Disparate State Laws Mean Breach Response Confusion, Unprotected Consumers
Mondaq reports that while companies work to navigate disparate state breach laws, plaintiffs’ lawyers are on the hunt for the next “mega lawsuit, and data privacy looks very promising with its litigation trifecta: major consumer exposure, complex and increasingly antiquated state and federal data privacy laws, and ever larger and more frequent data breaches.” Standardizing and modernizing data breach laws is the first step to protecting consumers and organizations, according to the report, noting that “as companies constantly work to keep one step ahead of the bad guys, the goal should be to achieve real data security with legal clarity, rather than another big payday for the plaintiffs’ bar.”
VT Supreme Court Rules No Privacy on Workplace Computer
In a case that involved Rutland Police Department employees viewing and sending pornography on work computers while on duty, the Vermont Supreme Court ruled that the employees had no right to privacy. Additionally, because the computers were city property and the employees were on duty, there was no basis to redact personally identifying information from the records. The report from HR.BLR.com includes major takeaways from the decision, including that “personal information about public employees may be disclosed if the broad public interest served by the disclosure outweighs individual employees’ expectations of privacy.”
FTC v. Wyndham: Round One
Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security.
U.S. Accountability Office Calls for Baseline Privacy Legislation
The Government Accountability Office (GAO) has released a report calling for a comprehensive federal law governing the collection, use and sale of personal data by businesses, AdWeek reports. The report was requested by Sen. Jay Rockefeller (D-WV) earlier this year. The GAO analyzed current law, regulation and enforcement actions and met with representatives from government, advocacy groups, trade associations and data broker organizations, concluding, “Congress should consider strengthening the current consumer privacy framework to reflect the changes in technology and the marketplace, particularly in relation to consumer data use for marketing purposes.” The Direct Marketing Association (DMA) said, “While we do not share the GAO’s opinion … DMA was pleased to see that the report recognized the important economic benefits that derive from the responsible use of consumer data…”
Franken Wants Users Protected Against Facial Recognition ASAP
Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology, The Hill reports. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos.
Google To Pay $17M To Settle Cookies Case
Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” IDG News Service reports, following Google’s agreement last year to pay a $22.5 million civil penalty to the Federal Trade Commission. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
How To Handle California's New DNT Law
Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, CIPP/US, the legislation “may raise as many questions as it answers,” because, due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Discover practical options in this Privacy Tracker blog post. (IAPP member login required. Look for a companion piece, "Five Things You Should Know to Comply with California's DNT Law," in Tuesday's Privacy Advisor.)
What Does Unconstitutional Ruling Mean for Alberta Privacy Law?
In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown of nNovation analyzes what the decision means for the province in this Privacy Tracker exclusive. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. (IAPP member login required.)
Cyber-Bullying Bill Revives Bill C-30 Controversy
“A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers,” The Globe and Mail reports, highlighting how the proposed law, which was introduced Wednesday, is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, The Canadian Press reports Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.”
Supreme Court To Hear Gun Registry Appeal
The Supreme Court decided Thursday it will give Quebec’s government a final chance at making a case for preserving gun registry data, The Globe and Mail reports. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.”
Opinion: Saskatchewan Should Look to Neighbours
Attorney Greg Fingas writes for the Leader-Post about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it's possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours' choices rather than avoiding the question entirely.”
Safe Harbor's in Trouble—Unless You Ask the U.S.
The U.S. Department of Commerce says Safe Harbor is still viable, and the Federal Trade Commission (FTC) says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. In this exclusive for The Privacy Advisor, Angelique Carson, CIPP/US, talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. (Editor's Note: A panel including representatives from the Federal Trade Commission, Department of Commerce, European Commission and CNIL will speak about "Safe Harbour: Lessons Learned and Protocols" at the IAPP Data Protection Congress, Dec. 10-11, in Brussels.)
Reding: U.S. Must Allow Europeans To Sue Agencies That Violate Privacy
EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy, Bloomberg reports. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S.
Albrecht Weighs In Following Reding-Holder Chat
After EU Justice Minister Viviane Reding made positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philipp Albrecht told IDG News Service that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.”
Opinion: Data Community Must Influence Law
“It is essential … that the information security community not only make the effort to be aware and prepare but also recognise and exert influence over” the eventual EU data protection legislation, writes Yves Le Roux of (ISC)2 for Computerworld. Pointing to the lack of technical feasibility of the right to be forgotten, Le Roux writes that privacy pros and others need to speak up about such elements of the law that may not be practicable, noting that the IAPP Europe Data Protection Congress provides an opportunity to do just that. (Editor’s Note: The IAPP Data Protection Congress runs 10-12 Dec. in Brussels.)
Things Looking Up for U.S./EU Relations on Law-Enforcement Access?
The U.S. Attorney General and Acting Secretary of the Department of Homeland Security Rand Beers met yesterday with EU Justice Commissioner Viviane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time.” Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014.
German Court: Google Rules Violate User Rights
Final Set of APPs Released for Comment
The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles (APPs), reports Computerworld. APP 12 and 13 cover access to and correction of personal information and require organisations to give consumers access to the information organisations hold on them and to take reasonable steps to correct information as well as “contact other organisations that hold the same information about a person so that they can update these details,” the report states. The consultation period is open until 16 December.
Long-Delayed Malaysian Data Protection Law Now In Effect
Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. Hunton & Williams’ Privacy and Information Security Law Blog reports that the Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law include: An exemption for Malaysia’s federal and state governments, a category of personal data that is considered so sensitive that it requires explicit consent, cross-border transfer restrictions and criminal penalties of up to $156,000 and imprisonment of up to three years.