Friday, May 20, 2011, 11:22 AM

Privacy Bulletin: Issue No. 58

India Enacts Final Privacy Rules which may Impact U.S. Companies that Outsource

India released its final privacy rules in four parts that went into effect April 13, 2011. These rules could have a significant impact on businesses that transact business in India, those businesses that outsource business activities to India or have subsidiaries or affiliates based in India that perform various back-office functions and other business activities.

The rules have requirements for the storage and use of “sensitive personal data or information,” which includes certain financial and health data such as bank account details, credit or debit card account details, physical, physiological and mental health conditions, and medical records. There are also rules impacting the transfer of “sensitive personal data or information” between companies in India or between entities in India and entities outside of India. These requirements may apply not only to Indian citizens but to foreign citizens as well. Thus, these rules could impact a wide variety of U.S. businesses that outsource to India. For example, many financial service providers outsource certain loan application functions to India companies or to subsidiaries or affiliates based in India. Many companies have customer call centers based India who may handle customer billing issues that may also be impacted.

This piece only touches on some parts of the rules put in place by the Indian government. What remains to be seen about these rules is how the rules will be enforced by the Indian government. All businesses transacting business in India, or who outsource functions to Indian companies or have subsidiaries or affiliates in India with access to the information governed by the rules should ensure that each is complying with these new rules. Links to the four sets of rules: data security safeguard rules, guidelines for cyber cafes, intermediaries guidelines, and electronic service delivery rules.

DO-NOT-TRACK Legislation Introduced in Senate

On May 9, 2011, Senator John D. Rockefeller (D-W.Va.) introduced “do not track” legislation that would allow consumers to block Internet companies from following their activity on the Web. The “Do-No-Track Online Act of 2011” (S. 913) would give the Federal Trade Commission authority to draft specific rules about (i) how and when consumers could register their choice to be tracked by providers of online services or through providers of mobile applications and services, and (ii) rules that prohibit those providers from collecting personal information when a consumer has opted not to be tracked. The FTC and state attorneys general would be responsible for enforcing the law.

“Recent reports of privacy invasions have made it imperative that we do more to put consumers in the driver’s seat when it comes to their personal information,” Sen. Rockefeller said in a statement. . Womble Carlyle’s Privacy blog has covered recent allegations of privacy investigations such as Apple’s alleged collection and retention of precise location data through its iPhone product and Sony Corp.’s reported breach exposing the personal data of more than 100 million of its online video game users (See Privacy Bulletin: Issues 57 and 55).

Along these lines, Senator Al Franken (D-MI) recently held a hearing to review this location-based data. “Consumers have a fundamental right to know what data is being collected about them,” Sen. Franken said, as reported on Bloomberg Business Week.. “And yet reports that the information on our mobile devices is not being protected in the way it should be.” Testifying in this hearing were, among others, the FTC, the Department of Justice, Google, Inc., and Apple, Inc. Copies of the witnesses written testimony is available online.

Washington Enacts Bill Restricting Access to Juvenile Records

On May 12, Governor Christine Gregoire (D-Wash.) signed House Bill 1793, which restricted access to juvenile records into law. Effective July 22, 2011, the bill prohibits credit reporting agencies from generating consumer reports that contain juvenile records when the subject of the records is twenty-one years old or older at the time of the report. In an attempt to balance the public’s right to information with the goal of rehabilitating juvenile offenders and reintegrating juvenile offenders into society by keeping their records private, the act provides several instances when juvenile records can be used in credit reports. These instances include use in connection with credit and life insurance transactions in excess of fifty thousand ($50,000) dollars and use in employment investigations in excess of twenty thousand ($20,000) dollars. The Act also amends certain provisions related to the sealing of juvenile records and establishes a joint legislative task force which is tasked with determining how to cost-effectively restrict public access to juvenile records when an individual has met statutory requirements and reporting its findings and recommendations to the governor and legislature by December 15, 2011.

ACLU Asks for More Information on Michigan State Police Use of “Data Extraction Devices”

The American Civil Liberties Union has requested information from the Michigan State Police over its use of “data extraction devices,” reports CNet. It was alleged that the Michigan State Police are using these devices on motorists the Police pull over. “Data extraction devices” can download text messages, photos, videos, and even GPS data from many brands of cell phones.

The Michigan State Police responded to this request by stating that it is not using these devices during routine traffic stops but only use the devices when it has obtained a search warrant or had the consent of the cell phone owner, CNet reports. CNet further reports that the State Police further stated that, "the MSP does not possess DEDs that can extract data without the officer actually possessing the owner's mobile device. The DEDs utilized by the MSP cannot obtain information from mobile devices without the mobile-device owner knowing."

The ACLU later stated that it was not accusing the Michigan State Police of wrongdoing but was still seeking further information on the Police’s use of these devices.

Indiana Enacts Bill Extending Do Not Call to Cell Phones and VoIP and Instituting other Consumer Protection Programs

On May 13, Indiana Governor Mitch Daniels (R) signed House Bill 1273, an Act to amend the Indiana Code concerning trade regulation. Among the many amendments contained in the bill, the Act amended the Do Not Call provisions enacted in connection with the National Do Not Call List to include phone calls places to mobile telecommunications services, VoIP subscribers, and prepaid wireless calling services. Effective immediately, the law allows Indiana residents to register any wireless or VOIP telephone number associated with their residential addresses or a prepaid wireless number that is used primarily in Indiana. The definition of a “telephone sales call” was broadened to include text messages sent to a wireless phone number and thus prohibits the sending of solicitations by text to numbers that are on the Do Not Call list. Violators of the law are subject to the same penalties, including fines up to ten thousand dollars ($10,000) for the first violation and twenty-five thousand dollars ($25,000) for subsequent violations, as those who call a registered landline.

In addition the Do Not Call provisions, the Act also made other consumer protection changes including, for example, clarifying that a violation of the federal Fair Debt Collection Practices Act as well as other state consumer protection statutes constitutes a violation of the state provision on deceptive consumer sales and requiring that specific information is collected and stored about residential mortgage and real estate transactions.


Blogger Chris Hopes said...

Residential Voip!!!! Nice blog. It works great! This is solution of a problem introducing old posts to new visitors.Thanks...

June 29, 2011 at 8:01 AM  

Post a Comment

<< Home

back to top