(Update 1: Included link and excerpt from Rep. Sargent's Op-Ed when the bill was introduced, and further comments - to provide some context)
Governor Scott Walker of Wisconsin signed 62 bills into law today, including SB223 (relating to social media privacy) and SB367 (revenge porn).
A full list of the bills he signed can be found here: At a glance: List of 62 bills Gov. Walker signed, and regarding the two bills mentioned above:
Senate Bill 223 – prohibits employers, educational institutions and landlords from requesting or requiring passwords or other protected access to personal internet accounts of students, employees, and tenants. Viewing, accessing and using information from internet accounts, including social media, in the public domain is allowed. Senator Glenn Grothman (R-West Bend) and Representative Garey Bies (R-Sister Bay) authored the bill which unanimously passed the Senate and passed the Assembly on a voice vote; it is Act 208.
Senate Bill 367 – modernizes Wisconsin’s law relating to disseminating private images and expands protections for victims who have their private images distributed without their consent. Senator Leah Vukmir (R-Wauwatosa) and Representative John Spiros (R-Marshfield) authored the bill which passed both the Senate and the Assembly on a voice vote; it is Act 243.I criticized the original revenge porn bill proposal in Wisconsin (see: Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks ); specifically, I labeled the original proposal as overbroad because the bill did not include a scienter requirement. In the final bill, after a substitute amendment was adopted, the statutory text has been narrowed with just such a requirement. The bill signed into law requires "knowledge":
942.09 (3m) (a) Whoever does any of the following is guilty of a Class A misdemeanor:
1. Posts, publishes, or causes to be posted or published, a private representation if the actor knows that the person depicted does not consent to the posting or publication of the private representation.
2. Posts, publishes, or causes to be posted or published, a depiction of a person that he or she knows is a private representation, without the consent of the person depicted.The social media privacy bill signed by the governor will surely be lauded by privacy advocates as a win for individual autonomy (and freedom from employer/educational institution snooping). But, I find the exceptions to the bill much more intriguing and noteworthy than the protections most will focus on. Particularly, the interesting carve-outs in bold:
(2) Restrictions on employer access to personal Internet accounts.
(a) Except as provided in pars. (b), (c), and (d), no employer may do any of the following:
1. Request or require an employee or applicant for employment, as a condition of employment, to disclose access information for the personal Internet account of the employee or applicant or to otherwise grant access to or allow observation of that account.2. Discharge or otherwise discriminate against an employee for exercising the right under subd. 1. to refuse to disclose access information for, grant access to, or allow observation of the employee's personal Internet account, opposing a practice prohibited under subd. 1., filing a complaint or attempting to enforce any right under subd. 1., or testifying or assisting in any action or proceeding to enforce any right under subd. 1.
3. Refuse to hire an applicant for employment because the applicant refused to disclose access information for, grant access to, or allow observation of the applicant's personal Internet account.
(b) Paragraph (a) does not prohibit an employer from doing any of the following:
…
2. Discharging or disciplining an employee for transferring the employer's proprietary or confidential information or financial data to the employee's personal Internet account without the employer's authorization.3. Subject to this subdivision, conducting an investigation or requiring an employee to cooperate in an investigation of any alleged unauthorized transfer of the employer's proprietary or confidential information or financial data to the employee's personal Internet account, if the employer has reasonable cause to believe that such a transfer has occurred, or of any other alleged employment-related misconduct, violation of the law, or violation of the employer's work rules as specified in an employee handbook, if the employer has reasonable cause to believe that activity on the employee's personal Internet account relating to that misconduct or violation has occurred. In conducting an investigation or requiring an employee to cooperate in an investigation under this subdivision, an employer may require an employee to grant access to or allow observation of the employee's personal Internet account, but may not require the employee to disclose access information for that account.
…So, an employer may not require you to provide access to your personal Internet account on a whim or a hunch. But, if the employer can point to an Acceptable Use Policy, text in an employee handbook, or can establish reasonable cause to believe employment-related misconduct, the employer can require such access. Sure, you don't have to provide your login/password, but in subsection 3, above, you could be required to grant access (whatever that means).
The social media bill's carve-outs sound a lot like CFAA cases of late, and also general social media prying lawsuits as well. How, then, is this bill a boon for employee/student privacy? Also, if my employer requested I grant access to a personal account, as part of an "investigation," I would almost assuredly deny that request, absent a subpoena. I am very curious how these exceptions will be used by employers going forward.
Update 1:
Rep. Sargent wrote an Op-Ed in the Milwaukee Journal Sentinel when she proposed the bill (with other representatives). See here: Bipartisan bill protects social media accounts
Later, after the bill made it out of the Senate on a 33-0 vote, Sargent issued a press release. See here: Social Media Protection Bill Passes Senate on a 33-0 Vote. An interesting quote from the release:
I’m pleased that this common sense, bi-partisan legislation advanced further through the legislative process today. It makes sense that personal internet accounts should be given the same, 4th Amendment protections as other aspects of our daily lives. People have a reasonable expectation of privacy when interacting with their friends and family on Facebook or other sites. An employer, university, or landlord should not have access to private communications on social media sites. As technology evolves, so must our legislative efforts to protect our citizen’s privacy. The current generation will write the laws on social media. We must do it carefully and with respect for all parties involved.There should, in my opinion, be an asterisk (*) after that paragraph, noting that the exceptions may indeed swallow a large chunk of the well-intentioned proposal. If the bill's intent was to prevent forced disclosure of account credentials, then the text should have narrowly reflected that (considering, to wit, that the exceptions do not require providing credentials, but merely providing/granting access). Further, just as some courts have attempted to bring TOS/Acceptable Use Policies/Employee Handbooks within the ambit of CFAA liability, this bill allows varying employer-defined standards to dictate whether an employee must grant access to a social media/personal email account.
Hypo: If an employee handbook states no surfing the internet for personal reasons (or updating social media) during work hours and there is "reasonable cause" to believe that a violation occurred - must the employee grant access to the account to prove otherwise? How is that giving personal internet accounts "4th Amendment protections...[similar to those in] other aspects of our daily lives?" What if the employee refuses to grant access - is that grounds for termination?
More fundamentally, though, is this question: now that the bill has become law, who benefitted more from its enactment: employers, or employees?
0 comments:
Post a Comment