A Microsoft Corp lawsuit aimed at striking down a law preventing companies from telling customers the government is seeking access to their data has been joined by a number of heavy hitters including: the US Chamber of Commerce, the National Association of Manufacturers, Delta Air Lines Inc, BP America, the Washington Post, Fox News, the National Newspaper Association, Apple, Google, Amazon and others.
Microsoft maintains that the law – which allows the government to seize data located on third party computers, without the targets’ permission, or even notice – is unconstitutional.
The Department of Justice argues that Microsoft has no standing to bring the case and that the public has “a compelling interest in keeping criminal investigations confidential”. It also maintains that procedural safeguards are in place to protect constitutional rights.
The FBI has collected nearly 430,000 iris scans over the past three years, an investigation by technology website The Verge, has revealed.
Privacy International said it was “deeply concerning” that hundreds of thousands of iris scans were being added to a database without public debate, proper safeguards “or even awareness that such data has been taken and is being stored”.
“If our biometric data is to be collected at all, such systems should not be introduced or continued before a public debate, strong legal frameworks, and strict safeguards are in place,” the organisation told the BBC.
Link: Radio New Zealand
The Minister of Justice has asked the Law Commission and Ministry of Justice to review the operation of the Search and Surveillance Act 2012. The Act controls how police and certain other government agencies search people or property, as well as the use of surveillance devices for the purpose of investigating crime.
The Law Commission and Ministry of Justice will be calling for public submissions later this year and will report to the Minister by the end of June 2017.
Link: Law Commission media release
First to press was ZDNet, highlighting wording that purports to disclaim responsibility for data breaches. This was followed by a letter (PDF) to the company from Senator Al Franken, demanding more detailed disclosures on what information Oculus collects from users and what it does with that data.
All in all, this is a timely reminder of the PR implications of privacy policies, especially for high profile businesses. In jurisdictions like New Zealand, it is also an open question as to whether disclaimers of the kind highlighted above might attract attention from regulators under unfair contract terms legislation.
Link: ZDNet | TechCrunch
More than 200 senior members of the legal profession – including QCs, law professors, senior lawyers and former judges – have signed an open letter to the UK Government condemning the Investigatory Powers Bill currently before Parliament. The letter describes the Bill as “unfit for purpose”, citing its failure to reflect international standards for surveillance powers, especially in relation to bulk data collection, targeting, and grounds for the issuing of warrants.
Link: Guardian article | Draft Bill
Radio NZ has coverage on the results of the recent review of New Zealand’s Security Intelligence Service (SIS) and Government Communications Security Bureau (GCSB).
Of particular interest to the media is the exemption in s57 of the Privacy Act, which provides that certain aspects of the Act do not apply to information collected, obtained, held, used, or disclosed by, or disclosed to, the SIS and GCSB.
This means the Privacy Act does not prohibit private entities such as banks and telcos from disclosing customers’ personal information to the SIS or GCSB, though of course other restrictions such as customer confidentiality may still be relevant in the absence of a warrant that compels disclosure.
The Radio NZ report notes that the Privacy Commissioner is calling for a tightening of the rules on collection of personal information by the SIS and GCSB.
Link: Radio NZ Report
Over at Out-Law.com, data protection lawyer Kathryn Wynn sets out her views on why IP addresses are best treated as personal information, regardless of which way the European Court of Justice rules in a pending case in Germany.
The ECJ has been asked to rule on whether website operators’ collection of IP addresses automatically qualifies as the collection of personal information, by virtue of the fact that additional information in the hands of third party ISPs could be used to identify individuals based on those IP addresses.