Utah's Governor Gary Herbert is expected to sign a privacy bill in the next few days following unanimous approval in the state's legislature. This bill is particularly interesting (at least to privacy law geeks like you and me) for two reasons:
First, this bill diverges from the general trend. The bill's primary effect is to limit law enforcement's access to electronic data. (The general trend in the United States over the past two decades has been to grant law enforcement greater access to electronic data while gradually restricting data access and sharing in the private sector.) In the United States, law enforcement agencies are generally permitted to access data that is shared with a third party without a warrant, if the third party (not the individual data subject) consents. Many of the large custodians of consumer data routinely grant access to government agencies without demanding a warrant. The U.S. Constitution's 4th Amendment, which prohibits unreasonable searches and seizures, generally has not been applied to information in the custody of a third party.The bill, titled simply "The Electronic Information or Data Privacy Act,"
Second, bills like this could eventually make trans-Atlantic data transfers easier. One of the primary sources of tension in the context of cross-border personal data transfers is the difference between the U.S. government's relatively easy access to these data repositories without strict procedural protections versus the European Union's General Data Protection Legislation, which calls for strong protections around consumer data. If other states, or the federal government, follow Utah's lead, the U.S. could move closer to becoming a jurisdiction with "adequate" privacy protections, for purposes of the GDPR.
- makes clear that the "owner" of data is the individual who transmits electronic information or data;
- requires, with some exceptions, a search warrant to obtain certain electronic information or data in the custody of a third-party (other than the owner);
- requires, with some exceptions, notification that electronic information or data was obtained;
- provides for transmission of electronic information or data to a remote computing service, including restrictions on government entities;
- excludes from evidence certain electronic information or data obtained without a warrant;
- defines and re-defines certain terms; and
- makes some technical and conforming changes.
You can read the bill's full text for yourself here.