Lawmakers See Amazon Announcement as More Reason for Drone Regulation
The Verge reports the recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone's backyard, snooping around with a drone, checking out a person's patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week.
CA Court of Appeals Limits Claims, Damages Under CMIA
In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Medical Information Act, reports Law360. The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.” The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.”
FTC Settles with Flashlight App Developer
Potential Settlement Over Alleged Data-Mining Without Notice
A recent filing indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations.
OCR Not Fully Enforcing HIPAA; Revisions Called For
A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care.
State AGs: The Most Important Regulators in the U.S.?
The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead.
Where the FTC is Headed in 2014
On Capitol Hill Tuesday, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on its current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor, including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues. The first seminar, focusing on mobile device tracking, will be held in February.
Legal Reform Needed in U.S., Not Just Europe
“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror.
ALEC Publishes Model Bill for State Education CPOs
The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall.
Denham Calls for Amendment To Law; Ring Voices Concerns
Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act, Times Colonist reports. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts.
Draft EU Data Protection Package: A History and Look to the Finish Line
Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task, but the Snowden revelations certainly haven’t made things easier. Nóra Ní Loideain examines in this exclusive for The Privacy Advisor the underpinnings of what has led to the EU Data Protection Reform’s current state and looks at whether the Greek or Italian presidencies will be able to push through a package that has so far eluded Denmark, Cyprus, Ireland and now Lithuania. Will it be done before the parliamentary elections in May? It’s now looking increasingly unlikely.
Pan-Euro Law Likely Means ICO Restructuring
SC Magazine reports that pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February.
Dutch DPA Says Google Policy Violates Law
Member States Need More Time with Regulation Proposal
Bloomberg reports the EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht.
Report: Developing Countries Need Privacy Laws To Bridge the Gap
UN trade and development body Unctad has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. The Guardian reports that as of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy.
Australian Privacy Amendments Carry Big Penalties
In a feature for Mondaq, David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace goes on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments, and offers tips for compliance. The amendments will come into effect on 12 March.
ALRC Examines Right To Be Forgotten; Privacy Tort
The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right to erasure,” News.com.au reports, noting “privacy groups are demanding the right to censor other people's posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can't give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort.
New Zealand Official Welcomes Draft FATCA Legislation
Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliance Act (FATCA) regulations, Voxy reports, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states.
Commissioner Rules Fitness Center Collected Excessive Data
California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law, South China Morning Post reports. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” (Registration may be required to access this story.)