National Academies Press: OpenBook

Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public (2016)

Chapter: IV. Whether There Are Federal Statutes Applicable to Transportation Agencies’ Collection or Disclosure of Data

Suggested Citation: "IV. Whether There Are Federal Statutes Applicable to Transportation Agencies’ Collection or Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

20

reasonable person would have known, state officials or employees sued in their individual capacities would have qualified immunity for a disclosure of secure data or monitoring data.[267] A § 1983 claim could arise if an official commits an egregious, intentional, arbitrary, and malicious act that in and of itself violates the Fourth Amendment as alleged in the Toomer case. However, a claim based on “mere negligence” for a disclosure of personal data ordinarily would be insufficient because “under section 1983 there must be an intentional or deliberate deprivation of life, liberty, or property, or at least ‘deliberate indifference.’”[268]

IV. WHETHER THERE ARE FEDERAL STATUTES APPLICABLE TO TRANSPORTATION AGENCIES’ COLLECTION OR DISCLOSURE OF DATA

A. Evolution of Federal Statutory Privacy Rights

With respect to federal statutes protecting individuals’ right to privacy, the laws historically have been derived from general tort law, but government recordkeeping on its citizens has resulted in “a distinct subspecies of statutory law.”[269] Some federal laws, such as the Privacy Act and the FOIA, broadly control the “use and disclosure of federal government records about its citizens,”[270] whereas other laws such as the DPPA or the Gramm-Leach-Bliley Act of 1999[271] govern narrow, specific issues that affect individuals.[272] Although several federal laws address the privacy rights of individuals, the subject of the right to privacy has been left largely to the states.[273]

Scholars point out that with respect to data collection in public transportation, other than the DPPA, there are no federal statutes that protect an individual’s personal data and none that protect an individual’s locational data.[274] Thus, with the exception of the DPPA that applies to the state DMVs’ collection of secure data including PII, there appear to be no federal statutes protecting privacy rights that are implicated by transportation agencies’ collection of secure or monitoring data.[275]

B. Privacy Act of 1974

The Privacy Act of 1974[276] protects the privacy of records maintained by federal agencies on individuals[277] and regulates the agencies’ release of privacy information.[278] The Act is a “reaction to the perceived threat to personal privacy presented by computerized government records about its citizens” and addresses problems “largely beyond the reach of traditional tort law.”[279]

The Act requires each government agency to make certain information available to the public but provides further that

[t]o the extent required to prevent a clearly unwarranted invasion of personal privacy, an agency may delete identifying details when it makes available or publishes an opinion, statement of policy, interpretation, staff manual, instruction, or copies of records referred to in subparagraph (D)….[280]

The USDOT explains that the Privacy Act sets forth “how the federal government should treat individuals and their information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII).”[281] The USDOT also observes that Section 208 of the E-Government Act of 2002 “establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections.”[282]

The Privacy Act governs government or government-controlled corporations, but not private entities.[283] However, the Privacy Act applies to “certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.”[284] When disclosing records, no federal agency or its contractors may disclose PII without the affected individual’s written consent.[285] If the Privacy Act and privacy regulations provide different standards, a federal

[267] Harlow v. Fitzgerald, 457 U.S. 800, 818, 102 S. Ct. 2727, 73 L. Ed. 2d 396 (1982) (citation omitted).
[268] Froomkin, supra note 213, at 1053.
[269] McCarthy, supra note 83, at § 5.83.
[270] Id. § 6.135.
[271] Gramm-Leach-Bliley Act of 1999, § 501, Pub. L. No. 106-103, 113 Stat. 1338, codified at 15 U.S.C. § 6801 (2015).
[272] Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896, codified at 5 U.S.C. §§ 551(1) and 552a(b) (2015).
[273] Katz, 389 U.S. at 350–351, 88 S. Ct. at 511, 19 L. Ed. 2d at 581 (footnote omitted).
[274] Garry, Douma, and Simon, supra note 2, at 97.
[275] Id. at 103.
[276] See Pub. L. No. 93-579, 88 Stat. 1896, codified at 5 U.S.C. § 552a (2015).
[277] 5 U.S.C. § 552a(b) (2015). See also 5 U.S.C. § 552(d)(1) (2015); Douma and Deckenbach, supra note 2, at 306.
[278] 5 U.S.C. §§ 552(a) and (b) (2015).
[279] McCarthy, supra note 83, at § 5.85.
[280] 5 U.S.C. § 522(a)(2)(E) (2015).
[281] U.S. Dept. of Transportation, Privacy Impact Assessment (Update) National Registry of Certified Medical Examiners (National Registry) (Aug. 20, 2012), available at: http://www.dot.gov/sites/dot.dev/files/docs/FMCSA_PIA_National_Registry_082012.pdf (last accessed Oct. 12, 2015).
[282] Id.
[283] John M. Eden, When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID, 2005 Duke L. & Tech. Rev. 20, P4 (2005) (citing 5 U.S.C. § 522(a) and (a)(1)) [hereinafter Eden].
[284] 65 Fed. Reg. 82,462, 82,482 (Dec. 28, 2000).
[285] Id.

21

agency must abide by whichever provision allows for the least disclosure.[286]

Section 552g(1) of the Privacy Act states:

Whenever any agency…fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness…or fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.[287]

Although an individual may bring a civil action when private information allegedly was wrongfully disclosed, a plaintiff has the burden of showing that the agency willfully or intentionally disclosed the information.[288] Apparently, the Privacy Act has not been applied to data breaches resulting from unauthorized access.[289]

There are four essential elements that must be established when a plaintiff makes a claim under the Privacy Act:

(1) the information is covered by the Act as a “record” contained in a “system of records;” (2) the agency “disclosed” the information; (3) the disclosure had an “adverse effect” on the plaintiff (an element which separates itself into two components: (a) an adverse effect standing requirement and (b) a causal nexus between the disclosure and the adverse effect); and (4) the disclosure was “willful or intentional.”[290]

In Stephens v. Tennessee Valley Authority,[291] a former Tennessee Valley Authority (TVA) employee sued the TVA under the Privacy Act for violating his federal civil rights when it publicly circulated a memorandum accusing the plaintiff of accepting kickbacks and violating several laws.[292] After the document was released to the media, the TVA recalled and replaced it with a sanitized document that did not personally identify the plaintiff; however, one copy of the original document was released publicly.[293] The court held that the plaintiff could not recover for a violation of the Privacy Act even though there was a wrongful disclosure because the agency had not acted willfully or intentionally.[294] By recalling and sanitizing the document, the TVA demonstrated a concern for the plaintiff’s privacy interests.[295]

However, in a 2008 case brought under the Privacy Act, American Federation of Government Employees v. Hawley,[296] the plaintiffs alleged that the defendants violated the Aviation and Transportation Security Act (ATSA)[297] and the Privacy Act[298] by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records. A federal court in the District of Columbia explained what is meant by the Privacy Act’s requirement that a violation be intentional or willful:

An agency acts in an intentional or willful manner “either by committing the act without grounds for believing it to be lawful[] or by flagrantly disregarding others’ rights under the Act.” …To rise to this level, “[t]he violation must be so patently egregious and unlawful that anyone undertaking the conduct should have known it [to be] unlawful.”[299]

The plaintiffs alleged that the defendants were informed repeatedly of “recurring, systemic, and fundamental deficiencies in [their] information security,” but that the defendants “demonstrated reckless disregard for privacy rights when [they] failed to effectively secure the external hard drive that maintained the personal information of [their] personnel workforce.”[300] The court held, inter alia, that the plaintiffs’ allegations that the agency had negligently lost control of their personal data by failing to establish safeguards to prevent the loss of hard drives stated a claim.[301]

In subsequent proceedings, however, the court granted the defendants’ motion for summary judgment because the undisputed facts showed that neither had there been a violation of the Privacy Act nor had the plaintiffs sustained any actual damages.

In 2014 in Kelley v. FBI,[302] a federal court in the District of Columbia held that the plaintiffs pled sufficient facts to state a claim against the FBI under the Privacy Act.[303] In Kelley, after the

[286] Id.
[287] 5 U.S.C. §§ 552a(g)(1)(A)–(D) (2015) (emphasis added).
[288] 5 U.S.C. § 552a(g)(4) (2015).
[289] Froomkin, supra note 213, at 1034.
[290] Quinn v. Stone, 978 F.2d 126, 131 (3d Cir. 1992).
[291] 754 F. Supp. 579, 584 (E.D. Tenn. 1990).
[292] Id. at 580.
[293] Id. at 581.
[294] Id. at 582.
[295] Id. at 583. See also Wisdom v. Dep’t of Housing and Urban Development, 713 F.2d 422, 424–425 (8th Cir. 1983) (holding that the Department of Housing and Urban Development had not acted intentionally or willfully in disclosing information to the IRS pertaining to an individual’s default on a home loan).
[296] 543 F. Supp. 2d 44 (D.D.C. 2008).
[297] Id. at 45 (citing 49 U.S.C. §§ 44901 and 44935).
[298] Id. (citing 5 U.S.C. § 552a).
[299] Id. at 51 (citations omitted) (some internal quotation marks omitted).
[300] Id. at 52 (citations omitted) (some internal quotation marks omitted).
[301] Id. at 51–53.
[302] 67 F. Supp. 3d 340 (D.D.C. 2014).
[303] Id. at 264.

22

plaintiffs received a number of harassing emails, they notified the FBI of the cyber stalking.[304] During the investigation, the plaintiffs consented to giving the passwords to their email accounts to the FBI to enable it to track the IP address of the stalker.[305] The FBI promised not to release the plaintiffs’ names, but their names were released when the media received some of the harassing emails that the plaintiffs had received.[306] The plaintiffs alleged that their information and report to the FBI were maintained in a system of records that identified them by name or identification number, that the FBI shared this information with the Department of Defense, and that both agencies disclosed the information to the media.[307] As of October 12, 2015, there were no further reported proceedings in the Kelley case.

Finally, the Privacy Act provides that a person shall be entitled to recover no less than $1,000.[308] In 2004, in Doe v. Chao,[309] the Supreme Court held that in the absence of proof of actual damages, the petitioner could not recover for a violation of the Privacy Act even though the government repeatedly disclosed the claimant’s Social Security number.[310] It was not sufficient to show that the government intentionally or willfully violated the Act; the claimant also had to show an adverse effect, i.e., actual damages.[311]

C. Driver’s Privacy Protection Act

The Driver’s Privacy Protection Act of 1994[312] protects personal information collected by a state DMV. The DPPA provides that a DMV officer, employee, or contractor must not knowingly disclose or otherwise make available to any person or entity:

(1) personal information, as defined in 18 U.S.C. 2725(3), about any individual obtained by the department in connection with a motor vehicle record, except as provided in subsection (b)…; or

(2) highly restricted personal information, as defined in 18 U.S.C. 2725(4), about any individual obtained by the department in connection with a motor vehicle record, without the express consent of the person to whom such information applies, except uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9)….[313]

The term “personal information” is defined as information that identifies an individual, such as by name, address (but not the 5-digit zip code), telephone number, Social Security number, driver identification number, photograph, or medical or disability information, but not information on vehicular accidents, driving violations, and a driver’s status.[314] The term “highly restricted personal information” means an individual’s Social Security number, photograph or image, or medical or disability information.[315] The term “express consent” means that a person must consent in writing, but consent may be evidenced by a signature sent electronically.[316]

Although there are various exceptions in the DPPA that allow for the dissemination of personal information, an important one is that personal information may be disclosed “[f]or use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.”[317]

The DPPA provides for a private right of action that may be brought in a United States district court against a person who knowingly violates the DPPA.[318] The DPPA provides that “[a] person who knowingly obtains, discloses, or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains….”[319] In the event of liability, a court may award actual damages but not less than liquidated damages in the amount of $2,500, punitive damages if there is proof of a willful or reckless disregard of the law, and attorneys’ fees and other litigation costs that are reasonably incurred, as well as preliminary and equitable relief when appropriate.[320]

Several state and local governments unsuccessfully challenged the constitutionality of the DPPA on the basis that the law exceeds Congress’s authority under the Commerce Clause. In Travis v. Reno,[321] the State of Wisconsin argued that the law required the state to “make costly changes in the way it handles requests for access to its records,” as well as prevented the State from generating revenue by selling personal information to third parties for mailing lists. However, the Seventh Circuit, stating that “driving is an interstate business,”[322] held that

[304] Id. at 248.
[305] Id. at 248–49.
[306] Id.
[307] Id. at 265. The court dismissed all other claims for either lack of jurisdiction or failure to state a claim. Id. at 256.
[308] Froomkin, supra note 213, at 1034 (citing 5 U.S.C. § 552(q)(4)).
[309] 540 U.S. 614, 124 S. Ct. 1204, 157 L. Ed. 2d 1122 (2004).
[310] Id. at 616, 124 S. Ct. at 1206, 157 L. Ed. 2d at 1129.
[311] Id. at 627, 124 S. Ct. at 1212, 157 L. Ed. 2d at 1134.
[312] 18 U.S.C. §§ 2721–2725 (2015).
[313] 18 U.S.C. §§ 2721(a)(1) and (2) (2015).
[314] 18 U.S.C. § 2725(3) (2015).
[315] 18 U.S.C. § 2725(4) (2015).
[316] 18 U.S.C. § 2725(5) (2015).
[317] 18 U.S.C. § 2721(b)(1) (2015).
[318] 18 U.S.C. § 2724(a) (2015).
[319] 18 U.S.C. § 2724(a) (2015).
[320] 18 U.S.C. § 2724(b) (2015).
[321] 163 F.3d 1000, 1002 (7th Cir. 1998).
[322] Id.

23

“nothing in the [DPPA] interferes with the state’s ability to license drivers and remove dangerous ones from the road; it regulates external rather than internal uses of the information.”[323]

Thus, with respect to statutes such as the DPPA, it appears that federal privacy laws are likely to be upheld when they regulate interstate commerce and govern the external uses of information without interfering with a state or local government’s performance of its regulatory responsibilities.

D. Other Federal Privacy Laws

Some federal laws are broad in scope and allow a government agency to enforce privacy law even in the absence of explicit rules. For example, the Federal Trade Commission Act of 1914 (FTC Act)[324] is used to regulate companies’ privacy notices to consumers concerning how they collect and use consumer data, including locational data.[325] However, the FTC Act only states that the FTC is “empowered and directed to prevent persons, partnerships, or corporations…from using unfair methods of competition…and unfair or deceptive acts or practices in or affecting commerce.”[326]

In 2014, in FTC v. Wyndham Worldwide Corporation,[327] a federal district court in New Jersey stated that rapidly evolving digital and privacy issues are in an “ongoing struggle” over a “variety of thorny legal issues that Congress and the courts will continue to grapple with….”[328] Nevertheless, the court held that even in the absence of more formal notice via rulemaking, the FTC could bring an action against the defendant under the FTC Act when “‘an agency...is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.’”[329] The court recognized that the FTC has broad authority to regulate the security of data even if explicit language is not included in the statute.

The court reasoned that “the FTC’s unfairness authority over data security” would not “lead to a result that is incompatible with more recent legislation” or “plainly contradict congressional policy.”[330] Because Section 5 of the FTC Act “codifies a three-part test that proscribes whether an act is ‘unfair,’” the court was not convinced by the defendant’s argument that regulations are the only way to provide fair notice.[331] Therefore, prior to bringing a suit for a violation of the Act, the FTC was not required to promulgate regulations explaining what data security practices were forbidden or required by the FTC Act. The court stated that a ruling for the defendant would mean that “the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”[332]

As for other federal privacy legislation, there are federal laws that require regulated entities to have privacy policies, but the laws do not create a private right of action for violations of the policies. For example, the Gramm-Leach-Bliley Act of 1999[333] requires financial institutions to have privacy policies but does not provide for a private right of action.[334]

A 2014 Legal Research Digest (LRD) published by TRB discusses[335] USDOT privacy regulations, as well as the Health Insurance Portability and Accountability Act (HIPAA),[336] the Patient Protection and Affordable Care Act,[337] the Public Health Service Act[338] and Records of Substance Abuse, the

[323] Id. at 1003. See also Reno v. Condon, 528 U.S. 141, 148, 151, 120 S. Ct. 666, 671, 672, 145 L. Ed. 2d 587 (2000) (holding that the sale or release of motorists’ information in interstate commerce was “sufficient to support congressional regulation” and that the DPPA does not require the states to enact any laws or regulations) and Zittel v. City of Gainesville, 2013 U.S. Dist. LEXIS 128209, at *1 (N.D. Fla. 2013) (upholding the DPPA’s constitutionality).
[324] Pub. L. No. 63-203, 38 Stat. 717, as amended and codified at 15 U.S.C. §§ 41-58 (2015).
[325] See 15 U.S.C. § 45(a) (2015).
[326] 15 U.S.C. § 45(a)(2) (2015).
[327] 10 F. Supp. 3d 602 (D. N.J. 2014).
[328] Id. at 610.
[329] Id. at 617, 619 (citation omitted).
[330] Id. at 612 (citation omitted) (internal quotation marks omitted).
[331] Id. at 619 (citation omitted).
[332] Id. at 621.
[333] Pub. L. No. 106-102, 113 Stat. 1338, codified at 15 U.S.C. § 6801 (2015).
[334] Lowe v. Viewpoint Bank, 972 F. Supp. 2d 947, 954, 961 (N.D. Tex. 2013). See also Dunmire v. Morgan Stanley, 475 F.3d 956 (8th Cir. 2007); Borninski v. Williamson, 2004 U.S. Dist. LEXIS 29407, at *1 (N.D. Tex. 2004); and Downs v. Regions Bank, 2010 U.S. Dist. LEXIS 6231, at *1 (M.D. Ala. 2010).
[335] Larry W. Thomas, How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations (Legal Research Digest No. 46, Transportation Research Board of the National Academies of Sciences, Engineering, and Medicine, 2014). (Digest also referencing the Electronic Communications Privacy Act, 18 U.S.C. §§ 2511(1)(a)-(b), Telecommunications Act, 47 U.S.C. §§ 222(a)-(c), Cable Communications Act, 47 U.S.C. § 551, Child Online Protection Act, 15 U.S.C. §§ 6501(4) and (8), Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801(a)-(b), Sarbanes-Oxley Act, 15 U.S.C. § 7262, and Fair Credit Reporting Act, 15 U.S.C. § 1681), available at http://onlinepubs.trb.org/onlinepubs/tcrp/tcrp_lrd_46.pdf (last accessed Oct. 12, 2015).
[336] Pub. L. No. 104-191, 110 Stat. 1936 (1996).
[337] Pub. L. No. 111-148, 124 Stat. 119-1025 (2010).
[338] Pub. L. No. 78-410, ch. 373, 58 Stat. 682 (1944).

24

Employee Retirement Income Security Act of 1974,[339] the Family Educational Rights and Privacy Act,[340] Medicare and Medicaid, and the Genetic Information Nondiscrimination Act.[341]

E. Proposed Federal Privacy Legislation

1. Geolocational Privacy and Surveillance Act

Introduced in the House on January 22, 2015, the Geolocational Privacy and Surveillance Act[342] would amend the federal criminal code to require a search warrant to acquire geolocational information.[343] Although there are exemptions (e.g., consent, emergency circumstances), the bill also would prohibit any person providing covered services from intentionally divulging geolocational information pertaining to another person and would prevent the use of such information as evidence. The bill has been assigned to the House Committee on the Judiciary, the Select Committee on Intelligence, and the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations. In January 2015, a bill with the same title that was introduced in the Senate was referred to the Committee on the Judiciary.[344]

2. Online Communication and Geolocation Protection Act

Introduced in the House on February 2, 2015, the Online Communication and Geolocation Protection Act (OCGPA) would prohibit “an officer, employee, or agency of the United States in the normal course of the official duty of the officer, employee, or agent to conduct electronic surveillance” without the consent of the individual under surveillance or pursuant to a warrant.[345] The OCGPA also would prohibit communications-related service providers from disclosing geolocational information to governmental entities.[346] The bill includes exceptions for electronic surveillance authorized by the Foreign Intelligence Surveillance Act of 1978[347] and for emergency responders or police officers acting in situations presenting an immediate danger of death or serious injury.[348] On March 17, 2015, the bill was referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.[349]

3. Driver Privacy Act

The proposed Driver Privacy Act (DPA), introduced in the Senate on March 17, 2015, would protect data recorded in a passenger vehicle’s event data recorder (EDR), regardless of when the vehicle was manufactured, by ascribing ownership of the data to the owner or lessee of the vehicle.[350] Under the DPA, EDR data would not be accessible by anyone other than the owner or lessee unless: 1) the data is required by court order; 2) the owner or lessee grants consent; 3) the data is obtained pursuant to an investigation by the National Transportation Safety Board or the USDOT; 4) the data is obtained “for the purpose of determining the need for, or facilitating, emergency medical response in response to a motor vehicle crash”; or 5) the data is obtained for traffic safety research and the owner’s or lessee’s identification is not disclosed.[351] After referral to the Committee on Commerce, Science, and Transportation, the Committee on March 25, 2015, sent the DPA to the Senate for its consideration.[352]

4. Biometric Information Privacy Act

Under the proposed Biometric Information Privacy Act (BIPA), although biometric information on an individual would have been available pursuant to a court order, it would have been a crime whenever a business entity, government entity, or individual fraudulently obtained or disclosed an individual’s biometric information.[353] Referred to the Subcommittee

[339] Pub. L. No. 93-406, 88 Stat. 829 (1974).
[340] Pub. L. No. 93-380, 88 Stat. 484 (1974).
[341] Pub. L. No. 110-233, 122 Stat. 881 (2008).
[342] Geolocational Privacy & Surveillance Act, H.R. 491, 114th Cong. (2015).
[343] An older version of the bill was previously introduced in the House in 2013 under the same title. See Geolocational Privacy & Surveillance Act, H.R. 1312, 113th Cong. (2013). It may be noted that the Location Privacy Protection Act of 2014 (LPPA), S. 2171, 113th Cong. (2014) would have made it presumptively illegal for nongovernment entities to collect an individual’s locational information absent consent. On March 27, 2014, the LPPA was referred to the Committee on the Judiciary. 113 Bill Tracking S. 2171, 133th Cong. (2014). On June 4, 2014, the Committee on the Judiciary Subcommittee on Privacy, Technology, and the Law held hearings on the proposed legislation. Id. The bill has not been introduced in the current session of Congress.
[344] Geolocational Privacy and Surveillance Act, S. 237, 114th Cong. (2015).
[345] Online Communications and Geolocation Protection Act, H.R. 656, 114th Cong. (2015).
[346] Id.
[347] Pub. L. No. 95-511, 92 Stat. 1783.
[348] CRS Bill Summary, H.R. 656, 114th Cong. (2015), available at Congress.gov (last accessed Oct. 12, 2015). On March 6, 2013, the bill was referred to the House Committee on the Judiciary and to the Committee on Intelligence. 113 Bill Tracking H.R. 983, 113th Cong. (2013).
[349] Online Communications and Geolocation Protection Act, H.R. 656 (114th Cong. (2015)).
[350] Driver Privacy Act of 2015, S.766, 114th Cong. (2015).
[351] Id. The DPA was first introduced in 2014. On September 15, 2014, the Committee on Commerce, Science and Transportation amended the DPA and placed the DPA on the Senate Legislative Calendar. 113 Bill Tracking S. 1925, 113th Cong. (2014).
[352] Id.
[353] Biometric Information Privacy Act, H.R. 4381 (2014).

on Crime, Terrorism, Homeland Security, and Investigations in April 2014, the bill has not been reintroduced in the current session of Congress.354

5. Transportation, Housing and Urban Development, and Related Agencies Appropriations Act

In 2014, an amendment to the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act would have prohibited the use of funds to mandate GPS tracking or EDRs in personal motor vehicles. The Senate version of the bill did not include a provision on GPS tracking.355 The final version of the bill, enacted as Public Law No. 113-235, prohibited the use of funds that would be made available under the Act to require GPS tracking in private passenger motor vehicles without providing “full and appropriate consideration of federal privacy concerns.”356

6. Commercial Privacy Bill of Rights Act

Introduced in the House on February 25, 2015, HR 1053 proposes to establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.357 The bill would amend the Children’s Online Privacy Protection Act of 1998 to “improve provisions relating to collection, use, and disclosure of personal information of children.”358 On February 24, 2015, the bill was referred to the House Committee on Energy and Commerce and thereafter on February 27, 2015, to the Subcommittee on Commerce, Manufacturing, and Trade. On February 24, 2015, an identical bill in the Senate was referred to the Senate Committee on Commerce, Science, and Transportation.359

7. Black Box Privacy Protection Act

The Black Box Privacy Protection Act would amend the Automobile Information Disclosure Act of 1958360 by requiring automobile manufacturers to disclose to consumers the installation of EDRs on new automobiles. Manufacturers would have to provide every consumer with an option to enable or disable the device prior to purchasing a vehicle. The bill also would prohibit the importation into the United States of an automobile manufactured after 2015 that is equipped with an EDR unless the consumer is given control over the recording capabilities.361 In May 2015, the bill was referred to the Subcommittee on Commerce, Manufacturing, and Trade.

8. Secure Data Act

The Secure Data Act of 2015 would prohibit a federal agency from requiring or requesting a manufacturer, seller, or developer of computer hardware, software, or an electronic device made available to the general public to design the security functions of their products in a way that would allow the surveillance of any user.362 The bill also would prohibit a requested or mandated physical search by a federal agency of such a product. The bill excludes acts of surveillance by law enforcement agencies authorized by the Communications Assistance for Law Enforcement Act.363 On March 16, 2015, the bill was referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.

F. Consumer Privacy Bill of Rights

In February 2012, the Obama Administration released a Consumer Privacy Bill of Rights (CPBR) that is directed at how companies handle and protect consumers’ data.364 The CPBR applies comprehensive, globally recognized Fair Information Practice Principles,365 stating, inter alia, that consumers have a right to exercise control over the kinds of personal data that companies collect on them and how they use it.366 The CPBR applies to the commercial uses of personal data, meaning any data, including aggregations of data, [that are] linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. For example, an identifier on a smart phone or family computer that is used to build a usage profile is personal data. This definition provides the flexibility that is necessary to capture the many kinds of data about consumers that commercial entities collect, use, and disclose.367

354 Biometric Information Privacy Act, 2013 Legis. Bill Hist. U.S. H.B. 4381, 113th Cong. (2013).

355 Transportation, Housing and Urban Development, and Related Agencies Appropriations Act of 2015, 2013 Legis. Bill Hist. U.S. H.B. 4745, 113th Cong. (2013).

356 Pub. L. No. 113-235, § 416 (2013–2014).

357 H.R. 1053, 114th Congress (2015). Short titles for portions of the bill include Commercial Privacy Bill of Rights Act of 2015 and Do Not Track Kids Act of 2015.

358 Id.

359 S. 547, 114th Congress (2015).

360 15 U.S.C. §§ 1231–1233 (2015).

361 Black Box Privacy Protection, H.R. 2526, 114th Cong. (2015).

362 Secure Data Act of 2015, H.R. 726, 114th Cong. (2015).

363 Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 U.S.C. 1001–1010 (1994).

364 The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (Feb.), available at: https://www.whitehouse.gov/sites/default/files/privacy-final.pdf (last accessed on Oct. 12, 2015).

365 See Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.

366 Id. at 1.

367 Id. at 10.


TRB's National Cooperative Highway Research Program (NCHRP) Legal Research Digest 71: Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public reviews the statutes, regulations, and common law regarding the release of data collected for transportation purposes. Included in this research are questions concerning the application of public records laws and the application of any constitutional, statutory, or common law privacy rights. The digest also researches and identifies statutes and common law dealing with the collection of data on the activities of the public, includes a literature search of topics addressing these issues, and also includes a search of state and federal laws focusing on this and similar topics.

Appendixes A through D provide background on the research effort.
