In this week’s Privacy Tracker legislative roundup, read about the Italian data protection authority’s new provisions on consent and policies around online cookies, EU officials reviving a 2011 passenger name records bill and the Presidency of the Council of Ministers’ plans to tweak the “one-stop-shop” mechanism in the proposed data protection reform. Canada has a new privacy commissioner who has said he’d like to split the controversial Bill C-13, and the BC Supreme Court has authorized a lawsuit against Facebook claiming that its practice of publishing users’ “likes” of businesses on their friends’ pages violates the BC Privacy Act. And in the U.S., Sen. Dianne Feinstein (D-CA) and a group of big tech firms are voicing their objections to the House’s NSA reform bill.
Credit Providers Get New Regime Under New Australian Laws
Amendments to Australian privacy law have changed the default requirements for credit providers reporting to credit reporting bodies. This Mondaq report reviews which types of transactions fall under the new regime, as well as ways to meet the new requirements.
EU Bill Would Allow Police Access to Air Passenger Details
The European Commission has renewed its push for the 2011 EU passenger name records proposal after news that a suspect in last month’s shootings at the Jewish Museum in Brussels spent time fighting with a radical Islamist group in Syria, EUobserver reports. The bill is aimed at protecting EU citizens from terrorists entering the region by air, but it was rejected last year due to privacy concerns.
Feinstein Holds Hearing To Examine House NSA Bill
NPR reports that Sen. Dianne Feinstein (D-CA), a supporter of National Security Agency (NSA) surveillance programs, held a hearing last week to examine the possible outcomes of the House-passed NSA reform bill. NSA Deputy Director Richard Ledgett said the current rule requiring phone companies to retain billing records for 18 months is sufficient for the agency, but noted that he can’t say confidently that companies will retain call data for that period of time. “They’ll retain the records for as long as their business requirements dictate they retain their records,” he said. When asked about a minimum requirement for retaining calling records, Verizon Vice President Michael Woods said, “We would be very much opposed to it.”
Sen. Menendez Introduces Commercial Privacy Bill of Rights
Sen. Robert Menendez (D-NJ) has introduced the Commercial Privacy Bill of Rights Act of 2014, which would establish “a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission; to amend the Children's Online Privacy Protection Act of 1998 to improve provisions relating to collection, use and disclosure of personal information of children, and for other purposes.” The bill has been referred to the Committee on Commerce, Science and Transportation.
California ZIP Code Law Exempts Machine Collection
A provision in California’s law prohibiting retailers from collecting personally identifying information from credit card users exempts Redbox machines from the law, allowing them to collect ZIP codes from customers, reports SFGate. The law exempts sellers that require PII to be used in conjunction with a credit card to collect money “in the event of default, loss, damage or other similar occurrence.” Redbox charges $1 for a daylong rental and then adds charges for each additional day. Because of this structure, the Ninth U.S. Circuit Court of Appeals in San Francisco has ruled the company is using the credit card as a deposit to secure payment, making it exempt from the law.
Colorado Law Aims To Strengthen Patient Privacy
A new law in Colorado prohibits the Department of Revenue from “accessing or distributing an individual’s personal medical record without their permission and creates a ‘Government Access to Personal Medical Information’ task force,” reports Modern Healthcare. Gov. John Hickenlooper signed the bill on May 31, and it went into effect immediately. The panel will, over the summer, look into “why and to what extent state and local government departments or agencies have access to, and the ability to use or distribute, an individual’s personal medical information or medical record with and without the individual’s consent.” (Registration may be required to access this story.)
NY Magistrate Judge Allows “Tower Dump,” Asks for Privacy Protections
Magistrate Judge James Francis issued an order on the lawfulness of warrantless “tower dumps,” the government practice of collecting records of “every cell phone that is connected with one or more cell towers over a specified period of time,” the ACLU reports. The court asked the ACLU and the NYCLU to submit a brief in connection with one particular tower dump request. The ACLU argued the Stored Communications Act doesn’t permit such broad requests and that the practice also violates the Fourth Amendment. The court rejected this argument, reasoning that individuals give up the privacy of their cellphone location by signing up for the service, but asked the government to resubmit its request with “more specific justification for the time period for which the records will be gathered” and its protocol for handling “the private information of innocent third parties whose data is retrieved.”
Industry Group Backs Ohio Social Media Privacy Bill
The Financial Services Institute (FSI) has backed Ohio’s HB 424, which would ban employers and educational institutions from punishing individuals for “failing or refusing to grant access to, allow observation of, or provide access information to an individual’s personal Internet-based account,” reports Akron Legal News. FSI in particular pointed to a section of the bill that allows financial institutions to meet their compliance duties in candidate screening.
RTBF Decision "is censorious in the extreme"
Albert Gidari of Perkins Coie writes for Privacy Tracker that while many have focused on the implementation challenges of the European Court of Justice’s right to be forgotten decision, “The potential far-reaching implications of this case are that the logic of the opinion will apply more broadly to all advertising services offered by U.S.-based Internet services … It is censorious in the extreme, giving one local DPA global data control without regard to the law of the land where the search engine is incorporated or operates ... How far the DPA will reach in applying the local law remains to be seen,” but the jurisdictional decision has the potential to trigger an enduring and widespread impact. (IAPP member login required.)
Tech Giants Want Global Surveillance Reform
One year after the first Edward Snowden leak about NSA surveillance made its way into the public eye, nine of the world’s biggest technology companies have banded together to call on governments around the world to address surveillance. Additionally, they urge the U.S. Senate not to pass the NSA reform bill recently passed by the House of Representatives in its current form. In an open letter, the coalition also said it “believe(s) that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” Included in the letter are five principles: limiting government authority to access user data; increased oversight and accountability; transparency about government data requests; avoiding data localization laws; and avoiding conflicts among governments. Today, organizations and activists are observing “Reset the Net” to urge surveillance reform.
NTIA Looking for Public Input on Data Collection
The National Telecommunications and Information Administration (NTIA) is seeking public comment on whether the Obama Administration’s Consumer Privacy Bill of Rights should be “clarified or modified to accommodate the benefits of big data.” As MediaPost reports, last month’s big data reports flagged the possibility of discrimination and other concerns, and the NTIA would now like comments on whether “consumer privacy legislation (could) make a useful contribution to addressing this concern … Should big data analytics be accompanied by assessments of the potential discriminatory impacts on protected classes?”
ComScore Settles Privacy Class-Action for $14 Million
Analytics company comScore has agreed to pay panel members $14 million to settle privacy claims, MediaPost reports, and it will revise its disclosures to panelists and implement new procedures with its partners. U.S. District Court Judge James Holderman must still approve the settlement. Meanwhile, Michaels Stores Inc. is asking an Illinois federal judge to dismiss a class-action lawsuit brought by plaintiffs who claim harm from the company’s data breach. The company argues the plaintiffs lack standing in the case.
Brill To Push Back Against Use-Based Privacy Frameworks
The Federal Trade Commission’s (FTC) Julie Brill spoke in Brussels yesterday about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk, Politico reports. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator.
Has the Time Come for Statewide Chief Privacy Officers?
As chief privacy officers (CPOs) become increasingly common in the private sector, Government Technology looks at whether the time has come for CPOs to become just as common in government departments, maybe even in a statewide role. While tight budgets have hampered governments in terms of hiring CPOs, the IAPP currently has more than 1,500 certified members in the public sector, and that number is expected to grow. “The potential for it to catch on at the state level is certainly there,” said Sallie Milam, West Virginia’s first statewide CPO. Editor’s Note: Sheila Kaplan made the case for state education CPOs in this Privacy Tracker post.
House Committee Probing FTC Breach Enforcement
PCWorld reports that the U.S. House Oversight Committee is launching an investigation connected to the Federal Trade Commission’s (FTC) data security complaint against LabMD. A lawyer representing security vendor Tiversa told an FTC administrative law judge that the House panel is investigating Tiversa. According to the complaint brought against LabMD in 2013, the company exhibited poor data security practices when a spreadsheet containing sensitive personal data of more than 9,000 consumers became available on a peer-to-peer (P2P) file-sharing network in 2008, where Tiversa found it. LabMD, which has since gone out of business, has argued the FTC does not have the authority to bring such complaints against companies and that the agency has provided little guidance on what data security standards it expects.
Rep To Take Shortcut Around ECPA Update
It’s been more than a year since the E-mail Privacy Act was introduced in an effort to update the Electronic Communications Privacy Act, but one of the bill’s authors says he plans to take a shortcut and introduce a privacy amendment in upcoming House Appropriations legislation that would get the same job done, The Washington Post reports. Rep. Kevin Yoder (R-KS) says his amendment would ban federal agencies from using “any part of their budget for accessing e-mails using warrantless data requests,” the report states. Yoder said the Fourth Amendment “applies to digital communications, same as with paper communications.” (Registration may be required to access this story.)
Therrien Confirmed as Commissioner, Criticizes C-13 in Committee
Just days after NDP Leader Tom Mulcair hammered Prime Minister Stephen Harper over his nomination of Justice Department lawyer Daniel Therrien to take over as federal privacy commissioner, The Globe and Mail reports that the House of Commons voted 153 to 75 to approve Therrien. Meanwhile, CBC reports, Therrien voiced support to a Parliamentary committee for splitting Bill C-13, a plan advocated by the Canadian Bar Association and others. He also advocated for an independent review of the bill, saying, “I think Canadians want to know more about why police and security agencies require information.” He likely knows more than most Canadians, as he’s given legal advice on surveillance to security agencies in the past. Therrien’s first order of business is to testify before the committee considering Bill C-13 on June 10. Editor’s Note: The Privacy Advisor rounded up heated reaction to Therrien’s nomination last week.
BC Supreme Court Certifies Class-Action Against Facebook
The BC Supreme Court has authorized a lawsuit against Facebook claiming that its practice of publishing users’ “likes” of businesses on their friends’ pages violates the BC Privacy Act. CBC News reports that through Facebook’s “Sponsored Stories” program, companies can pay to use a person’s name and likeness as proof of an endorsement. Plaintiff lawyer Christopher Rhone says doing this without consent breaches the BC Privacy Act. In the court decision, BC Supreme Court Justice Susan Griffin said one key question is whether BC users of foreign social media sites have the protection of the BC Privacy Act, adding, “Given the almost infinite life and scope of internet images and corresponding scale of harm caused by privacy breaches, BC residents have a significant interest in maintaining some means of policing privacy violations by multi-national internet or social media service providers.”
OPC: S-4 Will Allow Data Sharing without Consent
While Bill S-4 is intended to overhaul online privacy rules, introduce new penalties for breaches and give new powers to the Office of the Privacy Commissioner (OPC), the OPC warns it also opens the door to the sharing of consumer data between private companies without consent, reports The Globe and Mail. Patricia Kosseim, OPC senior general counsel and director general, told a Senate committee on Wednesday that the bill’s data-sharing provision “could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office.” Industry Minister James Moore, who is leading government efforts to pass the bill, said, “These rules ensure that information is only released when there is a reason to believe the law has been broken.”
EU DPAs To Form Right-To-Be-Forgotten Taskforce
Bloomberg reports that a panel of watchdogs will be formed in the EU to examine “right-to-be-forgotten” takedown requests. A member of the Article 29 Working Party said the move was approved at a meeting in Brussels. The panel will reportedly analyze how regulators should respond to citizen complaints about Google’s handling of takedown requests.
EU Council Unlikely To Back One-Stop-Shop
EU ministers are not expected to reach agreement on the proposed “one-stop-shop” (OSS) component of the proposed General Data Protection Regulation (GDPR), EUobserver reports. On Tuesday, an EU official said, “The discussion hasn’t moved on to be honest since the last council,” and an EU presidency source said finalizing the OSS “is out of the question.” A “discussion text” meant to resolve the disagreement was circulated last week, but some member states, including Germany and the UK, have expressed concern that their nationals could be subject to unwanted data protection rules. European Data Protection Supervisor Peter Hustinx said, “I expect the council will mark that progress has been made, but will probably not give the OK to the final version,” adding, “with the one-stop-shop principle, it can only work if we think in terms of close collaborations.”
Council May Offer Tweak to Proposed "One-Stop-Shop" Mechanism
The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by giving local data protection authorities (DPAs) more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction, Out-Law reports. The presidency proposed not applying the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” In such a case, the local DPA would have the power to investigate and resolve the case on its own, regardless of where the data controller or processor is headquartered, the report states.
UK Man Wins Damages Under Spam Rules
Retailer John Lewis has been found to have acted unlawfully in sending unsolicited e-mails, in a privacy ruling “that could open the floodgates for harassed consumers,” Sky News reports. A producer for Sky News, Roddy Mansfield, brought the case, and a county court ruled against the company because it couldn’t prove Mansfield had agreed to receive the e-mails or was a customer. This is the third time Mansfield has won damages for receiving spam under the Privacy and Electronic Communications Regulations.
Garante Publishes New Cookie Rules
Room: Regulators Acting Like EC Proposal Is In Effect
While the proposed EU data protection reforms may be far from becoming law, “Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” Stewart Room, CIPP/E, told SC Congress attendees, noting that “with regulators and courts already acting according to the new thinking embodied in” the proposal, increased fines are the only big change that would come with its passage. Room also addressed the recent European Court of Justice ruling against Google, noting that it shows that “anyone with power over data will be treated as a data controller” and that EU authorities have no fear of taking on big tech firms, ComputerWeekly reports.
Malta’s Education Minister Suspends Student Data Request Pending Report
Education Minister Evarist Bartolo has suspended the implementation of a legal notice allowing him and “unspecified” authorities to request student information from school representatives, reports The Independent. Legal Notice 76 would require school representatives to hand over data relating to students’ abilities and identity card numbers or face criminal charges. Bartolo contacted the Data Protection Commissioner once the notice was passed, and the commissioner set up a working group to identify the privacy concerns and determine whether the notice breached the data protection law. The notice is suspended pending the working group’s report.
Swiss Gov't Surveillance Bill Sparks Protest
The Swiss government has proposed legislation that would increase its ability to access telecommunications and Internet data and strengthen mandatory data retention laws, reports Access Now. The proposal contains “provisions which greenlight government use of Trojan horse software and IMSI catchers” for criminal investigations and increases data retention requirements on telcos, telecom-enabled communications providers and non-commercial providers as well. The bill easily cleared the Council of States, the report states. Privacy rights activists have planned a protest against “BÜPF,” as the bill is called.
Turnbull Speaks About RTBF, Big Data and Government Responsibility
Australian Communications Minister Malcolm Turnbull gave a speech at the National Archives Conference that could easily have been titled “With Great Power Comes Great Responsibility.” Outlining the historical need to remember, Turnbull noted that in the digital world, and importantly the post-Snowden world, the right-to-be-forgotten debate “has become increasingly relevant.” The recent European Court of Justice decision raises a lot of questions, he said, one of them being, “Did the court go far enough—is it enough to say that you should be removed from the Google search results?” Turnbull also spoke to the economic opportunities of big data as well as its implications for government.
AG Welcomes New Privacy Act, Territory Privacy Principles
“The Information Privacy Act supports the development of clear, consistent and easy to understand information sharing practices within the ACT public service,” said ACT Attorney-General Simon Corbell in welcoming the passage of the act. The act sets out new Territory Privacy Principles, consistent with the recently passed Australian Privacy Principles, to guide ACT agencies’ data handling practices. “In a world where technological changes have led to a shift in community perceptions of privacy, people are more willing to share personal information but are also increasingly interested in how their information is handled and managed,” Corbell said.