The guidance outlines scenarios in which PIPEDA applies or does not apply based on the conduct of commercial activities, including:

• An intermediary who relays financial information into and out of Canada for international transactions involving Canadian banks is engaged in a commercial activity.
• A non-profit daycare organization partially subsidized by a municipal government is engaged in a commercial activity. 
• A landlord who collects, uses or discloses tenants’ personal information to administer a lease or for insurance purposes is an organization engaged in a commercial activity.
• An educational institution is not engaged in a commercial activity if the institution’s core activity is the provision of educational services and the institution does not have as one of its objectives the goal of earning a profit for the owners of the institution.

Organizations with Canadian business operations or seeking to do business in Canada should be aware of PIPEDA’s broad-based applicability and requirements, which include customer consent provisions, limitations on information use, disclosure, and retention, and obligations to safeguard personal information.

Particularly noteworthy is the Commission’s proposal that Model Rule 1.6 -- which describes the duty to protect client confidences -- be updated to make clear that a lawyer has a duty to provide “reasonable” data security measures for client information.  The Commission notes that the reasonableness of particular security measures will depend on factors such as the cost of safeguards and the sensitivity of the client information at issue.  Although Comments to the Rule currently reference the obligation to protect client information, the Commission believes that changes in technology have “so enhanced the importance of this duty that it should be identified in the black letter of Rule 1.6.”

The Commission also recommended that comments elaborating on the duty of competence (Rule 1.1) be amended to clarify that “maintaining competence” in the practice of law includes staying current on the “benefits and risks associated with relevant technology.”       

The ABA’s House of Delegates will take up the proposals at the Association’s annual meeting in August. 

• The California Assembly unanimously approved a bill, A.B. 1844, that would prohibit employers from demanding social media account passwords from employees or prospective employees.  The bill does not specify a remedy for violations.  To become law, the bill must be passed by the state Senate and signed by the governor.  A bill on the same topic, S.B. 1349, is under consideration in the Senate Appropriations Committee.
• In New Jersey, the Consumer Affairs Committee of the New Jersey Assembly approved a two-bill package (A2878 and A2879) that would prohibit employers or from requiring current or prospective employees to disclose user names or passwords for social media sites.  The bills also would apply to colleges and universities with respect to students or applicants.  The bills authorize private civil suits for violations.

During their remarks, Congressmen Markey and Wasserman Shultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Senator Blumenthal emphasized the importance of having in place not only rules about when a company can intentionally share data, but also appropriate safeguards to protect personal information from unauthorized access.  He mentioned that he has introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011 (S.1535), which would require companies to implement appropriate data security safeguards.  (We previously have discussed S. 1535 here.)  S. 1535 includes a provision authorizing private rights of action by consumers in the event of a violation, and Senator Blumenthal stated that he believes that private rights of action, not just FTC enforcement, should be a component of privacy and data security legislation.  Chairman Leibowitz noted that he supports providing the FTC civil penalty authority to fine those who fail to safeguard consumer data appropriately.

Researchers and health care professionals that participated in the panel discussions expressed the need for additional research―and funding to support such research―to help policymakers better understand the impact of marketing and media on children.  A third panel focused on the impact of media on body images for young women―a topic that Congresswoman Wasserman Schultz also discussed in her remarks.

Committee Chairman John D. (Jay) Rockefeller IV (D-WV) introduced the hearing by calling for “strong legal protections” and “simple and easy to understand rules” about information collection. He called for “strong, consumer-focused” privacy legislation this year, though conceded that no consensus about such legislation exists yet. Senator John Kerry (D-MA) also voiced support for privacy legislation. In contrast, Senator Pat Toomey (R-PA) expressed skepticism about new legislation, calling for a detailed cost/benefit analysis and identification of a specific market failure prior to any new regulation.

• FTC Chairman Jon Leibowitz briefly summarized the contents of the FTC’s recent report, which we have described previously.  He also reiterated the report’s call for security and breach notification legislation and legislation regarding “data brokers,” as well as its call for Congress to “consider” enact baseline privacy legislation.  He also praised industry strides toward a “meaningful” Do Not Track system, which he expects to be in place by the end of the year.
• U.S. Department of Commerce General Counsel Cameron Kerry addressed the claim by Senator Pat Toomey (R-PA) that a market failure justifying new regulation has not been identified.  Mr. Kerry stated that consumers’ lack of understanding of how their data is used and the misuse of such data by outlier businesses form market failures justifying baseline privacy legislation.  He summarized the Administration’s recent legislative recommendations, including its call to promote industry safe harbor codes of conduct.New
• FTC Commissioner Maureen K. Ohlhausen, who was not with the FTC at the time of the release of its privacy report, commended the FTC’s enforcement record.  She also praised the FTC report’s “privacy by design” principle and stated her support for data security legislation.  She expressed concern, however, that the report went too far in moving away from a tangible harm-based approach.  She also stated that if consumers are presented with a clear choice prior to information collection, it can be assumed that they will exercise that choice in an informed way.

As with many of the incidents involving consumer privacy that have been subject to recent FTC action (as well as private litigation), MySpace’s practices appear to have been first explored by the Wall Street Journal, as part of its “What They Know” series on online privacy.

The EEOC’s updated guidance generally provides that the EEOC will regard as suspect blanket or automatic exclusions of individuals from employment or promotion simply based on an individual’s criminal record, particularly when the individual is an African American or a Hispanic male.  However, the EEOC indicates that it will accept as a defense to a statutory discrimination claim an employer’s showing that the exclusion is job-related and consistent with business necessity and that the employer has made an individualized determination that hiring or promoting the individual in question would be likely to create a risk of improper conduct that would be detrimental to the employer’s business or workplace.  Specifically, the guidance indicates that, in making individualized assessments, employers should consider the following three factors:

The EEOC warns against employer’s relying on arrest records per se as a disqualifying factors. 

Separately, Senators Richard Blumenthal (D-CT) and Chuck Schumer (D-NY) have called on the EEOC to investigate whether information obtained by employers through social networking and email sites may be used to unlawfully discriminate against otherwise qualified applicants.  Congress and a number of state legislators―including those in Maryland, Illinois, and California―are considering legislation that would prevent prospective and current employers from requesting access to employee social networking accounts.

The workshop will be held on May 30, 2012 at the FTC Conference Center, 601 New Jersey Avenue, NW, Washington, DC.    The program begins at 8:30 am and will conclude at 5:30 pm.  The workshop is free, open to the public, and no registration is required.  The FTC will also provide a webcast.

Explaining the need for this legislation, Engel cited a “number of reports about employers requiring new applicants to give their username and password as part of the hiring process.” These reports have garnered considerable attention and inspired activity in many state legislatures.  As we previously wrote, Maryland’s legislature passed a bill last month banning employers from requesting or requiring social media password disclosures.  Gov. Martin O’Malley signed that bill into law on Wednesday afternoon.  Similar measures have been introduced in other states, and recent developments indicate that some of these bills are gaining momentum.  In New York, there are now indications of bipartisan support for legislation after a Republican state senator introduced a bill that is similar to a Democratic-sponsored measure.  Meanwhile, in California, similar bills have received unanimous approval from committees in both the Senate and state Assembly, and in Illinois, a bill has already passed the state House of Representatives and a Senate committee.

The Agreement aims to protect intellectual property rights (“IP rights”) by developing a common approach to enforcement and facilitating cooperation at international level.  Though ACTA includes a wide range of provisions addressing issues such as the counterfeiting of goods and the unlawful use of trademarks, the Opinion focuses in particular on measures relating to the enforcement of IP rights in the digital environment.

Though ACTA has already been signed by a majority of the countries which are party to it, including 22 EU Member States, it must be ratified by the European Parliament before it can enter into force in the EU.  The EDPS’ Opinion comes amidst growing criticism of the Treaty in recent weeks.  Since the Opinion’s publication, the Treaty’s rapporteur in the European Parliament, David Martin MEP, has recommended that it be rejected and the liberal ALDE group (“Alliance of Liberals and Democrats”) has declared that they would vote against it.  It seems increasingly unlikely therefore that the necessary Parliamentary approval will be achieved this summer for the Treaty to enter into force.