Utah Creates Personal Privacy Oversight Committee

By Mary Pieper

The Utah House of Representatives passed a bill last week to regulate the use of surveillance and data-collection technology by government entities or their contractors. 

If signed by Republican Gov. Spencer Fox, the legislation would establish two personal privacy officer positions, one appointed by Fox and the other by State Auditor John Dougall, also a Republican, as well as a privacy oversight commission. 

The bill, sponsored by House Majority Leader Frank Gibson, R-Mapleton, may be the first of its kind in the nation.

The House passed the legislation March 4 on a unanimous procedural vote after the Utah Senate approved it earlier in the day.

According to the bill, known as H.B. 243, any Utah governmental agency, whether on the state or local level, that uses technology for personal data-collection or contracts with a company to do so is subject to privacy testing, Gibson told Digital Privacy News. 

If personal identifying information is at risk or a contract with an outside vendor doesn’t maintain the safety of the information, the contract would be terminated or rectified.

“We live in a world currently where information is king,” Gibson said. “And unfortunately, our personal, private identifying data or information gets into the hands of the wrong people.”

Cameras are tracking where people are going — and social media sites are being trolled to see what individuals are saying and doing, he added.

“Our personal, private identifying data or information gets into the hands of the wrong people.” 

Utah House Majority Leader Frank Gibson.

Although Gibson believes crimes like mass shootings can be prevented when these methods are used in predictive policing, “I worry about the abuse that could happen.”

People shouldn’t be profiled, he said, because of their ethnic background, socioeconomic status or the neighborhood where they live. 

“I live in ——- America, where you are innocent until proven guilty,” Gibson told Digital Privacy News.

ACLU Weighs In

Marina Lowe, legislative and policy council with the American Civil Liberties Union of Utah, said the legislation was a response to government entities entering into contracts that used the technology in the name of solving crimes.

If the bill becomes law, it would provide “a mechanism so these sorts of engagements with technology companies can be halted,” she said.

The legislation also would “provide an opportunity for a thorough, deep dive — specifically looking at how privacy has been violated or is likely to be violated — and how that technology can be used moving forward,” Lowe said.

In the summer of 2019, Utah contracted with Banjo, a tech surveillance company in Park City, to gather huge amounts of data from multiple sources — including surveillance cameras, 911 calls and social media sites. 

Company officials claimed the data could help law enforcement prevent school shootings and other crimes and increase first-responder response times.

But Lowe told Digital Privacy News: “A lot of people had concerns about what Banjo would do — and there really wasn’t an opportunity for the public to weigh in or feel like their rights were being protected.”

Contract Suspended

Last April, GOP State Attorney Sean Reyes said the state had suspended Banjo’s services after news reports that the company’s founder, Damien Patton, had connections to a white supremacy group as a teen and was involved in a shooting at a synagogue at the time.

Reyes also pledged to implement a third-party audit and a committee to address issues like data privacy and possible bias.

The bill would “provide an opportunity for a thorough, deep dive — specifically looking at how privacy has been violated or is likely to be violated.” 

Marina Lowe, Utah ACLU.

“This is sort of the unicorn bill,” Gibson said. “The only people who aren’t on board are the state agencies — the ones I’m trying to protect citizens from.

“It’s meant to be disruptive,” the seven-term representative continued. “If the everyday citizen is going to give you information on themselves, for whatever service it may be, then it’s incumbent upon you to make sure you maintain that privacy.”

‘Enough Bandwidth’

Hayley Tsukayama, legislative activist for the Electronic Frontier Foundation, told Digital Privacy News that she had not personally seen another state bill exactly like H.B. 243 — but that across the country, “there is a sort of growing interest in having a dedicated privacy regulator or agency.

“I definitely applaud the effort and the thought that goes into setting up a dedicated person, a dedicated committee.”

Regarding Utah’s legislation, “I like that they have given clearly good thought to the makeup of the committee,” Tsukayama said.

She does have concerns, however, about whether governmental agencies have enough staff to handle privacy regulation, particularly in smaller states. 

“At EFF, we are pretty agnostic about where regulation falls in privacy protections and violations,” Tsukayama told Digital Privacy News. “We just want to make sure that there is enough bandwidth.”

California’s Prop 24

In November, California voters approved Proposition 24, which reinforces and redefines portions of the 2019 California Consumer Privacy Act (CCPA).  

After lawmakers approved CCPA, the state attorney general’s office said it lacked the staffing to enforce it. Prop 24 established of a state privacy-protection agency.  

EFF neither supported nor opposed the ballot measure. Tsukayama coauthored a foundation report last July on Prop 24.

“Prop 24 does not empower consumers to sue businesses that violate their privacy rights,” the report said. “Without effective enforcement, a law is just a piece of paper.”

Generally, Tsukayama said, EFF supports consumers suing companies that violate their privacy without having to go through an intermediary. 

“It very much democratizes privacy regulations,” she said. 

“I like that they have given clearly good thought to the makeup of the committee.” 

Hayley Tsukayama, Electronic Frontier Foundation.

However, that state lawmakers across the country are discussing data privacy is encouraging, Tsukayama noted.

Last week, Virginia became the second state to pass a law requiring some companies to allow consumers to opt out of data collection. The Consumer Data Protection Act, signed into law March 2 by Democratic Gov. Ralph Northam, mirrors CCPA.

A similar bill was introduced in the Utah Senate, but it failed last week. 

In Colorado, lawmakers are drafting legislation to ban the state’s motor vehicle department from selling drivers’ private data.  

“Privacy concerns are growing,” Tsukayama told Digital Privacy News.

“Constituents are letting their legislators know that they are not comfortable with the way privacy is in this country and that they would like to see more focus and attention given to it.”

Mary Pieper is an Iowa writer. 

Who Would Serve?

Utah’s H.B. 243 would allow Gov. Spencer Fox, State Auditor John Dougall and Attorney General Sean Reyes, all Republicans, to appoint its 12 members.

The governor would name:

  • One member who, at the time of the appointment, provides internet technology services for a county or municipality.
  • One member with experience in cybersecurity.
  • One member representing private industry in technology. 
  • One member representing law enforcement.
  • One member with experience in data-privacy law.

The state auditor would appoint:

  • One member with experience in internet-technology services.
  • One member with experience in cybersecurity. 
  • One member representing private industry in technology.
  • One member with experience in data-privacy law.
  • One member with experience in civil-liberties law or policy and with “specific experience in identifying the disparate impacts of the use of a technology or a policy on different populations.”

The attorney general would select:

  • One member with experience as a prosecutor or appellate attorney and with experience in civil-liberties law.
  • One member representing law enforcement.

— Mary Pieper