The Australian government recently released an exposure draft of legislation that would fundamentally reform the Australian Privacy Act and would unify public and private sector privacy principles. The exposure draft includes thirteen principles intended to protect individuals from the risks associated with the sharing of personal information.
Of particular interest to the international business community, Principle 8 addresses the cross-border disclosure of personal information. The principle states that an entity must take reasonable steps to ensure that an overseas recipient does not breach the Australian Privacy Principles with respect to personal information being disclosed, but provides an exception if the entity reasonably believes that (i) the recipient of the information is subject to a law or binding scheme that provides protection that is substantially similar to protections provided by the Australian Privacy Principles, and (ii) there are mechanisms available for affected individuals to enforce such protection.
Opt-in? Browser setting as opt-in? Opt-out?
The Opinion clarifies the Working Party’s interpretation of the new Article 5(3) and Recital 66 of the e-Privacy Directive. According to the Working Party, Article 5(3) and Recital 66, along with the General Data Protection Directive (“Directive 95/46/EC”), require prior opt-in consent since “prior opt-in consent mechanisms are better suited to deliver informed consent.”
Connecticut Attorney General Richard Blumenthal recently announced that his office will lead a multistate investigation into the “deeply disturbing” unauthorized collection of personal data from wireless computer networks by Google’s Street View cars. Attorney General Blumenthal noted that Google “must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence.” A significant number of states are expected to participate in the investigation.
Blumenthal’s press release is available on the Connecticut Attorney General’s website.
Reporting from Israel, legal consultant Dr. Omer Tene writes:
The Israeli Law, Information and Technology Authority (“ILITA”), Israel’s privacy regulator, continues to up the ante for data controllers in Israel. This week ILITA imposed a $70,000 (NIS 258,000) fine against a company illicitly trading personal data.
As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule. The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The FTC previously has stated that health care providers could be deemed “creditors” under the Rule. The agreement will grant relief to health care providers until the resolution of litigation pending before the U.S. District Court for the District of Columbia, in which the American Medical Association and other health groups have asked the court to prevent the FTC from applying the rule to physicians. As we reported in our previous blog post, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010, to allow Congress to take action to clarify the Rule’s scope.