This week’s Privacy Tracker legislative roundup includes the IAPP’s coverage of the European Commission’s report critiquing the EU-U.S. Safe Harbor agreement and offering the U.S. 13 ways to save it, and insight from Eduardo Ustaran, CIPP/E, on the report. You’ll also find information on the United Nation’s approval of an unlawful surveillance resolution, why India may have to wait a little longer for a privacy law and South Africa’s new law. In the U.S., more regions are considering social media laws and DNA databases, and courts have decided cases relating to COPPA and consumer privacy.
South Africa: Zuma Signs Privacy Bill Into Law
South African President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law, reports Global Post. "The act will give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties," said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act.
India’s Privacy Bill To See Further Delay
Differences between the ministries of Home and Law and the Department of Personnel and Training mean the Right to Privacy Bill has little chance of being tabled in this winter’s session of Parliament, reports Indian Express. The bill was originally proposed in 2011 and aims to "safeguard security interests of all affected individuals whose personal data has or is likely to have been compromised by such a breach." Causing the divide is a provision stating the proposed law will supersede all provisions of the 58 existing laws that touch on privacy, Economic Times reports. An official at the Department of Personnel and Training told ET that the bill has been “stuck at the law ministry for several months now.”
NJ Social Media Privacy Law In Effect, NYC Debating Its Own
On the heels of New Jersey’s Social Media Privacy Law going into effect, the Staten Island City Council is looking at a bill that would provide similar protections for employees and potential employees, SI Live reports. Councilwoman Debi Rose (D-North Shore) one of the bill’s sponsors, said it "would eliminate the ability of an employer to demand or retaliate against failure to divulge a job applicant's or employee's private social media account information,” adding, “Privacy rights in this technological age must be protected. Information that is not available to the rest of the public cannot be demanded by an employer and should not hinder an individual's prospective or current employment."
Pennsylvania Senate Committee Amends Proposal for DNA Database
The Pennsylvania Senate in June passed a proposal allowing police to collect and retain DNA from anyone arrested for a felony or misdemeanor, expanding the current law which allows for DNA collection from those convicted of a “serious felony,” reports The Sentinel. However, the House Judiciary Committee amended the bill before approving it to address concerns that the bill was too broad. One amendment would stop police from entering DNA data into any state or national database until a suspect is “held for court at a preliminary hearing or waives his right to the hearing,” the report states. Another makes it easier for those determined innocent to have their DNA records expunged. One ACLU representative says the amendments don’t go far enough.
Site Settles After State Alleges COPPA Violation
New Jersey has reached a settlement with a California app developer who allegedly violated COPPA by collecting the personal information of customers, which included children, NorthJersey.com reports. Dokogeo has agreed to pay the state $25,000, but that payment will be suspended for 10 years and voided if the company complies with the settlement’s terms, which include Dokogeo’s disclosure of the type of information it collects on its apps and website and how it shares data with third parties. Meanwhile, attorneys at Reed Smith discuss the increasing attention state Attorneys General are paying to privacy lately.
Apple Wins iPhone Privacy Lawsuit Dismissal
Data Broker Settles With NJ Attorney General
A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data, InformationWeek reports. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police.
Commissioner Supports Call for CSC Audit
Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” Canada NewsWire reports, and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013.
Journalists Concerned About Bill C-461
Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada's public broadcaster, the CBC/Radio-Canada,” CNW reports. In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC's journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC's right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC's ‘independence.’”
Commission Gives U.S. 13 Ways To Save Safe Harbor
The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework , which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. In this exclusive for The Privacy Advisor, U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld told The Privacy Advisor that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor.
Safe Harbor Report Could Be the Start of Real Privacy Interoperability
According to Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes for Privacy Perspectives that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…”
Cookie Monsters of Silicon Valley Come to Brussels
In the world of online tracking, the cookie is king—but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. (Editor’s Note: The IAPP Data Protection Congress will explore these issues Dec. 10 through 12, in Brussels.)
UN Passes Internet Privacy Resolution
The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany, the Associated Press reports. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?”
Pilgrim Discusses New Powers
Privacy Commissioner Timothy Pilgrim has said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March,” IT News reports. Speaking at the iappANZ Privacy Unbound Summit this week, Pilgrim said, “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them." He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy.
Critics Say Hong Kong Data Protection Law Needs Update
Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use, South China Morning Post reports. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public.