The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Canada’s Anti-Spam Law (CASL) – New Guidance on Providing Apps and Software

Canada’s Anti-Spam Law (CASL) targets more than just email and text messages 

In our previous post, we explained that on July 1, 2014, Canada’s Anti-Spam Law (CASL) had entered into force with respect to email, text and other “commercial electronic messages”.

CASL also targets “malware”.  It prohibits installing a “computer program” – including an app, widget, software, or other executable data – on a computer system (e.g. computer, device) unless the program is installed with consent and complies with disclosure requirements.  The provisions in CASL related to the installation of computer programs will come into force on January 15, 2015.

Application outside Canada

Like CASL’s email and text message provisions, the Act’s ”computer program” installation provisions apply to persons outside Canada.  A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada).  We wrote about CASL’s application outside of Canada here.

Penalties

The maximum penalty under CASL is $10 million for a violation of the Act by a corporation.  In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation.  Moreover, a private right of action is available to individuals as of July 1, 2017.

CASL’s broad scope leads to fundamental questions – how does it apply?

The broad legal terms “computer program”, “computer system” “install or cause to be installed” have raised many fundamental questions with industry stakeholders.  The CRTC – the Canadian authority charged with administering this new regime – seems to have gotten the message.  The first part of the CRTC’s response to FAQ #1 in its interpretation document CASL Requirements for Installing Computer Programs is “First off, don’t panic”.

New CRTC Guidance 

The CRTC has clarified some, but not all of the questions that industry stakeholders have raised.  CRTC Guidance does clarify the following.

  • Self-installed software is not covered under CASL.  CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  • CASL does not apply to “offline installations“, for example, where a person installs a CD or DVD that is purchased at a store.
  • Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer.
  • An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  • Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018 – unless the person opts out of future updates or upgrades.

Who is liable?

CRTC staff have clarified that as between the software developer and the software vendor (the “platform”), both may be liable under CASL.  To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • was their action a necessary cause leading to the installation?
  • was their action reasonably proximate to the installation?
  • was their action sufficiently important toward the end result of causing the installation of the computer program?

CRTC and Industry Canada staff have indicated that they will be publishing additional FAQs, in response to ongoing industry stakeholder questions.

See:  Step-by-Step: How CASL applies to software, apps and other “computer programs”

See also:  fightspam.gc.ca  and consider signing up for information updates through the site.


Leave a comment

Canada’s Anti-Spam Law (CASL) in force July 1

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1.  It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada“. 

Are you outside Canada?  It’s important to know that this law reaches beyond Canada’s borders.  CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada. 

As we have described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada.  That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions.  The MOU among the Canadian CASL enforcement agencies similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies. 

In a speech on June 26, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders“.  The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list.  The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well. 

The CRTC recently published a Compliance and Enforcement Bulletin on its Unsolicited Telecommunications Rules and on CASL, available here.  The CRTC recommends implementing a corporate compliance program as part of a due diligence defence: 

Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a  complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took  reasonable steps to avoid contravening the law.


Leave a comment

Washington State May Soon Regulate Personal Information Collection by Drones

Two Washington State bills are addressing the issue of government surveillance using drones, and the potential negative impact this could have on privacy.

The first bill, HB 1771, is a bi-partisan bill sponsored by Rep. David Taylor, R-Moxee, which was   introduced last year. It calls drones a “public unmanned aircraft system.”

HB 2789, is also sponsored by Rep. David Taylor. It calls drones “extraordinary sensing devices” and its Section 3(1) would have government use of drones “conducted in a transparent manner that is open to public scrutiny.”

Calling drones “devices” instead of “aircraft” has significance for a State famous for its aeronautic industry.  Indeed, while HB 1771 passed the House last week, HB 2789 stills lingers in Committee.

A Very Broad Definition of Personal Information

HB 2789 and HB 1771 both define what is “personal information” quite broadly, as it would not only encompass a social security or an I.D. number, but also “medical history, ancestry, religion, political ideology, or criminal or employment record.

Interestingly, it would also encompass information that can be “a basis for inferring personal characteristics” such as “the record of the person’s presence, registration, or membership in an organization or activity, or admission to an institution” or even, “things done by or to such person,” a definition that is so broad that it may encompass just about anything that ever happens to an individual. This definition recognizes that drone surveillance allows for a 24/7 surveillance society.

Personal information also means IP and trade secret information.

Illegal Collection of Data by Drones Must be “Minimized”

Under section 4 of HB 2789, disclosure of personal information acquired by a drone must be conducted in a way that minimizes unauthorized collection and disclosure of personal information. It reprises the words of Section 5 of HB 1771, only replacing ‘public unmanned aircraft by ‘extraordinary sensing device.’

I am not sure that I interpreted section 4 correctly, so here is the full text:

All operations of an extraordinary sensing device or disclosure of personal information about any person acquired through the operation of an extraordinary sensing device must be conducted in such a way as to minimize the collection and disclosure of personal information not authorized under this chapter.

So the standard it not complete avoidance of unauthorized collection of personal information, but instead minimization of illegal collection. The wording may reflect the understanding of the legislature that, because of the amazing volume of data that may potentially be collected by drones, including “things done by or to such person,” it would be unrealistic to set a standard of complete avoidance of data collection.

Maybe this ”minimizing” standard set by HB 1771 and HB 2789 is a glimpse of the standards for future data protection law…

Warrant Needed to Collect Personal Information by Drones

Under Section 5 of HB 2789, a drone could to collect personal information pursuant to a search warrant, which could not exceed a period of ten days.

The standard to obtain a warrant under Section5 (3)(c) of HB 2789 and Section 6 (2) (c ) of HB 1771would be “specific and articulable facts demonstrating probable cause to believe that there has been, is, or will be criminal activity

Under Section 5 (3)(d) of HB 2789, a petition for a search warrant would also have to include a statement that “other methods of data collection have been investigated and found to be either cost prohibitive or pose an unacceptable safety risk to a law enforcement officer or to the public. ”

So drones should be, at least for now, still considered an extraordinary method to be used in criminal investigations.  Such statement would not be necessary though under HB 1771.

Warrant could not exceed ten days under Section 5(5) of HB 2789, but could not exceed 48 hours under section 6(4)HB 1771, and thus HB 1771 would be much more protective for civil liberties. However, as we saw, it is unlikely that HB 1771 will ever be enacted into law.

Warrant Not Needed in Case of an Emergency

Both bills would authorize some warrantless use of drones.

However, under Section 7 of HB 2789 a warrant would not be needed if a law enforcement officer “reasonably determines that an emergency situation exists [involving] criminal activity and presents immediate danger of death or serious physical injury to any person,” and that the use of a drone is thus necessary.

Under Section 8 of HB 1771, it would only be necessary for the law enforcement officer to “reasonably determine that an emergency situation exists that involves immediate danger of death or serious physical injury to any person” which would require the use of drone, without requiring a pre-determination of criminal activity.

But even if an emergency situation does not involve criminal activity, section 8 of HB 2789 allows for the use of drones without a warrant if there is “immediate danger of death or serious physical injury to any person,” which would require the use of drones in order “to reduce the danger of death or serious physical injury.”

However, such use would only be authorized if it could be reasonably determined that such use of drones “does not intend to collect personal information and is unlikely to accidentally collect personal information,” and also that such use is not done “for purposes of regulatory enforcement.“

Both bills require that an application for a warrant be made within 48 hours after the warrantless use of a drone.

Fruits of the Poisonous Drone

Under section 10 of HB 2789 and section 10 of HB 1771, no personal information acquired illegally by a drone nor any evidence derived from it could be used as evidence in a court of law or by state authorities.

Handling Personal Information Lawfully Collected

Even if personal information has been lawfully collected by drones, such information may not be copied or disclosed for any other purpose than the one for which it has been collected, “unless there is probable cause that the personal information is evidence of criminal activity.”

If there is no such evidence, the information must be deleted within 30 days if the information was collected pursuant to a warrant and 10 days if was incidentally collected under section 11 of HB 2789, but would have to be deleted within 24 hours under section 11 of HB 1771.

Drone regulation is a new legal issue, but Washington  would not be the first State to regulate it. Many other States have introduced similar proposals, often not successfully however. But Florida, Idaho, Illinois, Montana, Oregon, Tennessee, Texas and Virginia have all enacted laws regulating the use of drones for surveillance purposes and North Carolina has enacted a two-year moratorium. It remains to be seen if and when federal legislation will be enacted.


1 Comment

FTC v. Wyndham Update, Part 2

Update (April 10, 2014): For a more recent update on this case, please see this post.

Since our last update, there has been some interesting activity in the matter concerning the Federal Trade Commission’s (FTC) complaint against Wyndham Worldwide, currently pending before the U.S. District Court for the District of New Jersey, and I thought this might be a good time for an update on these proceedings. This case has drawn considerable attention, mainly due to Wyndham’s challenge of the FTC’s authority to bring a data security enforcement action on unfairness grounds under Section 5 of the FTC Act. The outcome in this matter may very well have a profound effect on the FTC’s ability to regulate data security.

When we last discussed this matter, Wyndham’s motions to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the legal authority to enforce data security standards for private businesses, were before the court. On November 7, 2013, Judge Esther Salas heard oral argument on these motions. Wyndham opened by citing FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), as support for their proposition that the FTC’s data security standards exceeded the agency’s authority. Judge Salas remained skeptical during the hearing, stating that she thought Brown & Williamson was distinguishable.

Wyndham further argued that the FTC’s informal data security guidelines are insufficient, and do not provide fair notice of what is required under Section 5. Wyndham questioned both the FTC’s authority as well as their expertise in this area. The FTC countered by asserting that its data security guidelines, which include best practices and past consent decrees, put businesses on notice of what is required to meet a standard of reasonableness.

Following oral argument, Judge Salas denied Wyndham’s motion to stay discovery proceedings, but did not immediately address Wyndham’s other pending motions to dismiss. On December 27, Judge Salas ordered the parties to submit a supplemental, joint letter brief to the Court, addressing the two outstanding motions to dismiss. The parties filed their joint letter brief on January 21.

In the brief, Wyndham once again argued that the FTC lacks the statutory authority to regulate data security practices for every American company. Wyndham pointed out that Congress has limited the FTC’s data security power to only certain, well-defined areas, citing the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA) as evidence of these boundaries. Wyndham dismissed the FTC’s argument that FCRA, GLBA, and COPPA merely supplement the FTC’s existing data security authority as “revisionist history.”

In addition, Wyndham refuted the theory first raised by the FTC at oral argument, that Congress “understood Section 5 to provide the FTC with general police power over data-security matters,” but enacted FCRA, GLBA, and COPPA “for the limited purpose of freeing the Commission from the need to prove substantial consumer injury in specific contexts” as “a far-fetched reconstruction” of Congressional intent. Wyndham cited the context and legislative history of the FCRA, GLBA, and COPPA as further proof that the FTC is exceeding its authority, stating that Congress enacted these statutes “precisely because it believed that data security was not covered by existing statutory provisions, including Section 5 of the FTC Act.” (emphasis in original).

Finally, Wyndham reasserted that, even if the FTC is correct in its understanding of the statutes, they have not provided businesses fair notice required by the Due Process Clause. Wyndham points out that the “FTC has not published any rules, regulations, or guidelines explaining to businesses what data-security protections they must employ to comply with the FTC’s interpretation of Section 5 of the FTC Act.” This has been a growing concern among U.S. businesses, which face a daily struggle against data breaches and other related information security incidents, and are unsure of what “reasonable data security practices” might mean.

In its section of the brief, the FTC responded by asserting that “Section 5 of the FTC Act applies by its terms to all unfair commercial practices,” and “is not susceptible to a ‘data security’ exception.” The FTC highlighted the recent LabMD and Verizon decisions as supporting their argument for statutory authority.

The FTC also reiterated its position that the FCRA, GLBA, and COPPA permit the FTC to enforce these statutes using “additional enforcement tools,” which differentiate them from the FTC Act. Further, the FTC argues that where the FTC Act “merely authorizes,” the FCRA, GLBA, and COPPA “affirmatively compel the FTC to use its authority in particular ways” in certain contexts, which does not “divest the [FTC] of its preexisting and much broader authority to protect consumers against ‘unfair’ practices.”

Finally, the FTC pointed out that, while the court did not request additional briefing on the due process question, they felt obliged to respond to Wyndham’s claim on this point. The FTC asserted that to follow Wyndham’s argument would “undermine 100 years of FTC precedent,” and would “crash headlong” into Supreme Court precedent regarding Section 5 of the FTC Act.

Of note, the FTC has also been making similar arguments before Congress, where the FTC has expressed its support for new data security legislation. In hearings held before House Energy and Commerce Committee, the FTC emphasized its ongoing efforts to promote data security through civil law enforcement, education, and policy initiatives.

The court accepted parties’ brief and submissions of supplemental authority on January 23, and granted Wyndham’s request to submit a five-page letter brief in order to respond to the substantive issues raised by the FTC’s inclusion of the LabMD and Verizon decisions. Wyndham filed this brief on January 29, citing multiple negative responses to these decisions in the press as evidence of a breach of the “fundamental principles of fair notice” that “imposes substantial costs on business.”

Judge Salas has not yet responded to these arguments, but we will certainly be keeping a very close eye on these proceedings and its implications for the FTC regulation of data security standards.


Leave a comment

GAO Data Broker Report Calls for Comprehensive Privacy Law

On November 15, 2013, the U.S. Government Accountability Office released a report on the statutory legal protections for consumers with regard to the use of data for marketing purposes by data brokers.

The GAO report canvasses the existing federal consumer legal protections applicable to information resellers and finds them wanting with regard to the use of the data for marketing purposes.  Specifically, the GAO concluded the following:

– “[I]nformation about an individual’s physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations, and sexual habits and orientation,” can legally be collected, shared, and used for marketing purposes.  The report notes limits on HIPAA’s applicability to health-related marketing lists used by e-health websites.

– Although some industry participants have stated that current privacy laws are adequate – particularly in light of self-regulatory measures – there are gaps in the current statutory privacy framework that do not fully address “changes in technology and marketplace practices that fundamentally have altered the nature and extent to which personal information is being shared with third parties.”

– Current law is often out of step with the fair information practice principles.

According to the GAO, Congress should therefore consider strengthening the current consumer privacy framework in relation to consumer data used for marketing while not unduly inhibiting the benefits to industry and consumers from data sharing.  In doing so, Congress should consider:

– the adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA;

– whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;

– changes needed, if any, in the permitted sources and methods for data collection; and

– privacy controls related to new technologies, such as web tracking and mobile devices.

GAO Report at 19, 46-47.

The GAO Report is the most recent expression of support for comprehensive privacy legislation from within the federal government.  In this regard, the report echoes the Obama Administration’s 2012 Privacy Blueprint and the FTC’s 2012 Privacy Report, both of which called for baseline privacy legislation.  The FTC Privacy Report also reiterated the agency’s support for a privacy law targeted to data brokers.  The GAO Report, by contrast, implies that a general privacy law could suffice to address the issues raised by data brokers.


Leave a comment

Direct Marketing Association Launches “Data Protection Alliance”

Image

On October 29, 2013, the Direct Marketing Association (“DMA”) announced the launch of a new initiative, the Data Protection Alliance, which it describes “as  a legislative coalition that will focus specifically on ensuring that effective regulation and legislation protects the value of the Data-Driven Marketing Economy far into the future.” In its announcement release, the DMA reports the results of a study it commissioned on the economic impact of what calls “the responsible use of consumer data” on “data-driven innovation.” According to the DMA, its study indicated that regulation which “impeded responsible exchange of data across the Data-Driven Marketing Economy” would cause substantial negative damage to the U.S.’ economic growth and employment. Instead of such regulation, the DMA asks Congress to focus on its “Five Fundamentals for the Future”:

  1. Pass a national data security and breach notification law;

  2. Preempt state laws that endanger the value of data;

  3. Prohibit privacy class action suits and fund Federal Trade Commission enforcement;

  4. Reform the Electronic Communications Privacy Act (ECPA); and

  5. Preserve robust self-regulation for the Data-Driven Marketing Economy.

The DMA is explicitly concerned with its members’ interests, as any trade group would be, and this report and new Data Protection Alliance are far from the only views being expressed as to the need for legislation and regulation to alter the current balance between individual control and commercial use of personal information. Given the size and influence of the DMA and its members, though, this announcement provides useful information on the framing of the ongoing debate in the United States and elsewhere over privacy regulation.


1 Comment

Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into to our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.


Leave a comment

California Continues to Expand Consumer Privacy Protections, Enacting Further Amendments to CalOPPA and the Data Breach Notification Law

On September 27, California Governor Jerry Brown signed into law two bills—both to take effect January 1, 2014—that expand the online privacy protections for California residents.  These two new laws were the second and third enacted during September, as the Governor signed a bill imposing restrictions on the advertising of certain products marketed to minors earlier that week, and demonstrate that the California legislature continues to prioritize consumer privacy by amending its legislation to reflect changes in the way websites collect, and consumers provide, personal information online.

“Do Not Track” Disclosures

The first bill, AB 370, amends the California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. Code § 22575 et seq.), requiring that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding personally identifiable information collection over time and across third-party websites.

The new law states that website operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the privacy policy that links to a description, including the effects, of any program or protocol the operator follows that offers consumers that choice, but defines neither the content of the disclosure nor “do not track.”

Data Breach Notification for Disclosure of Online Account Access Information

The second bill, SB 46, amends California’s data breach notification law (Cal. Civ. Code § 1798 et seq.), adding to the definition of “personal information” certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account.  Specifically, the legislation adds to the definition of personal information “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”   A breach of this information, if unencrypted, of any California resident would trigger the state’s data breach notification obligations.

In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means.  If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.

However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by:  (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information; or (2) by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.


Leave a comment

California Soon to Have RFID Driver Licenses

A California bill, S.B. 397, would allow the Department of Motor Vehicles (DMV) to issue enhanced driver’s licenses (EDLs) and identification cards, that is, licenses and IDs containing radio frequency identification (RFID) technology.

Such EDLs would include a machine readable zone or barcode that could be electronically read from a distance. These cards would transmit an encrypted randomly assigned number, but would not contain any other personal data, biometric information, or number. They would only contain the information required by the federal Western Hemisphere Travel Initiative (WHTI) established by the Department of State and Department of Homeland Security.

Pro: Convenience and Speediness

The WHTI requires U.S. and Canadian travelers to present a passport or other document proving their identity and citizenship when entering the U.S.

Carrying an EDL would allow travelers to use the Ready Lanes already available at some port of entry, which make the process of entering the U.S. faster and easier. A summary of the bill made this month by the Assembly’s Appropriations Committee describes the process as “convenient and time-saving.” Four U.S. states, Michigan, New York, Vermont, and Washington are already issuing EDLs.

Con: Privacy and Security Risks

What may be the risks for privacy? The web site of the Department of Homeland Security (DHS) states that “[n]o personally identifiable information is stored on the card’s RFID chip or can be transmitted electronically by the card. The card uses a unique identification number that links to information contained in a secure Department of Homeland Security database. This number does not contain any personally identifiable information.”

S.B. 397 contains provisions addressing the security issues that the use of such cards may raise. It states that the DMV would include in the EDLs “reasonable security measures, including tamper-resistant features to prevent unauthorized duplication or cloning and to protect against unauthorized disclosure of personal information regarding the person who is the subject of the license, permit, or card.”

The American Civil Liberties Union of Northern California opposes the bill, and states that DHS has admitted that the personal information encoded on the RFID chip could be read from up to 30 feet away. Also, the EDLs do not include technological protections to prevent the personal information from being read without the individual’s knowledge or consent.

The ACLU mentions a scientific report which studied the security of the Washington EDLs. The authors of this report stated that RFID contained in such cards only have limited security features and, as such, could be surreptitiously scanned and reproduced.

A note from the ACLU of Washington, published that the time Washington state proposed to have EDLs, had noted that such cards do not have built-in security, and thus the Department of Licensing would had to provide users with a security sleeve designed to block the RFID transmission. Such sleeve indeed prevents a card to be scanned without authorization, but, as the EDL does not have an on/off switch, the card can broadcast information to compatible readers within its range if taken out of the protective sleeve by accident.

The site of the Washington State Department of Licensing informs users that the “[e]nhancements included in the EDLs… are industry best practices for security”, that is, “secure and isolated-dedicated (optic fiber) network connectivity; encryption of personal identifying information between Washington State and the Border Officer during transmission; closed and secure network design, including firewalls and limited and controlled access to the network, network equipment, and data centers.”

Big Data at the Borders

However, there is no clear information on whether data about travel is retained, and, if it is, for how long. As travel data is of particular interest to governments, there may be a temptation to store and analyze it. For example, the Australian Customs and Border Protection Service recently put in place a program using Big Data to analyze passenger information.  There is no such program yet in the U.S., and the EDLs cannot be used for air travel, but we should keep in mind that these cards may be used as intelligence/surveillance tools.

The California bill has been approved by the Senate, and is now under consideration in the Assembly. It is expected to pass. A Committee hearing is scheduled for next Friday, August 30th.


1 Comment

A Ballot Initiative Seeks to Add a Right to Privacy in PII to the California Constitution

The California Office of the Attorney General received on July 19 a ballot initiative request, the “California Personal Privacy Initiative.” Under California Law, every California elector has the right to submit a ballot initiative. The two proponents of the initiative are Steve Peace, a former California State Senator, and Michael Thorsnes, an attorney.

The initiative proposes to add an article XXXVI, Right to Privacy in Personally Identifying Information, to the California Constitution:

SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed to be confidential.

SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.

SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest.

Section 1: PII Collection

Under the language of this section, personally identifying information (PII) provided by a data subject to either a private entity or to the government would be presumed to be confidential. In other words, PII would be confidential by default and entities wanting to process PII would have to first secure the consent of the data subject. The initiative, if enacted, would make opt in the only legal option for choice and consent in California.

The initiative defines PII broadly as “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” Under that definition, even information rendered anonymous but which could be re-identified would be protected.

Section 2: Harm

Harm would be presumed if the PII has been disclosed without the data subject’s authorization, and that would be very protective of consumers’ interests, as proving harm is notoriously difficult for victims of data breaches or improper data collection. However, in Krottner v. Starbucks, the 9th Circuit found in 2010 that plaintiff faced a credible threat of harm and thus met the injury-in-fact requirement for standing under Article III because of the theft of a laptop containing unencrypted personal data.

But in a recent California case, Yunker v. Pandora Media, the plaintiff had argued that Pandora’s alleged conduct had diminished the value of his PII, decreased the memory space on his mobile device, that disclosure of his PII had put him at risk of future harm, and that Pandora had invaded his constitutional right to privacy when allegedly disseminating his PII to third parties.

The Northern District Court of California found that the facts were not sufficient to prove decreasing memory space and diminished value of PII, and that the mere possibility of future harm was insufficient to establish standing. However, the court found that plaintiff had standing with respect to Pandora’s alleged violations of the constitutional right to privacy.

Under the initiative, plaintiff would no longer have to prove he suffered harm: the defendant would have to prove plaintiff suffered no harm.

Section 3: Countervailing Compelling Interest

The right to the privacy in one’s PII would not be absolute and would have to bend to countervailing interests. For instance, law enforcement would nevertheless have access to PII in order to protect public safety. Would the threat to public safety have to be immediate, or would a general mission of protecting safety be enough to override privacy interests? In the wake of the PRISM scandal, this question is particularly salient.

Another countervailing interest cited by the initiative is non-commercial free speech. One remembers that the Supreme Court held in 2010 in IMS Health, Inc. v. Sorrell that a Vermont prescription privacy law barring disclosure of prescription data for marketing purposes was unconstitutional as it violated the free speech rights of data brokers. Under a new article XXXVI, commercial free speech would not be considered a compelling interest, and thus data brokers would not be able to invoke a free speech defense.

What’s next? Under California law, Election Code § 9001, the Attorney General must now prepare a circulating title and a summary of the initiative within 15 days of the receipt. An initiative petition must then be presented to the Secretary of State and be certified by local election officials to have been signed by a specified number of qualified registered voters.

But the broad scope of the initiative may be its nemesis, as it may trigger intense lobbying against it. Even if enacted, companies may chose to block access to many of their services or products unless the data subject provides a general and broad opt in consent, to the detriment of a more granular consent.