The Electronic Frontier Foundation sued the U.S. Postal Service Tuesday, seeking “records about a covert program to secretly comb through online posts of social media users before street protests.” EFF filed a Freedom of Information Act lawsuit in U.S. District Court in Washington. EFF wants details about USPS internet covert operations, in which U.S. Postal Inspection Service analysts allegedly “sorted through massive amounts of data created by social media users to surveil what they were saying and sharing.” Government hasn’t “explained the legal justifications for this surveillance,” said EFF Public Interest Legal Fellow Houston Davidson. USPS didn’t comment.
Pass consumer data privacy legislation this term, Rep. Suzan DelBene, D-Wash., told a Friday Brookings Institute webinar. Data flows are "critical to our shared economic future" and nowhere more important than EU-U.S., she said. The European Court of Justice (ECJ) ruling in Schrems II (see 2007160002) left thousands of smaller companies that relied on trans-Atlantic data transfer mechanism Privacy Shield scrambling, she said: The growing patchwork of state privacy laws won't work and won't lead to a PS alternative. Current tools such as standard contractual clauses, binding corporate rules and recent European Data Protection Board guidance are helpful but don't "take away the need for a successor framework," said Workday Chief Privacy Officer Barbara Cosgrove. Talks on a PS replacement are ongoing, said Sharon Bradford Franklin, a director of the Center for Democracy and Technology security and surveillance project: CDT has heard that one is the extent to which the U.S. government can enact measures by the executive branch or Congress to address ECJ concerns. A comprehensive U.S. consumer data privacy law would be helpful, but surveillance laws must change to benefit Europeans and Americans, she said. The big issue is individual redress, said lawyer Peter Swire. There's frustration on the U.S. side about the issue because the U.S. has a good system via Foreign Intelligence Surveillance Act courts, Swire said: "Get over it." He and other panelists said it might be possible to give Europeans an independent review and some pathway to redress in federal courts administratively, via an executive order on surveillance law. Most agreed any solution must ultimately become law. The U.S. looks "really different" from the rest of the world with regard to privacy protection, and it’s hard to make the case that it's a safe place for data, said Swire. The U.S. and EU are considering whether they can align on tech issues such as data governance and AI, and must get a handle on privacy law first because it underpins those areas, said Cameron Kerry, Brookings distinguished visiting fellow-Center for Technology Innovation. The idea of the recently created Tech and Trade Council is to bring like-minded democratic countries together, he said: The U.S. is "the outlier" because it lacks a privacy regime.
U.S. companies selling AI products into Europe will be subject to EU AI laws no matter where they're headquartered, European Commission Legal and Policy Officer Gabriele Mazzini said on a Thursday FCBA webinar. A legislative proposal, which the EC floated in April (see 2104210003), would affect anyone marketing AI into the EU, said Mazzini, of the Directorate-General for Communications Networks, Content and Technology. The EC made clear it wants to promote its vision of AI regulation globally, so similar policies may arise elsewhere, including in the U.S., said Verizon Senior Manager-EU Public Policy Marco Moragon. The proposal aims to address risks of AI technologies, such as enforcement of fundamental rights, consumer and other laws, said Mazzini. Protecting democratic rights and legal principles is a top priority for civil society, said Iverna McGowan, Center for Democracy and Technology Europe Office director: AI could disproportionately affect vulnerable people. Verizon operates in EU markets and wants a consistent, harmonized regime, said Moragon. CDT believes a risk-based and rights-based approach to AI isn't mutually exclusive, said McGowan. She seeks a baseline against which to assess the technology's possible impact on human rights, saying a rights-based approach should start by consulting people about how AI services affect their real-life experiences. The proposal divides AI systems into three groups: prohibited, where there's no societal value from their use; higher risk, which may pose problems but can have societal/economic benefits; and low risk, where no prior rules will be imposed, but companies will be subject to transparency requirements, said Mazzini. Companies must self-assess risk, which may be burdensome to smaller firms, said Moragon. When the measure refers to users, it means purchasers of AI systems, not end users, said McGowan: Accountability should be clearer on what rights and redress end users get. A European Parliament decision on which committees will have jurisdiction here isn't likely before September, Mazzini added.
Three in four businesses that received notices of alleged privacy violations under the California Consumer Privacy Act (CCPA) cured problems in the 30-day period allowed by the law, state Attorney General Rob Bonta (D) said at a livestreamed Monday news conference. The other 25% include businesses under active investigation or within the 30-day window, he said. Bonta declined to say how many businesses received notices or which companies failed to cure and now face probes. He cited a few examples of alleged violations that businesses cured in response to notices, including an unnamed social media platform that users said was too slow to respond to CCPA requests and an online dating app that forced sharing of personal information during sign-up but didn't have a do-not-sell link as required by the law. “Businesses are motivated and able to comply with the law,” and the “vast majority” comply, said Bonta. No “gotchas,” he said. The AG launched an online tool on Monday so consumers can directly notify a business that lacks a clear and easy-to-find do-not-sell link on its website. Such consumer notices “may” trigger the 30-day cure period, he said. Bonta said he hopes for higher uptake from consumers clicking do-not-sell links to get CCPA protections. California started enforcing CCPA about a year ago.
House Commerce Committee Democrats should hold hearings and markups to develop a “strong federal privacy framework” for data, said ranking member Cathy McMorris Rodgers, R-Wash., and House Consumer Protection Subcommittee ranking member Gus Bilirakis, R-Fla., marking one year since EU-U.S. Privacy Shield invalidation (see 2107140020). They called the invalidation a “major setback for the privacy protections of Europeans and Americans and a significant disruption to cross-border data flow.” They urged the committee to show leadership in protecting American data and “finally enact a national privacy standard.” The office for House Commerce Committee Chairman Frank Pallone, D-N.J., didn’t comment. Senate Commerce Committee ranking member Roger Wicker, R-Miss., and Senate Consumer Protection Subcommittee ranking member Marsha Blackburn, R-Tenn., joined Rodgers and Bilirakis in a separate letter Friday urging President Joe Biden to “prioritize comprehensive data privacy legislation as part of the Administration’s agenda.” They called for a federal standard to replace a patchwork of state privacy laws.
Ireland's privacy watchdog must investigate whether Facebook is wrongfully processing WhatsApp Ireland (IE) users' personal data by combining or comparing it with other data sets processed by other Facebook companies in the context of other apps or services they offer, the European Data Protection Board (EDPB) said Thursday. It told the Irish Data Protection Commission not to impose any final measures on Facebook Ireland (IE) now. The board's first "urgent decision" under the general data protection regulation followed a request from the Hamburg, Germany, data protection authority (DPA); it ordered Facebook to stop processing WhatsApp user data for its own purposes after changing the terms of service and privacy policy applicable to European users of WhatsApp (IE). In exceptional circumstances, GDPR lets DPAs impose provisional measures when they believe there's an urgent need to act to safeguard data subjects' rights. The board said those conditions weren't met. Given contradictions, ambiguities and uncertainties in WhatsApp's user-facing information, some written commitments adopted by Facebook IE and WhatsApp IE's written submissions, it's "not in a position to determine with certainty which processing operations are actually being carried out and in which capacity." The Hamburg order "was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service," emailed a company spokesperson.
The year since Privacy Shield was annulled had encouraging developments, speakers told a Wednesday Information Technology Industry Council webinar. Since the European Court of Justice's (ECJ) July 16 ruling to void the trans-Atlantic personal data transfer mechanism in Schrems II (see 2007160002), the European Commission deemed negotiating a successor with the U.S. a top priority, said Bruno Gencarelli, head of unit-international data flows and protection, Directorate General-Justice. Talks intensified after President Joe Biden's trip to Brussels in June, and both sides agree a doable solution must be based on the ECJ ruling and there's no shortcut, he said. Principles being discussed include access to U.S. courts for European citizens and limits on excessive government access to personal data. One "surprising" recent development was increased demand for international data protection standards, Gencarelli said. The EC is working more closely with other regional blocs such as the Association of Southeast Asian Nations, talks that could create a "critical mass" of principles. The Organisation for Economic Co-operation and Development began a process to identify safeguards shared by OECD members for government access to personal data, he said. The post-Schrems II year has been "reactive" as everyone tried to come to grips with the ruling, said Centre for Information Policy Leadership President Bojana Bellamy. She urged both sides to "negotiate to yes" by focusing not on a 50-50 compromise but on understanding each other's concerns and adjusting positions accordingly. Positive engagement between stakeholders and regulators led to a better place but "we all know the enforcement is coming," said Caitlin Fennessy, International Association of Privacy Professionals research director. Some European data protection authorities question aspects of trans-Atlantic data flows, and businesses face uncertainty. One sticking point is redress for Europeans whose data is misused in the U.S. EU law requires such a right, but under U.S. law it's difficult for people outside the country to gain standing, said Alston & Bird's Peter Swire. A binding solution could come from a presidential executive statement ordering intelligence agencies to take certain actions, he said. Gencarelli cautioned that for the EC, whether legislation or executive action is needed is secondary to complying with ECJ requirements. He said it's wrong to think OECD work will replace PS. ITI, the Computer & Communications Industry Association and other tech organizations urged Commerce Secretary Gina Raimondo and EU Justice Commissioner Didier Reynders to "swiftly ensure an agreement for secure transatlantic data flows."
Ohio lawmakers proposed a comprehensive data privacy bill that would apply to businesses with at least $25 million revenue in the state. “Federal and state laws do not adequately protect how companies use your personal data and what rights you have to that information,” Lt. Governor Jon Husted (R) said Tuesday on the bill (HB-376) introduced Monday. “Without action in this space on the federal level, it’s important that our state take the lead.” Rep. Rick Carfagna (R) said his bill “will balance reasonable privacy standards to protect Ohioans with less bureaucracy and regulation on businesses.” The plan lists data rights for consumers including a right to delete personal data and to request that businesses not sell such information. Ohio’s attorney general would exclusively enforce HB-376, which has no private right of action. The bill would give enhanced legal protection for Ohio businesses that adopt the National Institute of Standards and Technology privacy framework. Husted’s office shared supportive statements Tuesday from Charter Communications, the Ohio Cable Telecommunications Association and several business groups including the Ohio Business Roundtable and Ohio Chamber of Commerce. Colorado enacted the third state privacy law last week (see 2107080004).
Colorado is the third state with a comprehensive privacy law, after Gov. Jared Polis (D) signed SB-190 Wednesday, following California and Virginia (see 2106080066). Polis said he hopes his state’s law can become a template for a national law. “In the haste to pass this bill, several issues remain outstanding,” which will require “clean-up legislation next year,” noted Polis: Talks started among legislators and stakeholders. The governor asked negotiators to “strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s position as a top state to do business.” In coming months, the Computer and Communications Industry Association hopes policymakers engage stakeholders "to address implementation issues, so that businesses have sufficient clarity for meeting their new compliance obligations," said CCIA State Policy Director Alyssa Doom.
OMB OK'd for three years FCC E-rate information collection, said Friday’s Federal Register. Schools and libraries must certify compliance with the Children's Internet Protection Act (see 1912190020).