While the retail and drone industries are wary of some state laws getting traction in the U.S., a software industry executive in Africa is touting the need for a continent-wide privacy law to drive cloud adoption. In this Privacy Tracker weekly legislative roundup, read about concerns surrounding the Pakistani proposed cybercrime law, EU member states’ reactions to the EU Court of Justice’s decision on the Data Protection Directive and which sections of South Africa’s POPI are now in effect.
Opinion: Laws Needed To Encourage Cloud Growth in Africa
In order to promote cloud computing in Africa, the African Union needs to come up with privacy legislation that also promotes cross-border data transfers, according to Mike Ettling, global head of cloud and on-premise human resources for business software company SAP. “It would be fantastic if the African Union could come up with a European Union-style data privacy legislation regime, where it doesn’t matter where the data center is in Africa; as long as it’s in the union, data is secure,” he told ITWebAfrica, adding, “But if legislation then doesn’t allow data from Zimbabwe or Botswana to be stored in Nigeria, it’s going to really slow down the growth.”
Opinion: Pakistan’s Proposed Cybercrime Law Will Stifle Privacy
The Prevention of Electronic Crimes Act, 2014, is aimed at updating Pakistan’s criminal law to “address the sophisticated online threats,” but Privacy International reports that provisions in it will violate individuals’ privacy. One provision allows the nation’s government to share information from investigations under the act with foreign or international agencies; another allows the government to access data located in a foreign country with the consent of “the person who has the lawful authority to disclose it,” and still another requires service providers to hold “traffic data” for a minimum of 90 days. The reports calls the proposal “a blatant attempt to establish a legal regime containing broad powers when it comes to obtaining, retaining and sharing data obtained through criminal investigations, including communications data.”
South Africa’s POPI: Some Provisions Now In Effect
Some of the provisions of South Africa’s Protection of Personal Information Act (POPI) have come into effect as of April 11, KPMG reports. The sections establishing the information regulator, the procedures for creating regulations and the nature of the regulations the information regulator may make under POPI are a few of the sections of the law that are now in effect.
State Drone Laws Hampering Industry
Computerworld reports on the effect state laws are having on the commercial drone industry in the U.S. Since President Obama signed a bill allowing the commercial use of drones, 43 state legislatures have seen—and in 13 cases passed into law—bills governing drone use. Meanwhile, the Federal Aviation Administration has yet to issue its own set of rules. All this could mean “the U.S. is in danger of falling well behind other parts of the world in the use of drones for commercial applications,” according to Ben Gielow, general counsel of the Association for Unmanned Vehicle Systems International. Gielow also warns of curtailing drone use before people have even begun to use it, noting, “This is a Big Data issue. It has nothing to do with the platform,” and the same rules apply to the data collected by drones as apply to other means of collection.
Cali Breach Law Expected To Draw Fire from Retailers
Amendments to California’s data breach bill that would make businesses liable for reimbursing all breach-related costs is expected to draw fire from big retailers, reports Law360. “Retailers have a vested interest in not letting this happen,” said Sharon Klein, chair of Pepper Hamilton LLP’s privacy, security and data protection practice, adding, “It will be a long fight and perhaps because of the bill’s unique, expansive nature, retailers are certainly going to do everything they can to make sure it doesn’t spread nationally.” The California Retailers Association has already come out against the bill. (Registration may be required to access this story.)
Patient Privacy Bill Passes California Senate Committee
The California Senate Committee on Health has passed a bill aiming to protect patient information in the state’s insurance exchange. Sen. Joel Anderson (R-Alpine) authored the bipartisan legislation that would prohibit the exchange and those representing it from disclosing patient information without consent. SFGate reports that some healthcare advocates oppose the bill, saying that while they agree with the need to ensure patient privacy, the bill inhibits their ability to do outreach for the exchange and help people sign up online.
Oklahoma Senate Approves Social Media Bill
The Oklahoma Senate has unanimously passed a bill prohibiting employers from requiring access to the personal online accounts of employees or prospective employees, reports The Daily Ardmoreite. HB 2372 makes it illegal for employers to require employees to offer up login information, to open accounts for the employer to view them or to retaliate against employees for not allowing the access. The bill now heads to the House.
SEC Rolls Out Cybersecurity Roadmap for Wall Street
The Securities and Exchange Commission (SEC) has released a blueprint explaining how it plans to ensure Wall Street companies are prepared to detect and prevent cyber-attacks, Reuters reports. The document includes example questions the SEC may ask brokerages and financial firms during inspections and warns firms should be ready to disclose a comprehensive list of when they’ve detected malware, undergone a denial-of-service attack or discovered a breach after January 2013. Former SEC Chief of Internet Enforcement John Reed Stark said the list of questions is unusual but “forward-thinking.” He added, “With the public disclosure of this questionnaire, the SEC is giving up the surprise of one aspect of their exam program and opting to provide to SEC-registered financial firms a rare chance to prepare.”
ECPA Reform Stalled; Courts Avoid Tech Questions
A federal appeals court has affirmed an earlier court ruling holding Lavabit founder Ladar Levison in contempt for refusing to turn over the master encryption keys to Lavabit’s 400,000 users, and at the same time, Ars Technica reports, reforms to the Electronic Communications Privacy Act (ECPA) have stalled in Congress. The Center for Democracy & Technology’s Jim Dempsey said, “It has become clear to us in the course of a year and a half, we’re not going to see comprehensive ECPA reform at this time.” Kashmir Hill reports on the Levison and Andrew “weev” Auernheimer court cases and how, in each case, the important technological questions of Internet security were not decided because of court technicalities. Meanwhile, German-based startup Lavaboom is unveiling a new e-mail encryption service inspired by Lavabit.
Harassment Continues As Laws Lag Behind Reality
It’s a rare occasion that legislators act swiftly to protect against emerging privacy violations, writes Danielle Citron for Forbes, suggesting the law needs sooner-than-later updating to combat privacy invasions facilitated by today’s technologies. She uses as an example the case of Ian Barber, who allegedly posted nude pictures of his ex-girlfriend to Twitter and sent them to her employer and sister. A judge dismissed sexual harassment charges against him because he hadn’t sent the pictures directly to the victim, as required under the law. The case isn’t an anomaly, Citron writes. While 22 states are considering anti-revenge porn legislation, “time will tell” if Congress will respond. Editor’s Note: Jedidiah Bracy, CIPP/US, CIPP/E, recently examined issues of data ownership and revenge porn in this post for Privacy Perspectives.
Greene: New HIPAA Audits Will Allow Less Room for Explanations
FierceHealthIT reports on Davis Wright Tremaine’s Adam Greene’s recent interview with HealthcareInfoSecurity and his advice for healthcare organizations facing Health Insurance Portability and Accountability Act (HIPAA) audits this fall that are expected to be “more narrow in focus.” Greene says the process is going to be a “bit tougher” coming forward for organizations that don’t employ meticulous documentation. “If you’re a well-organized organization, I think these desk audits will make things significantly easier,” Greene said, adding the Office for Civil Rights “has indicated they are not going to do follow-up questions … so you want your policies and procedures to tell a good story of your compliance.” Editor’s Note: The IAPP Resource Center’s Close-Up: HIPAA offers additional tools and research related to this topic.
Denham Report, Cavoukian Investigation Reveal Data-Sharing Concerns
In what she has described as her “most important report ever,” BC Information and Privacy Commissioner Elizabeth Denham “concluded too much mental health and so-called non-conviction information is being revealed to employers,” The Canadian Press reports. The 42-page report, entitled Use of Police Information Checks in British Columbia, states, "The time has come to find a new way forward in BC that meets the legitimate business interests of employers while respecting the fundamental rights of our citizens, including their statutory privacy rights.” Separately, Ontario Information and Privacy Commissioner Ann Cavoukian, who has been investigating how U.S. law enforcement was able to access Canadian travellers’ personal information, has found “Ontario police services routinely uploaded” mental health-related information to the Canadian Police Information Centre, “to which U.S. border guards and the FBI have access.”
A Close Look at Latest Bill To Enhance Gov't Surveillance
In this Privacy Tracker post, Timothy Banks of Dentons Canada looks at Bill C-13, which attempts to grant law enforcement enhanced surveillance powers. “The proposed legislation has been promoted by the government as ‘anti-cyberbullying’ legislation; however, the new offence of unlawful distribution of intimate images is a small component of a suite of provisions intended to expand law enforcement tools to investigate online crime.” Noting previous attempts at increasing surveillance powers have met criticism from the federal and provincial privacy commissioners, Banks writes that this bill “is much more respectful of privacy rights ... However, the recent attempt to stifle debate in the House of Commons certainly could be interpreted as the government remaining uncomfortable with scrutiny of these provisions.” (IAPP member login required.)
Article 29 WP on Safe Harbor, Anonymisation, Data Controllers
“If the revision process currently undertaken by the European Commission does not lead to a positive outcome, then the Safe Harbor agreement should be suspended.” That was the message in a letter to Vice President and Commissioner for Justice Viviane Reding from Article 29 Working Party (WP) Chair Isabelle Falque-Pierrotin. The improvements made to modify Safe Harbor must be “valuable to the European Commission,” the letter states. Meanwhile, the WP has also issued an opinion on “making data processing legitimate.” The opinion states, “Beyond guidance on the practical interpretation and application of Article 7(f) under the current legal framework, it aims at formulating policy recommendations to assist policy makers as they consider changes to the current data protection legal framework.” A second WP opinion “analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them.”
Why Attempts To Physically Control Data Make No Sense
“With cloud computing, many fear losing control. True, supply chains may be complex … However, users can retain control in cloud computing—depending,” writes cloud computing expert Kuan Hon in this Privacy Tracker post. Using examples of the evolution of the EU Data Protection Directive and cases from the EU Court of Justice and the Danish Data Protection Agency, Hon outlines reasons the data export restriction and the “transfer to a third country” provisions are antiquated in today’s technological environment. “Nowadays, physically confining data to the EEA does not equate to or guarantee data protection. Yet vast amounts of time and resources are poured into compliance with the restriction, which could be better spent on improving information security,” Hon writes. (IAPP member login required.) Editor's Note: The IAPP and TRUSTe will present a free web conference, The Role of Privacy Seals and Certifications in Building Trust and Global Interoperability, on May 8.
Member States React to CJEU Ruling
Since the Court of Justice of the EU (CJEU) rejection of the Data Retention Directive, several member states have taken action. Norway has changed plans to incorporate the directive into law, with officials confirming the government “will prepare a new proposal for data storage.” Swedish authorities, meanwhile, “won’t take action against an ISP that erased all retained communications metadata, even though there is still a law in place compelling providers to retain such data,” PC World reports. And in The Netherlands, the GroenLinks Party “plans to introduce legislation within two weeks ending the requirement for telecom and Internet companies to store data on customer communications.” This week, the IAPP’s Privacy Tracker legislative roundup includes, with other news from round the globe, the CJEU’s recent decision invalidating the directive. (IAPP member log in required.)
AEPD Publishes Draft PIA Guide
Spain’s Data Protection Agency (AEPD) has published a draft privacy impact assessment (PIA) guide and “initiated a public consultation, open until 25 April, to garner opinion and comments on the guide,” Mondaq reports. The PIA guide provides “a framework to improve privacy and data protection in relation to an organisation's technological developments, with the aim of helping them identify, address and minimise data protection risks prior to the implementation of a new product or service,” the report states. In the guide, the AEPD discusses the importance of developing PIAs to show organisations are performing due diligence and developing “appropriate methods and procedures for addressing privacy risks,” the report states.
The CJEU Ruling and Australia’s Data Retention Plans
Following the Court of Justice of the EU (CJEU) ruling the EU’s Data Retention Directive violates EU law, Angela Daly and Sean Rintel of Electronic Frontiers Australia write for The Sydney Morning Herald that the ruling “comes at an important point in the data retention debate in Australia” in the midst of its own data retention discussions. Daly and Rintel suggest, “If the UK decides to include more accountability in its data retention implementation as a result of the CJEU ruling, this might bode well for Australian civil liberties—but given the fragmented response so far from European countries, arguably the time to look for models is over. It is time for Australians to take their own rights seriously.”
If you want to comment on this post, you need to login.