In this week’s Privacy Tracker roundup, there are mixed messages coming out of the U.S. Congress. On the one hand, there is talk that ECPA reform is imminent, thanks to 218 cosponsors, which should be enough to pass the bill in the House. On the other hand, few believe that a federal data breach bill or a federal cybersecurity bill has any chance of moving forward, due to the “toxic atmosphere in Congress.” What about Sen. Feinstein’s new Cybersecurity Information Sharing Act? Globally, Mexico is poised to pass new rules for government access to data in a telecoms bill, and the decision of Canada’s Supreme Court on IP addresses as PII could have wide-ranging implications. Finally, pharmacies in Connecticut have a new rewards program bill to contend with.
Mexican Telecoms Bill To Be Taken Up in Special Session
Activist site Access Now reports that a telecoms regulation bill that has been hotly contested among Mexican Internet users is likely to be taken up in a special session of Congress in the next few weeks. The contentious portions of the bill would allow for greater law-enforcement access to data without judicial approval, allow for law enforcement to block phone and Internet access and would allow for so-called "fast lanes," whereby Internet Service Providers could provide more bandwidth to those companies who pay for it. According to the report, "President Enrique Peña Nieto and his party, the Institutional Revolutionary Party or PRI, was forced to publicly say they would modify the bill."
U.S. Reps. Introduce SSN Protection Bill
Reps. Dennis Ross (R-FL) and Kathy Castor (D-FL) have introduced the Safeguarding Social Security Numbers Act of 2013, a bill to protect Social Security numbers by limiting the number of visible digits, reports Sunshine State News. “Identity theft is a serious issue in our community … More needs to be done to protect our neighbors, and this is bipartisan legislation to implement an important safeguard and reduce identity theft-related scams,” said Castor.
Judge Certifies Class-Action Under New Canadian Privacy Tort
Justice Robert Smith recently certified a class-action lawsuit against the Bank of Nova Scotia under the new privacy tort of intrusion upon seclusion, saying “he couldn’t rule out the possibility the bank is vicariously liable for breach of privacy” after an employee stole client records, reports Law Times. The employee “was given complete power in relation to the victims’ (customers) confidential information because of his unsupervised access to their confidential information,” Smith said, which created the opportunity for him to “abuse his power.” Suzanne Chiodo, an associate at Rochon Genova LLP, says this is good news for privacy lawyers, adding it “combines the law that was laid down in Jones v. Tsige with the low bar for certification” in class-actions.
Feinstein Releases Draft Information Sharing Bill
Senate Intelligence Committee Chairman Dianne Feinstein (D-CA) has released a draft of the Cybersecurity Information Sharing Act, which she wrote with the Committee Vice Chairman Saxby Chambliss (R-GA), reports Sierra Sun Times. The bill creates incentives for private organizations to share cybersecurity threat information with the government and within public agencies. It would provide liability protection for the sharing of cyber information for cybersecurity reasons under the terms of the bill and would set out protections to stave off privacy intrusions, such as a requirement for companies to strip out personally identifying information before sharing data.
Federal Breach Law Not Likely, Especially with Cantor Defeat
Kentucky recently became the 47th state to enact a breach notification law. One of the bill’s sponsors pointed to its success as a way “to be in uniformity with other states, especially the big commerce states that you think of, like Texas, New York and California," adding, "That uniformity helps our business community here." However, Joseph Lazzarotti, head of Jackson Lewis’ privacy, social media and information management practice, notes, “The nuances of breach notification laws across the country ... further complicate responding to multi-state breaches." BankInfoSecurity reports that the “toxic atmosphere in Congress” means “a data breach notification measure and other cybersecurity reforms can't get passed,” noting that the defeat of House Majority Leader Eric Cantor in his state’s primary race “makes passing such a bill tougher.”
Sixth Circuit Clarifies “Development” in Dirty World Decision
The Sixth Circuit has overturned a lower court ruling that determined a website provider was liable under Section 230 of the Communications Decency Act for defaming comments made on the site, reports News Room Legal. The district court ruled against Dirty World Entertainment, saying, “a website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a ‘creator’ or ‘developer’ of that content and is not entitled to immunity.” The Sixth Circuit, however, interpreted the term “development” using the “material contribution test” and sided with the defendant, saying it “cannot be found to have materially contributed to the defamatory content of the statements … simply because those posts were selected for publication” or “through the decision not to remove the posts.”
Connecticut Gov. Signs Pharmacy Rewards Program Bill
Connecticut Governor Dannel Malloy has signed into law a bill requiring pharmacies to notify customers that take part in prescription drug rewards programs about which third parties will have access to their data and whether they will have access to protected health information. Hunton & Williams’ Privacy and Information Security Law Blog reports the law requires pharmacies to provide a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers enroll and information on how they may revoke their HIPAA authorization.
Kentucky State Rep. Pre-files Drone Privacy Bill
State Rep. Diane St. Onge (R-District 63) has reintroduced a bill requiring police to obtain a warrant before using drones to gather evidence, reports USA Today. St. Onge pre-filed the bill for the 2015 session and has received support from the American Civil Liberties Union and others. The bill allows for colleges and private businesses to use drones for research and business purposes and allows for emergency police use other than evidence-gathering.
The Supreme Court Decision on IP Addresses and Its Implications
Canada’s Supreme Court unanimously concluded individuals “may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol addresses.” The court determined Internet service providers’ (ISPs’) terms of service and the Personal Information Protection and Electronic Documents Act (PIPEDA) “did not affect the analysis in the way previous courts had suggested,” writes Timothy Banks of Dentons Canada in this Privacy Tracker post. “The court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.” This decision sets the stage for consideration of other data and has implications for any organization that receives police requests for information. (IAPP member login required.)
Protecting Student Privacy in the Age of Ed Tech
In this Privacy Tracker post, attorney Bradley Shear discusses the challenges of protecting student privacy in an environment where students regularly use online technology in the classroom. Pointing to the outdated nature of the Family Educational Rights and Privacy Act, Shear writes that an “update to the terms ‘education records’ and ‘personally identifiable information’ to account for the increased capturing of student data in a digital format is needed.” Some states have stepped in with possible solutions, but, according to Shear, “The bottom line is that students, parents, teachers, privacy professionals, lawmakers, state attorneys general, the FTC and the ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.” (IAPP member login required.)
Markey Wants Privacy Protected Before Commercial Drones Take Flight
Sen. Ed Markey (D-MA) proposed a funding bill amendment Thursday to prohibit the Federal Aviation Administration (FAA) from approving nonmilitary drone use unless steps are taken to protect personal privacy, The Hill reports. The amendment would require the FAA to add a data collection mechanism to its application process for commercial drone use that would specify the drone operator, the location where the drone would be flown and what type of data would be collected, along with what would happen to it afterwards, the report states. “We need to build in strong personal privacy protections and public transparency measures before commercial drones take off, which is exactly what my amendment will do," Markey said.
House Has Enough Votes for ECPA Reform
The Hill reports that the E-mail Privacy Act gained its 218th cosponsor late Tuesday, enough to give lawmakers hope the reform could move forward this year. “Having a majority of House members supporting our bill shows House leadership that the bill would pass … if it was put on the House floor,” said one of the bill’s authors, Rep. Kevin Yoder (R-KS). The proposed legislation would reform the Electronic Communications Privacy Act. There are signs, according to the report, that other lawmakers may have “some interest in attaching additional components,” including restrictions on law-enforcement access to cellphone location information. Though Yoder conceded that he’d be flexible with add-ons, he warned, “The more things you add … the more challenging it becomes.”
Changes to Incident Reporting; Potential New Legislation
The “Morning Cybersecurity” report from Politico had a number of items of interest yesterday. First, they report on an update from US-CERT that will change the system for reporting cybersecurity incidents on federal networks. It’s expected to go into effect by October 1. Further, Rep. Lee Terry (R-NE) is expected to circulate a federal data breach bill this week, which would go before the House Energy and Commerce Committee. He’s looking for Democratic cosponsors before bringing the bill forward. In other legislative news, the FY15 State and Foreign Operations Appropriations bill supports funding to continue for implementing the White House’s International Strategy for Cyberspace. Finally, there is a note on YouTube and its 38,000 instructional videos on obtaining stolen credit card numbers, discovered by the Digital Citizens Alliance.
Judge Rules LinkedIn Must Face Privacy Lawsuit
Professional services social network LinkedIn must face a privacy class-action lawsuit alleging the company violated its users’ privacy when it accessed their external e-mail accounts, downloaded their contacts’ e-mail addresses and solicited business from those contacts, Reuters reports. U.S. District Court Judge Lucy Koh said the practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network,” adding, “In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘we will not … e-mail anyone without your permission,’ LinkedIn may have actively led users astray.”
Tech Sector Approves of New Majority Leader
Newly appointed House Majority Leader Kevin McCarthy (R-CA) is receiving praise from much of the tech sector, The Hill reports. “Few members of Congress have as deep an understanding and appreciation for the economic impact and social change created by technology as Leader McCarthy,” said TechNet Chief Executive Linda Moore, who added, “he knows what public policies make the innovation economy thrive.” TechNet’s members include Apple, Google, Facebook and Microsoft.
State Working on Privacy Changes; New Social Network for Students, Teachers
The Louisiana Board of Elementary and Secondary Education (BESE) is expected to appropriate $1 million toward an effort to create a new identification system for public school students that doesn’t use Social Security numbers, Associated Press reports. A recently passed bill requires schools to use unique student IDs. The BESE president said, “This goes to the benefit of every single family and every single student of this state.” Meanwhile, Wired reports on Edmodo, a social network built specifically for primary and secondary students and teachers that offers new ways for teachers to assess students and trade tips. Cofounder Nic Borg said, “K-12 is an incredibly change-resistant system, and to be disruptive, you have to do it in the least disruptive way possible.”
Competitors Put Differences Aside To Fight Microsoft Case
Apple, Cisco and AT&T all filed amicus curiae briefs on Friday supporting Microsoft in its appeal of a federal court order to turn over a customer’s information stored in a data center in Ireland to U.S. law enforcement officials, GigaOM reports. Verizon filed an amicus brief last week. “The case highlights how the advent of cloud computing has technology companies overcoming their competitive differences in order to challenge troublesome data protection laws,” the report states. The companies say the court’s reasoning indicates, no matter where it is stored in the world, customer data isn’t safe from law enforcement’s grip.
Tech Giants Back Spokeo in Privacy Class-Action
A group of web companies have joined together to back Spokeo in fighting a class-action lawsuit alleging the company provided inaccurate data. Google, Yahoo, Facebook and eBay are pushing the Supreme Court to hear Spokeo’s appeal of a recent decision allowing a Virginia resident to sue the data broker for allegedly violating the Fair Credit Reporting Act, MediaPost News reports. In an amicus brief, the tech companies argue such “no-injury” lawsuits are producing an “increasingly negative impact” on their business. “If any of the millions of individuals who interact with (web companies) is willing ... to allege that a generalized practice or act violated a law providing a private cause of action and statutory damages, then she could launch a putative class action,” the companies write.
Despite Supreme Court Ruling, Senate Passes Bill S-4
While Privacy Commissioner Daniel Therrien has said Bill C-13 and S-4 should be reviewed in light of last week’s Supreme Court ruling that warrants are required to access telecom subscriber info, the Senate has passed Bill S-4, The Huffington Post Canada reports. In his blog, Michael Geist called the move a “head in the sand approach.” Meanwhile, Justice Minister Peter MacKay has said the Supreme Court’s ruling “actually confirms what the government has said all along: that Bill C-13's proposals regarding voluntary disclosure do not provide legal authority for access to information without a warrant.”
Bill Calls for CSEC Scrutiny
The Globe and Mail reports Liberal MP Joyce Murray tabled a private member’s bill on Thursday seeking “to impose greater judicial and parliamentary scrutiny on Communications Security Establishment Canada (CSEC).” CSEC currently “faces no such direct scrutiny,” the report states, noting, “This spy agency operates under secret orders from the Minister of National Defence and keeps its relationships with communications corporations murky,” while being allowed to gather Internet data “without going to court.” Critics are calling for changes, with University of Ottawa Law Prof. Craig Forcese suggesting, “The government has been operating on a theory that what they’re collecting is something magical that doesn’t attract a reasonable expectation of privacy.”
Cavoukian Calls for Document Destruction Penalties
Describing the alleged destruction of public records related to a scandal over a decision to cancel two gas plants as “offensive,” Ontario Information and Privacy Commissioner Ann Cavoukian is calling for “real penalties for bureaucrats or elected officials who deliberately destroy government records in violation of the Privacy Act,” The Canadian Press reports. “This is not how freedom works,” Cavoukian said during Tuesday’s release of her final annual report before the end of her third term as the province’s commissioner. She added, “I just think we have to drive that home so government doesn't think they can do whatever they want quietly behind closed doors.”
UK Gov't Says Warrantless Spying on Social Media Sites is Legal
The UK government’s most senior security official says mass surveillance of social media is permissible under the law because such sites are “external communications,” The Guardian reports. Christopher Farr, director general of the Office for Security and Counter-Terrorism, says the monitoring of such online communications—recently called out in a case brought by Privacy International, Liberty, Amnesty International and other civil rights groups—does not require law enforcement to obtain search warrants because the Regulation of Investigatory Powers Act only requires warrants for spying on internal communications between British residents.
Irish High Court Refers Facebook Case to ECJ
In a move that could have big implications for Facebook and the EU-U.S. Safe Harbor arrangement, Ireland’s High Court has referred questions raised in a case brought by Max Schrems to the European Court of Justice (ECJ), the Irish Times reports. A recent ECJ ruling made waves after it ruled Google must delete links in the so-called “right-to-be-forgotten” case. Schrems, who started Europe-v-Facebook, has alleged Facebook illegally transferred EU citizens’ personal data out of the EU to U.S. intelligence agencies and that Irish Data Protection Commissioner Billy Hawkes wrongly interpreted EU data transfer law. A legal representative for Hawkes said the controversy was a matter for the political level, the report states. Meanwhile, EU Justice Commissioner Viviane Reding said a lack of judicial redress for EU citizens in the U.S. could prevent the EU from backing the Safe Harbor agreement.
Right-To-Be-Forgotten Decision Has Nothing To Do With Right To Be Forgotten
In the weeks following the European Court of Justice (CJEU) decision on the so-called “right to be forgotten,” reactions have varied among stakeholders. And today, Google announced it will begin removing links to online content in Europe by the end of June, according to The New York Times. Now that enough time has passed since the decision, Profs. Vagelis Papakonstantinou and Paul de Hert have ruminated on its implications. In this post for Privacy Perspectives, Papakonstantinou and de Hert “calmly assess what the CJEU decision really is and is not about,” suggesting it “has nothing to do with a ‘right to be forgotten’” at all.
Hustinx Pushes for Privacy Framework in Letter to EC President
It is “vital for a strong and modernised data protection framework in the EU to be adopted as soon as possible and for privacy and data protection considerations to be mainstreamed into all new policies and legislation,” European Data Protection Supervisor Peter Hustinx wrote in a letter to European Council (EC) President Herman Van Rompuy. The letter comes in advance of the EC’s next meeting, during which it intends to agree on “strategic guidelines for the future development of justice and home affairs in the EU.” Hustinx notes his concern that communications from the council “barely acknowledge the role of data protection in ensuring the EU’s activities are appropriate and proportionate” and recommends the council use his office’s opinion on the future development of freedom, justice and security as guidance.
Is China’s Privacy Law Being Used To Quell Dissent?
Chinese officials arrested prominent human rights lawyer Pu Zhiqiang last week, according to a Reuters report, on “suspicion of the crimes of causing a disturbance and illegal access to the personal information of citizens.” The charges carry penalties of five and three years in prison, respectively. Pu was arrested at a private gathering commemorating the 25th anniversary of the Tiananmen Square protests, in which he took part. He has represented artist Ai Weiwei and other activists who have been a thorn in the side of the Chinese government. In a piece for The Washington Post, former NSA General Counsel Stewart Baker suggests the Chinese are using privacy law as a means to quell dissent. Further, “How is China’s privacy law different from the data protection laws that Europe has been urging the world to adopt?”
Australian Gov't: Breach Legislation Needs More Work
Although agreeing with the proposal in principle, the government will not support a bill to force companies to notify customers of data breaches because the legislation “needs more work,” IT News reports. In March, Sen. Lisa Singh reintroduced the lapsed Privacy Alerts Bill, which seeks to compel organisations that suffer data breaches involving such information as personal, credit or tax file number data to notify the privacy commissioner and individuals affected “as soon as possible,” the report states. Senators raised concerns about reintroducing a bill without updating the text from the prior bill. “Definitions are important. It's not something we should just be rushing through,” said Liberal Senator David Fawcett.
Australian and Irish Commissioners Agree to Cooperate
The Office of the Australian Information Commissioner (OAIC) and the Data Protection Commissioner of Ireland (DPCI) have signed a Memorandum of Understanding (MOU) to assist each other with investigations and collaborate on consumer and business education, new laws, government and self-regulatory enforcement, staffing and resource issues and information relating to investigations, PS News reports. “Each participant will designate a primary contact for the purposes of requests for assistance and other communications,” the MOU states. In the MOU, the OAIC and DPCI recognize the complexity of the global economy and the wide-ranging circulation of personal information across national borders, increasing the need for cross-border enforcement cooperation.
Chiang Supports Right To Be Forgotten in Hong Kong
Following the EU’s “right to be forgotten” ruling, South China Morning Post reports Hong Kong Privacy Commissioner Allan Chiang “will ask his regional counterparts to join him in pressing the Internet search giant to extend the same safeguards to the region.” Chiang said, “As a responsible enterprise, Google should also entertain removal requests from other parts of the world to meet their privacy expectations … We are not exercising a legal right but requesting a service that is available to EU citizens.” In a separate report, SCMP quotes a Hong Kong cryptography expert on the increased “interest in open-source cryptographic tools” since the Edward Snowden revelations. (Registration may be required to access this story.)
Commissioner: Policies Needed for Wearables at Work
With wearable devices sure to make it into the workplace, Privacy Commissioner Timothy Pilgrim is encouraging companies to develop policies addressing the use of such devices, The Sydney Morning Herald reports. For devices that collect personal information, Pilgrim said, “the policy could also outline how that information is used, disclosed and stored.” The report suggests organisations “develop their own enterprise-grade privacy policies to ensure employees are at ease working with and around wearable computers,” noting there has been a lack of discussion “on the impact wearables will have on employee privacy and how organisations can deal with this challenge.”
Business NZ Drops Breach Notification Objection
Lobbying group Business NZ has dropped its objection to Justice Minister Judith Collins’ call for organisations to inform the Office of the Privacy Commissioner in data loss incidents and to inform those affected in “serious” breach cases, Fairfax NZ News reports. BusinessNZ’s Phil O'Reilly said issues the group would have with a change in New Zealand law would be in such details as defining what constitutes a "serious" breach, the report states, noting “BusinessNZ would object if officials implemented the law change in an ‘impractical fashion,’ but O'Reilly did not believe that was likely.”