In this week’s Privacy Tracker weekly legislative roundup, read about court cases in both India and the U.S. that may affect notification and consent pertaining to recording individuals; Zimbabwe’s review of its privacy law in light of its new constitutional guarantee to the right to access of information; Indiana’s governor’s signing of a law limiting law enforcement access to cellphone data, and the Colorado Senate clearing a bill that would add “electronic data” to items protected from warrantless search and seizure. And let’s not forget the Supreme Court discussed the same issue early last week shortly before the White House released its Big Data report calling for legislative action.
India’s Supreme Court To Address Privacy Issues in Recording Case
India’s Supreme Court, in tackling issues of illegality and criminality related to a controversial recording of a former corporate lobbyist’s discussions, has decided first to address the issues surrounding privacy rights, reports The Hindu Business Line. The three-judge panel will hear arguments related to “right to privacy vis-a-vis government, right to privacy vis-a-vis press and the right-to-know information” from August 26 to 28, and will address other aspects of the case once the privacy discussions are complete.
Zimbabwe To Review Privacy Law, Align with New Constitution
Deputy Minister of Media, Information and Broadcasting Services Supa Mandiwanzira has announced that Zimbabwe’s Access to Information and Protection of Privacy Act (AIPPA) is among the 400 laws that will be reviewed and possibly amended to align with the country’s new constitution, reports The Zimbabwean. The constitution was signed into law almost a year ago, and though it guarantees the right to access of information, with some conditions, no freedom of information law has been enacted. Mandiwanzira encouraged stakeholders’ participation in the Information and Media Panel of Inquiry’s process and assured them the group’s recommendations would be implemented by the government.
U.S. Federal Court Indicates Prior Notice Is Required for All Cellphone Recording
A federal court in California denied Verizon’s motion to dismiss a class-action case against the company for failing to give prior notification that it was recording calls to cellphones. Courtney Bowman writes for The National Law Review that a third party contracted by Verizon had been recording conversations with a non-customer who it mistakenly thought was a customer indebted to Verizon. The man took Verizon to court for violations of California’s Invasion of Privacy Act. Verizon attempted to have the case dismissed, saying the recordings did not invade the man’s privacy, but the motion was denied, with the court noting that “the Invasion of Privacy Act banned the recording of all calls made to cellphones—not just confidential or private calls made to cellphones.” The case is ongoing, however, and Bowman writes, “companies may be held responsible for their third-party vendors’ lack of disclosure, meaning that companies should change their policies to require their third-party vendors to refrain from recording phone conversations without prior notice.”
Alaska Legislature Passes Bill To Restrict Access to Court Papers
The Alaskan legislature has passed SB 108, making records from criminal cases resulting in acquittals or dismissals confidential, reports KTUU. Currently these records are available online, but proponents of the bill say this level of access has led to individuals being treated unfairly in housing and employment situations. Opponents say the bill takes away a fundamental right to access court records. The governor has yet to sign the bill into law.
Colorado Senate Approves Protecting Electronic Data from Warrantless Search
The Colorado Senate has unanimously approved an amendment to add “electronic and other data” to the list of items protected from warrantless search, reports The Denver Post. Representatives from the attorney general’s office and the district attorney argued against the change, saying the data is already protected by the state and federal constitutions and courts should be trusted to protect it when appropriate. Senate President Morgan Carroll (D-District 29) said, “Electronic data is the modern equivalent of your ‘papers,’” one of the items already on the protected list.
Connecticut Committee Axes Student Privacy Bill
The Connecticut House of Representatives’ Veterans Affairs Committee has squashed a bill that would have stopped the sharing of high-school students’ military-aptitude test results, reports the New Haven Register. According to the National Coalition to Protect Privacy’s Jack Elder, this test is the only exception to the parental consent provision in the Federal Educational Rights Privacy Act, meaning students’ “test information and some pretty sensitive personal information and Social Security number (are) sent to the Pentagon for recruiting purposes.” SB 423 aimed to require school districts to select the option not to share the data with recruiting services and had been passed by the Education Committee.
Indiana Governor Signs Anti-Surveillance Bill
Indiana Gov. Mike Pence has signed a bill that prohibits law enforcement from using drone surveillance and tracking the location of mobile devices in real time without first getting a search warrant, reports The Indianapolis Star. HB 1009 has exceptions for emergency situations, as when lives are in danger, and also makes it illegal for private citizens to place an unmanned camera or tracking device on another individual. The law goes into effect July 1.
Minnesota Legislature Introduces Breach Notification Expansion
Minnesota lawmakers have introduced a bill to expand the state’s breach notification law, effectively turning it into “a 50-state notification requirement for entities doing business in Minnesota,” writes Cynthia Larose, CIPP/US, for The National Law Review. The new law would require all individuals—not just Minnesotans—be notified within 48 hours of discovery or notification of a breach. It would also require breached organizations to offer a year of credit monitoring to those affected and full reimbursement for all expenses incurred due to the breach plus require businesses that sell goods and services to provide a $100 gift card to each person affected.
Advocates Laud White House Call for Law Updates
Privacy advocates are cheering news that the White House’s Big Data review has resulted in calls for an overhaul of privacy laws and the country’s surveillance programs, reports The Hill. Representatives from the Center for Democracy and Technology (CDT) and the American Civil Liberties Union praised the 85-page report, released Thursday, which consolidated the White House’s John Podesta’s 90-day fact-gathering effort into six specific recommendations for the president, including legislation on data breaches and updating the Electronic Communications Privacy Act. The CDT’s Nuala O’Connor, CIPP/US, CIPP/G, said, “The report rightfully highlights the potential for limiting our choices or discriminating based on broad assumptions from a data set.” Some, however, are chiding the report for not going far enough. Jeff Chester of the Center for Digital Democracy expressed disappointment that the report “failed to identify the commercial surveillance complex that has been put in place by … data-driven businesses.”
Court Rules Location of Data Doesn’t Matter
U.S. District Court Judge James Francis has ruled e-mail providers must turn over users’ e-mail and other data to U.S. law enforcement when a search warrant is issued—even if the data is stored overseas, IDG News Service reports. Francis ruled Friday that Microsoft must hand over a user’s e-mails, despite the fact that the data is stored in Ireland. Francis granted a warrant in December for the seizure of all the user’s e-mails and other identification records. Microsoft submitted the user’s name, country and address book information but refused to hand over e-mail content, arguing its extraterritorial location precluded it. Francis disagreed, but Microsoft says it will appeal the ruling.
SCOTUS To Debate Cellphone Privacy, What You Should Know
Tomorrow, the U.S. Supreme Court will hear oral arguments in two cases that will ultimately decide the constitutionality of warrantless searches of cellphones incident to arrest. Lower courts are split on the issue, and there’s a lot at stake. As Orin Kerr pointed out, about 12 million people are arrested every year and about 90 percent of Americans have cellphones. IAPP Westin Fellow Dennis Holmes writes for Privacy Tracker about the cases. “In deciding these cases, the Supreme Court will ultimately opine, either explicitly or implicitly, on whether individuals’ expectation of privacy in their cellphone data is reasonable and thus deserving of Fourth Amendment protection,” Holmes writes.
SCOTUS Discussions Suggest Compromise
USA Today reports that Supreme Court discussions involving the protection of information contained in the cellphones of arrestees “appear to point toward a compromise.” While recognizing the breadth of information people now carry in their cellphones, the justices also voiced concern about not hampering authorities’ ability to conduct relevant searches. Justice Elena Kagan pointed out, “Most people now do carry their lives on cellphones,” which she said will only increase, prompting Justice Stephen Breyer to voice his support of requiring a warrant to search cellphones. But Justice Antonin Scalia noted, "Our rule has been if you carry it on your person, you ought to know it is subject to seizure and examination."
Sens. Introduce Cybersecurity Law: CISPA Revived?
Sen. Dianne Feinstein (D-CA) and Sen. Saxby Chambliss (R-GA) have introduced the Cybersecurity Information Sharing Act of 2014, which some claim is the twice-shot-down Cybersecurity Intelligence Sharing and Protection Act re-branded, reports ZDNet. Civil liberties experts say this new version offers industry even more latitude to share data with the government in order to thwart cyber-attacks. The report states the White House had indicated the president would veto such a bill if it made it to his desk. The bill is currently in discussion draft.
Senators Drafting Threat-Sharing Bill; Kerry Outlines Internet Freedom Framework
The Washington Post reports members of the Senate Intelligence Committee are drafting cyber legislation that would allow companies to share threat data with federal agencies without fear of getting sued. The draft bill was written by Sen. Dianne Feinstein (D-CA) and Sen. Saxby Chambliss (R-GA). And during a Google+ Hangout session on Monday, Secretary of State John Kerry outlined the framework for the Obama administration’s principles on Internet freedom, stating democracies should collect and share intelligence for national security reasons only. Meanwhile, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel wrote on The White House Blog how the government decides when to disclose cyber vulnerabilities.
Will Access to Metadata Prompt Privacy Law Changes?
“The battle over the way law enforcement agencies can get telecommunications companies to hand over subscriber information went into Question Period on Wednesday,” IT World Canada reports, with Prime Minister Stephen Harper “deflecting heated questions from Opposition Leader Thomas Mulcair.” Harper said, “There is independent surveillance, independent oversight to make sure that these laws are respected.” The report cites Interim Privacy Commissioner Chantal Bernier’s announcement that “agencies made 1.2 million requests for information in 2011 alone.” A Bell Canada executive said, “we don’t know how far we can go in providing very specific, detailed information” on the customer data the company gives to government agencies because it could affect investigations. Bernier told a Senate committee “she would like federal privacy laws changed so that service providers have to break out statistics,” CBC News reports.
MPs Question Cyberbullying Bill
Opposition MPs are questioning “wide-ranging changes included in Justice Minister Peter MacKay's cyberbullying legislation,” CBC News reports. The House started its committee review of Bill C-13 on Thursday, the report states, noting legal experts have already raised concerns about measures in the bill, which would “include giving police easier access to the metadata that Internet service providers and phone companies keep on every call and e-mail.” MacKay said, “This bill does not create any new protection from any criminal or civil liability for anyone who would voluntarily assist law enforcement. It simply clarifies existing provisions.” Editor's Note: Timothy Banks of Dentons Canada recently examined Bill C-13 in this Privacy Tracker post.
Lawyer: CASL Should Be Scrapped
David Fraser, a privacy lawyer with Halifax-based McInnes Cooper, has a definite opinion about CASL. “I think it should be scrapped,” he told CBC News. “This has gone through so many different committees and so many different parts of Industry Canada. It's turned into a real Frankenstein.” Speaking of the new rules, which go into effect on Canada Day, Fraser said, “For those who are already sending out fraudulent emails, they’re already breaking the law. So this probably isn't going to discourage them." Editor's Note: For an in-depth look at CASL, see our recent exclusive in The Privacy Advisor and additional information in our Resource Center.
Denham: Better Laws Needed for PHI
The Canadian Press reports on concerns from BC Privacy Commissioner Elizabeth Denham about the province’s "weak patchwork" of laws amidst emerging healthcare technologies. In a report recommending “an all-inclusive framework to protect health data,” Denham listed “21 recommendations she hopes will help legislators start a discussion and initiate a public consultation process that could help deal with the issues involved,” the report states. During an interview Wednesday, Denham said, "Doctors treat the whole patient and not a specific condition. Similarly, government needs to take a holistic and comprehensive approach to how personal health information and patient data is used, shared and disclosed."
Can Data Protection Survive If the EU Breaks Up?
“There is a widespread belief that ‘the world is flat,’ national borders don’t matter anymore and data processing is inexorably becoming more globalized,” writes Wilson Sonsini’s Christopher Kuner. “However, in Europe, the forces of Euroskepticism and nationalism are throwing these beliefs into question.” In this post for Privacy Perspectives, Kuner discusses the potential data protection implications from news that both Scotland and Catalonia are holding referendums on whether to break from the UK and Spain, respectively, and UK Prime Minister David Cameron’s comments on whether the UK should break from the EU.
Study Indicates EU Cos Active in Safe Harbor, Would Suffer from Its Termination
A new Future of Privacy Forum (FPF) study documents that more than 150 European companies are active Safe Harbor participants. While European policy-makers have been calling for an end to the Safe Harbor program, citing noncompliance by U.S. companies, the FPF study concludes that terminating the program would negatively impact not only U.S. companies but EU companies as well. “Safe Harbor provides benefits to many top European companies and particular protection to their EU customers,” FPF Co-Chair Jules Polonetsky, CIPP/US, told the Daily Dashboard. “The debate has often been about U.S. companies—and certainly they are the bulk of participants—but many of the leading European companies would be significantly impacted if they couldn’t rely on the Safe Harbor for their U.S. subsidiaries.”
Has the EU Cookie Directive's Time Finally Come?
“Two years ago this week, I attended my first IAPP conference and the first-ever Data Protection Intensive,” Eleanor Treharne-Jones, CIPP/E, writes in this post for Privacy Perspectives, detailing a time when “the talk was of nothing but cookies” with enforcement of the EU Cookie Directive in the UK one month away. While cookies are not making news this year, she writes that “at TRUSTe we have seen just as many global companies adopt our comprehensive cookie-management solution in the first quarter of this year as in any other quarter of the last two years,” offering reasons why despite “enforcement activity so far amounting to little more than notices from regulators and some limited fines,” companies are increasing investment in this area.
Schrems' Facebook Case Ruling Expected in June
The Irish Times reports on closing arguments in the case Austrian student Max Schrems has brought alleging Data Protection Commissioner Billy Hawkes wrongly refused to investigate his complaint that Facebook Ireland could not lawfully permit mass transfer of personal data—including Schrems’s—to U.S. intelligence services. Schrems’s team said the data transferred was not in accordance with any exceptions under the EU-U.S. Safe Harbor agreement. The judicial review has ended, and Justice Gerard Hogan is expected to rule on the matter June 18.