While industry leaders at the World Economic Forum in Davos, Switzerland, called for new rules surrounding data protection, the U.S. Supreme Court announced it will hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. And, the U.S. Federal Trade Commission announced settlements with 12 companies over false claims of alignment with Safe Harbor rules. In this Privacy Tracker roundup, learn about these as well as bills being considered by U.S. state legislatures, how Obama’s NSA plans may affect EU law and more.
Judge: Plaintiffs Sufficiently Allege Legal Duty in Sony Case
While U.S. District Judge Anthony Battaglia shot down parts of the class-action suit against Sony over its 2011 hacking incident, he did allow certain claims through, including one related to Sony’s legal duty to provide reasonable security, reports databreaches.net. Battaglia wrote that “because plaintiffs allege that they provided their personal information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their personal information, including the utilization of industry-standard encryption, the court finds plaintiffs have sufficiently alleged a legal duty and a corresponding breach.”
Sens. Introduce Anti-Fraud Legislation
Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) have reintroduced legislation, now called the Data Security Act of 2014, that would require certain entities to “better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud,” Government Security News reports. The requirements would supersede current state breach laws and apply to “businesses that take credit or debit card information; data brokers that compile private information, and government agencies holding nonpublic personal information.”
NJ Governor “Pocket Vetoes” Drone Privacy Bill
Among the 44 bills Gov. Chris Christie (R-NJ) allowed to expire was a drone privacy bill that would’ve required police to get a warrant before using drones for surveillance, reports Philly.com. The bill passed the New Jersey Assembly with a vote of 74-1.
Wisconsin Assembly Passes Social Media Bill; Senate Passes Mental Health Bill
Senate Bill 223, making it illegal for employers, universities and landlords to require social media login information from workers, students, tenants or applicants, has passed the Wisconsin Assembly, reports WEAU. If the bill passes into law, violators could see fines of up to $1,000. One employment law expert says that if misconduct on social media is suspected, employers can ask for access to the site but not for login credentials. The bill now heads to the Senate for approval.
The Wisconsin Senate, meanwhile, has passed the Mental Health Care Coordination Bill, updating Wisconsin law to be more consistent with HIPAA, reports the National Law Review. Currently, state law requires a level of confidentiality for behavioral health treatment beyond that required in HIPAA. The current requirements have been criticized for hampering appropriate treatment by restricting the sharing of patient data with other treatment providers.
How Obama's NSA Plans May Affect EU Law
President Barack Obama’s plans for surveillance reform, as revealed in his speech last week, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.”
At World Economic Forum, Industry Leaders Call for New Privacy Rules
In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system,” CNET News reports. Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100-percent privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch's call this week for "a clear regulatory framework to keep intelligence services in check."
FTC Settles Safe Harbor Charges Against 12 Companies
The Federal Trade Commission (FTC) has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission's Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.”
SCOTUS To Hear Cellphone Privacy Cases
Politico reports that the Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court last Friday. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” Editor’s Note: Privacy Perspectives recently opined on an Associated Press report on the wariness expressed by Supreme Court justices about ruling on technology-related cases.
Is a Constitutional Amendment the Answer to Restricting Data Collection?
Last Sunday, privacy scholar and National Constitution Center President and Chief Executive Jeffrey Rosen opined that a constitutional amendment may be needed to “prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” But Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center, disagrees. In this Privacy Perspectives post, Thierer explains why there “are several problems with Rosen’s proposal—legal, economic and practical” and writes “that better alternatives exist to deal with the privacy concerns he identifies.”
Making a Privacy Law for the 21st Century
With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E. In this post for Privacy Perspectives, Lee reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.”
Regulation Won't Be Adopted Before May Elections
With several member states aiming to water it down, the revised data protection law will not be adopted before European Parliament elections in May, EUObserver reports. On Wednesday, EU Justice Commissioner Viviane Reding and the lead negotiators on the package agreed to set the deadline for before the end of the year. German Green MEP Jan Philipp Albrecht said the timetable established seeks a mandate for negotiations in June, adding, “If it will be possible to stick to this timetable, this would be good news and important.” The member states aiming to soften the regulation—UK, Denmark, Hungary and Slovenia—would prefer to see it turned into a directive instead.
Reding Calls for Billion-Dollar Fines
European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws, BBC News reports. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously. Out-Law.com, meanwhile, reports the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.”
Australian Breach of Privacy Case Dismissed
A police officer’s privacy complaint against the Queensland Police Service (QPS) has been dismissed, Brisbane Times reports. The officer “launched legal action against the Queensland Police Service claiming his privacy had been breached when details of a raid on his home appeared in the media,” the report states. The Queensland Civil and Administrative Tribunal dismissed the complaint after finding the officer “had not substantiated his claims against the QPS,” the report states.
Data Privacy Complaints at Record High in Hong Kong
South China Morning Post reports complaints and enquiries to the Office of the Privacy Commissioner for Personal Data (PCPD) peaked in 2013, “driven partly by new restrictions on companies’ use of their customers’ personal data for direct marketing.” The PCPD reported Thursday that more than 75 percent of the “complaints targeted private organisations, while more than half of the enquiries asked about the marketing restrictions.” The number of complaints received in 2013 was up 48 percent over 2012, the report states. (Editor’s Note: The IAPP Asia Privacy Forum comes to Hong Kong on 31 March.)