In this Privacy Tracker weekly legislative roundup, read about amendments to South Korea’s Data Protection Law including increased fines, a 24-hour notification deadline and customer compensation without verification of damages; a constitutional challenge to Canada’s PIPEDA by the Canadian Civil Liberties Association; and the U.S. house passing an NSA reform bill, with some of its original supporters are calling it “watered down” and voting against it. Meanwhile, Louisiana has a new social media privacy law, Florida has a new breach notification law and Missouri is a governor’s signature away from getting a student privacy law and a library privacy law.
South Korea Amends Law, Increases Fines, Offers Consumer Compensation
South Korea has amended its Data Protection Law, reports Bloomberg BNA. Under the amendments, the limit for revenue-based fines for a data breach has increased to one percent—without a need to provide evidence of deliberate negligence—and there is a 24-hour deadline for notifying consumers of a breach. The law also offers breach complainants financial compensation of up to three million Korean won without having to verify damage claims, the report states. Companies may face fines of up to three percent of their revenue for breaching the law, which takes effect in six months.
California Court Clarifies Meaning of Medical Information under CMIA
A California appellate court has cleared a hospital of wrongdoing in a case where a stolen laptop resulted in the exposure of 500,000 patients’ personally identifiable information, reports Law360. The laptop contained names, ages, birthdays, clerical record numbers and partial Social Security numbers, but no information that revealed “medical history, diagnosis or care.” The court stated, “It is clear from the plain meaning of the [Confidentiality of Medical Information Act] that medical information cannot mean just any patient-related information held by a healthcare provider, but must be ‘individually identifiable information’ and also include ‘a patient’s medical history, mental or physical condition or treatment.’”
California Senate Passes Anti-Surveillance Bill
The California Senate has passed SB 828, which would mean that the National Security Agency (NSA) would need to get a warrant prior to collecting data on California residents, reports NBC Los Angeles. The bill passed 29-1. The bill’s author, Ted Lieu (D-Torrance), said, "The Fourth Amendment is very clear, it's says you cannot engage in unreasonable searches and seizures if you are the government without a specific warrant.” The bill goes to the Assembly in June.
Florida Passes New Breach Legislation
The Florida legislature has passed the Florida Information Protection Act, establishing new notification requirements for both public and private entities, reports JDSupra. The act sets a 30-day deadline for notifying consumers of a data breach after identifying it and sets specification for what must be included in the notification. While failure to comply could bring civil penalties of up to $500,000, the act specifically states that it does not create a private right of action.
Louisiana Passes Social Media Law
Louisiana Gov. Bobby Jindal's has signed into law the Personal Online Account Privacy Protection Act, which prohibits employers and schools from requesting login credentials to the personal online accounts of employees and students, the Associated Press reports. The law also prohibits disciplining students and employees for refusing to provide the information, it does not, however, apply to company-owned devices.
Missouri Puts Constitutional Amendment on Ballot, Lawmakers Pass Student, Library Privacy Bills
Missouri lawmakers have passed measures banning the RFID chipping of students to track location and to protect the privacy of library patrons' use of e-books and digital materials, reports the Associated Press. Both bills are now headed to the governor for signing. The legislature has also voted to put on the August ballot a measure to include electronic communications and data among the list of items protected from unreasonable search and seizure under the state constitution.
New Jersey Assembly Passes Social Media Responsibility Campaign
The New Jersey Assembly has passed A-2409, which would require the Department of Law and Public Safety to operate a website to inform individuals on how to protect their online privacy, reports South Jersey Times. The department would be required to produce videos on how to use privacy controls on popular sites and keep an active presence on social media sites. Celeste Riley (D-Cumberland/Gloucester/Salem), one of the bill’s sponsors, said "Many young people use social media, but don't really understand that the information and images they share online live in perpetuity.”
"Compliance Jurisdiction Creep" and How It Happens
“In our modern, interconnected global economy, being compliant with one’s ‘home’ jurisdiction is not sufficient. It is equally important to consider whether an organization has through its deliberate activities or its relationships with other organizations become subject to the laws of foreign states,” writes Timothy Banks of Dentons Canada in this Privacy Tracker blog post. Companies can become subject to the laws of other jurisdictions in a number of ways. Using specific examples, Banks explores some of those ways. (IAPP member login required.)
Houses Passes "Watered Down" NSA Reform
The U.S. House of Representatives passed a bill Thursday aimed at reforming the National Security Agency’s (NSA) bulk collection of phone data amidst criticism from privacy advocates, technology companies and some lawmakers that the reform does not go far enough in protecting the privacy of U.S. citizens, The Washington Post reports. The USA Freedom Act passed 303-121. Rep. Zoe Lofgren (D-CA) said, “This is not the bill that was reported out of the judiciary committee unanimously,” adding, “The result is a bill that will actually not end bulk collection, regrettably.” The White House endorsed the bill on Wednesday, saying it “ensures our intelligence and law enforcement professionals have the authorities they need … while further ensuring that individuals’ privacy” is protected. One of the bill’s co-sponsors, Rep. Carol Shea-Porter (D-NH) voted against the latest iteration of the legislation. A post from The New York Times Editorial Board said the bill falls short. (Registration may be required to access this story.)
Advocates Withdraw Support for Bill Aimed at Curbing NSA Spying
As reported earlier this week, a bill aimed at reforming National Security Agency (NSA) surveillance practices has been watered down, resulting in privacy advocates withdrawing their support. Center for Democracy and Technology President Nuala O’Connor, CIPP/US, CIPP/G, said the USA FREEDOM Act has been “made so weak that it fails to adequately protect against mass, untargeted collection of Americans’ private information,” The Washington Post reports. Meanwhile, venture capitalist Marc Andreessen said Silicon Valley is still fuming over the impact the NSA revelations have had on the international community’s trust in U.S. companies, and a Frontline exclusive looks at how Google’s ad targeting may have paved the way for widespread government surveillance. (Registration may be required to access this story.)
Ad Industry Pushes for Data Breach Law
The advertising industry has said it supports a federal data breach law that would require companies to notify consumers of a data breach, MediaPost reports, but only when the incident “poses a significant risk” of tangible harm such as identity theft or economic harm. The industry coalition said an overly broad trigger would overburden consumers with breach notifications; therefore, Congress should develop a specific definition of “sensitive personally identifiable information.” The group wrote, “A balanced bill would also exclude public records and information derived from public records from its scope.” The numerous patchwork of state breach laws “frustrate efficient and uniform breach notification to consumers,” the group added. Editor’s Note: A recent Privacy Perspectives post discussed the importance and difficulties of defining “personal information,” in “The Problem at the Heart of the Privacy Profession.”
Senate Looks at Harmful Advertising; Advocates Worried About NSA Bill
A Senate subcommittee is investigating online advertising, InsidePrivacy reports. The Senate Permanent Subcommittee on Investigations held a hearing last week entitled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy,” looking at advertisement-based malware that cybercriminals could use to target consumers. It was supplemented by a report by Sen. John McCain (R-AZ) and Subcommittee Chairman Carl Levin (D-MI). Meanwhile, privacy advocates are concerned that the bill aimed at reforming the surveillance practices of the National Security Agency is getting watered down before it sees a vote.
FCC Fines Company $2.9 Million for Robocalls; FTC Settles with Two Companies
The Federal Communications Commission (FCC) has announced plans to fine Dialing Services, LLC, nearly $3 million for making illegal “robocalls” to cellphones, InsidePrivacy reports. The Telephone Consumer Protection Act prohibits robocalls to cellphones except for calls made for emergencies or with express prior consent of the recipient. This isn’t the first time Dialing Services has drawn the ire of the FCC. Meanwhile, the Federal Trade Commission has announced settlements with two companies, Gene Link and foru, that falsely represented their privacy and security practices.
FCC Fines Sprint a Record $7.5 Million for Do-Not-Call Violations
The Federal Communications Commission (FCC) has fined Sprint a record $7.5 million for failing to honor consumer requests not to receive telemarketing calls, PBS reports. Customers continued receiving telemarketing calls after opting out through a Sprint Do-Not-Call registry. Sprint said the issues stemmed from “technical and inadvertent human errors.” FCC Acting Enforcement Bureau Chief Travis LeBlanc said, “We expect companies to respect the privacy of consumers who have opted out of marketing calls,” adding, “When a consumer tells a company to stop calling or texting with promotional pitches, that request must be honored.” As part of the FCC action, Sprint will also have to set up a two-year compliance program to protect user privacy and report to regulators.
HHS Releases New Privacy Regs
The Department of Health and Human Services (HHS) has issued a final rule on Affordable Care Act health exchanges, including possible civil monetary fines for those that provide enrollment assistance and then improperly process or disclose personal health data, GovInfoSecurity reports. The changes are scheduled to go into effect on July 28. The new rule will give HHS the authority to impose civil fines “on navigators, non-navigator assistance personnel, certified applications counselors and certified application counselor organizations in the federally facilitated exchange who violate certain exchange standards applicable to them.” A Consumers Union representative said, “This is a good way of effectively protecting consumer information from possible negative behavior.”
Will FTC v. LabMD Outcome Provide Clarity on Safe Practices, Who Is Subject To FTC Rule?
GovInfoSecurity reports on the next battle between the Federal Trade Commission (FTC) and LabMD, which “could shed light on how the FTC evaluates data security when the agency pursues enforcement actions against companies for alleged unfair business practices,” the report states. An FTC administrative judge ruled earlier this month that the FTC must testify about the data security standards it used to bring enforcement action against the testing lab for alleged data security violations. Expert Adam Greene said the case will be important for the healthcare sector to watch for clarity on what the FTC considers “reasonable” data security practices. LabMD argues it’s subject to HIPAA, not FTC standards.
AG Issues Guidelines for CalOPPA
California AG Kamala Harris has issued guidelines to help businesses disclose, in clear language, all their privacy practices—including whether Do-Not-Track preferences are being honored—in accordance with the recent amendments to the law commonly called CalOPPA. “This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions,” Harris said. Special Assistant Attorney General Jeff Rabkin told The New York Times the AG’s office would review businesses’ privacy policies and work with them to ensure they are complying. Those that fail to comply will receive 30-day warnings prior to facing potential litigation. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, gathers analysis of the guidance’s impact and reception and what it suggests for the future of Do Not Track. Tanya Forsheit, CIPP/US, offers some key takeaways from the guidance in this InfoLawGroup post.
When FERPA Gets in the Way of Public Knowledge
News & Observer reports on the ways in which the Family Educational Rights and Privacy Act can hamper the release of important information to the public. A request for the public release of a University of North Carolina spreadsheet that lists the number of athletes enrolled in “fake classes” at the school was denied out of concern the athletes could be identified if the list was compared to public records on the school’s website. “That student privacy should be respected is not in dispute,” the report states, but “Congress should revise the law to specify what is protected and make explicit what is not.” Editor’s Note: The IAPP recently released “Close Up: Privacy in Education” in the Resource Center.
Gov’t Drone Use Means Questions for Congress, Courts
While government use of drones has been underway for years, the privacy laws governing those activities remain uncertain. The sophistication and capabilities of these aircraft (known as UAS), already being deployed in a wide variety of settings—from disaster relief to law enforcement—is certain to create an increased demand for their use by government agencies. Given the lack of direct legal precedent, it is certain that the U.S. Congress and Supreme Court will be challenged in the coming years to define the privacy boundaries governing the use of UAS technology. In the last of this three-part series for The Privacy Advisor, David Young, CIPP/US, reports. Editor's Note: See parts one and two of this series here.
CCLA To Challenge PIPEDA's Constitutionality
The Canadian Civil Liberties Association (CCLA) is calling for the Ontario Supreme Court to reject certain provisions of the Personal Information and Protection of Electronic Documents Act (PIPEDA), saying they are unconstitutional, reports The Chronicle Herald. CCLA says in its court application that the large-scale disclosure of customer data by telecoms “allows government agencies access to personal information in the custody of private corporations on a massive scale.” A CCLA press release states the organization would like to see the law changed “in a manner that is more protective of individual rights and freedoms.” The challenge comes as three bills are being considered by the Canadian legislature that, if passed, would expand data sharing with government agencies.
FATCA May Jeopardize Dual Citizens’ Privacy
IT World Canada reports on concerns Interim Privacy Commissioner Chantal Bernier has voiced indicating the sharing of tax information with the U.S. in accordance with the Foreign Account Tax Compliance Act could put the privacy of dual citizens in jeopardy. Speaking to a House of Commons committee studying the agreement between Ottawa and Washington, DC, Bernier cautioned the law could be abused, the report states. “The risk to privacy is mainly related to over-collection, over-reporting and security,” Bernier said.
Cavoukian: C-13 Contains "Overreaching Surveillance Powers"
Ontario Information and Privacy Commissioner Ann Cavoukian has written a “sharply worded” letter to Conservative MP Mike Wallace warning against “dressing up overreaching surveillance powers in the sheep-like clothing of sanctimony about the serious harms caused by child pornography and cyberbullying,” reports CBC. Cavoukian is pushing for the withdrawal of most of the bill, leaving only the provisions making it illegal to distribute intimate images without consent. Meanwhile, an op-ed in The Globe and Mail calls for “a blue-ribbon panel, or even a royal commission, to recommend a coherent set of policies” around electronic surveillance, pointing to Bill C-13 and comments from former head of communications Security Establishment Canada John Adams as evidence of the need.
Regulators, Google Adjust to a World Where We Can Be Forgotten
In an article for re/code, Future of Privacy Forum’s Jules Polonetsky, CIPP/US, and IAPP Vice President of Research and Education Omer Tene discuss last week’s decision by the European Court of Justice requiring Google to delete certain search results. The decision indicates that “even the highest of courts can lack a basic technical dexterity,” the authors write, noting, however, that “condemning the court’s decision should not invalidate the concerns it sought to address.” Meanwhile, Google has been in touch with EU data protection regulators since the court’s decision and says it will release an online tool to remove personal information, and the UK Information Commissioner’s Office has outlined how it will handle complaints on the way search engines address “right-to-be-forgotten” requests.
Safe Harbor-Compliant Companies Seeking Contracts Face an Uphill Battle in the EU
Despite the bad rep Safe Harbor has earned and the nail-biting that’s followed about its potential doom, the data transfer framework isn’t going anywhere—at least not for now. But its longevity isn’t because organizations and regulators in the EU are suddenly satisfied with the controversial self-certification program—quite the contrary. The two governments say they’re engaged in healthy talks about U.S. efforts to make ongoing improvements to the framework, but despite the reported solidarity, EU regulators’ and organizations’ mistrust of Safe Harbor-certified U.S. companies is making it difficult for U.S. companies to win contracts with companies across the pond—especially those with third-party vendor relationships. In this exclusive for The Privacy Advisor, experts discuss the latest in this ongoing saga.
Japan’s House Endorses Fingerprint-Sharing Agreement with U.S.
Kyodo News International reports Japan’s House of Representatives has endorsed an agreement with the U.S. to enable the two countries to share the fingerprint data of suspects of serious crimes. “The pact, which is set to clear the Diet during the ongoing session with approval from the House of Councillors, makes it possible for the two countries to mutually provide fingerprint information upon request more swiftly than under conventional procedures through the International Criminal Police Organisation,” the report states, noting the sharing of the data is expected to begin in the next few years.
Singapore PDPC Publishes Advisory Guidelines
The Hunton & Williams Privacy and Information Security Law Blog details two recent advisory guidelines published by Singapore’s Personal Data Protection Commission on the implementation of its Personal Data Protection Act (PDPA). The guidelines are aimed at the telecommunications sector and real estate agency sector. “The publication of these two advisory guidelines illustrates the overall structure under which Singapore will implement its PDPA,” the report states, noting, “The publication of these guidelines also illustrates the seriousness and focus with which Singapore and its commission are preparing for the effectiveness and implementation of the PDPA.”