Chairman Joe Simons defended FTC Privacy Shield enforcement efforts, as officials from the U.S. and the EU discuss extending PS. The FTC is committed to maintaining “a robust mechanism for protecting privacy and enabling transatlantic data flows,” he said in Brussels Thursday. Since 2017, the FTC has brought eight PS enforcement actions. He cited 39 actions under the U.S.-EU safe harbor, which predated the Privacy Shield, and four actions linked to the Asia-Pacific Economic Cooperative’s Cross-Border Privacy Rules system. The Privacy Shield actions concerned entities falsely claiming program verification, failure to complete the verification process and failure to uphold program standards after leaving. The chairman cited the steady stream of press reports about privacy and data breaches, saying the agency is investigating Facebook and Equifax.
About 30 million Facebook users had “access tokens” stolen in the latest privacy breach (see 1809280036), Facebook announced Friday. Vice President-Product Management Guy Rosen said the platform is cooperating with the FBI, “which is actively investigating.” Cooperation will continue with the FTC, Data Protection Commission Ireland and others, he said. Hackers accessed names, phone numbers and/or email addresses for 15 million people, Rosen said. For another 14 million people, hackers accessed the same information and additional profile details, he said. Data Protection Commission Ireland tweeted that Facebook’s update was “significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack. @DPCIreland’s investigation into the breach and Facebook’s compliance with its obligations under #GDPR continues.” While 30 million users had tokens stolen, about 50 million are believed to be affected, Rosen said. He said Facebook hasn't ruled out smaller-scale attacks. The hackers “exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018,” Rosen said.
NTIA extended the deadline for comments on the administration’s privacy principles process (see 1808060035) from Oct. 26 to Nov. 9, says a Federal Register notice prepared for Thursday. NTIA began soliciting comments in late September. The agency has been meeting privately with tech, telecom, retail and privacy groups individually throughout the process.
The FCC invited input on IHS Markit's request that urgent motor vehicle recall messages be exempted from Telephone Consumer Protection Act wireless calling restrictions (see 1809240046). Comments are due Nov. 5, replies Nov. 20 on the petition for emergency declaratory ruling, said a Consumer and Governmental Affairs Bureau public notice in docket 02-278 and Friday's Daily Digest. IHS said calls and texts on recalls should be exempt from TCPA wireless calling restrictions under a public safety exception: "automated calls may be placed, even absent 'prior express consent,' when they are 'made for emergency purposes.'" Citing a circuit split, the National Association of Federally-Insured Credit Unions asked the FCC to resolve uncertainty on what constitutes TCPA-restricted "automated telephone dialing system" calls. Following a U.S. Court of Appeals for the D.C. Circuit's ACA International v. FCC ruling (see 1803160053), "three circuit courts have decided questions related to what type of equipment constitutes an autodialer," NAFCU filed, posted Thursday in FCC docket 18-152. "The Second and Third Circuit have adopted a narrower definition whereas the Ninth Circuit chose to expand the definition." The FCC recently sought comment after the 9th Circuit ruling (see 1810030054).
Online platforms don’t need all user data to improve service, Apple CEO Tim Cook told VICE News Tonight in an interview aired Tuesday. “The narrative that some companies will try to get you to believe is, 'I've got to take all of your data to make my service better,'” he said. "Well, don't believe that. Whoever's telling you that, it's a bunch of bunk.” He denied any political motivation in Apple’s removal of far-right conspiracy theorist Alex Jones and argued for “some level of government regulation” for data privacy. Internet Association didn't comment.
WineAmerica is the formal name of the National Association of American Wineries (see 1810010031).
European privacy officials Sunday pressed Facebook for details about the impact on EU citizens from the latest breach (see 1809280036). The Data Protection Commission Ireland tweeted Sunday it was waiting for details from Facebook about affected EU users “so that we can properly assess the nature of the breach and risk to users.” EU Justice Commissioner Vera Jourova urged the platform to “fully cooperate” with the Irish regulator, saying “we need to know if EU users were affected and what had happened to their data.” Data Protection Commission Ireland said Monday that Facebook notified officials that EU users represented less than 10 percent of the 50 million reportedly affected. EU general data protection regulation violators face up to $20 million per infraction, or 4 percent of global revenue, whichever is more. Facebook initially said as many as 50 million users were affected, and reset access information for another 40 million as a precaution. The company didn’t comment on the European response.
The Senate Commerce Committee should have six consumer privacy experts testify on data privacy after lawmakers heard last week from an all-industry panel on potential legislation (see 1809260050), privacy groups wrote Monday. Groups signing included Center for Digital Democracy, Electronic Frontier Foundation, Electronic Privacy Information Center, New America's Open Technology Institute and World Privacy Forum. Chairman John Thune, R-S.D., said at the last hearing the committee expects to hear testimony in early October from California privacy activist Alastair Mactaggart and EU chief data privacy regulator Andrea Jelinek. The groups’ letter suggested testimony from Jelinek and state attorneys general. DOJ recently met with state AGs in Washington, where they discussed tech industry concerns (see 1809280041). An aide said the committee was "surprised" the letter didn't acknowledge the witness commitment from Mactaggart, "who has perhaps had greater impact in advancing data privacy protections than any other U.S. individual or organization."
Vermont should build on this year’s privacy law for data brokers, Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz blogged Thursday. It enacted a bill in May to mandate security standards for data brokers and require them to report annually to the Vermont secretary of state (see 1805140060). Attorney General T.J. Donovan (D) last week hosted a hearing on next steps for Vermont on privacy (see 1809250035). Schwartz urged Vermont legislators to expand the law, which applies to third-party data brokers, to also cover first parties with a direct relationship with consumers. “For example, the Vermont law does not cover a social media platform like Facebook, or a retailer like Walmart, when those companies gather information about how consumers interact with their own websites,” he said. Lawmakers should “impose on data brokers a fiduciary duty towards the consumers whose data they harvest and monetize,” create a government office to assist data breach victims and ensure those people can also seek compensation for nonfinancial injuries, he said.
AT&T looks forward to helping craft privacy legislation that protects consumers with uniform rules fostering innovation under FTC authority, Senior Vice President-Global Public Policy Len Cali blogged Friday after testifying before the Senate Commerce Committee (see 1809260050). “I was gratified to hear a growing consensus among internet service providers, Silicon Valley tech companies and Members of the Committee about the need for federal legislation.”