California’s bill banning the sale of license-plate scanner data has failed, but the state has bigger fish to fry—the Senate recently passed a bill to legislate data brokers and the Assembly has passed a breach notification bill. Meanwhile, Tennessee is the latest state to pass a social media law and Oregon is debating mobile privacy legislation. In New Zealand, Privacy Commissioner John Edwards is pushing a new privacy act giving his office increased powers and, in Canada, government surveillance bills are drawing the ire of privacy commissioners and advocates nation-wide. Read all about it in this week’s Privacy Tracker weekly legislative roundup.
California On Its Way to Regulating Data Brokers?
The California Senate has passed SB 1348, a bill that would require online data brokers to provide consumers with a way to opt out and access data held about them, Lexology reports. Under the bill, brokers that sell data would be required to honor requests from consumers that information about them be removed within 10 days and could then not be reposted or sold to a third party. The bill also includes a private right of action. The action comes amid investigations, reports and discussions at the federal level surrounding similar legislation. SB 1348 has the backing of privacy groups but is expected to face challenges from industry groups.
California Bill Banning the Sale of License-Plate Data Fails
California Breach Notification Bill Passes Assembly
In a 43-24 vote, the California Assembly passed AB 1710, which would set requirements for breach notifications and ID theft mitigation. According to a press release from the bill’s authors, Assemblymembers Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont), it requires businesses to notify affected individuals by e-mail or snail mail, post notification to their websites and to statewide media and also provide at least two years of ID theft protection services. The bill was gutted of more stringent provisions due to warnings from industry groups against enshrining evolving technologies into law. “Recent breaches emphasized the need for stronger consumer protections and awareness. The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson.
Oregon Legislature Debates Privacy v. Public Safety
In front of an Oregon Senate panel last week, advocates weighed in on a slate of bills that would limit police access to digital data, reports NWPR. Portland criminal defense attorney Bronson James noted that current law was created prior to the digital age, adding that smartphones have “become the portal into where we contain our privacy.” But prosecutors warned against tying the hands of law enforcement. Both sides agree the bills need more work before going up for a possible vote next year.
Tennessee Gets Social Media Privacy Law
Tennessee Gov. Bill Haslam has signed into law the Employee Online Privacy Act of 2014, which bans employers from requiring current and potential employees to hand over login credentials to personal online accounts, ESR Check reports. Businesses found in violation of the act may face fines of up to $1,000 per violation and exceptions have been made in the bill for employer-supplied devices.
While U.S. Companies Suffer, Bi-partisan Push for ECPA Reform Grows
While U.S. businesses continue to suffer “real, tangible” harms following the Snowden revelations, bipartisan supporters are pushing for an update to the nearly 30-year-old Electronic Communications Privacy Act (ECPA) in the name of bolstering privacy protections, The New York Times reports. “It’s very easy for providers outside the country to say, ‘Hey, move your business offshore into an area that cares more about your privacy.’ They don’t have better laws necessarily. They have a better marketing department,” said the COO of a web-hosting company in Virginia. Sen. Mike Lee (R-UT) said it’s “frightening” we still have a law on the books that says the government can read your e-mail, and bi-partisan support is a no-brainer. (Registration may be required to access this story.)
Sens. Paul, Coons: Founding Fathers Would've Protected Smartphones
In a column for Politico, Sens. Rand Paul (R-KY) and Chris Coons (D-DE) write that privacy “is a core American value” and that two recent cases heard by the Supreme Court—Riley v. California and United States v. Wurie—give rise to “whether technological advancements have rendered one of our most treasured civil liberties obsolete.” The Fourth Amendment, they argue, “did not find its way into the Constitution by accident,” but, “Today, many Americans keep their entire lives on their phones … What protection does the Constitution offer them from suspicionless search by the government?” They add, “How the Supreme Court addresses this challenge will set an important precedent as technology continues to present capabilities and threats never specifically considered by our Founders.” Editor’s Note: For more on these cases, IAPP members can read Cellphone Privacy in the Supreme Court: What To Know in the Lead-Up to Oral Arguments in the IAPP’s Privacy Tracker.
Franken Reintroduces Tracking Bill; Sens. Question eBay on Breach
Sen. Al Franken (D-MN) will reintroduce legislation aimed at preventing organizations—both in the public and private sectors—from tracking individuals by their geolocation, Venture Beat reports. The Location Privacy Protection Act of 2014 aims to give consumers better control over their location-based data, particularly in the mobile sphere. The bill also would require companies to gain consent from consumers prior to collecting such data. Meanwhile, Sens. Joe Barton (R-TX) and Bobby Rush (D-IL) have sent a letter to eBay CEO John Donahoe with questions about the recent data breach affecting more than 100 million users. The senators asked whether eBay noticed a breach in location information and to explain if it intends to perform a data security assessment.
So CalOPPA Was Amended. Now What Do I Do?
The latest amendment to the California Online Privacy Protection Act (CalOPPA) became effective on January 1 of this year. The law now requires privacy policies to include certain Do Not Track (DNT) disclosures, which has led to confusion and uncertainty on how to comply. To provide guidance, California Attorney General Kamala Harris recently released a guide titled Making Your Privacy Practices Public. But what to make of it? The IAPP will host a web conference aimed at helping you understand the CalOPPA guidance on Tuesday, June 10 from 1 to 2:30 p.m. In an exclusive for The Privacy Advisor, Lei Shen, CIPP/US, unpacks the AG’s CalOPPA guide and offers tips on how to comply.
FTC Calls for Legislative Action to Regulate Data Brokerage
In a report roughly 18 months in the making, the FTC has released “Data Brokers: A Call for Transparency and Accountability,” which both defines the data broker industry and includes strenuous recommendations for legislative action. Through 130 pages of report, appendices and exhibits, the FTC commissioners have unanimously raised a series of concerns over data brokerage while offering a series of pointed fixes, including a call for mandatory notification by all companies when collected data could potentially be sold to a broker. This exclusive for The Privacy Advisor examines the report and gets initial comment from FTC Chairwoman Edith Ramirez and FTC Commissioner Julie Brill. “We want to lift the veil of secrecy that shrouds the data broker industry’s practices,” Ramirez said. Editor’s note: Speakers will expand on the data broker industry and the meaning of the FTC Data Broker report at the IAPP Privacy Academy, in San Jose, CA, Sept. 17-19.
Industry Reaction to FTC Report: Eh.
Whether talking to the Digital Marketing Association, Acxiom or the Consumer Data Industry Association, you won’t find much disagreement with the FTC’s data broker report, released yesterday. There is some general puzzlement, however: “One interesting thing about this report is that after thousands of pages of documentation submitted over the two years of thorough inquiry by the FTC, the report finds no actual harm to consumers, and only suggests potential misuses that do not occur,” said Peggy Hudson, DMA senior vice president of government affairs. The Privacy Advisor rounds up response and looks ahead to next steps.
Bills Have Privacy Commissioners, Advocates Worried
A Senate subcommittee is investigating online advertising, InsidePrivacy reports. The Senate Permanent Subcommittee on Investigations held a hearing last week entitled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy,” looking at advertisement-based malware that cybercriminals could use to target consumers. It was supplemented by a report by Sen. John McCain (R-AZ) and Subcommittee Chairman Carl Levin (D-MI). Meanwhile, privacy advocates are concerned that the bill aimed at reforming the surveillance practices of the National Security Agency is getting watered down before it sees a vote.
Senate Liberal Caucus Tackles Surveillance Oversight Bill
A meeting of the Senate Liberal caucus on Wednesday discussed a bill to create a parliamentary committee to oversee Canada’s surveillance regime, reports The Globe and Mail. Sen. Hugh Segal, the bill’s sponsor, called national security a struggle between a democracy’s freedoms and protecting the public, and the bill’s co-sponsor said he believes the intelligence community backs it. During the meeting, former head of the Communications Security Establishment Canada John Adams commented that Canadians post more online than people in any other country, adding, “We’re not very smart, so we’ve got a long ways to go.” Interim Privacy Commissioner Chantal Bernier noted, “we’re at a crossroads at this point where we use the Internet without having fully understood its powers and its risks.” Meanwhile, a group of academics and privacy advocates issued a seven-part statement calling for stricter privacy controls on agencies conducting surveillance.
CCLA Pushing for Rules on Police Database Disclosures
The Toronto Star conducted an investigation into what and how much information police have stored in data banks and how often that data is requested, finding that the Canadian Police Information Centre alone holds more than 10 million records and processes 200 million inquiries a year. The Canadian Civil Liberties Association (CCLA) is pushing for clearer rules around what police should be able to release from their data banks. According to the CCLA, “The current legal lacunae largely leave it to requesting organizations and local police services to decide what should be disclosed, to whom, and under what circumstances,” adding, “The widespread release of non-conviction records runs counter to the presumption of innocence; violates individuals’ privacy; and leads to discriminatory, stigmatizing exclusion from employment, education and community opportunities.”
Expert: IGA Good for Banks, but Needs Refinement
Roy Berg, director of U.S. Tax Law with Moodys Gartner Tax Law in Calgary, explains in this Calgary Herald report some of the intricacies of the Foreign Account Tax Compliance Act (FATCA) and the more recently signed intergovernmental agreement (IGA). “If Canada hadn’t entered into this intergovernmental agreement then the banks would have been subject to the full nasty force of FATCA. Instead, they’re in a better position having entered into this IGA,” said Berg. But the rules need refining. Berg would like to see certain Canadian trusts included in the definition of organizations subject to reporting under the IGA, noting, “This would eliminate the problem of every Canadian trust and every Canadian estate that have non-Canadian accounts being subject to additional withholding of distributions back to Canada.”
Data Privacy Pledges in Elections; One-Stop-Shop Still Debated
PCWorld reports on the recently held European Parliament elections and how dozens of candidates pledged to support data privacy initiatives and curb surveillance. “It’s great to see that so many candidates and citizens consider their digital civil rights worth defending and were ready to commit to the principles of the charter,” said digital rights group EDRi Director Joe McNamee. The New York Times reports on the continued debate in the EU about the proposed “one-stop-shop” regulatory efforts. The aim is to streamline data protection regulation for companies doing business in the EU, but some are concerned that companies will set up headquarters in the country with the most lenient regulations. “This issue has become more political than technical,” said a representative from Brussels digital rights group Access. “Who gets to decide these matters is very important.”
Germany May Set Up RTBF Arbitration Court; Ireland to Audit Apple, Adobe, Yahoo
The government of Germany may set up arbitration courts to advise on what data EU citizens can compel Google and other search engine businesses to take down, after the recent European Court of Justice ruling on the so-called “right to be forgotten.” The Interior Ministry in Berlin is seeking to create “dispute-settlement mechanisms” for takedown requests. The ministry is concerned that algorithms that automatically remove links after takedown requests could put public information at risk. The ministry wrote, “Politicians, prominent figures and other persons who are reported about in public would be able to hide or even delete reports they find unpleasant.” The New York Times reports on how Irish Data Protection Commissioner Billy Hawkes finds himself in the middle of the “one-stop-shop” debates currently underway in the EU. Additionally, Hawkes said his office plans to conduct audits of Apple, Adobe and Yahoo in the near future.
Edwards Pushes for Strengthening Privacy Act
New Zealand Privacy Commissioner John Edwards is pushing proposed changes to the 20-year-old Privacy Act, saying they would give New Zealanders more control over their information and give his office better tools to protect privacy in the digital age, reports ITNews. “These reforms will power up our privacy law to bring it more in line with world class standards of protection that New Zealanders are entitled to expect,” Edwards said. The new law would mean mandatory breach notification and a five-fold increase in fines, and would give the privacy commissioner the power to order businesses to fix practices and make binding decisions on complaints, among other changes.
Gov't To Develop New Systems for Int'l Biometric Data Sharing
Using funding from the Operation Sovereign Borders initiative, the new government plans to develop systems to share biometric data with other nations, reports ZDNet. Immigration Minister Scott Morrison told an audience at the Biometrics Institute conference that this kind of data sharing helps the government detect high-risk individuals before they enter the country. Currently, Australia has biometric data sharing agreements in place with New Zealand, Canada, the UK and the U.S. “This funding is directed towards the development of solutions that use secure Internet-based data exchange between partner countries, without reliance on data being stored on the Australian secure server,” Morrison said.