Revision: Nov. 20, 2017, 8:52 a.m.
HB 1750-FN - AS INTRODUCED
HOUSE BILL 1750-FN
AN ACT relative to an expectation of privacy in personal information.
SPONSORS: Rep. Kurk, Hills. 2
This bill establishes an expectation of privacy in personal information. This bill also prohibits the government from acquiring, retaining, or using personal information with certain specific exceptions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Eighteen
Be it Enacted by the Senate and House of Representatives in General Court convened:
EXPECTATION OF PRIVACY IN PERSONAL INFORMATION
507-H:1 Definitions: In this chapter:
I. "Individual" means a living human being.
II. "Government" means the federal government, the state government and any political subdivisions thereof, and state and municipal agencies and departments, including employees, agents, and contractors.
III. "Information and service providers" means those persons who provide an individual with information and services, including cellular and land-line telephone service providers; Internet service providers; cable television providers; social media providers; email service providers; banks and financial institutions; insurance companies; and credit card companies, but excluding service providers regulated by the public utilities commission as defined in RSA 363:37, II.
IV. "Persons" means individuals, partnerships, limited liability companies, corporations, and any other organizations, including for-profit and not-for-profit entities, but excluding government.
V. "Personal information" means:
(a) A person's name, date or place of birth, social security number, address, employment history, credit history, financial information, account numbers, cellular telephone numbers, voice over Internet protocol or landline telephone numbers, biometric identifiers, including fingerprints, facial photographs, or images, retinal scans, DNA/RNA, or other identifying data unique to that individual; or
(b) One or more pieces of information that, when considered together or in the context of the information that is presented or gathered, are sufficient to identify a unique individual.
507-H:2 Expectation of Privacy.
I. An individual shall have an expectation of privacy in personal information, the content of messages, and the history of usage of the information or service given or available to information and service providers with whom the individual has a contractual relationship.
II.(a) No government shall acquire, collect, retain, or use the personal information described in paragraph I, directly or indirectly, related to individuals located in New Hampshire except:
(1) With the express written consent of the individual, provided that such consent is not a condition for providing information or service.
(2) With a warrant signed by a judge and based on probable cause or pursuant to a judicially-recognized exception to the warrant requirement.
(3) In the case of the division of emergency services and communications, when handling emergency 911 telecommunications.
(b) Subparagraph (a) shall not apply to personal information described in paragraph I if required by a government pursuant to state or federal law, provided that such information is requested of and supplied by an information and service provider for named individuals only or, in the case of employees and/or contractors of an information and service provider, for all of its employees and/or contractors.
(c) Subparagraph (a) shall not apply to personal information described in paragraph I if the individual to whom it pertains (1) provides it to a government, but only for the purpose for which it is provided, including, but not limited to, credit card transactions and affinity programs, or (2) authorizes access to it by a government, but only for the purpose for which such access is granted.
III. No government shall acquire, collect, or retain individually-identifiable social media data, including such data associated with Facebook and Twitter, whether password protected or encrypted or not, except:
(a) With a warrant signed by a judge and based on probable cause, or pursuant to a judicially-recognized exception to the warrant requirement.
(b) In connection with hiring an individual to work for a government.
(c) If investigating misconduct on the part of employees or contractors of a government.
(d) In an emergency involving severe bodily injury or significant damage to property.
(e) If required by a government pursuant to state or federal law, provided that such social media data is for named individuals only.
(f) If the individual to whom such social media data pertains (1) provides it to a government, but only for the purpose for which it is provided, including but not limited to credit card transactions and affinity programs, or (2) authorizes access to it by a government, but only for the purpose for which such access is granted.
(g) Where there exists a reasonable suspicion that a named individual has committed a criminal act.
IV. This chapter shall not apply to personal information acquired, collected, retained, or used by the judicial branch or by any state regulatory agency when such acquisition, collection, retention, or use is within the branch's or agency's adjudicatory or regulatory function.
507-H:3 Action Against a Corporation. This chapter shall not be construed to create a cause of action against a corporation or its officers, employees, or agents for providing information to a government in accordance with the provisions of this chapter.
507-H:4 Federal Preemption. If federal law preempts any provision of this chapter, that provision shall not apply to the federal government.
507-H:5 Construction. This chapter shall be construed to provide the greatest possible protection of the privacy of the people of this state.
507-H:6 Penalties. Any government agency, including the judicial branch, that uses an individual's personal information in violation of RSA 507-H:2 shall incur a fine of $10,000 for each such individual.
HB 1750-FN- FISCAL NOTE
FISCAL IMPACT: [ X ] State [ ] County [ ] Local [ ] None
Estimated Increase / (Decrease)
[ X ] General [ ] Education [ X ] Highway [ X ] Other - Various Government Funds
This bill would enact chapter 507-H concerning the expectation of privacy in personal information.
The Judicial Branch identified two provisions in this bill which could have a fiscal impact on the Branch.
The Department of Justice states it is not clear if the intent of the bill is to create a civil cause of action allowing individuals to sue or if enforcement by a government authority would be required. If a civil cause of action is created, the Department of Justice would have to defend any state agency, board, commission or employee who might be sued. The Department cannot estimate how many such lawsuits might result from passage of the bill. If the Department were to be responsible for enforcement, a straightforward enforcement action without significant constitutional issues would require between 70 and 100 hours of an attorney’s time. The Department has no basis upon which to estimate the number of possible enforcement actions. Finally, the Department would provide legal counsel to state boards, agencies and commissions regarding the limitation imposed by the bill. The Department could provide such counsel within its current budget.
The Department of Administrative Services indicates the fiscal impact of this bill to the State is indeterminable. The bill would prohibit the submission of personal information by the Employee and Retiree Health Plan (HBP) to the federal government to obtain Employer Group Waiver Plan (EGWP) subsidies without the express written consent from each member for each type of information exchange. In CY 2016, the EGWP subsidies provided $4.5 million in revenue to the Retiree Health Benefit Plan. The Department states the requirement to obtain express written consent would impose an extreme administrative burden which could jeopardize the subsidy. The penalty provision provides for a $10,000 per individual whose information is wrongly used. The Department states there are more the 36,000 members in the HBP and the Department assumes it could be subject to fines. The number of HBP members who would provide written consent is unknown. If members do not provide consent, the HBP could face significant fines if it submits data to the federal government. If the data is not provided there is a risk of losing the $4.5 million federal subsidy. Two additional staff and resources would be needed develop a process to obtain written consent from plan members and to administer a plan for members who do not consent.
The New Hampshire Municipal Association indicates this bill is unlikely to have an impact on municipal revenues and expenditures.
The New Hampshire Association of Counties determined this bill would have no fiscal impact on the counties.
Judicial Branch, Departments of Administrative Services and Justice, New Hampshire Municipal Association and New Hampshire Association of Counties