
Thursday, May 20, 2010

I Am a Federal Privacy Law. As Yet I Have No Name...

While Japan was enjoying a Golden Week blessed with fine weather,
the discussion draft of the Omnibus Federal Privacy Law, which the U.S. has begun considering, was released.

I'm not a lawyer, so what surprised me first, before the content itself, was the transparency of the legislative process.
Publishing the material from the discussion-paper stage onward is impressive.

The material is on Representative Rick Boucher's website.

BOUCHER, STEARNS RELEASE DISCUSSION DRAFT OF PRIVACY LEGISLATION

Then, wondering why a document published this openly has such a hard-to-read layout...
it turns out it is written in XML.
In the discussion stage, terminology often changes two or three times,
and as the document is updated over the course of deliberations old terms easily get mixed in,
but using XML seems to make such inconsistencies easier to prevent.

As for the substance, the full text of the Staff Discussion Draft can be viewed at the link at the bottom of the page.

That said, the raw XML output is so hard to read that I reformatted it with indentation.


Now, to the main topic.
I have written the points that caught my attention between the lines.

Taken as a whole, it looks like they prepared by studying the laws of countries that already have such legislation.
For Japan, there are even things here that could serve as material for amending the domestic Act on the Protection of Personal Information.




Formatting in the text below:

Blue text: headings

Italics: defined terms

Red text: Sato's comments (mainly on differences from domestic law)

Yellow highlight: Sato's comments (opinions on this bill)

 

[STAFF DISCUSSION DRAFT]

 

MAY 3, 2010

 

To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.

 

A BILL

 

 

To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.

 

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

 

SECTION 1. SHORT TITLE.

 

This Act may be cited as [To be provided].

→ It still has no name. (laughs)

 

SEC. 2. DEFINITIONS.

 

In this Act the following definitions apply:

(1) ADVERTISEMENT NETWORK. - The term “advertisement network” means an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.

Used in SEC. 3(e)(3)

(2) AGGREGATE INFORMATION. - The term “aggregate information” means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

Used to specify the scope of the exclusion in SEC. 5

(3) COMMISSION. - The term “Commission” means the Federal Trade Commission.

(4) COVERED ENTITY. - The term “covered entity” -

(A) means a person engaged in interstate commerce that collects data containing covered information; and

(B) does not include -

(i) a government agency; or

(ii) any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.

→ Excluded if collecting from fewer than 5,000 individuals... a number I've seen somewhere before (laughs)

However, explicitly stating the period of the past 12 months is an improvement.

Also, sensitive information is excluded from this headcount floor.

Indeed, it is odd that under domestic law even sensitive information falls outside the scope if only a small number of records are collected...

On the other hand, domestic law speaks of the "number held", whereas here the wording is "collect".

Elsewhere "collect" is used in the sense of an act rather than a state, so wouldn't a term corresponding to "hold" be more appropriate?

(5) COVERED INFORMATION. - The term “covered information” means, with respect to an individual, any of the following:

→ Defining it as "covered information" is good.

When a common noun like "personal information" is defined in statutory text, as in domestic law, in-house training easily confuses "personal information" as a defined term with personal information in the everyday sense, which leads to misunderstandings.

(A) The first name or initial and last name.

→ Even if the first name is reduced to an initial, it is covered as long as the last name is present.

In Japan's case, I suppose that means the family name alone, out of a full name, would be covered.

(B) A postal address.

(C) A telephone or fax number.

(D) An email address.

→ An email address is covered unconditionally.

Domestically there is an interpretation that it counts if the name can be discerned from the address, but covering it unconditionally is remarkable.

(E) Unique biometric data, including a fingerprint or retina scan.

(F) A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.

(G) A Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

Even though limited to those used to access a financial account, passwords are included as covered information too.

From a personal-information perspective this is odd, but since they obviously should be protected as a practical security measure, it is realistic.

Now that it is mentioned, under domestic law an email-address/password pair registered with a financial institution that does not itself qualify as personal information is not protected...

Here, because it is defined as "covered information" rather than "personal information", it can be defined without being bound by the scope of so-called personal information, which is good.

However, given the intent of including this, rather than limiting the latter half, "any required security code, access code, or password", to financial accounts, it might be better to make them an independent item and tie them to sensitive information.

(H) Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.

It includes IP addresses and other unique numbers.

Beyond directly identifying a person, devices or software that a person uses are covered.

(I) A preference profile.

→ "Preference profile" is included as covered information and then defined in (8).

(J) Any other information that is collected, stored, used, or disclosed in connection with any covered information described in subparagraphs  (A) through (I).

→ Is this what has until now been called "linkable" information?

If so, since the phrasing is "in connection with", perhaps it is limited not to linkable but to the narrower "linked".

(6) FIRST PARTY TRANSACTION. - The term “first party transaction” means an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

→ It is good that they define first-party and subsequent transactions separately.

Within our company, the Japanese entities have defined the in-house terms "primary acquisition" and "secondary acquisition" and use them in internal training.

I just realized that "secondary acquisition" may not have been accurate... since it includes third-hand and beyond.

I'll have to fix the internal materials (wry laugh).

(7) OPERATIONAL PURPOSE. -

→ Under domestic law this corresponds roughly to the "exemptions" in Article 18(4).

It is more specific than domestic law, and defining it as a form of use rather than only in the context of the purpose of use is a great help in practice.

This term is used for the scope of SEC. 3(a)(5).

Explicitly stating what is covered in (A) and what is excluded in (B), as below, makes it very easy to work with.

(A) IN GENERAL - The term “operational purpose” means a purpose reasonably necessary for the operation of the covered entity, including –

→ It generalizes with wording corresponding to Article 18(4)(iv) of the domestic law ("cases in which the purpose of use is deemed clear from the circumstances of acquisition"), and then enumerates as follows.

(i) providing, operating, or improving a product or service used, requested, or authorized by an individual;

(ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud;

(iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations;

(iv) carrying out an employment relationship with an individual;

(v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and

(vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.

→ This (vi) is also good.

Domestic law takes entrusted parties (contractors) into account, whereas this includes parent and controlled-subsidiary companies and affiliates.

Domestic law can also be operated through joint use, but placing it in the Operational Purpose context like this seems easier to handle in practice.

On top of that, it includes those under common control ("under common control" / "under a common or substantially similar set of internal policies and procedures").

Domestic law treats it as acceptable if the recipient is an entrusted party and then manages the entrustment, but I think being "under common management" like this is a necessary requirement.

Because domestic law does not spell this out, you get the situation where the entrusting party blindly demands ISMS or PrivacyMark certification, which ends up placing things under the risk-management system run by the contractor.

However, it is a pity that they do not define a collective term for these.

I'll explain why under the definition of "(13) UNAFFILIATED PARTY" below.

(B) EXCLUSION - Such term shall not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

(8) PREFERENCE PROFILE. - The term “preference profile” means a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

→ Not only direct opt-in/opt-out status, but cookies and web beacons would seem to fall under this too.

(9) RENDER ANONYMOUS. - The term “render anonymous” means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify -

→ Properly distinguishing (A) and (B) below follows the same model as the definition in (5)(H).

Spelling it out like this rather than leaving it to interpretation prevents the situation where businesses that interpret it correctly lose out while those that ignore it without interpreting it correctly gain, which I think is good.

(A) the specific individual to whom such covered information relates; or

(B) a computer or device owned or used by a particular user.

(10) SENSITIVE INFORMATION. - The term “sensitive information” means any information that is associated with covered information of an individual and relates to that individual’s -

(A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;

(B) race or ethnicity;

(C) religious beliefs;

(D) sexual orientation;

(E) financial records and other financial information associated with a financial account, including balances and other financial information; or

(F) precise geolocation information.

→ Is this (F) new?...

(11) SERVICE PROVIDER. - The term “service provider” means an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.

→ They are properly accommodating the European definition... which is important for the U.S.

(12) TRANSACTIONAL PURPOSE. - The term “transactional purpose” means a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

→ This too we had defined in-house as "business communications", in relation to Article 18(4)(iv), to keep training explanations concise, so it helps that the term is now clear in law as well.

This term is used for the scope of SEC. 3(a)(5).

(13) UNAFFILIATED PARTY. - The term “unaffiliated party” means any entity that is not related by common ownership or affiliated by corporate control with a covered entity.

Presumably this refers to everything other than (7)(A)(vi).

In that case, since (7)(A)(vi) is the set "parent company + controlled subsidiary + affiliate + other covered entity under common control", using "unaffiliated", the complement of "affiliated", which is only one element of that set, seems likely to cause misunderstanding.

So it might be better, and more intuitive terminology, to define the (7)(A)(vi) set as, say, "controlled entity", and to use its complement, "uncontrolled entity" or "uncontrolled party", here.

 

SEC. 3. NOTICE AND CONSENT REQUIREMENTS FOR THE COLLECTION, USE, AND DISCLOSURE OF COVERED INFORMATION.

 

(a) NOTICE AND CONSENT PRIOR TO COLLECTION AND USE OF COVERED INFORMATION. -

(1) IN GENERAL. - A covered entity shall not collect, use, or disclose covered information from or about an individual for any purpose unless such covered entity -

"shall not" - nice (laughs)

Whereas domestic law says "when personal information has been acquired, ~ must be done", this says "unless ~ is done, covered information must not be collected, used, or disclosed for any purpose"; the intent is the same, but the latter looks more directly quotable in in-house training.

(A) makes available to such individual the privacy notice described in paragraph (2) prior to the collection of any covered information; and

Because it says "prior to", it is limited to "in advance", not the domestic law's "promptly".

(B) obtains the consent of the individual to such collection as set forth in paragraph (3).

→ Opt-in.

(2) NOTICE REQUIREMENTS. -

(A) NATURE OF NOTICE. -

(i) COLLECTION OF INFORMATION THROUGH THE INTERNET - If the covered entity collects covered information through the Internet, the privacy notice required by this section shall be -

(I) posted clearly and conspicuously on the website of such covered entity through which the covered information is collected; and

→ What domestic law calls notification (posted clearly) and public announcement (conspicuously on the website) are both required, joined by "and" rather than "or".

(II) accessible through a direct link from the Internet homepage of the covered entity.

→ One click from the homepage, so the requirement is clear.

(ii) MANUAL COLLECTION OF INFORMATION BY MEANS OTHER THAN THROUGH THE INTERNET. - If the covered entity collects covered information by any means that does not utilize the Internet, the privacy notice required by this section shall be made available to an individual in writing before the covered entity collects any covered information from that individual.

→ This one also says "before", limiting it to "in advance".

(B) REQUIRED INFORMATION. - The privacy notice required under paragraph (1) shall include the following information:

→ Specifically set out, as follows.

(i) The identity of the covered entity collecting the covered information.

(ii) A description of any covered information collected by the covered entity.

(iii) How the covered entity collects covered information.

(iv) The specific purposes for which the covered entity collects and uses covered information.

(v) How the covered entity stores covered information.

→ Storage method

(vi) How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties.

How information obtained from unaffiliated parties is merged, linked, and combined... certainly important, but specifying this in advance looks hard for companies.

Hard, but something that has to be done.

(vii) How long the covered entity retains covered information in identifiable form.

→ Retention period

(viii) How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period.

→ Disposal or anonymization method

(ix) The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose.

→ The purposes for disclosure and, for each purpose, what kind of unaffiliated parties it goes to.

Limiting unaffiliated parties to categories (lines of business) is realistic and good.

Identifying company names in advance would be unrealistic.

(x) The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information, in accordance with this section.

→ Corresponds to the prohibition on third-party provision under domestic law.

Allowing the restriction to be specified at multiple levels is realistic.

(xi) The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity in accordance with this section.

→ I suppose this corresponds to the disclosure procedure under domestic law.

(xii) A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information.

→ Corresponds to complaint handling under domestic law.

(xiii) The process by which the covered entity notifies individuals of material changes to its privacy notice in accordance with paragraph (4).

→ This is the method of notifying changes, but since (4) actually requires opt-in, it amounts to the opt-in method.

(xiv) A hyperlink to or a listing of the Commission’s online consumer complaint form or the toll-free telephone number for the Commission’s Consumer Response Center.

→ This is the contact information, but it is limited to means that can be reached free of charge.

Otherwise inquiries end up at unrelated toll-free lines or email desks, so I think this is a surprisingly important point in practice.

(xv) The effective date of the privacy notice.

(3) OPT-OUT CONSENT REQUIREMENTS. -

(A) OPT-OUT NATURE OF CONSENT. - A covered entity shall be considered to have the consent of an individual for the collection and use of covered information relating to that individual if -

(i) the covered entity has provided to the individual a clear statement containing the information required under paragraph (2)(B) and informing the individual that he or she has the right to decline consent to such collection and use; and

(ii) the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual. If an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.

(B) ADDITIONAL OPTIONS AVAILABLE. - A covered entity may comply with this subsection by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

→ Hmm? I don't quite follow the meaning here...

(4) NOTICE AND CONSENT TO MATERIAL CHANGE IN PRIVACY POLICIES. - A covered entity shall provide the privacy notice required by paragraph (2) and obtain the express affirmative consent of the individual prior to –

→ On changes, it is "prior" opt-in.

But unless consent is obtained in proportion to the degree of change, getting prior consent for everything seems quite burdensome.

(A) making a material change in privacy practices governing previously collected covered information from that individual; or

(B) disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.

(5) EXEMPTION FOR A TRANSACTIONAL PURPOSE OR AN OPERATIONAL PURPOSE. -

(A) EXEMPTION FROM NOTICE REQUIREMENTS. - The notice requirements in this sub-section shall not apply to covered information that –

→ Sets out exemptions from the purpose-of-use notice.

(i) is collected by any means that does not utilize the Internet, as described in paragraph (2)(A)(ii); and

(ii)

(I) is collected for a transactional purpose or an operational purpose; or

(II) consists solely of information described in subparagraphs (A) through (D) of section 2(5) and is part of a first party transaction.

(B) EXEMPTION FROM CONSENT REQUIREMENTS. - The consent requirements of this subsection shall not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose, but shall apply to the collection by a covered entity of covered information for marketing, advertising, or selling, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

→ Sets out exemptions from opt-in.

Naturally, marketing, advertising, or selling, or disclosure of covered information to an unaffiliated party for such purposes, remain subject to opt-in.

(b) EXPRESS CONSENT REQUIRED FOR DISCLOSURE OF COVERED INFORMATION TO UNAFFILIATED PARTIES. –

→ Corresponds to opt-in for third-party provision under domestic law.

(1) IN GENERAL. - A covered entity may not sell, share, or otherwise disclose covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.

→ At first glance it states the obvious, but the scope of the final "relates" is ambiguous.

If preference profiles as defined in SEC. 2(8) are included, cookies and web beacons would be covered too, and managing this even for unaffiliated parties looks quite burdensome.

Also, for "first obtaining" in the text, it would be nice if they could make good use of the defined term "first party transaction".

(2) WITHDRAWAL OF CONSENT. - A covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.

→ "Without charge" explicitly states that it is free of charge.

The expression "express affirmative consent" appears in the text; the difference between cases where "express" precedes "consent" and where it does not, and likewise the presence or absence of "affirmative", should be defined.

(3) EXEMPTION FOR CERTAIN INFORMATION SHARING WITH SERVICE PROVIDERS. - The consent requirements of this subsection shall not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if –

→ If "controlled entity" were defined, it could be used in places like this.

(A) the covered entity has obtained consent for the collection of covered information pursuant to subsection (a); and

(B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.

(c) EXPRESS CONSENT FOR COLLECTION OR DISCLOSURE OF SENSITIVE INFORMATION. - A covered entity shall not collect or disclose sensitive information from or about an individual for any purpose unless such covered entity

→ For sensitive information, a separate opt-in distinct from the others is explicitly stated.

With this distinction, and since the following (d) also requires opt-in for online activity, handling sensitive information online will require a double opt-in.

Looking at the content, they are accommodating European requirements.

(1) makes available to such individual the privacy notice described in subsection (a)(2) prior to the collection of any sensitive information; and

(2) obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.

(d) EXPRESS CONSENT FOR COLLECTION OR DISCLOSURE OF ALL OR SUBSTANTIALLY ALL OF AN INDIVIDUAL’S ONLINE ACTIVITY. - A covered entity shall not collect or disclose covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity -

(1) makes available to such individual the privacy notice described in subsection (a)(2) prior to the collection of the covered information about all or substantially all of the individual’s online activity; and

(2) obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.

(e) EXCEPTION FOR INDIVIDUAL MANAGED PREFERENCE PROFILES. - Notwithstanding subsection (b), a covered entity may collect, use, and disclose covered information if –

→ Is "notwithstanding" commonly used in legal writing?... This is the first time I've seen it; can it be pronounced with a break in the middle?

(1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby, the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by -

(A) website interactions on the covered entity’s website or a website where the preference profile is being used;

(B) a toll-free phone number; or

(C) letter to an address provided by the covered entity;

(2) the covered entity deletes or renders anonymous any covered information not later than 18 months after the date the covered information is first collected;

→ Within 18 months; the context differs from domestic law, but it is longer than the "less than 6 months" for retained personal data.

However, (1) through (4) are AND conditions, so it is reasonably limited.

(3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that –

→ Does "symbol or seal" refer to certification by a third-party body?...

If so, a wording or definition that makes that clear is needed.

(A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual’s preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and

Managed using a preference profile, and

(B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and

The individual must be able to review and update the preference profile.

(4) an advertisement network to which a covered entity discloses covered information under this subsection does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.

 

SEC. 4. ACCURACY AND SECURITY OF COVERED INFORMATION AND CONSUMER EDUCATION CAMPAIGN.

 

→ Is this section going to be fleshed out from here?

For example, it does not touch on notifying individuals when an incident such as a data leak occurs.

At the least, the section title could be separated from CONSUMER EDUCATION CAMPAIGN.

The body text below also variously lists security, integrity, and confidentiality, or just security and integrity, or says "protecting information"; I suppose this will be finished up going forward.

(a) ACCURACY. - Each covered entity shall establish reasonable procedures to assure the accuracy of the covered information it collects.

(b) SECURITY OF COVERED INFORMATION. -

(1) IN GENERAL. - A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the Commission determines are necessary to –

(A) ensure the security, integrity, and confidentiality of such information;

(B) protect against anticipated threats or hazards to the security or integrity of such information;

(C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and

(D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.

(2) FACTORS FOR APPROPRIATE SAFEGUARDS. - In developing standards to carry out this section, the Commission shall consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards.

(c) CONSUMER EDUCATION. - The Commission shall conduct a consumer education campaign to educate the public regarding opt-out and opt-in consent rights afforded by this Act.

 

SEC. 5. USE OF AGGREGATE OR ANONYMOUS INFORMATION.

 

Nothing in this Act shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

→ Explicitly excludes aggregate (statistical) and anonymized information.

 

SEC. 6. USE OF LOCATION-BASED INFORMATION.

 

→ What would this correspond to domestically, I wonder?

(a) IN GENERAL. - Except as provided in section 222(d) of the Communications Act of 1934 (47 U.S.C. 222(d)), any provider of a product or service that uses location-based information shall not disclose such location-based information concerning the user of such product or service without that user’s express opt-in consent. A user’s express opt-in consent to an application provider that relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection.

(b) AMENDMENT. - Section 222(h) of the Communications Act of 1934 (47 U.S.C. 222(h)) is amended by adding at the end the following: “(8) CALL LOCATION INFORMATION - The term ‘call location information’ means any location-based information.”

 

SEC. 7. FEDERAL COMMUNICATIONS COMMISSION REPORT.

 

Not later than 1 year after the date of enactment of this Act, the Federal Communications Commission shall transmit a report to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate describing -

(1) all provisions of United States communications law, including provisions in the Communications Act of 1934, that address subscriber privacy; and

(2) how those provisions may be harmonized with the provisions of this Act to create a consistent regulatory regime for covered entities and individuals.

 

SEC. 8. ENFORCEMENT.

 

(a) ENFORCEMENT BY THE FEDERAL TRADE COMMISSION. -

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES. - A violation of this Act shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

Using the FTC's existing supervisory framework... (continued below)

(2) POWERS OF COMMISSION. - The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Notwithstanding any provision of the Federal Trade Commission Act or any other provision of law and solely for purposes of this Act, common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and any amendment thereto shall be subject to the jurisdiction of the Commission.

(3) RULEMAKING AUTHORITY AND LIMITATION. - The Commission may, in accordance with section 553 of title 5, United States Code, issue such regulations it determines to be necessary to carry out this Act. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

This suggests the FTC may establish new rules for this Act.

(b) ENFORCEMENT BY STATE ATTORNEYS GENERAL. -

(1) CIVIL ACTION. - In any case in which the attorney general of a State, or agency of a State having consumer protection responsibilities, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates this Act, the attorney general or such agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to –

→ State governments can take civil action against businesses on behalf of the victims, and the FTC can mediate.

From Japan's perspective this is strict, but it is commonly seen in U.S. consumer-protection laws, so within the U.S. it probably isn't considered especially strict.

(A) enjoin further violation of such section by the defendant;

(B) compel compliance with such section;

(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other relief as the court may consider appropriate.

(2) INTERVENTION BY THE FTC. -

(A) NOTICE AND INTERVENTION. - The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right -

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING. - If the Commission has instituted a civil action for violation of this Act, no State attorney general or agency of a State may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.

(3) CONSTRUCTION. - For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to -

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or the production of documentary and other evidence.

 

SEC. 9. NO PRIVATE RIGHT OF ACTION.

 

This Act may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).

Explicitly states that it does not provide a private right of action.

 

SEC. 10. PREEMPTION.

 

This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information.

 

SEC. 11. EFFECT ON OTHER LAWS.

 

(a) APPLICATION OF OTHER FEDERAL PRIVACY LAWS. - Except as provided expressly in this Act, this Act shall have no effect on activities covered by the following:

(1) Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).

(2) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(3) The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

(4) Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.).

(5) The Communications Act of 1934 (47 U.S.C. 151 et seq.).

(6) The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).

(7) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).

(b) COMMISSION AUTHORITY. - Nothing contained in this Act shall be construed to limit authority provided to the Commission under any other law.

 

SEC. 12. EFFECTIVE DATE.

 

Unless otherwise specified, this Act shall apply to the collection, use, or disclosure of, and other actions with respect to, covered information that occurs on or after the date that is one year after the date of enactment of this Act.

→ A one-year grace period before it takes effect.

 



Comments

Many thanks... this is very helpful.

Posted by: 丸山満彦 | 2010/05/20 17:57:56
