Privacy Law and Policy : Privacy Lawyer & Attorney : Kevin Whitaker Law Firm : Patient Confidentiality, Defamation, Identity Theft : Privacy Law & Policy Blog

Ross Clark's book, The Road to Big Brother, One Man's Struggle Against the Surveillance Society, involves Clark's experience in avoiding CCTV cameras and surveillance efforts in England. PrivacyDigest's review of the book, states (in part):

Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

As a city councilor, I was surprised to see surveillance cameras recently installed on new sets of local traffic lights. I wondered, "Who decides where these go and who will have access? Why are they there?" "Why didn't I have to approve these?"

I realize there's a practical argument for the potential advantages, such as recording accident data, raising compliance with safe driving laws, and, of course, avoiding traffic. In fact, the Connecticut Department of Transportation site lets you view traffic camera images that are updated every five minutes. The Boston SmarTraveler site offers several views, too.

But are things like Google Earth, government surveillance, and private webcams streaming on the web taking us into unchartered territories? I was excited to use Google Earth to see where my wife lived in Spain or others' travels. I've been on guided tours from the comfort of our home and they were fun experiences. But is there a trade off for fun?

• Email This
• Print
• Comments
• Trackbacks

In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).

• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One
• An Act Ensuring Less Privacy of Massachusetts Residents' Data, Part 2 of 5
• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 3 of 5
• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5,
• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5.

Well, it appears the legislative change may not be necessary as the latest and ungreatest regulatory scheme changes appear to do the hatchet job for them.  Too bad.  In short, it's not good news for Massachusetts consumers or their privacy rights as privacy rights seem, once again, to be taking a backseat to political influences.

The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:

BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

...

New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data.  The overall approach is more consistent with federal law, she said.

...

The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.

• Email This
• Print
• Comments
• Trackbacks

Massachusetts Senate Bill No. 173 (PDF file or see full text below) introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I've addressed a few of these in past posts.

• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One
• An Act Ensuring Less Privacy of Massachusetts Residents' Data, Part 2 of 5
• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 3 of 5
• An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5,

After a short vacation, today I'll briefly be addressing the fourth proposed change, but more importantly the sum of all the proposed changes, because I fear they fail to protect consumers and their privacy rights, but instead seem very good at protecting certain business interest aided by powerful lobbying efforts

Briefly, under the fourth proposed change, employees could be terminated for willful violations of the law, regulations, or written information security plans.

While I'm not going to attack this language (although you can see the proverbial passing of the buck coming here), it make me ask, "As a group, did any of the four proposed changes help consumers while guarding individuals' privacy rights?"

Let's review a summary of the three changes I've previously discussed:

1. Businesses would not have to comply with any Massachusetts state regulations with stricter standards than federal law
2. Ensures OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to do so in regulations).
3. The law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses, thus implying a person's privacy rights matter less depending on who is allowing them to be infringed upon. This would also add more delay as more layers of regulations are adopted.

The answer to my earlier question, I'm afraid, is a resounding "No," none of the four four proposed changes help consumers while guarding individuals' privacy rights--thus the title of this series of posts, "An Act Ensuring Less Privacy of Massachusetts Resident's Data" which is a play on the proposed act's title "An Act Ensuring the Privacy of Certain Data."

As stated in other posts, privacy rights simply aren't being treated as rights held by individuals but rather as things or issues to be regulated. With economic considerations, lobbying, and political influence guiding the outcome, it appears that short-term economic arguments may continue trumping individuals' privacy concerns. In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights can't really exist, no matter what we call or title them.

The full text of Senate Bill 173, An Act Ensuring the Privacy of Certain Data, is below. Funny, I don't think this is available anywhere else on the web except in PDF. Why is that?

• Email This
• Print
• Comments
• Trackbacks