In this Privacy Tracker legislative roundup, read about privacy concerns related to Brazil’s proposed Internet privacy law and a law that Turkey’s president recently signed, and get some insight on complying with South Africa’s new law. In the U.S., states are moving along bills to prevent revenge porn in Illinois and protect readers’ privacy in New Jersey and student privacy in Wyoming and Kansas, among others. Also, the Massachusetts Supreme Court has determined that police need to get a warrant in order to collect cellphone location data over a period of time.
Amendments to Brazil’s Proposed Internet Privacy Law May Jeopardize Privacy
Activists have launched an online campaign aimed at removing one of the recent amendments to Brazil’s Internet bill of rights that is expected to be voted on by Congress at the end of the month. Global Voices reports that the amendments put net neutrality and user privacy in jeopardy, citing specifically Article 16, which requires service providers to retain personal data of consumers.
Turkish President Signs Internet Law
Turkish President Abdullah Gul has signed a law giving the government the power to monitor Internet activity and block content it deems illegal or to be "violating privacy" of a person, The Wall Street Journal reports. The law also requires Internet providers to retain records on users for two years. While the prime minister argues the change will protect privacy and further democracy, critics say it is an attempt to squash freedom of speech in advance of the upcoming elections. (Registration may be required to access this story.)
Complying with South Africa’s New Privacy Laws
ITWeb explores South Africa’s Protection of Personal Information Act (POPI), which was signed into law last November but has yet to come into practice. "Once a commencement date is announced, companies will only have one year to get their houses in order," according to Accenture’s security practice lead. The law has brought the country in line with international data privacy laws and is based on the EU directive.
Franken To Reintroduce Geolocation Privacy Bill
U.S. Sen. Al Franken (D-MN) has announced plans to reintroduce the Location Privacy Protection Act, which would require express consent in order for nongovernment entities to obtain geolocation information from an electronic communication device, among other provisions. Inside Privacy reports that the bill would apply to a range of businesses that interact with customers’ geolocation data and would allow enforcement by the federal attorney general, state attorneys general and private citizens.
Illinois Senate Committee Passes Revenge Porn Bill
An Illinois Senate committee has unanimously passed a bill that would make it a felony to post sexual material of others on the Internet without consent and to use that material for blackmail purposes, reports the Associated Press. The American Civil Liberties Union of Illinois is concerned the measure is too broad and may restrict free speech.
Indiana Senate Committee Passes Digital Privacy Bill
An Indiana Senate Committee has unanimously passed HB 1009, which would limit law enforcement’s use of drones, GPS tracking and cellphone searches as well as set new rules for citizens’ use of surveillance technologies, reports The Statehouse File.
Kansas Student Privacy Bill Gains School Board Assoc. Support
The Topeka Capital-Journal reports that the Kansas Association of School Boards has put its support behind a bill that would restrict the sharing of student data and collection of biometrics, codifying the Department of Education’s practices. SB 367 would prevent data sharing with other state agencies in the absence of data-sharing agreements, which causes concern for the state’s epidemiologist, who says it could have unintended consequences for public health.
Massachusetts Supreme Court Rules Warrant Needed for Cell Location Data
The Massachusetts Supreme Judicial Court has ruled that police must obtain a warrant prior to collecting cellphone location data. The court ruled 5-2 against prosecutors, deciding that obtaining cell-site location information over a two-week period “without a warrant based on probable cause was an invasion of privacy and a violation of the state Declaration of Rights,” reports the Associated Press. The decision “says that people can have a constitutionally protected privacy interest in information about them even if that information is in the hands of a third-party service provider like their cellphone company,” said Matthew Segal, legal director for the American Civil Liberties Union of Massachusetts.
New Jersey Assembly Committee Passes Reader Privacy Act
The New Jersey Assembly Consumer Affairs Committee has unanimously recommended passage of the Reader Privacy Act, reports The New Jersey Law Journal. The law would require police to obtain a judge's approval before collecting information about a person's book and e-book purchase history and prevent sellers from sharing the information with third parties. If passed, the state would become the third in the nation to have such a law.
Rhode Island Considers Social Media Privacy Bill
The Rhode Island Legislature is considering a bill that would prohibit employers and schools from penalizing employees or students for refusing to hand over social media information or compelling them to do so, reports The Brown Daily Herald. Senate Majority Leader Dominick Ruggerio (D-Providence and North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton and Westerly) proposed the legislation, with Ruggerio noting, “The term ‘social media’ does not mean everything associated with a person’s online presence is automatically public, and it is not a license for an employer or school to pry into private material,” according to a press release.
Wisconsin Senate Passes Drone Bill
The Wisconsin Senate passed a bill that would limit police and others’ use of drones, including barring drones with cameras and weapons, reports the Milwaukee-Wisconsin Journal Sentinel. Under the bill, police would need a warrant to use data collected by drones unless in public, and the bill would ban private individuals from using drones to record others where they would have a reasonable expectation of privacy. While civil rights advocates say drones pose a threat to privacy, drone industry groups are concerned that drone privacy bills will hamper the benefits of drones.
Wyoming Student Privacy Bill Heads to House Floor
The Wyoming House Judiciary Committee passed a bill requiring parental consent before collecting children’s personal and education data, but first it amended the bill to state that only data collected by the state Department of Education would require the consent, reports the Associated Press. HB 179 passed with a 7-2 vote. Rep. Lynn Hutchings (R-Cheyenne) said the bill would allow parents “to be able to see exactly what's going on, what the education system is asking for and truly get involved by saying each year, 'Yes, I agree that you can collect this data or not.'” The bill will now go to debate on the House floor.
Cline: U.S. Leads World in Privacy Violation Fines
Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”
AGs Want State Breach Laws Kept on Books
Given that there is no federal law regulating data breaches, most states have created their own rules on data breach disclosures. And state attorneys general (AGs) are interested in keeping it that way, Politico reports. While a federal baseline law would be welcome, the report notes that state AGs want to keep their laws in place. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” Editor's Note: Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US, recently examined the privacy protection efforts of AGs in the Privacy Perspectives post, “Think the FTC Is the De Facto U.S. Data Protection Authority? State AGs May Have Something To Say.”
Indian Gov't Plans To Create DPA, Give Citizens Privacy Rights
The government plans to grant all residents a right to privacy and establish a data protection authority (DPA) to rule on issues involving privacy and impose penalties for violations, The Economic Times reports. Under the draft “Right to Privacy” bill, the DPA will investigate data breaches and issue orders to protect those affected. The draft bill also prohibits “covert surveillance of individuals which leads to breach of their privacy, unless authorized by law.” Exemptions to the bill have been proposed for national safety or security and maintenance of public order.
Bill Would Restrict Use, Collection of Student Data
California Sen. Darrell Steinberg (D-Sacramento) will today introduce a bill aimed at protecting student data, The New York Times reports. “The bill would prohibit education-related websites, online services and mobile apps for K-12 graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance,” the report states. A growing chorus of lawmakers believes laws on student data have been unable to keep pace with technological innovations. Steinberg said he doesn’t want to limit legitimate use of student data but believes the data should be used for “educational benefit and nothing else.” (Registration may be required to access this story.)
Court: Facebook Must Comply with Data Protection Law
Experts Examine Next Step for Alberta's PIPA
In a Mondaq report, James Bond, Robert W. Pakrul and Eileen Vanderburgh look back at the November decision by the Supreme Court that Alberta's Personal Information Protection Act (PIPA) is unconstitutional and consider what will come next. “Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA's structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent,” they write. Alberta Information and Privacy Commissioner Jill Clayton’s recommendation is “that the most appropriate scope of change is the narrowest one,” they write, citing her desire for a change that “would preserve the delicate balance between freedom of expression rights, and legitimate privacy expectations of individuals, which PIPA is designed to protect.”
Court Generates List of Factors for Metadata Cases
Mondaq reports on a recent Nova Scotia Court of Appeal case on “questions of relevance, proportionality and privacy in the context of whether or not to order the production of electronic information.” Laushway v. Messervey resulted in a court order requiring a plaintiff to produce a hard drive containing metadata for forensic review, and the court has created “a list of factors for judges to consider when deciding whether to grant a production order in similar circumstances,” the report states. Among the factors the court recommends in its list are privacy, balancing, objectivity, discoverability and reliability.
On Leveraging Big Data While Complying with Law
The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. In this post for Privacy Perspectives, Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.”
German Court: Facebook Must Comply with Data Protection Law
Dutch Law Enforcement Calls for Improvements
Dutch law enforcement officials want improvements in how communications data is collected and stored, Telecompaper reports, citing a justice ministry evaluation of The Netherlands’ data retention law. “Law enforcement officials that participated in the evaluation called for an expansion of the retention period for the data to a full 12 months, as well as an end to distinctions between telephony and Internet data,” the report states, noting, “For mobile calls, they also want not only the time when the call started recorded but also the time it ended.”
Swedish Telecom Privacy Rules Go Into Effect in September
PTS, Sweden’s postal and telecoms regulator, is establishing requirements for telecoms operators to protect their customers' personal information and communications, Telecompaper reports. “Among other things, the new regulations deal with the question of who is allowed to access and handle customer information. PTS said only people with the correct training and who need the information in order to carry out their work will be able to access sensitive details about customers and their communications,” the report states. The regulations are scheduled to go into effect on 1 September.
Hong Kong PCPD Releases Guidance on Privacy-Management Programs
The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The Privacy Advisor takes a closer look at the guide, aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, "Legal rights do not save you from dissatisfied customers," explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31.
South Korea’s FSS Announcing New Measures
South Korea’s Financial Supervisory Service (FSS) is preparing to announce measures to “better protect personal information (PI) handled by financial firms following a recent massive data leak,” Yonhap News Agency reports. The measures include limiting financial firms from requesting "too much" PI. “The newly crafted measures may go into effect starting in April after preparation works,” said an FSS official. The breach that prompted the measures involved PI on “half of the country's 50-million population” from three credit card firms (KB Kookmin, NH Nonghyup and Lotte) and Kookmin Bank.