We started week 10 on Tuesday with
a discussion on recent developments related to information privacy, then discussed
the question
of the week 9 about big data, which was followed by a few variations of the
same question, discussed in class. The
class unanimously voted against an “unqualified
right,” concluding that no right is unqualified. Variations of the question were related to privacy
rights in healthcare, finance, etc., as well as a qualified right. The class discussions revealed many questions
that we would need to answer in a factors based analysis (pasted below), and on
the question of a “qualified
right,” the class unanimously voted in favor of it. We concluded week 10 on Thursday with first a discussion
on current topics including bills in the Utah legislature, and a discussion on
data brokers, following up on Chalene’s
post in week 9 on the Data Broker
Accountability and Transparency Act of 2015. We examined various issues related to that
bill, reviewed class responses to the blog post, and discussed the adequacy of
these proposed measures.
Recent Developments
-
Apple FBI litigation
-
“Hulk
Hogan” v. Gawker
o
Florida requires appealing parties to post the
full amount in bonds, capped at $50 million, which is higher than
Gawker’s net revenue of $45 million in 2014.
-
FBI issued a public service announcement (alert I-031716-PSA) on
internet-enabled devices in vehicles.
o
Personal safety risk in additional to privacy
risk.
o
Remote exploits are possible over wireless.
-
Chairman of the FCC proposed
an NPRM for choice & transparency by ISPs with regard to consumer data
o
Gives consumers certain rights to data use by
ISPs, who are now classified
as common carriers. FCC has jurisdiction over common carriers.
o
Imposes duty on ISPs to protect consumer data in
transit and at rest.
o
Mandates the convening of a working group of
FCC, FTC, Dept. of Commerce, NSF, etc. and prepare a report to Congress within
1 year about how IoT should be regulated.
-
Utah Legislature
§
A law enforcement agency that uses body-worn
cameras worn by law enforcement officers shall have a written policy governing
the use of body-worn cameras that meets or exceeds the minimum guidelines
provided;
§
minimum guidelines for the activation or use of
body-worn cameras; and
§
the prohibited uses of body-worn cameras by law
enforcement officers.
§
Other provisions:
·
Must be visible to the parties being recorded.
·
Must remain on continuously until the end of the
encounter, unless victim requests recording to be turned off.
·
Classified under GRAMA as public or private
depending on the context – no blanket classification.
§
§
Enacts the Student Data Protection Act;
§
defines terms;
§
provides for student data protection governance
at the state and local levels;
§
enacts requirements for data protection and
maintenance by state and local
§
education entities and third-party contractors;
§
enacts penalties;
§
gives rulemaking authority;
§
amends provisions related to student privacy;
§
enacts a requirement for notice given to a
parent or guardian before a student is
§
required to take a certain type of survey; and
§
makes technical corrections.
§
Other provisions:
·
Significant act prompted by concerns over third
parties providing services to students and giving access to student records
(e.g. Canvass, Blackboard, etc.).
·
Ensures that third party vendors have to protect
the privacy of students, in addition to the educational institutions.
·
Charges the State Student Data Officer in
consultation with the State Board of Education to develop a state-wide data
governance plan and each local school board can develop a data governance plan
that is not inconsistent with the statewide plan.
·
Provides for de-identified and aggregated
information where possible.
·
Addresses biometric identification.
-
Should an individual have an
unqualified legal right to control the collection, use, access and retention of
personal information about them and their activities?
-
Class responses:
o
Yes (0)
o
No (6)
-
Ideas:
o
Use of the data within the scope of the service.
Reformulated question
1 (in class)
Should an individual have an
unqualified legal right to control the collection, use, access and retention of
personal information about them and their activities that
they generate?
-
The law already grants individuals the right to
control content that they create under the Copyright Act.
-
Common law misappropriation claims.
-
Juvenile records, expungement of records, etc.
-
Key questions:
o
Who owns the data?
o
What is the extent of the data generation?
o
Is there a public interest in access to the
data?
-
Class consensus: “it depends”
Reformulated question
2 (in class)
Should an individual have an
unqualified legal right to control the collection, use, access and retention of
personal medical information?
-
Who is using this information, and for what
purposes?
-
Is there social value in reporting this
information?
-
They key question is whether this is
identifiable.
-
Informed consent: are patients adequately
informed to provide consent in this context?
-
Health information exchanges are avenues for aggregating
these types of data.
-
Medical information deserves greater privacy
protection.
Reformulated question
3 (in class)
Should an individual have an
unqualified legal right to control the collection, use, access and retention of
personal financial information?
-
Context-based answers, similar to the above
responses.
-
Financial information, like medical information,
also deserves greater privacy protection.
Reformulated question
4 (in class)
Should an individual have a qualified legal right to control the collection, use,
access and retention of personal information about them or their activities?
-
Unanimous class response: yes.
-
Factors that could be used to determine whether qualified
rights might be appropriate
o
What is the setting in which the information is
collected?
§
Reasonable expectation of privacy in one’s home.
o
Type of information being collected.
o
Who is collecting the information?
o
How will the information be used?
§
Is it being collected for one purpose but
actually being used for a different purpose?
Data Broker
Regulation
-
Who is a data broker?
o
More than merely an entity that collects
information.
o
Under the definition proposed in the Data Broker
Accountability and Transparency Act of 2015 (Bill S.668, not yet passed),
Facebook does not fall under this definition.
-
What types of data are aggregated by data
brokers?
o
Education level
o
Estimated net worth
o
Types of purchases
o
Investments
o
Habits (e.g. smoking, gambling, etc.)
o
Number of kids
o
Contact information
o
Religious & political views
o
Marital status
o
Mortgage amount
o
Salary
-
Transparency
o
What information is being collected?
o
Why is this information being collected?
o
How is the information being used?
o
How did they obtain this information
(provenance)?
o
How many different categories/lists are you included
in?
o
How can you opt out?
-
Access
o
Who has access to this information?
o
Who has actually viewed this data (accounting of
disclosure)?
o
How can you restrict access to your information?
-
Sensitive Information
o
Protected health information
o
What kind of information can a broker aggregate
about you, if you provided it to a third party like Facebook?
-
Data security standards
o
Most states have laws regulating data breaches,
although there is no uniform Federal statute that applies to all areas.
o
Federal laws cover areas like healthcare (e.g.
HIPAA Security Rule), student records (e.g. FERPA), etc.
o
Do data brokers use encryption? No information
available.
-
Consumer education
o
DBATA would create a central website that
explains the implications of having your information in different places.
-
Enforcement
o
Violations are considered to be unfair and
deceptive practices under the FTC.
o
Provides for injunctive relief.
o
State Attorney Generals have the power to
enforce
No comments:
Post a Comment