On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework
Continue Reading European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

By Daniel Cooper and Fredericka Argent

On 29 November 2012, the Office of the Australian Information Commissioner announced that the Australian government passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“the Act”). The Act, due to come into force in March 2014, is the biggest reform to Australian privacy law in over 20 years, since the passing of the original Australian Privacy Act 1988. It represents the culmination of a recommendation for reform made originally by the Australian Law Reform Commission (“ALRC”) in 2005. One of the aims of the reform is to bring Australia’s privacy laws “into the digital age”. Alongside the Privacy Act reforms, the ALRC are also currently in the process of consulting on introducing a mandatory personal data breach law for Australia. It is likely that the passing of the Act will give this discussion more momentum.

One of the key changes in the new Act is the introduction of a single set of 13 harmonised “Australian Privacy Principles” (“APPs”) which will apply to government agencies as well as the private sector. The 13 APPs will replace the current bifurcated system, which includes “National Privacy Principles” (“NPPs”) for the private sector and “Information Privacy Principles” (“IPPs”) for the public sector.  The APPs are intended to make it easier for businesses and consumers to understand their obligations with regard to personal data and privacy. The Act also introduces reforms that will reshape how entities may process personal information and the circumstances in which it can be used for direct marketing (APP 7), and how entities may transfer personal information overseas (APP 8). Further, the Act will introduce a higher standard of protection for “sensitive” information, including health-related information, DNA and biometric data. The Act will also bring in new powers for businesses to check individuals’ credit worthiness, by introducing more comprehensive credit reporting rules.

Continue Reading Australia Introduces New Privacy Act

On Wednesday, the Supreme Court heard oral argument in Federal Aviation Administration v. Cooper, a case that raises the question of whether a plaintiff who alleges only mental and emotional distress can establish “actual damages” within the meaning of the federal Privacy Act’s civil remedies provision.  The question is crucial to determining the scope of relief afforded under one of the principal legal restraints on the federal government’s use and disclosure of the “records” it maintains about individuals.

Continue Reading Supreme Court Considers Key Question Under the Privacy Act

Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition.  In light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years, it is unsurprising that data-handling requirements for government entities and contractors are a subject of ongoing concern.  A roundup of recent developments:

  • A recent General Services Administration (“GSA”) cloud computing procurement solicitation attempted to address data security concerns by limiting the foreign countries where vendors’ servers could be located, but this requirement was rejected on October 17 as unduly restrictive.  Noting that the GSA had failed to explain its basis for differentiating between acceptable and unacceptable locations, the Government Accountability Office (“GAO”) recommended that the solicitation be revised to reflect the agency’s actual needs. 
  • On October 18, Sen. Daniel Akaka (D-HI) introduced the Privacy Act Modernization for the Information Age Act of 2011 to strengthen privacy protections for government records.  Among other things, the bill would create a federal chief privacy officer position, update penalties for violating the Privacy Act, and establish a centralized website for information about records maintained by individual agencies. 


Continue Reading Privacy and Security Requirements for Handling Government Records Under Scrutiny