Legislative Update

By James S. Cawood, CPP
Legislative Liaison

The following information has been culled from information provided by the California Association of Licensed Investigators (CALI) and some additional research on Federal Legislation of note.

In California, the following bills are noted as being of possible interest:

SB 1432 (Alpert) - This bill will allow Human Resource consultants to conduct third party investigations of harassment in the workplace. They will not have to be licensed and will not have any oversight, and the bill will allow out-of-state HR consultants to come into CA to conduct the investigations. This practice has been against the law for the last 20 years, but has only come to public awareness in the last 18 months. This bill was introduced to bring the law in line with practice.

AB 1985 (Leach) - This is a bill sponsored by CALI with the blessing of BSIS Chief Nickols. It provides: (1) A raise in PI license fees not to exceed $16 to pay for the manufacture and issuance of a new PI license card, with photograph. It will be more professional and durable than the present card (similar to a CA driver's license). (2) An amendment to the PI Act to allow public defender investigators' hours of investigative experience to count towards the 6,000 hours required for a PI license. This corrects an inadvertent omission from the original PI Act. (3) Reciprocity - This amends the PI Act so that licensed private investigators from out of state may come into California to conduct follow-up investigation on an investigation that originated in that investigator's home state, PROVIDING their home state provides reciprocal investigative privileges to California licensed investigators. In addition to these three provisions, there is a proposed amendment to this bill that will change the law to allow the BSIS to have more clout in enforcing the unlicensed practices provisions of the PI Act.

AB 2813 (Maddox) - This is a bill to allow licensed investigators to have access to DMV address information. Last year it was known as AB 512, and although it passed both houses, it was vetoed by the Governor. It has been introduced and will have its first hearing late in April. We will keep you apprised.

Federal Legislation: Both of these bills could effect vast changes in the management of data on the Internet and touch every electronic transaction and interaction.

HR 4049: Establish Commission for the Comprehensive Study of Privacy Protection. In reading the preamble and the purpose of the commission, it is clear that if this bill is passed, the commission will have a significant influence on the management of electronic commerce and transmission of data over the Internet.

The Congress finds the following: (1) Americans are increasingly concerned about their civil liberties and the security and use of their personal information, including medical records, educational records, library records, magazine subscription records, records of purchases of goods and other payments, and driver's license numbers. (2) Commercial entities are increasingly aware that consumers expect them to adopt privacy policies and take all appropriate steps to protect the personal information of consumers. (3) There is a growing concern about the confidentiality of medical records, because there are inadequate Federal guidelines and a patchwork of confusing State and local rules regarding privacy protection for individually identifiable patient information. (4) In light of recent changes in financial services laws allowing for increased sharing of information between traditional financial institutions and insurance entities, a coordinated and comprehensive review is necessary regarding the protections of personal data compiled by the health care, insurance, and financial services industries. (5) The use of Social Security numbers has expanded beyond the uses originally intended. (6) Use of the Internet has increased at astounding rates, with approximately 5 million current Internet sites and 64 million regular Internet users each month in the United States alone. (7) Financial transactions over the Internet have increased at an astounding rate, with 17 million American households spending $20 billion shopping on the Internet last year. (8) Use of the Internet as a medium for commercial activities will continue to grow, and it is estimated that by the end of 2000, 56 percent of the companies in the United States will sell their products on the Internet. (9) There have been reports of surreptitious collection of consumer data by Internet marketers and questionable distribution of personal information by on-line companies. 
(10) In 1999, the Federal Trade Commission found that 87 percent of Internet sites provided some form of privacy notice, which represented an increase from 15 percent in 1998. (11) The United States is the leading economic and social force in the global information economy, largely because of a favorable regulatory climate and the free flow of information. It is important for the United States to continue that leadership. As nations and governing bodies around the world begin to establish privacy standards, these standards will directly affect the United States. (12) The shift from an industry-focused economy to an information-focused economy calls for a reassessment of the most effective way to balance personal privacy and information use, keeping in mind the potential for unintended effects on technology development, innovation, the marketplace, and privacy needs.

SEC. 3. ESTABLISHMENT. There is established a commission to be known as the 'Commission for the Comprehensive Study of Privacy Protection' (in this Act referred to as the 'Commission'). SEC. 4. DUTIES OF COMMISSION. (a) STUDY- The Commission shall conduct a study of issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information, including the following:

(1) The monitoring, collection, and distribution of personal information by Federal, State, and local governments, including personal information collected for a decennial census, and such personal information as a driver's license number. (2) Current efforts to address the monitoring, collection, and distribution of personal information by Federal and State governments, individuals, or entities, including- (A) existing statutes and regulations relating to the protection of individual privacy, such as section 552a of title 5, United States Code (commonly referred to as the Privacy Act of 1974) and section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act); (B) legislation pending before the Congress; (C) privacy protection efforts undertaken by the Federal Government, State governments, foreign governments, and international governing bodies; (D) privacy protection efforts undertaken by the private sector; and (E) self-regulatory efforts initiated by the private sector to respond to privacy issues.

(3) The monitoring, collection, and distribution of personal information by individuals or entities, including access to and use of medical records, financial records (including credit cards, automated teller machine cards, bank accounts, and Internet transactions), personal information provided to on-line sites accessible through the Internet, Social Security numbers, insurance records, education records, and driver's license numbers.

H.R. 4059: "Online Privacy and Disclosure Act of 2000" This bill would establish a system for businesses engaged in electronic commerce to adopt, and certify their compliance with, internationally recognized principles concerning the collection, use, and dissemination of personal information, and for other purposes. SEC. 3. PURPOSES. The purposes of this Act are- (1) to identify and establish principles concerning fair and non-deceptive business practices for the collection, use, and dissemination of personal data; (2) to permit businesses that have adopted and implemented such principles to certify the implementation by publicly displaying a uniform seal; and (3) to require the Commission to prohibit and prevent unfair and deceptive acts and practices in the use of that uniform seal.

SEC. 4. PRINCIPLES FOR FAIR PERSONAL INFORMATION PRACTICES. Data controllers who abide by the following rules shall be permitted to display an official seal certifying such compliance under such regulations as the Commission shall prescribe: (1) COLLECTION LIMITATION PRINCIPLE- The collection of any personal data through means of interstate commerce should be obtained by lawful and fair means and with the knowledge of the data subject. (2) DATA QUALITY PRINCIPLE- Personal data should be accurate, complete, and current. (3) PURPOSE SPECIFICATION PRINCIPLE- The purposes for which personal data are collected should be specified and disclosed to the data subject not later than the time of data collection, and any subsequent use should be limited to the fulfillment of those disclosed purposes, or such other purposes as are not incompatible with those disclosed purposes and as are also disclosed to the data subject on each occasion of a change of purpose. (4) USE LIMITATION PRINCIPLE- Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified and disclosed in accordance with paragraph (3), except-

(A) with the consent of the data subject; or (B) by the authority of law.

(5) OPENNESS PRINCIPLE- A data subject should have readily available means of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual place of business of the data controller. (6) INDIVIDUAL PARTICIPATION PRINCIPLE- An individual should have the right-

(A) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to the individual; (B) to have communicated to the individual, data relating to the individual-

(i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to the individual;

(C) to be given reasons if a request made under subparagraphs (A) and (B) is denied, and to be able to challenge such denial; and (D) to challenge data relating to the individual and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

(7) ACCOUNTABILITY PRINCIPLE- A data controller should be accountable for complying with measures which give effect to the principles stated in paragraphs (1) through (6) of this section. SEC. 2. DEFINITIONS. For purposes of this Act, the following definitions apply: (1) DATA CONTROLLER- The term 'data controller' means a person who, by any means of interstate commerce, collects personal data, regardless of whether or not such data are collected, stored, processed, or disseminated by that person or by an agent on its behalf. (2) PERSONAL DATA- The term 'personal data' means any information relating to an identified or identifiable individual (data subject). (3) DATA SUBJECT- The term 'data subject' means an individual to whom personal data pertain. (4) COMMISSION- The term 'Commission' means the Federal Trade Commission. (5) PERSON- The term 'person' has the meaning provided such term in section 1 of title 1, United States Code.

Thank you for your interest in this report. Please contact me if you have any questions.