All posts by Davi Ottenheimer

CA SB1268 Locational Privacy Law

A bill called the “FasTrak Privacy Bill” has been signed into law by the California Governor. It was authored by State Senator Joe Simitian.

Senate Bill 1268 protects “locational privacy,” a person’s right not to be tracked while driving, in the following ways:
— Prohibits transportation agencies from selling or sharing personal data;
— Requires them to purge the data when it is no longer needed;
— Sets penalties for violations; and,
— Ensures that FasTrak subscribers are given notice of the privacy practices affecting them.

“There’s just no reason for a government agency to track the movements of Californians, let alone maintain that information in a database forever and ever,” said Simitian.

This is a great idea and nicely worded, but I see a couple of ways companies might try to get around this law. First, the data may not be clearly owned by the transportation agency. FasTrak data is agency-specific, but cell phone and Bluetooth data, both of which are also tracked and recorded as location data, are not. If an entity is not under contract with a transportation agency, it is excluded. The transportation agency can be just one consumer of the data rather than the clear steward or owner. Second, this is complicated by cloud and similar shared data environments with multiple tenants working on “traffic congestion” and “interoperability” projects.

The bill has a “fact sheet” that helps clarify the final text. Note the exception for search warrants:

A transportation agency may make personally identifiable information of a person available to a law enforcement agency only pursuant to a search warrant. Absent a provision in the search warrant to the contrary, the law enforcement agency shall immediately, but in any event within no more than five days, notify the person that his or her records have been obtained and shall provide the person with a copy of the search warrant and the identity of the law enforcement agency or peace officer to whom the records were provided.

The retention period says personal information other than billing data has to be purged within six months after the billing cycle ends, and all information has to be purged within 150 days after an account is closed.

Penalty for violating location privacy is set at “actual damages” or $2,500 for the first three violations; $4,000 for each violation after that as well as cost recovery including attorney’s fees.

US Apology for Syphilis in Guatemala

Reuters points to research done by Susan Reverby, professor of women’s studies at Wellesley College in Massachusetts. She contacted the US Government and notified them, which led to a formal statement on the syphilis infection in Guatemala that she uncovered.

The United States apologized on Friday for an experiment conducted in the 1940s in which U.S. government researchers deliberately infected Guatemalan prison inmates, women and mental patients with syphilis.

In the experiment, aimed at testing the then-new drug penicillin, inmates were infected by prostitutes and later treated with the antibiotic.

They sent prostitutes into the prison?

I am reminded of an elderly man I met many years ago who said he was a pacifist and conscientious objector in New York City during WWII. He told me being opposed to war at that time meant he was arrested and put in jail on an island just outside the city. While in jail he was regularly injected with what he thought were “experimental” drugs. Actually, the really scary part of the story is that security was so lax he and other prisoners would sneak out at night and go party all night in the city. Whatever he was injected with was not isolated. Perhaps that was not by accident.

Canada Cloud Privacy

The Canada Cloud blog asks, “Would you trust a Canadian, with your Cloud Data?”

Alongside an image of the Mounted Police and a sled dog, they speak of “global expansion”:

..it is a very, very fertile area for new business start-up development, and is a key focus area for us as part of this Canadian Cloud initiative.

Canada also actually does have significant assets in the Cloud computing field, especially within this critical area of Cloud Data Privacy, and these provide a foundation for global expansion. Our primary activity to launch the network is to begin building an innovation portfolio around this cluster, aligning it to key markets like the USA and Europe.

For example on 19-Aug 2010, the Web 2.0/Cloud Computing Subcommittee of the American CIO.gov team published ‘USA’s Government Cloud Outsourcing Guide (11-page PDF), explaining how agencies can safely outsource to Cloud providers, focusing particularly on the aspect of privacy and how it can be protected through implementation of various best practices, like the NIST series, and it concludes with the recommendation:

“Private cloud vendors should be aware of these publicly published controls and should offer them as enhancements.”

French Vineyard Goes Missing

The entire Cabernet Sauvignon vineyard has disappeared.

Thieves in France have broken into a vineyard and stolen an entire crop of Cabernet Sauvignon grapes, say police.

They struck in Villeneuve-les-Beziers on Sunday night, taking advantage of a full moon and using a harvesting machine to seize 30 tonnes of the crop.

I see. No one noticed a harvesting machine working through 30 tons under the full moon.