Bill: Draft PALANTIR Act

zLost

A BILL To Strengthen Existing Privacy Laws

The people of the Commonwealth of Redmont, through their elected Representatives in the Congress and the force of law ordained to that Congress by the people through the constitution, do hereby enact the following provisions into law:

1 - Short Title and Enactment
(1) This Act may be cited as the "Privacy Act for Lawful Access, Notice, Transparency, Information & Rights" or "PALANTIR Act".
(2) This Act shall be enacted immediately upon its signage.
(3) This Act has been authored by ToadKing.
(4) This Act has been proposed by Representative zLost.
(5) This Act has been co-sponsored by Senator Omegabiebel.

2 - Reasons
(1) To strengthen privacy protections for all citizens across all platforms.
(2) To clarify privacy principles and rights afforded to citizens.
(3) To establish Breach of Confidence as a proper offence in the Criminal Code Act.
(4) To align this Act's Freedom of Information provisions with the existing FOI framework.
(5) To clarify the status of permanently deported players under privacy law.

3 - Amendments
(1) The Privacy Act shall be amended as follows:

"4 - Definitions
(1) For the purposes of this Act, "personal information" and "private information" shall have the same meaning and refer to any information relating to an identifiable individual, including but not limited to:
(a) Employment details, discipline records, termination details, and administrative actions
(b) Financial records with private organisations, including but not limited to:
(i) Account balances
(ii) Transaction history
(iii) Debts and other assets
(2) Personal information and Private information do not include:
(a) Information that is freely and publicly available
(b) Information that has been anonymised or aggregated such that it cannot reasonably identify any individual
(c) Information displayed on public leaderboards, statistics pages, or BlueMap
(d) Information voluntarily posted by the individual in a public area, except for real-life personal information as protected under Section 8
(3) For the purposes of this Act, "Permanently deported" means any ban issued by server staff with no defined expiration date, or any ban issued as a final enforcement action.
"

"5 - Privacy Principles
(1) Accessibility to your own private information
(2) Access to how your private information is collected and stored
(3) Ability to object to incorrect personal information and to have it corrected
(4) Ability to seek damages for breaching the privacy act where you have suffered a loss
(5) Access to private information is on a need-to-know and a need-to-access basis.

(1) The following Privacy Principles govern the collection, use, storage, and disclosure of personal information:
(a) Lawful and Fair Collection - Personal information must be collected by lawful and fair means, with the knowledge and consent of the individual where appropriate.
(b) Purpose Specification - The purpose for which personal information is collected must be specified at or before the time of collection.
(c) Use Limitation - Personal information shall not be used or disclosed for purposes other than those specified, except with the consent of the individual or as authorised by law.
(d) Data Quality - Personal information must be accurate, complete, and kept up-to-date as necessary for the purposes for which it is used.
(e) Security Safeguards - Reasonable security safeguards must protect personal information against loss, theft, unauthorised access, disclosure, copying, use, or modification.
(f) Openness - Organisations must be transparent about their practices relating to the management of personal information.
(g) Individual Access - Individuals have the right to access their own personal information and request corrections where appropriate.
(h) Accountability - Organisations are accountable for personal information under their control and must designate responsibility for compliance with these principles.
(i) Need-to-Know Basis - Access to personal information is restricted to those with a legitimate need to access such information in the course of their duties.
"

"6 - Privacy Rights
(1) The following Privacy Rights are afforded to all individuals and organisations:
(a) know be informed of why your personal information is being collected, how it will be used, how it will be stored, and who it will be disclosed to, before or at the time of collection
(b) have the option of not identifying yourself, or of using a pseudonym in certain circumstances where it is lawful and practicable to do so
(c) ask for request and receive access to your personal information held by any organisation or government entity within a reasonable timeframe
(d) ask for request that your personal information that is incorrect or incomplete to be corrected or updated, and have such requests processed in a timely manner
(e) make a complaint about an organisation or agency, if you think they've mishandled your personal information, and have such complaints investigated and addressed
(f) request deletion of your personal information where it is no longer required for the purpose for which it was collected, subject to legal retention requirements
(g) withdraw consent for the use or disclosure of your personal information at any time, subject to legal or contractual restrictions
(h) seek damages through civil proceedings for any breach of this Act where you have suffered quantifiable loss or harm
"

"7 - Employees & Contractors
(1) Private entities and Government organisations must: ensure confidentiality when handling a current or past employee's or contractor's private information.
(a) Private information includes administrative action taken against the employee (nature of dismissal and or punishment) and or anything beyond these examples which may be considered of a personal nature, that if released, would be adverse to the individual.

(a) Limit access to employee private information to those with a legitimate need-to-know basis
(b) Ensure confidentiality when handling a current or past employee's or contractor's private information
(c) Not disclose employee private information to third parties without the employee's written consent, except where required by law or court order
(d) Maintain reasonable security measures to protect employee private information from unauthorised access or disclosure
"

"7 - Breach of Confidence
(1) An individual/entity is guilty of breaching confidence when they share private information in the public domain unlawfully, punishable for up to $10,000 in fines as decided by the court."

"8 - Real Life Protection of Real-Life Information
(1) Citizens will never be required to provide any real life information, such as age, when making any post or application on the forums. No individual shall be required to disclose real-life personal information, including but not limited to: full legal name, age, address, phone number, email address, personal images, financial information, educational institutions, employment details, social media accounts, or any other information that could identify them in real life, in any context within the Commonwealth of Redmont.
(2) This protection applies across all platforms and services, including but not limited to:
(a) In-game
(b) Forum posts, applications, and private messages
(c) Discord, including text and voice channels, private and group direct messages
(d) Any other official or affiliated platform or service
(3) No government entity, private organisation, or individual may condition access to services, positions, benefits, or opportunities on the disclosure of real-life personal information, except:
(a) Timezone information may be requested on employment applications where such information is reasonably necessary for scheduling and coordination purposes
(4) Voluntary disclosure of real-life information by an individual does not constitute consent for that information to be shared, republished, or used by others without explicit permission.
"

"9 - Disclosure
(1) An organisation or agency can’t use or disclose personal information unless an exception applies.
(2) Exceptions include:
(a) the subject consented to an organisation or agency using or disclosing their personal information
(b) the disclosure is permitted by law or court order
(c) Any information shared as part of official Congressional or Court proceedings; or that is general in nature, is exempt from breach of confidence
(d) Criminal Records of citizens will be exempt from the Privacy Act and can be requested from or released by the Department of Homeland Security.

(a) The subject has provided informed consent to the organisation or agency using or disclosing their personal information
(b) The disclosure is required or permitted by law or court order
(c) The information is shared as part of official Congressional or Court proceedings
(d) The information is general in nature and does not identify or could not reasonably identify any specific individual
(e) The disclosure is necessary for law enforcement purposes or the investigation of suspected criminal activity
(f) Criminal records, which may be requested from or released by the Department of Homeland Security
(3) Any disclosure permitted under subsection (2) must be limited to the minimum information necessary to achieve the authorised purpose.
"

"10 - Freedom of Information
(1) Private information (i.e. Records that the Government hold about you) is not subject to freedom of information requests Any individual may submit a Freedom of Information request to access their own personal information held by any government entity, in accordance with relevant FOI laws.
(2) Personal information about other individuals is not subject to FOI requests, except where:
(a) The requesting party has written authorisation from the individual whose information is being requested, explicitly permitting the requester to act as their proxy; or
(b) The disclosure is otherwise authorised by law or court order
(3) Written authorisation under subsection (2)(a) must:
(a) Be signed or otherwise authenticated by the individual whose information is being requested
(b) Clearly identify what specific information may be requested
(c) Specify the time period for which the authorisation is valid, not exceeding 60 days
(d) Be submitted alongside the FOI request
(4) FOI requests for personal information shall be processed in accordance with relevant FOI laws.
(5) Where an FOI request seeks access to personal information that is intermingled with information about other individuals, the responding entity may:
(a) Provide the information with appropriate redactions to protect third-party privacy; or
(b) Request clarification from the requester to narrow the scope of the request.
"

"11 - Exemption for Deported Players
(1) Individuals who have been permanently deported are not entitled to the protections afforded by this Act.
(3) This exemption applies to the provisions under Section 6 and Section 7 and protections against disclosure under Section 9.
(4) Government entities and private organisations are not obligated to maintain the confidentiality of information relating to individuals covered by this exemption.
(5) This exemption does not authorise the disclosure of any real-life personal information in accordance with Section 7.
"

(2) The Criminal Code Act shall be amended by adding the following new section to PART III: PROPER ADMINISTRATION OF JUSTICE:

"11 - Breach of Confidence
Offence Type: Indictable
Penalty: Up to 200 Penalty Units; up to 60 min imprisonment
A person commits an offence if the person:
(a) knowingly or recklessly discloses private information of another individual or entity to the public domain or to unauthorised third parties without lawful authority or consent; or
(b) uses private information obtained in confidence for an unauthorised purpose that causes or is likely to cause harm to the individual or entity to whom the information relates.
Exceptions:
(c) This offence shall not occur where:
(i) the disclosure is required or permitted by law or court order;
(ii) the disclosure is made as part of official Congressional or Court proceedings;
(iii) the subject has provided explicit consent to the disclosure;
(iv) the information is already in the public domain through lawful means;
(v) the information is general in nature and does not identify or could not reasonably identify any individual or entity.
Relevant Law: Act of Congress - Privacy Act
"

"12 - Legal Qualification Fraud

13 - Legal Malpractice

14 - Conflict of Interest

15 - Duty to Disclose

16 - Ex Parte Communication
"

5 - Transitional Provisions
(1) Government entities shall have 30 days from the enactment of this Act to update their privacy policies and procedures to comply with the amended Privacy Act.
(2) All FOI request procedures must be updated to reflect the new Section 10 of the Privacy Act within 14 days of enactment.
 