Senators in Florida and Illinois are proposing bills to limit surveillance and police access to data; the Texas Court of Appeals has expanded cellphone privacy rights, and the Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices. Meanwhile, the U.S. government has entered an agreement with Japan allowing the countries to share fingerprints of suspected terrorists to be matched against each other’s databases, and the U.S. Department of Justice is asking the Foreign Intelligence Surveillance Court for longer retention periods for certain data. Read about these developments and more in this week’s Privacy Tracker legislative roundup.
Japan and U.S. To Share Fingerprint Data
Japan's Cabinet has approved a bill designed to implement the recently signed Agreement on Preventing and Combating Serious Crime with the U.S., reports Kyodo News International. If passed, the bill will speed up the sharing of fingerprint data on suspected terrorists and people engaged in serious crimes, which now must be routed through Interpol. Under the agreement, each country will be able to send a suspected criminal’s fingerprints to the other to see if there are matches in its database.
Colorado Bill Aims To Protect SSNs
Colorado’s HB 14-1141 is headed to the house after being passed by the State, Veterans and Military Affairs Committee. The bill, sponsored by Rep. Don Coram (R-District 58), would prohibit state and local government entities from requiring unpaid board members to disclose their Social Security numbers, reports The Watch.
Florida Sen. Proposes Limits on Prescription Drug Database Access
Florida Sen. Aaron Bean (R-Fernandina Beach) has proposed SB 862, which would require law enforcement to get a court order to access information in the state’s prescription drug database, reports The Daytona Beach News-Journal. Police say the database has helped curb prescription drug abuse, and a judge recently dismissed a case challenging investigators’ access to the data, but others in the state say citizens need more privacy protections. Bean says there needs to be a balance between privacy and law enforcement, adding, “The government already monitors our phone calls; they read our e-mail. Does the government have to be in our medicine cabinets, too? I don’t think they do.”
Illinois House Committee Endorses Student Privacy Bill
HB 4558, which would require that public preK-12 schools get written parental consent prior to sharing student data with outside individuals or entities, heads back to the house for consideration after gaining the support of the Elementary & Secondary Education Committee, reports The Herald-Review. The bill’s sponsor, Rep. Scott Drury (D-Highwood), points to education data nonprofit inBloom as an example of the need for the law. “Illinois is allowing your student’s data to go to a hub that’s called inBloom, along with two other states that are allowing it,” Drury said, adding, “From inBloom, third-party vendors can buy that data and target your kid by Social Security number or by name.” InBloom has released a statement saying it “will never sell student or customer data.”
Illinois Senate Considering Cellphone Tracking Limits
The Illinois Senate is now considering legislation to require authorities to obtain a search warrant prior to using cellphone geolocation technology to track individuals in most circumstances, reports The Chicago Sun-Times. Sen. Daniel Biss (D-Evanston) says his bill aims to protect privacy, noting, “If you envision a world where there’s no gates around what can be done with our information that comes from a cellphone … that’s a picture of a world that nobody wants to live in.” This is Biss’s second attempt, and with the new iteration, he has gained the support of Deputy Chief of Narcotics for the Cook County State’s Attorney Office Patrick Coughlin, who testified against his first bill. “Our biggest objection was that we needed to have probable cause for any location information, including historical information—where someone was a week ago,” which Coughlin said could hamper investigations.
New Mexico House Passes Breach Notification Bill
The New Mexico House has passed an amended version of HB 224, which would require companies to notify customers of a data breach within 45 days of discovery—as opposed to the 10 days originally proposed, reports Bloomberg BNA. The bill also includes requirements for notifying the state attorney general and consumer reporting agencies within 14 days and has a risk-of-harm threshold for notifications as well as payment card breach provisions.
Texas Court Expands Privacy Rights
American-Statesman reports the Texas Court of Criminal Appeals has expanded cellphone privacy rights in its ruling that police improperly searched a Huntsville student’s cellphone without a warrant. The phone was being held in a jail property room, and while prosecutors claimed officials have a right to search inmates’ items with probable cause, the court said in its decision, “A cellphone is unlike other containers as it can receive, store and transmit an almost unlimited amount of private information,” adding, “The potential for invasion of privacy, identity theft or, at a minimum, public embarrassment, is enormous.” The one dissenter in the nine-judge panel wrote in his opinion that the defendant failed to prove an expectation of privacy because he was not in possession of the phone and knew it was in the hands of the police. “The fact that cellphones potentially contain vast amounts of private data, by itself, does not automatically result in a finding of a reasonable expectation of privacy in every case,” he said.
Utah Considers Expanding DNA Collection Practices
The Utah Senate Judiciary, Law Enforcement and Criminal Justice Committee has approved a bill that would allow law enforcement to collect DNA samples from those convicted of felonies at the time of booking. Rep. Steve Eliason (R-Sandy), who proposed HB 212, says DNA testing helps “law enforcement know much sooner who they have in custody and how they should handle and treat them.” However, Deseret News reports, the Utah Association of Criminal Defense Lawyers says the bill violates the rights of innocent people.
DoJ Asks FISC for Increase in Retention Limits
The Department of Justice has asked the Foreign Intelligence Surveillance Court for permission to retain telephone metadata beyond the current five-year limit, citing civil suits regarding the data, IDG News Service reports. In a filing made public on Wednesday, the DoJ wrote, “A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.” The American Civil Liberties Union, Sen. Rand Paul (R-KY) and the First Unitarian Church of Los Angeles have filed civil suits challenging the phone metadata collection program.
AG Holder Calls for National Breach Law
Attorney General Eric Holder has called on Congress to enact federal data breach protection legislation, CNN reports. “A strong, national standard for quickly alerting consumers whose information may be compromised ... would empower the American people to protect themselves if they are at risk of identity theft,” he said. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.” In response to claims this would overwhelm law enforcement, Holder said legislation should have exceptions for small breaches. Meanwhile, Bloomberg is reporting the hackers who compromised Neiman Marcus are almost definitely separate from those who attacked Target, and the number of cards affected is fewer than initially reported: a maximum of 350,000.
Judges: Users Have Right to Text Message Privacy
The Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices, the Associated Press reports. In two 5-4 decisions, justices overturned drug convictions that hinged on law enforcement access to text messages without warrants. Justice Steven Gonzalez wrote in one of the cases, “Text messages can encompass the same intimate subjects as phone calls, sealed letters and other traditional forms of communication that have historically been strongly protected under Washington law.” The Electronic Frontier Foundation’s Hanni Fakhoury said, “People have a right to have those messages delivered without fear of government intrusion or interception, and if the government wants to intrude or intercept them, they have to get a warrant or wiretap to do so.”
HIPAA Changes Mean Tightening Vendor Relationships
With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. In particular, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear for performing appropriate due diligence. In this exclusive for The Privacy Advisor, David Holtzman, CIPP/G, and Erin McMillan drill down on how to comply with the changes. Editor’s Note: Holtzman will speak at next week’s IAPP Global Privacy Summit.
Court Grants Plaintiffs Anonymity in Medical Marihuana Case
The Federal Court of Canada has agreed that denying plaintiffs anonymity in a court proceeding “would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada's mailing that identified them” as taking part in the Medical Marihuana Access Program, Canada NewsWire reports. Health Canada had argued public opinion on marihuana use is now “more accepting,” the report states, but the court rejected that argument, stating, “Disclosing their identities discloses that a course of treatment has been prescribed for them by a medical doctor and that they suffer from serious health conditions and symptoms.”
Series Considers Why Police Are Not Subject to FOIP
The Regina Leader-Post examines why police are not subject to Saskatchewan’s information access and privacy laws, plans to review the act and what the process to change the law might involve. “Police chiefs in both Regina and Saskatoon have expressed concern that the Freedom of Information and Privacy (FOIP) Act would put police work and sensitive information at risk,” the report states, noting the province’s former privacy commissioner, Gary Dickson, disagrees. “Being subject to FOIP doesn't mean that a public body loses all control and all of the records can go out the door,” he said.
The CNIL Is Making Its Mark
With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. In this Privacy Tracker post, Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation.
Australian Privacy Principles Finalized, Effective March 12
The final iteration of the Australian Privacy Principles (APPs) has been issued by the Office of the Australian Information Commissioner following public consultation, Computerworld Australia reports. Public and private organizations must adhere to the APPs when they go into effect on March 12 along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. Pilgrim said, “Most of the requirements contained in the APPs are not new, and business and government should be ready to hit the ground running come March 12.”