HB-5523, As Passed House, September 12, 2012
SUBSTITUTE FOR
HOUSE BILL NO. 5523
A bill to prohibit employers and educational institutions from
requiring certain individuals to grant access to, allow observation
of, or disclose information that allows access to or observation of
personal internet accounts; to prohibit employers and educational
institutions from taking certain actions for failure to allow
access to, observation of, or disclosure of information that allows
access to personal internet accounts; and to provide sanctions and
remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the
"internet privacy protection act".
Sec. 2. As used in this act:
(a) "Access information" means user name, password, login
information, or other security information that protects access to
a personal internet account.
(b) "Educational institution" means a public or private
educational institution or a separate school or department of a
public or private educational institution, and includes an academy;
elementary or secondary school; extension course; kindergarten;
nursery school; school system; school district; intermediate school
district; business, nursing, professional, secretarial, technical,
or vocational school; public or private educational testing service
or administrator; and an agent of an educational institution.
Educational institution shall be construed broadly to include
public and private institutions of higher education to the greatest
extent consistent with constitutional limitations.
(c) "Employer" means a person, including a unit of state or
local government, engaged in a business, industry, profession,
trade, or other enterprise in this state and includes an agent,
representative, or designee of the employer.
(d) "Personal internet account" means an account created via a
bounded system established by an internet-based service that
requires a user to input or store access information via an
electronic device to view, create, utilize, or edit the user's
account information, profile, display, communications, or stored
data.
Sec. 3. An employer shall not do any of the following:
(a) Request an employee or an applicant for employment to
grant access to, allow observation of, or disclose information that
allows access to or observation of the employee's or applicant's
personal internet account.
(b) Discharge, discipline, fail to hire, or otherwise penalize
an employee or applicant for employment for failure to grant access
to, allow observation of, or disclose information that allows
access to or observation of the employee's or applicant's personal
internet account.
Sec. 4. An educational institution shall not do any of the
following:
(a) Request a student or prospective student to grant access
to, allow observation of, or disclose information that allows
access to or observation of the student's or prospective student's
personal internet account.
(b) Expel, discipline, fail to admit, or otherwise penalize a
student or prospective student for failure to grant access to,
allow observation of, or disclose information that allows access to
or observation of the student's or prospective student's personal
internet account.
Sec. 5. (1) This act does not prohibit an employer from doing
any of the following:
(a) Requesting or requiring an employee to disclose access
information to the employer to gain access to or operate any of the
following:
(i) An electronic communications device paid for in whole or in
part by the employer.
(ii) An account or service provided by the employer, obtained
by virtue of the employee's employment relationship with the
employer, or used for the employer's business purposes.
(b) Disciplining or discharging an employee for transferring
the employer's proprietary or confidential information or financial
data to an employee's personal internet account without the
employer's authorization.
(c) Conducting an investigation or requiring an employee to
cooperate in an investigation in any of the following
circumstances:
(i) If there is specific information about activity on the
employee's personal internet account, for the purpose of ensuring
compliance with applicable laws, regulatory requirements, or
prohibitions against work-related employee misconduct.
(ii) If the employer has specific information about an
unauthorized transfer of the employer's proprietary information,
confidential information, or financial data to an employee's
personal internet account.
(2) This act does not prohibit or restrict an employer from
complying with a duty to screen employees or applicants prior to
hiring or to monitor or retain employee communications that is
established under federal law or by a self-regulatory organization,
as defined in section 3(a)(26) of the securities and exchange act
of 1934, 15 USC 78c(a)(26).
Sec. 6. This act does not prohibit an educational institution
from requesting or requiring a student to disclose access
information to the educational institution to gain access to or
operate any of the following:
(a) An electronic communications device paid for in whole or
in part by the educational institution.
(b) An account or service provided by the educational
institution that is either obtained by virtue of the student's
admission to the educational institution or used by the student for
educational purposes.
Sec. 7. (1) This act does not create a duty for an employer or
educational institution to search or monitor the activity of a
personal internet account.
(2) An employer or educational institution is not liable under
this act for failure to request or require that an employee, a
student, an applicant for employment, or a prospective student
grant access to, allow observation of, or disclose information that
allows access to or observation of the employee's, student's,
applicant for employment's, or prospective student's personal
internet account.
Sec. 8. (1) A person who violates section 3 or 4 is guilty of
a misdemeanor punishable by a fine of not more than $1,000.00.
(2) An individual who is the subject of a violation of this
act may bring a civil action to enjoin a violation of section 3 or
4 and may recover not more than $1,000.00 in damages plus
reasonable attorney fees and court costs. Not later than 60 days
before filing a civil action for damages or 60 days before adding a
claim for damages to an action seeking injunctive relief, the
individual shall make a written demand of the alleged violator for
not more than $1,000.00. The written demand shall include
reasonable documentation of the violation. The written demand and
documentation shall either be served in the manner provided by law
for service of process in civil actions or mailed by certified mail
with sufficient postage affixed and addressed to the alleged
violator at his or her residence, principal office, or place of
business. An action under this subsection may be brought in the
circuit court for the county where the alleged violation occurred
or for the county where the person against whom the civil complaint
is filed resides or has his or her principal place of business.
(3) It is an affirmative defense to an action under this act
that the employer or educational institution acted to comply with
requirements of a federal law or a law of this state.