Don't impose additional restrictions on exemptions for informational calls to residential phone numbers under the Traced Act, a consortium led by the American Bankers Association told staff to FCC Commissioner Jessica Rosenworcel, said a filing posted Wednesday in docket 02-278. The associations said there's a lack of evidence to support limiting how many calls can be placed, and "consumers value receiving calls and text messages for non-telemarketing purposes."
Bipartisan legislation introduced Tuesday would require a warrant for police to access emails and other digital records, and let providers notify users when officials request data. Introduced by Rep. Suzan DelBene, D-Wash.; House Judiciary Committee Chairman Jerry Nadler, D-N.Y.; and Republican Reps. Jim Sensenbrenner of Wisconsin and Rodney David of Illinois, the Email Privacy Act would amend current law that allows police to “seize any email older than 180 days without a warrant.”
The FCC Hospital Robocall Protection Group OK'd best practices for service providers and healthcare facilities to combat illegal robocalls and spoofing Monday. Recommendations for service providers include implementing secure telephone identity revisited (Stir) and signature-based handling of asserted information using tokens (Shaken) on IP portions of networks, prioritizing support for hospitals, and establishing notification protocols for robocall events. HRPG recommended hospitals establish a process to identify a robocall problem and coordinate with providers and law enforcement, consider joining threat intelligence and information sharing organizations, and consider implementing available robocall-blocking capabilities. Enforcement Bureau Telecom Consumers Division Chief Kristi Thompson recommended further implementation of blocking and labeling tools throughout hospital networks. Thompson recommended establishing safe harbors to incentivize increased call blocking and cooperation with trace-back requests. HRPG Chair Dave Summitt emphasized the need for these recommendations, citing recent Social Security spam calls at his employer, Moffitt Cancer Center. “In a four-day period, we totaled over 45,000 of these calls hitting our infrastructure,” Summitt said. Commissioner Brendan Carr abstained from the vote, saying he will wait to cast an official vote in case any of the recommendations are brought before the full commission. Earlier Monday, the FCC approved an order clarifying that government contractors must obtain consumer consent before making robocalls (see 2012140028).
The Association of National Advertisers issued guidance on California Consumer Privacy Act compliance, though CCPA will be replaced in 2023 (see 2011040043). “This is no easy task given the nearly constant modifications ... and the seemingly never-ending compliance finish line,” Executive Vice President-Government Relations Dan Jaffe said Monday. The state DOJ revised CCPA rules Thursday (see 2012100065).
Draft provisions updating personal data transfer rules to non-EU countries brought cheers but also some concerns from stakeholders. A European Commission consultation on updating standard contractual clauses (SCCs) ended Thursday with about 150 responses. SCCs required modernization under the European Court of Justice in Schrems II, which threw out trans-Atlantic data transfer mechanisms in the Privacy Shield (see 2009100001. The draft clauses, floated Nov. 23, aim to align SCCs with the EU general data protection regulation and the court judgment (see 2011200003). Stakeholders generally welcomed several aspects of the draft. ICANN, the Computer & Communications Industry Association (CCIA), the European Internet Services Providers Association (EuroISPA) and the Information Technology Industry Council, among others, praised its risk-based approach to situations where data importers subject to foreign data disclosure laws may have to gauge whether they're likely to receive such requests in deciding whether to use SCCs. That approach "lies at the heart of ICANN community's efforts to develop a mechanism for enabling access to non-public generic top-level domain registration data," the internet body said: "Following this approach seems to be both a realistic and reasonable route to enable global data transfers while meeting other important objectives ... such as public security, crime prevention and investigation, or the enforcement of civil law claims." EuroISPA and the European Consumer Organisation, however, worried the draft SCCs would require companies to take into account the specific circumstances of a transfer, including subjective factors, when the European Data Protection Board and the ECJ said they must rely on objective factors when assessing the law in a data importer's jurisdiction. Vodafone pressed the EC to give companies tools and assurances on how to assess whether surveillance laws and practices in countries without an EC data protection adequacy decision put data subjects' privacy at risk, it said. Several commenters, including the Software & Information Industry Association, BSA|The Software Alliance and CCIA, said the one-year transition period to the new SCCs is too short and would unfairly burden smaller companies. ACT|The App Association, which represents small and midsize application developers, said: "Due to their complexity and implementation burdens, the updated SCCs would not and cannot serve as a replacement for the Privacy Shield for our small business members."
The California Justice Department again revised privacy rules Thursday, saying the fourth set of edits to the California Consumer Privacy Act responds to comments on previous revisions from October. One change clarifies “that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.” Another change involves a uniform button for consumers to opt out of selling personal information. Comments are due Dec. 28.
The debate on trans-Atlantic data flows is starting to shift as the U.S. and EU increasingly recognize their shared values, officials said Tuesday at a webcast data protection and privacy conference in Brussels. The regions are negotiating a targeted enhancement to Privacy Shield that will comply with the European Court of Justice ruling in Schrems II, withstand further legal challenge and ensure U.S. sovereignty over its national security, said James Sullivan, International Trade Administration deputy assistant secretary for services. The ECJ decision overturned PS (see 2007240031). Any revised accord will have to relieve companies of the need to carry out separate reviews of the national security regimes of countries to which they want to transfer personal data, Sullivan said. Since the U.S. revised its surveillance laws in 2015, it has become the gold standard for protection against data access for national security purposes, he said. One complicating factor in the discussion is that Schrems II caused skepticism from some in the U.S. about making further commitments to Europe that could force changes in U.S. law, doubts reinforced by the EU not scrutinizing at the same level surveillance practices of some of its own members, he said. The European Commission is convinced the intersection of privacy and national security is the avenue to pursue to address the court ruling, said Bruno Gencarelli, head of international data flows and protection unit. He warned there's no quick fix because a solution must be legally and politically defensible. Gencarelli sees much more common ground now between the EU and U.S. and more convergence as more companies adopt data protection practices around privacy laws; nations at the G7, G20 and Organization for Economic Co-operation and Development level now realize that like-minded countries should be the ones to define common standards. Talks with the U.S. on an enhanced PS involve a negotiation on complex issues that won't be resolved overnight, Gencarelli said. It's a priority for the EC, and "we expect to move quickly" to agree on several provisions. This isn't a beauty contest about which privacy system is better; it's about finding solutions, he said. Sullivan said both sides have been "very creative" in coming up with solutions to bridge their differences, and challenges aren't insurmountable.
Given how the legal issues in the Carlton & Harris junk fax case have changed in its path to the Supreme Court and back, the best route is to remand a narrower inquiry to U.S. District Court in Huntington, West Virginia, the 4th U.S. Circuit Court of Appeals ruled Monday (in Pacer, docket 16-2185) vacating the lower court. The 4th Circuit said it wasn't determining what level of deference a district court should give FCC interpretation of what an unsolicited advertisement is under the Telephone Consumer Protection Act, but the lower court should determine how persuasive that interpretation is and the extent to which that persuasiveness requires deference to the agency. Judges Albert Diaz, Stephanie Thacker and Pamela Harris decided the case, with Diaz penning the opinion. Oral argument on the remanded case was in September (see 2009100008).
A Seattle ban on facial recognition remains necessary even as the city responded to one police detective using the technology improperly, said the American Civil Liberties Union in Washington state. Seattle denied using Clearview AI facial recognition last week (see 2012020057). Seattle Police Chief Adrian Diaz further explained in a Wednesday letter to the ACLU that a single SPD officer downloaded the software onto a personal device. “This matter has been referred to the Office of Police Accountability for investigation,” Diaz wrote in the letter shared with us by the city. “SPD does not use Clearview AI and has no intention of using Clearview AI. As Chief, I am committed to upholding the tenets of the Surveillance Ordinance and the civil liberties of our residents. Clearview AI’s business product is at odds with those two central priorities.” ACLU-Washington is glad “the department is addressing the downloading of unauthorized surveillance software,” but “this isolated action is not sufficient to protect Seattle residents from surveillance using this flawed, inaccurate, and racially biased technology,” said Technology and Liberty Project Manager Jenny Lee in a Thursday statement. She urged Mayor Jenny Durkan (D) to ban face surveillance to “clarify that no city employee should be downloading these systems.” A Durkan spokesperson pointed us to the city's 2018 surveillance transparency law.
Seattle should ban agencies from using facial recognition technology that police may have improperly acquired, the American Civil Liberties Union said Wednesday. The Seattle Police Department may have violated the city’s surveillance law when it acquired and used Clearview AI technology, ACLU-Washington state wrote Mayor Jenny Durkan (D) and two council members who chair relevant oversight committees, citing a public records request. A Durkan spokesperson responded, "The Seattle Police Department has no licenses for Clearview AI, no agreements with Clearview AI, and does not use Clearview AI."