Privacy laws are being considered in nations across the globe, and this week’s Privacy Tracker legislative roundup has updates on many of them. Brazil’s Chamber of Deputies has passed the Internet bill of rights—without its controversial local data storage provision; India has exempted government intelligence agencies from its draft law; Australia’s Senate is looking at a mandatory breach notification bill, and in Ireland, a bill intending to give adopted children identity rights is raising questions over parental privacy rights. In the U.S., Sen. Al Franken (D-MN) has proposed an updated version of his location privacy bill, and states continue to discuss issues surrounding student privacy and breach notification, among others.
Mandatory Breach Notification Bill Proposed in Australian Senate
A bill filed in the Australian Senate would require organizations and government agencies to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of data breaches, reports Privacy & Security Law Report. The bill includes a risk-of-harm trigger and authorizes the OAIC to create regulations specifically for notification involving sensitive information.
Brazil’s Congress Passes Marco Civil
After dropping the controversial local data storage provision, the Brazilian Chamber of Deputies voted to approve a bill of rights for Internet users, reports infojustice.org. The current version of the bill, Marco Civil, emphasizes net neutrality, freedom of expression and user privacy. The bill now heads to the Senate for discussion and then back to the Chamber of Deputies before it can be sanctioned by President Dilma Rousseff.
Analysis of India’s Proposed Internet Privacy Bill
The Centre for Internet & Society offers an analysis of India’s draft privacy bill, noting “the government has substantially increased penalties for offences against penalty and has also clarified certain discrepancies and strengthened safeguards present in the earlier draft … but wants to severely restrict the scope of the bill.” According to a draft leaked to The Economic Times, there is now an exemption for government intelligence agencies. The report states that this exemption “would defeat the purpose of the bill” as it “was drafted in the hope of curbing the growing trend of unbridled surveillance and to ensure that there are legal mechanisms for safeguarding individual privacy.”
Minister: Irish Adoption-Tracing Bill Must Consider Mothers’ Privacy Rights
While the main outline of the Adoption (Information and Tracing) Bill is close to completion, The Irish Times reports Minister for Children Frances Fitzgerald, during Dáil question time, underscored that the bill must take into account the privacy rights of the birth mother. The bill aims to give adopted children the ability to discover information about their identities, and Independent TD Clare Daly said the starting point “has been to provide as much information as possible.” Fitzgerald, in responding to criticisms that she’s putting the mother’s right to privacy over the child’s right to identity, noted, “I will be bound and am bound … to provide for a balancing between the strong constitutional provision relating to privacy and the right to identity.”
Franken Introduces Mobile-Location Privacy Bill
U.S. Sen. Al Franken (D-MN) on Thursday reintroduced his Location Privacy Protection Act, which would require companies to get users' permission before collecting or sharing location information from mobile devices and car navigation systems, reports The Hill. The bill specifically targets so-called “stalking apps” and would put “an end to GPS stalking apps that allow abusers to secretly track their victims,” Franken said.
Cate: California Vehicle Data Bill Unworkable
SB 994, the Consumer Vehicle Information Choice and Control Act, aims to give car owners control over access to vehicle information, but Government Technology reports that Fred Cate of Indiana University's Maurer School of Law says it’s “completely unworkable in practice.” Cate says requiring car manufacturers to provide owners with “access from the motor vehicle to the vehicle information” is unrealistic. The bill, sponsored by Sen. Bill Monning (D-Carmel), aims to give owners control over personal data generated by onboard technology systems, according to the report, but Cate claims it will amount to “another set of privacy notices” that most people ignore, adding, “It’s a way to say, ‘Look, we did something to protect privacy,’ but it doesn’t necessarily do anything.”
Florida Senate Passes Student Privacy Bill
The Florida Senate has passed SB 188, which would prohibit schools from collecting political and religious beliefs and biometric information from students, reports CBS12. A similar bill is circulating in the House, and the state is also calling for a new student identification system that would phase out the use of Social Security numbers.
Kansas House Passes Student Privacy Bill
The Kansas House has passed a bill that would restrict access to student records and prohibit the state from collecting information relating to students’ and their families’ religious beliefs and sexual orientation, among others, reports Lawrence Journal-World. The bill is aimed at addressing concerns over the sharing of education data with the federal government, and, the Associated Press reports, it outlines specific parties that may access the data including local school districts, the state education department and public health agencies. SB 367 also includes a breach notification provision and a requirement that the state board submit a report on data collection and handling practices. The bill now heads back to the Senate, which approved an earlier version of the bill.
Louisiana Committee Backs Student Privacy Bill
Louisiana Rep. John Schroder has sponsored a student data privacy bill that has now received the backing of the House Education Committee, reports New Orleans City Business. The bill would set up a new student ID system, eliminating the use of Social Security numbers, and places restrictions on the sharing of student information. After working with the state education department on a revision due to concerns raised with the initial version, the committee unanimously backed the bill.
New Mexico Breach Notification Bill Heads to House
A bill calling for shorter notification deadlines on payment card-related breaches and the ability for cardholders to sue for recovery costs is heading to New Mexico’s House, reports The Huffington Post. HB 224 sets a 10-day limit for covered entities on notifying individuals of a breach of their unencrypted personal information and also includes requirements for data security and disposal and for passing these standards on to nonaffiliated third parties through contracts.
Oregon Bill Protecting Land Owners’ Privacy Heads to Governor
Both houses in Oregon have passed bill HB 4093, which would create “public record exemption for written agreements relating to conservation of greater sage grouse entered into voluntarily by owners or occupiers of land with soil and water conservation district.” Natural Resource Report states there are concerns among cattle ranchers and others that entering into Candidate Conservation Agreements with Assurances would make data submitted through the program public; by signing the bill into law, Gov. John Kitzhaber would protect landowners’ privacy.
Pennsylvania Senate Considering Bill To Expand Prescription Database
Pennsylvania Sen. Pat Vance (R-Cumberland) has introduced a bill to “create an expanded prescription drug monitoring program and increase access for pharmacists and healthcare practitioners who prescribe medication,” reports Watchdog.org. SB 1180 is seeing pushback from the American Civil Liberties Union of Pennsylvania mostly due to the removal of a provision requiring investigators to obtain a warrant before accessing most records. According to a co-sponsorship memo, Vance introduced the bill to stop people from inappropriately getting prescription drugs through multiple doctors.
Fandango, Credit Karma Settle with FTC for Deceptive Data Security
The Federal Trade Commission (FTC) has announced two mobile app makers have agreed to settle charges for allegedly deceiving customers by failing to securely transmit sensitive data. Fandango and Credit Karma, the FTC alleged, did not take reasonable steps to secure their apps, leaving credit card and credit report data as well as Social Security numbers at risk. The FTC has also charged the companies with disabling the Secure Sockets Layer (SSL) certificate validation process. FTC Chairwoman Edith Ramirez said the companies “have failed to properly implement SSL encryption,” and added, “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
Officials Vow To Strengthen Safe Harbor; The Road Ahead for EU DPR
In a joint statement, EU and U.S. officials announced a commitment to strengthening the Safe Harbor framework by this coming summer, Out-Law.com reports. The announcement also promised to hasten efforts toward an “agreement for data exchanges in the field of police and judicial cooperation in criminal matters, including terrorism,” among others. Meanwhile, Eduardo Ustaran, CIPP/E, reminds us that while much has been made of Parliament’s passing of EU data protection reforms, “we have yet to see where the other legislative body—the Council of the EU—stands on this debate,” and outlines the challenges ahead.
Will NSA Reform Hamper Privacy Lawsuits?
Plans by President Barack Obama and Congress to reform Section 215 of the Foreign Intelligence Surveillance Act may eliminate lawsuits that seek to find the program unconstitutional, according to U.S. News & World Report. One legal expert said, “If the change comes in the form of a formal statute, rather than simply an executive branch discretionary decision, and there is no issue of past damage … I would put my money on the judiciary’s finding the issue moot.” Rep. Justin Amash (R-MI) has expressed skepticism regarding legislative proposals set forth by the White House and the House Intelligence Committee. Meanwhile, The Hill reports that government requests for user data are on the rise. A number of tech companies released transparency reports covering the second half of 2013, including Twitter, Yahoo, Microsoft and Google.
FTC and Cali AG Say Facebook is Misinterpreting COPPA; LabMD Sues FTC
The Federal Trade Commission (FTC) and California Attorney General Kamala Harris say Facebook is misinterpreting how the Children’s Online Privacy Protection Act (COPPA) works, reports the Los Angeles Times. The FTC and the AG have both filed amicus briefs with the Ninth Circuit Court of Appeals challenging a 2012 Facebook settlement, arguing the settlement violates laws in seven states that require parental consent be obtained before a child’s image can be used in advertising. Facebook said the states can’t enforce their own laws on teen privacy because COPPA only protects kids 12 and under. Meanwhile, LabMD has filed a lawsuit against the FTC, challenging the agency’s enforcement action following two data breaches.
OSHA Proposes Expanded Data Access Rule
The Occupational Safety and Health Administration (OSHA) has proposed a rule that would increase the availability of data regarding workplace health and safety, reports EIN News. The rule would require businesses with more than 250 employees to electronically file all serious injuries that happen on their premises. Much of this data would be made public, such as incident dates and times, descriptions of the injuries or illnesses and where and how they occurred—as well as job titles of any employees involved—and employees and the government would have increased access as well. Ben Huggett, a shareholder with Littler Mendelson and an OSHA expert who prepared and submitted comments on the rulemaking, told the Daily Dashboard that “by publicly posting information on the Internet about the date of injury, injured body part, treatment and job title, the identity of particular employees could be easily determined in many industries, small or rural locations or where an unusual injury occurs.” He also notes that the proposed rulemaking does not adequately address this privacy invasion. OSHA says the changes are aimed at decreasing incidents, but opponents say this is a way to “name and shame” employers, and disputes over workplace accidents may well increase because of it.
Obama To Call for End of Bulk Phone Collection; House Bill Would Require Telco Data Storage
President Barack Obama is expected this week to call for an end to the National Security Agency’s (NSA) bulk collection of phone records through a legislative proposal, The New York Times reports. If approved by Congress, the bill would end the systematic bulk collection of Americans’ phone records and the storage of those records by the NSA. Instead, it would require telecommunications companies to store the data for up to 18 months, and the NSA could obtain specific phone records with judicial permission. Meanwhile, The Wall Street Journal reports House Intelligence Committee leaders plan to release a bill overhauling the phone records program. The NSA “vetted” the bill and was okay with it, the report states, noting one telco executive questions whether it goes far enough to protect privacy. (Registration may be required to access this story.)
Unpacking the Denial of Gmail Scanning Class-Action
Clayton Finds Police Program Contrary to FOIP
Alberta Privacy Commissioner Jill Clayton has found an Edmonton police program aimed at pushing those with outstanding warrants to turn themselves in “failed to make reasonable arrangements to protect personal information,” CBC News reports. Project Operation Warrant Execution featured a public campaign encouraging individuals to come forward “or risk having their names and faces advertised publicly,” the report states, noting “Names, photographs and other personal information of individuals appeared in newspapers and on the police website.” Clayton found the program contravened the Freedom of Information and Protection of Privacy Act (FOIP) because it “did not make reasonable security arrangements to protect personal information as required under FOIP,” the report states.
Bennett: Election Reform Bill Lacks Privacy Protection
CBC News reports on Bill C-23, citing comments from University of Victoria Prof. Colin Bennett suggesting the 242-page election reform bill “doesn't have any measures to fill gaping holes in privacy protection that experts have been warning about for years.” Bennett said the bill not only lacks protection for private information held by political parties, but it could also “make the situation worse,” the report states. Despite joining with the privacy commissioner and chief electoral officer in raising those concerns two years ago, Bennett said, “basically nothing's happened. And then this bill comes along, and still nothing's happened.” Editor’s Note: Author and University of Victoria Prof. Colin Bennett will offer one of the keynotes at the upcoming IAPP Canada Privacy Symposium.
Suit Filed; Ad Campaign Cleared
ICO: Ignorance Won't Prevent Enforcement
The Information Commissioner’s Office (ICO) reports a record number of complaints linked to accident claims during the last three months of 2013, and the office believes “solicitors may be unaware that they could be breaching the Data Protection Act by using leads generated through unlawful methods,” The Law Society Gazette reports. While opt-in rules apply generally, a consumer advocacy group has found more than eight in 10 people have received an unsolicited call in one month, and one in 10 received 50 or more. The ICO has said ignorance will not prevent enforcement actions.
Hustinx Says Banks Need To Respect the Law
Dutch banks ING and Rabobank are taking their legal responsibility to protect data too lightly, says European Data Protection Supervisor Peter Hustinx. The comments follow ING’s recent consideration of plans to sell customer data to companies for advertising purposes. The Dutch-based bank has since said it will not move forward with such plans. Hustinx says companies are only allowed to use customer data with clear permission and banks aren’t respecting that.
Australians Now Have Right to Anonymity
Australia’s new privacy laws give citizens “the right to remain anonymous or use a pseudonym” for interactions with government and healthcare entities and “organisations and companies that have a turnover of more than $3 million a year,” The Sydney Morning Herald reports. While there are caveats to that, the Australian Privacy Foundation’s Roger Clarke said that for the “vast majority” of circumstances, organisations’ default position should be to enable pseudonymity for those who request it. According to the law, individuals “must have the option of dealing anonymously or by pseudonym.” Clarke said, “The laws apply to anybody who isn't exempted under the law. There are arguments about enforceability internationally—but absolutely, it applies to everybody.”
India’s UID Faces Criminal Justice Challenge
“The UID (unique identification) authority's claim that biometric data collected by it for issuing 'Aadhar' cards was only for civilian purposes is set to be tested on the touchstone of our criminal justice system,” Gyanant Singh writes in a Daily Mail report about the UID receiving a court order to share its database to help solve a criminal case. The UID “stands burdened with the task of justifying its refusal to share the 'Aadhar' data for forensic purposes, particularly when our law orders the sharing of relevant material with probe agencies and does not consider the use of fingerprints, etc., even if taken forcefully, as self-incriminatory,” Singh writes.