Short Bites: Recent Privacy Law Developments
Summer snacks can be easier to digest than heavier meals. In that spirit, here is a short list of bite-sized summaries of recent developments in privacy law that may directly affect your business.
Privacy Lawyer Nominated as New FTC Commissioner
President Obama has nominated Maureen K. Ohlhausen, a Washington privacy lawyer, to a Republican vacancy on the Federal Trade Commission (FTC). The nomination is viewed as a signal that privacy law remains a priority for the administration. Ms. Ohlhausen will replace Commissioner Kovacic, who has been skeptical of calls for new privacy rules.
Data Breach Notification Bill Advances in House of Representatives
For nearly a decade, Congress has considered enacting a federal law to require notification to affected individuals of breaches of a business's data security that could create a risk of identity theft. Calls for federal legislation are prompted by the 46 state laws that now address the subject. Last year, the House of Representatives passed a bill that would have replaced the state laws with a uniform federal standard, but it died when the Senate adjourned without taking action.
Several legislative proposals have been introduced in the current Congress. (See article in the June issue of Privacy In Focus). The first to pass a legislative hurdle is a House bill (H.R. 2577) sponsored by Rep. Mary Bono Mack (R-CA), which, on July 20, was approved by voice vote by a subcommittee of the House Energy and Commerce Committee, which she chairs. The bill would establish national standards governing disclosures of breaches of data security and preempt the state laws. Subcommittee approval was a first step; the bill must receive favorable action by the full Committee and the House before moving to the Senate, where several powerful Senators have their own breach notification bills.
Commerce Department to Convene Groups to Develop Privacy "Codes of Conduct"
Moving forward on a proposal floated in its "Green Paper" on "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework," the Department of Commerce recently said that it would convene multistakeholder groups to develop privacy codes of conduct tailored to particular industries. The agency did not indicate what industries would be subject to the codes or their timing. The idea is that the codes would be drafted by the private sector, although clearly, the Commerce Department expects to play a key role in their creation, and the process of creating codes would likely be contentious and slow.
Although the Commerce Department states that participation in developing and/or adhering to the codes would be voluntary, the FTC may take the view that a failure to abide by such a code of conduct might constitute an "unfair" trade practice.
Google Wi-Fi Litigation Tests Whether Wi-Fi Is a "Radio Communication" under the Wiretap Act
In litigation in California over Google's collection of unencrypted Wi-Fi data as part of its "Street View" project, a major issue is whether a "Wi-Fi" signal is a "radio communication" under the federal Wiretap Act, which is part of the Electronic Communications Privacy Act. In re Google Inc. Street View Electronic Communications Litigation (N.D. Cal. No. C10-MD-02184JW). Google is arguing (1) that a Wi-Fi signal is a "radio communication" and (2) that its collection of unencrypted Wi-Fi signals is permissible under an exception allowing interception of "radio communications" that are "readily accessible to the general public" because the lack of encryption left the signals accessible. 18 U.S.C. §2511(2)(g)(i).
This appears to be a case of first impression. The federal district court hearing the case ruled against Google, holding that a narrow interpretation of the term "radio communication" better fits the Act's purpose (even though Wi-Fi signals are plainly "radio" in a technical sense). But the court has since granted a motion by Google to certify the question to the Court of Appeals for the Ninth Circuit. The case also highlights once again that the Electronic Communications Privacy Act, enacted long before Wi-Fi became a common household feature, deserves a serious update.
Consumer Financial Protection Board Begins Operations
The Consumer Financial Protection Board (CFPB), an agency created by the Dodd-Frank financial reform law of 2010, is now operating. Among the CFPB's many responsibilities is jurisdiction to enforce the Telemarketing Sales Rule insofar as the telemarketing campaign concerns a "consumer financial product or service." Therefore, telemarketing campaigns conceivably could be subject to three regulators, depending upon the product being sold and the geographic range of the campaign: the CFPB, the Federal Communications Commission (FCC) and the FTC.
The CFPB also has jurisdiction over the Fair Credit Reporting Act (FCRA). It now has exclusive jurisdiction to interpret the FCRA, including the issuance of rules. As in the case of telemarketing, however, the CFPB will continue to share enforcement responsibility with the FTC.