France is receiving criticism for a new law expanding government agencies’ access to Internet data; a European Court of Justice advocate has deemed the data retention directive in violation of citizens’ fundamental privacy rights, and in the U.S., a petition to update the Electronic Communications Privacy Act has received more than 100,000 signatures. This week, Privacy Tracker reports on these developments as well as new administrative measures for Chinese credit reference agencies, U.S. states’ challenges to NSA surveillance and new fining powers for the Dutch data protection authority.
ECJ Advocate: Retention Directive Breaches Charter of Fundamental Rights
European Court of Justice Advocate General Pedro Cruz Villalón has issued an opinion stating, “The directive constitutes a serious interference with the fundamental right of citizens to privacy,” reports EUObserver. Operators are required to retain e-mails and phone calls for up to two years under the directive. Villalón wants to see safeguards limiting access to that data, suggesting using courts or independent bodies to screen requests on a case-by-case basis. While the opinion isn’t binding, Infosecurity states, it “is almost certainly how the court will rule, and the directive will have to go.”
France Gets Criticism for New Surveillance Law
Last week, France passed a law expanding government surveillance activities and the country is getting heavily criticized by privacy advocates for the move. The new law “essentially means that the police, intelligence and anti-terrorist agencies can now spy on Internet users in real-time, across computers, tablets and smartphones,” SC Magazine reports. Previously, these entities needed approval from a National Commission for the Control of Security Intercepts judge before conducting these activities. One privacy expert voiced his disappointment with the CNIL, the French DPA, and noted that the new law “shows (that) the EU governments still have few qualms about mass surveillance of their own populations, even as they protest about NSA.”
Measures Clarify Rules for Chinese Credit Reference Agencies
The People’s Bank of China put out Administrative Measures for Credit Reference Agencies to supplement the Administrative Regulations on the Credit Information Collection Sector. Hunton & Williams’ Privacy and Information Security Law Blog reports that the measures provide more detail to the regulations, which “established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.” The measures require agencies that handle personal information to gain pre-approval for licensing before they incorporate the data and state that all credit reference agencies may experience “enhanced surveillance” in certain circumstances, including if the agency is involved in a data breach incident or has failed to comply with reporting obligations, among others. The measures take effect on December 20.
AZ State Sen. Wants To Ban NSA from the State
Sen. Kelli Ward (R-Lake Havasu City) says next month she will introduce legislation to prohibit state and local law enforcement from providing support to the National Security Agency (NSA) and state-owned utilities providers from providing services to NSA facilities, reports Computerworld. Ward aims to prevent warrantless surveillance of Arizona residents. Michael Maharrey, of the Tenth Amendment Center, the group that wrote the template for the bill, says Arizona is the first state to announce it will officially consider it. "That the federal government cannot force states to help implement or enforce any federal act or program is well-established in the law. It is known as the anti-commandeering doctrine," Maharrey said.
Candidate Wants Surveillance Protection in MT State Constitution
U.S. Senate candidate John Bohlinger (D-MT) has filed paperwork with the Montana Secretary of State that would expand the state constitution’s privacy protections to include digital data, reports KRTV News. Bohlinger is looking to get the language on November’s voter ballot, but it must first go through the legislative counsel, the Montana Attorney General’s Office and gain more than 40,000 signatures.
NY Sen. Proposes Changes in State’s Education Privacy Regime
New York State Sen. and State Senate Education Committee Chairman John Flanagan (R-East Northport) issued a report recommending stronger privacy protections for student data, among other initiatives. The report addresses concerns voiced during five Education Committee hearings, including third-party access to the personally identifying information of students, teachers and principals in the state’s Education Data Portal. One piece of legislation the report points to is a privacy bill “which would strengthen protections of personal information stored on the state-wide data portal, establish significant civil and criminal penalties for unauthorized disclosure of personal information and create independent oversight within SED on matters related to privacy,” Long Island Exchange reports.
Journalists, School Argue Over Whether Surveillance Video Is Protected Under FERPA
The Utah chapter of the Society of Professional Journalists (SPJ) has filed a brief stating that the Canyons School District has wrongfully cited the Family Education Rights and Privacy Act (FERPA) in denying access to school surveillance video footage, reports Student Press Law Center. While the school states the footage is protected because it is maintained by the school and identifies students, the SPJ says the video is not an education record and is therefore exempt from FERPA. The lawyer for the SPJ wrote in the brief that the footage “is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”
Petition Acquires Enough Signatures To Require White House Response
The Hill reports on a petition on the White House website calling for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an official response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power.
LinkedIn Seeks Class-Action Dismissal
SC Magazine reports LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users' accounts for promotional use.” In an argument filed December 6 in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site's terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.”
Social Media Guidance for Financial Institutions
After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions.
Groups Want Anonymized Phone Records Protected
In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act, PCWorld reports. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency.
GINA: Complying With this Camouflaged Privacy Law
The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon for the Privacy Tracker—and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization.
Court To Hear California DNA Law Arguments Today
The Associated Press reports a panel of 11 Ninth Circuit Court of Appeals judges were scheduled to hear arguments in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland's narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California's law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes.
Report: Ruling Suggests All Data Is Not Equal
In a complex ruling, the Supreme Court of Canada has found that data stored on a hard drive “is not equal to the same material stored in a filing cabinet,” SC Magazine reports. The case, which involved a man’s conviction for growing marijuana, is what the Canadian Bar Association's called “a marker (in the ground) for digital privacy law in Canada,” the report states, noting the man’s lawyer “succeeded in convincing the justices that computers are ‘stand-alone places’ that require specific search warrants.”
Bertrand Denies Support of Data-Sharing Bill
New Brunswick Privacy Commissioner Anne Bertrand has said she did not give the government input or support for a proposed government data sharing bill, CBC News reports. Earlier in the week, the education minister said Bertrand had supported Bill 23—a bill that would make it easier for government agencies to share personal information. In a letter to Speaker Dale Graham, Bertrand wrote, “With respect, I was surprised to hear the minister’s comments to this effect, as her comments do not accurately reflect the nature of the discussions that took place between our office and department officials on this matter.”
New Fining Powers Expected in 2015
Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public and the private sector for violations of the Dutch Personal Data Protection Act. In this exclusive for The Privacy Advisor, Jeroen Terstegge, CIPP/US, examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015.
DPAs Say They Aren't Ready for Reg
While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue, PCWorld reports. Irish Data Protection Commissioner Billy Hawkes says, under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules.
EU, U.S. Officials Indicate Potential Privacy Agreement at DPC
The keynote stage at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of the U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue.
One-Stop-Shop Principle Delays Progress on Reg
The proposed EU Data Protection Regulation suffered a setback last week when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year, EU Observer reports. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights.
Amendment To Change Australia’s Privacy Landscape
Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change, reports Australian Security Magazine. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have.