U.S. personal data protection is better than previous trans-Atlantic data transfer mechanisms, but "concerns remain," the European Data Protection Board (EDPB) said Tuesday. Its opinion on the EC decision saying the U.S. now ensures adequate data protection (see 2212130040) welcomed "substantial improvements" such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence gathering of data and the new redress mechanism for EU data subjects. However, it said it has concerns with some rights of data subjects, onward transfers, the scope of exemptions, temporary bulk data collection, and the practical functioning of the redress mechanism. The EDPB said adopting the adequacy decision and its entry into effect should be conditioned on the U.S. updating its policies and procedures to implement executive order 14086 (which introduced the concepts of necessity and proportionality for U.S. signals intelligence) by all U.S. intelligence agencies. It recommended the EC then assess the updated policies and procedures and report back to the board.
Registries and registrars may refrain from canceling expired domain names in earthquake-affected areas of Turkey and Syria, ICANN said Monday. It's concerned the emergency might prevent people from renewing their domains on time, causing them to lose the names due to circumstances beyond their control. ICANN urged domain name sellers "to support this action when reviewing domain name renewal delinquencies in the affected areas," and said it's monitoring the situation to see if further relief is warranted.
Vermont legislators should consider privacy bill exemptions for companies and organizations already subject to federal privacy regulations, representatives from the financial and health sectors told the House Commerce Committee during a hearing Thursday on H-121, a consumer privacy bill introduced by Chairman Michael Marcotte (R). Vermont legislators announced plans to pursue a privacy bill last year (see 2203160053). H-121 includes data minimization requirements like those in the California Consumer Protection Act and requires businesses to respect do-not-track signals like those in Colorado’s law. The proposal would expand Vermont’s data broker law to allow consumers to opt out of the processing of personal information for targeted advertising, predictive analytics, tracking and/or the sale of personal information. The law would take effect July 1. The 32-page bill doesn’t scratch the surface of what’s passed in California and the EU, but it would enhance consumer privacy in Vermont, said Legislative Counsel David Hall. Europe has much more robust privacy laws, said Assistant Attorney General Sarah Aceves. She said she’s more concerned about inaction on the privacy front than about moving forward with a state patchwork of privacy laws. She said the AG’s office, which would be responsible for enforcement, is comfortable with what’s in the bill but open to organically changing elements. VPIRG Communications and Technology Director Zachary Tomanelli encouraged passage of the bill but said he anticipates further changes. Vermont Bankers Association President Chris D'Elia, Association of Vermont Credit Unions President Joseph Bergeron and Devon Green, Vermont Association of Hospitals and Health Systems vice president-government relations, all spoke of the need for exemptions for organizations already subject to federal laws on financial- and health-related privacy, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Colorado’s latest privacy regulation proposal is more burdensome than the EU’s general data protection regulation in its requirement for companies obtaining informed consumer consent for data processing, Google commented Friday (see 2302060037). The proposed regulation’s consent standards require “so much information to be presented in such a scripted manner that it may undermine rather than improve consumer understanding” of how data is processed, said Google. This “prescriptive” approach could result in “consent fatigue” and “checkbox exercises,” the company said. Google suggested Colorado Attorney General Phil Weiser (D) remove the proposal’s internal documentation requirements, which are separate from requirements for data protection assessments. The draft rules require companies to analyze and document data minimization and secondary use decisions, “seemingly untethered from any potential risk of harm to consumers or the statute’s data protection assessment requirements,” said Google. This would result in companies accumulating “enormous paper trails” with little consumer benefit, the company said.
Education technology company Chegg will implement a comprehensive data security program as part of a finalized, non-monetary settlement the FTC announced Friday (see 2210310051). Chegg failed to establish basic security measures, exposing sensitive data of about 40 million customers and employees, the agency alleged in its complaint. The commission voted 4-0 to finalize the order with Chegg. As part of the order, the company must limit the data it collects and retains, offer users multifactor authentication and allow users to “request access to and deletion of their data.” Attorneys for the company didn’t comment Friday.
The FTC finalized a $3 million settlement Monday with Credit Karma, alleging the company used “dark patterns” to mislead and entice consumers to apply for credit card offers they often didn’t qualify for (see 2209010036). The commission voted 4-0 approving the final order and letters to commenters.
Comments are due March 6 for an NTIA study on data privacy harms inflicted on marginalized communities, the agency said Friday (see 2301180031).
WhatsApp Ireland owes $6 million (5.5 million euros) for data processing violations, the Irish Data Protection Commission said Thursday. The investigation arose from a 2018 German complaint. Before the EU general data protection regulation (GDPR) took effect May 25, 2018, the company updated its terms of service to tell users that if they wanted to have continued access to the service under the GDPR, they would have to click "agree and continue" to accept the revised terms. WhatsApp contended that once the terms of service were accepted, a company-user contract existed and the processing of user data in connection with the delivery of WhatsApp services was necessary for performance of the contract, making its processing operations legal under the GDPR's "contract" legal basis. The complainant argued that WhatsApp Ireland was trying to rely on consent as the legal basis for processing, and that by forcing users to consent to having their data processed for service improvement and security, the company breached the GDPR. The DPC said WhatsApp breached its obligation for transparency by not making its legal basis clear to users, leaving them uncertain about what processing operations were being carried out on their personal data, for what purposes and under what GDPR legal basis. That lack of transparency violated the regulation, but the DPC, having imposed a fine of 225 million euros on the company earlier, didn't suggest another penalty. The regulator also found, however, that in principle, the GDPR didn't preclude WhatsApp from relying on the contract legal basis. Several other data protection authorities objected to the conclusions, so the DPC referred the disputed points to the European Data Protection Board. The EDPB backed Ireland's findings of a breach of transparency obligations but rejected its view that WhatsApp could rely on the contract legal basis for processing people's personal data.
The board's decision is binding, and WhatsApp now has six months to comply with the GDPR. The EDPB also ordered the DPC to look into all of WhatsApp Ireland's processing operations, but the DPC said the board doesn't have jurisdiction to order an "open-ended and speculative investigation." If the order amounts to EDPB overreach, the DPC said, it could appropriately ask the European Court of Justice to annul it. A similar dispute between the EDPB and DPC arose earlier this month involving Meta Ireland (see 2301040014). WhatsApp said it will appeal the decision. The company believes "the way the service operates is both technically and legally compliant," a spokesperson emailed.
The National Institute of Standards and Technology’s Information Security and Privacy Advisory Board will meet March 1 and 2, starting at 10 a.m. each day, said a Thursday Federal Register notice. The meeting will be at the Grand Hyatt Washington, Quarter Penn A, 1000 H St. NW. Discussion topics include “Risk Framework Uses by U.S. Federal Agencies” and Office of Management and Budget Memo M-22-18 on “Enhancing the Security of the Software Supply Chain Through Secure Software,” the notice said.
Wisconsin became the latest state to ban the use of TikTok on government devices (see 2212280048). Gov. Tony Evers (D) announced an executive order Thursday banning the Chinese-owned app on state-issued devices. TikTok has been banned on federal government devices (see 2212270051) and government devices in more than 20 states. The list includes Alabama, Florida, Georgia, Idaho, Louisiana, New Jersey, New Hampshire, Maryland, Ohio, Pennsylvania, South Carolina, Texas, Utah and Virginia.