Privacy laws are being considered in nations across the globe, and this week’s Privacy Tracker legislative roundup has updates on many of them. Brazil’s Chamber of Deputies has passed the Internet bill of rights—without its controversial local data storage provision; India has exempted government intelligence agencies from its draft law; Australia’s Senate is looking at a mandatory breach notification bill, and in Ireland, a bill intending to give adopted children identity rights is raising questions over parental privacy rights. In the U.S., Sen. Al Franken (D-MN) has proposed an updated version of his location privacy bill, and states continue to discuss issues surrounding student privacy and breach notification, among others.


Mandatory Breach Notification Bill Proposed in Australian Senate
A bill filed in the Australian Senate would require organizations and government agencies to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of data breaches, reports Privacy & Security Law Report. The bill includes a risk-of-harm trigger and authorizes the OAIC to create regulations specifically for notification involving sensitive information.

Brazil’s Congress Passes Marco Civil
After dropping the controversial local data storage provision, the Brazilian Chamber of Deputies voted to approve a bill of rights for Internet users, reports The current version of the bill, Marco Civil, emphasizes net neutrality, freedom of expression and user privacy. The bill now heads to the Senate for discussion and then back to the Chamber of Deputies before it can be sanctioned by President Dilma Rousseff.

Analysis of India’s Proposed Internet Privacy Bill
The Centre for Internet & Society offers an analysis of India’s draft privacy bill, noting “the government has substantially increased penalties for offences against penalty and has also clarified certain discrepancies and strengthened safeguards present in the earlier draft … but wants to severely restrict the scope of the bill.” According to a draft leaked to The Economic Times, there is now an exemption for government intelligence agencies. The report states that this exemption “would defeat the purpose of the bill” as it “was drafted in the hope of curbing the growing trend of unbridled surveillance and to ensure that there are legal mechanisms for safeguarding individual privacy.”

Minister: Irish Adoption-Tracing Bill Must Consider Mothers’ Privacy Rights
While the main outline of the Adoption (Information and Tracing) Bill is close to completion, The Irish Times reports Minister for Children Frances Fitzgerald, during Dáil question time, underscored that the bill must take into account the privacy rights of the birth mother. The bill aims to give adopted children the ability to discover information about their identities, and Independent TD Clare Daly said the starting point “has been to provide as much information as possible.” Fitzgerald, in responding to criticisms that she’s putting the mother’s right to privacy over the child’s right to identity, noted, “I will be bound and am bound … to provide for a balancing between the strong constitutional provision relating to privacy and the right to identity.”

Franken Introduces Mobile-Location Privacy Bill
U.S. Sen. Al Franken (D-MN) on Thursday reintroduced his Location Privacy Protection Act, which would require companies to get users' permission before collecting or sharing location information from mobile devices and car navigation systems, reports The Hill. The bill specifically targets so-called “stalking apps” and would put “an end to GPS stalking apps that allow abusers to secretly track their victims,” Franken said.

Cate: California Vehicle Data Bill Unworkable
SB 994, the Consumer Vehicle Information Choice and Control Act, aims to give car owners control over access to vehicle information, but Government Technology reports that Fred Cate of Indiana University's Maurer School of Law says it’s “completely unworkable in practice.” Cate says requiring car manufacturers to provide owners with “access from the motor vehicle to the vehicle information” is unrealistic. The bill, sponsored by Sen. Bill Monning (D-Carmel), aims to give owners control over personal data generated by onboard technology systems, according to the report, but Cate claims it will amount to “another set of privacy notices” that most people ignore, adding, “It’s a way to say, ‘Look, we did something to protect privacy,’ but it doesn’t necessarily do anything.”

Florida Senate Passes Student Privacy Bill
The Florida Senate has passed SB 188, which would prohibit schools from collecting political and religious beliefs and biometric information from students, reports CBS12. A similar bill is circulating in the House, and the state is also calling for a new student identification system that would phase out the use of Social Security numbers.

Kansas House Passes Student Privacy Bill
The Kansas House has passed a bill that would restrict access to student records and prohibit the state from collecting information relating to students’ and their families’ religious beliefs and sexual orientation, among others, reports Lawrence Journal-World. The bill is aimed at addressing concerns over the sharing of education data with the federal government, and, the Associated Press reports, it outlines specific parties that may access the data including local school districts, the state education department and public health agencies. SB 367 also includes a breach notification provision and a requirement that the state board submit a report on data collection and handling practices. The bill now heads back to the Senate, which approved an earlier version of the bill.

Louisiana Committee Backs Student Privacy Bill
Louisiana Rep. John Schroder has sponsored a student data privacy bill that has now received the backing of the House Education Committee, reports New Orleans City Business. The bill would set up a new student ID system, eliminating the use of Social Security numbers, and places restrictions on the sharing of student information. After working with the state education department on a revision due to concerns raised with the initial version, the committee unanimously backed the bill.

New Mexico Breach Notification Bill Heads to House
A bill calling for shorter notification deadlines on payment card-related breaches and the ability for cardholders to sue for recovery costs is heading to New Mexico’s House, reports The Huffington Post. HB 224 sets a 10-day limit for covered entities on notifying individuals of a breach of their unencrypted personal information and also includes requirements for data security and disposal and for passing these standards on to nonaffiliated third parties through contracts.

Oregon Bill Protecting Land Owners’ Privacy Heads to Governor
Both houses in Oregon have passed bill HB 4093, which would create “public record exemption for written agreements relating to conservation of greater sage grouse entered into voluntarily by owners or occupiers of land with soil and water conservation district.” Natural Resource Report states there are concerns among cattle ranchers and others that entering into Candidate Conservation Agreements with Assurances would make data submitted through the program public; by signing the bill into law, Gov. John Kitzhaber would protect landowners’ privacy.

Pennsylvania Senate Considering Bill To Expand Prescription Database
Pennsylvania Sen. Pat Vance (R-Cumberland) has introduced a bill to “create an expanded prescription drug monitoring program and increase access for pharmacists and healthcare practitioners who prescribe medication,” reports SB 1180 is seeing pushback from the American Civil Liberties Union of Pennsylvania mostly due to the removal of a provision requiring investigators to obtain a warrant before accessing most records. According to a co-sponsorship memo, Vance introduced the bill to stop people from inappropriately getting prescription drugs through multiple doctors.


Fandango, Credit Karma Settle with FTC for Deceptive Data Security
The Federal Trade Commission (FTC) has announced two mobile app makers have agreed to settle charges for allegedly deceiving customers by failing to securely transmit sensitive data. Fandango and Credit Karma, the FTC alleged, did not take reasonable steps to secure their apps, leaving credit card and credit report data as well as Social Security numbers at risk. The FTC has also charged the companies with disabling the Secure Sockets Layer (SSL) certificate validation process. FTC Chairwoman Edith Ramirez said the companies “have failed to properly implement SSL encryption,” and added, “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

Officials Vow To Strengthen Safe Harbor; The Road Ahead for EU DPR
In a joint statement, EU and U.S. officials announced a commitment to strengthening the Safe Harbor framework by this coming summer, reports. The announcement also promised to hasten efforts toward an “agreement for data exchanges in the field of police and judicial cooperation in criminal matters, including terrorism,” among others. Meanwhile, Eduardo Ustaran, CIPP/E, reminds us that while much has been made of Parliament’s passing of EU data protection reforms, “we have yet to see where the other legislative body—the Council of the EU—stands on this debate,” and outlines the challenges ahead.

Will NSA Reform Hamper Privacy Lawsuits?
Plans by President Barack Obama and Congress to reform Section 215 of the Foreign Intelligence Surveillance Act may eliminate lawsuits that seek to find the program unconstitutional, according to U.S. News & World Report. One legal expert said, “If the change comes in the form of a formal statute, rather than simply an executive branch discretionary decision, and there is no issue of past damage … I would put my money on the judiciary’s finding the issue moot.” Rep. Justin Amash (R-MI) has expressed skepticism regarding legislative proposals set forth by the White House and the House Intelligence Committee. Meanwhile, The Hill reports that government requests for user data are on the rise. A number of tech companies released transparency reports covering the second half of 2013, including Twitter, Yahoo, Microsoft and Google.

FTC and Cali AG Say Facebook is Misinterpreting COPPA; LabMD Sues FTC
The Federal Trade Commission (FTC) and California Attorney General Kamala Harris say Facebook is misinterpreting how the Children’s Online Privacy Protection Act (COPPA) works, reports the Los Angeles Times. The FTC and the AG have both filed amicus briefs with the Ninth Circuit Court of Appeals challenging a 2012 Facebook settlement, arguing the settlement violates laws in seven states that require parental consent be obtained before a child’s image can be used in advertising. Facebook said the states can’t enforce their own laws on teen privacy because COPPA only protects kids 12 and under. Meanwhile, LabMD has filed a lawsuit against the FTC, challenging the agency’s enforcement action following two data breaches.

OSHA Proposes Expanded Data Access Rule
The Occupational Safety and Health Administration (OSHA) has proposed a rule that would increase the availability of data regarding workplace health and safety, reports EIN News. The rule would require businesses with more than 250 employees to electronically file all serious injuries that happen on their premises. Much of this data would be made public, such as incident dates and times, descriptions of the injuries or illnesses and where and how they occurred—as well as job titles of any employees involved—and employees and the government would have increased access as well. Ben Huggett, a shareholder with Littler Mendelson and an OSHA expert who prepared and submitted comments on the rulemaking, told the Daily Dashboard that “by publicly posting information on the Internet about the date of injury, injured body part, treatment and job title, the identity of particular employees could be easily determined in many industries, small or rural locations or where an unusual injury occurs.” He also notes that the proposed rulemaking does not adequately address this privacy invasion. OSHA says the changes are aimed at decreasing incidents, but opponents say this is a way to “name and shame” employers, and disputes over workplace accidents may well increase because of it.

Obama To Call for End of Bulk Phone Collection; House Bill Would Require Telco Data Storage
President Barack Obama is expected this week to call for an end to the National Security Agency’s (NSA) bulk collection of phone records through a legislative proposal, The New York Times reports. If approved by Congress, the bill would end the systematic bulk collection of Americans’ phone records and the storage of those records by the NSA. Instead, it would require telecommunications companies to store the data for up to 18 months, and the NSA could obtain specific phone records with judicial permission. Meanwhile, The Wall Street Journal reports House Intelligence Committee leaders plan to release a bill overhauling the phone records program. The NSA “vetted” the bill and was okay with it, the report states, noting one telco executive questions whether it goes far enough to protect privacy. (Registration may be required to access this story.)

Unpacking the Denial of Gmail Scanning Class-Action
The Northern District of California denied a motion for class certification in a suit over Google’s practice of scanning Gmail messages in order to serve content-based advertising. This Privacy Tracker exclusive discusses how Gmail’s Terms of Service and Privacy Policy, which the court previously called “vague at best and misleading at worst,” and “a ‘panoply of sources’ where users could have impliedly consented to Google’s practices” helped the court make its decision. “Putting aside the question of whether Google’s Terms were in fact vague or misleading, a key takeaway for businesses from this case should be the importance of educating customers about their data practices,” the authors write. (IAPP member login required.)


Clayton Finds Police Program Contrary to FOIP
Alberta Privacy Commissioner Jill Clayton has found an Edmonton police program aimed at pushing those with outstanding warrants to turn themselves in “failed to make reasonable arrangements to protect personal information,” CBC News reports. Project Operation Warrant Execution featured a public campaign encouraging individuals to come forward “or risk having their names and faces advertised publicly,” the report states, noting “Names, photographs and other personal information of individuals appeared in newspapers and on the police website.” Clayton found the program contravened the Freedom of Information and Protection of Privacy Act (FOIP) because it “did not make reasonable security arrangements to protect personal information as required under FOIP,” the report states.

Bennett: Election Reform Bill Lacks Privacy Protection
CBC News reports on Bill C-23, citing comments from University of Victoria Prof. Colin Bennett suggesting the 242-page election reform bill “doesn't have any measures to fill gaping holes in privacy protection that experts have been warning about for years.” Bennett said the bill not only lacks protection for private information held by political parties, but it could also “make the situation worse,” the report states. Despite joining with the privacy commissioner and chief electoral officer in raising those concerns two years ago, Bennett said, “basically nothing's happened. And then this bill comes along, and still nothing's happened.” Editor’s Note: Author and University of Victoria Prof. Colin Bennett will offer one of the keynotes at the upcoming IAPP Canada Privacy Symposium.


Suit Filed; Ad Campaign Cleared
AFP reports on consumer rights group UFC-Que Choisir filing suit against Twitter, Facebook and Google “accusing the Internet giants of breaching privacy laws.” The group accuses the sites of having terms of use that are “inaccessible, unreadable and full of hypertext links,” the report states, noting UFC-Que Choisir has said, “After several months of talks and despite our warnings, they are stubbornly maintaining clauses that the association considers abusive or illegal.” In a separate case, The Guardian reports the UK’s Advertising Standards Authority “has cleared a campaign by Microsoft attacking the privacy standards used by Google's Gmail e-mail service.”

ICO: Ignorance Won't Prevent Enforcement
The Information Commissioner’s Office (ICO) reports a record number of complaints linked to accident claims during the last three months of 2013, and the office believes “solicitors may be unaware that they could be breaching the Data Protection Act by using leads generated through unlawful methods,” The Law Society Gazette reports. While opt-in rules apply generally, a consumer advocacy group has found more than eight in 10 people have received an unsolicited call in one month, and one in 10 received 50 or more. The ICO has said ignorance will not prevent enforcement actions.

Hustinx Says Banks Need To Respect the Law
Dutch banks ING and Rabobank are taking their legal responsibility to protect data too lightly, says European Data Protection Supervisor Peter Hustinx. The comments follow ING’s recent consideration of plans to sell customer data to companies for advertising purposes. The Dutch-based bank has since said it will not move forward with such plans. Hustinx says companies are only allowed to use customer data with clear permission and banks aren’t respecting that.

Asia Pacific

Australians Now Have Right to Anonymity
Australia’s new privacy laws give citizens “the right to remain anonymous or use a pseudonym” for interactions with government and healthcare entities and “organisations and companies that have a turnover of more than $3 million a year,” The Sydney Morning Herald reports. While there are caveats to that, the Australian Privacy Foundation’s Roger Clarke said that for the "vast majority" of circumstances, organisations’ default position should be to enable pseudonymity for those who request it. According to the law, individuals “must have the option of dealing anonymously or by pseudonym.” Clarke said, “The laws apply to anybody who isn't exempted under the law. There are arguments about enforceability internationality—but absolutely, it applies to everybody."

India’s UID Faces Criminal Justice Challenge
“The UID (unique identification) authority's claim that biometric data collected by it for issuing 'Aadhar' cards was only for civilian purposes is set to be tested on the touchstone of our criminal justice system,” Gyanant Singh writes in a Daily Mail report about the UID receiving a court order to share its database to help solve a criminal case. The UID “stands burdened with the task of justifying its refusal to share the 'Aadhar' data for forensic purposes, particularly when our law orders the sharing of relevant material with probe agencies and does not consider the use of fingerprints, etc., even if taken forcefully, as self-incriminatory,” Singh writes.

Written By

Emily Leach, CIPP/US

