Further Reading
- “‘A kiss of death’: Top GOP tech critics are personae non gratae after election challenge” By Cristiano Lima — Politico. I take these articles with a block of salt, not least of which because many inside-the-Beltway articles lack perspective and a sense of history. For sure, in the short term the Josh Hawleys and Ted Cruzes of the world are radioactive to Democrats, but months down the road things will look different, especially if Democrats need votes or allies in the Senate. For example, former Senator David Vitter’s (R-LA) interesting activities with prostitutes made him radioactive for some time, and then all was forgotten because he held a valuable currency: a vote.
- “I Talked to the Cassandra of the Internet Age” By Charlie Warzel — The New York Times. A sobering read on the implications of the attention economy. We would all be helped by slowing down and choosing what to focus on.
- “A Vast Web of Vengeance” By Kashmir Hill — The New York Times. A true horror story illustrating the power platforms give anyone to slander others. The more these sorts of stories move to the fore of the consciousness of policymakers, the greater the chances of reform to 47 USC 230 (Section 230), which many companies used to deny requests that they take down defamatory, untrue material.
- “Amazon says government demands for user data spiked by 800% in 2020” By Zack Whittaker — TechCrunch. In an interesting development, Germany far outpaced the United States (U.S.) in information requests to Amazon between 1 July and 31 December 2020, except for requests to Amazon Web Services (AWS). Regarding AWS, the U.S. accounted for 75% of requests. It bears note that there were over 27,000 non-AWS requests and only 523 AWS requests.
- “Russian hack brings changes, uncertainty to US court system” By MaryClaire Dale — Associated Press. Because the Administrative Office of United States (U.S.) Courts may have been part of the massive SolarWinds hack, lawyers involved with cases that have national security aspects may no longer file materials electronically. It appears these cases will go old school with paper filings only, stored on computers in federal courts that have no connection to the internet. However, it is apparently believed at present that the Foreign Intelligence Surveillance Court system was not compromised by the Russians.
Other Developments
- Senator Ted Cruz (R-TX) placed a hold on Secretary of Commerce designate Gina Raimondo’s nomination, explaining on Twitter: “I’ll lift the hold when the Biden admin commits to keep the massive Chinese Communist Party spy operation Huawei on the Entity List.” Cruz was one of three Republicans to vote against reporting out Raimondo’s nomination from the Senate Commerce, Science, and Transportation Committee. Even though the Ranking Member, Senator Roger Wicker (R-MS), voted to advance her nomination to the Senate floor, he, too, articulated concerns about Raimondo and the Biden Administration’s refusal to commit to keeping Huawei on the Department of Commerce’s Entity List, a designation that cuts the People’s Republic of China (PRC) company off from needed U.S. technology and products. Wicker said “I do remain concerned about the Governor’s reluctance to state unequivocally that she intends to keep Huawei on the department’s entity list…[and] [k]eeping Huawei on this list is important for the security of our networks and I urge the Governor and the administration to make its position clear.” Of course, the continuing Republican focus on the PRC seeks to box in the Biden Administration and to force it to maintain the Trump Administration’s policies. The new administration has refused to make hard commitments on the PRC thus far and will likely pursue different tactics than the Trump Administration, even though there will likely be agreement on the threat posed by the PRC and its companies.
- Virginia’s “Consumer Data Protection Act” (SB 1392/HB 2307) advanced from the Virginia Senate to the House of Delegates by a 36-0-1 vote on 5 February. The package was sent to the Communications, Technology and Innovation Subcommittee in the House on 7 February. Last week, it appeared as if the legislature would not have time to finish work on the United States’ second privacy law, but Governor Ralph Northam (D) convened a special session right before the legislature was set to adjourn. Now, there will be more time to address this bill and other priorities.
- Senators Brian Schatz (D-HI), Deb Fischer (R-NE), Richard Blumenthal (D-CT), Rick Scott (R-FL) and Jacky Rosen (D-NV) introduced “The Safe Connections Act” “to help survivors of domestic violence and other crimes cut ties with their abusers and separate from shared wireless service plans, which can be exploited to monitor, stalk, or control victims” per their press release. The Senators asserted “the Safe Connections Act would help them stay safe and connected by:
- Allowing survivors to separate a mobile phone line from any shared plan involving an abuser without penalties or other requirements. This includes lines of any dependents in their care;
- Requiring the Federal Communications Commission (FCC) to initiate a rulemaking proceeding to seek comment on how to help survivors who separate from a shared plan enroll in the Lifeline Program for up to six-months as they become financially stable; and
- Requiring the FCC to establish rules that would ensure any calls or texts to hotlines do not appear on call logs.”
- The European Commission’s Directorate-General for Justice and Consumers issued the “Report on the implementation of specific provisions of Regulation (EU) 2016/679,” the General Data Protection Regulation (GDPR), in which it was determined that implementation of these provisions at the member state level is uneven. The implication of this assessment, released some 2.5 years after the GDPR took effect, is that it may be some time more before each European Union state has made the statutory and policy changes necessary to give the data protection regime full effect. The Directorate-General stated that “[t]he following general observations can be made in relation to the implementation of the GDPR clauses under assessment:
- As regards Article 8(1) GDPR (i.e., Conditions applicable to child’s consent in relation to information society services), the majority of the Member States have set an age limit lower than 16 years of age for the validity of the consent of a minor in relation to information society services. Nine Member States set the age limit at 16 years of age, while eight Member States opted for that of 13 years, six for that of 14 years and three for 15 years.
- With respect to Article 9(4) GDPR (i.e., Processing of special categories of personal data), most Member States provide for conditions/limitations with regard to the processing of genetic data, biometric data or data concerning health. Such limitations/conditions typically consist in listing the categories of persons who have access to such data, ensuring that they are subject to confidentiality obligations, or making processing subject to prior authorisation from the competent national authority. No national provision restricting or prohibiting the free movement of personal data within the European Union has been identified.
- As regards Article 23(1) GDPR, and irrespective of the areas of public interest assessed under Article 23(1)(c) and (e) GDPR (i.e. public security, public administration, public health, taxation and migration), some Member States provide for restrictions in the area of (i) social security; or (ii) supervision of financial market participants, functioning of the guarantee systems and resolution and macroeconomic analyses. Concerning Article 23(1)(c) GDPR, the majority of Member States allow for restrictions of various provisions referred to in Article 23(1) GDPR. Normally there is a general reference to public security, while more specific areas of processing include the processing of personal data for the investigation and prosecution of crimes, and the use of video cameras for surveillance. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, while in most Member States it is established in law, rather than left to the data controller. The overwhelming majority of Member States do not sufficiently implement the conditions and safeguards under Article 23(2) GDPR.
- As regards Article 23(1)(e) GDPR in relation to public administration, half of the Member States provide for restrictions for such purpose. Normally there is a general reference to general public interest or public administration, while more specific areas of processing include discussions of the Council of Ministers and investigation of judicial or ‘administrative’ police authorities in connection with the commission of a crime or administrative infringement. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, whereas in some other Member States the test is established in law or left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
- As regards Article 23(1)(e) GDPR in relation to public health, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to public health or general public interest, while more specific areas of processing include the security of food chain and medical files. In most Member States, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally established in the law. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
- With respect to Article 23(1)(e) GDPR in relation to taxation, a sizeable number of Member States provide restrictions for such purposes. There tends to be a general reference to taxation or general public interest, while more specific areas of processing include recovery of taxes, as well as automated tax data transfer procedures. Normally, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
- As regards Article 23(1)(e) GDPR in relation to migration, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to migration or general public interest. The applicable restrictions tend to apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
- As regards Article 85(1) GDPR (which requires Member States to reconcile by law the right to the protection of personal data with the right to freedom of expression and information), the majority of the Member States provide for provisions aiming to reconcile the right to the protection of personal data with the right to freedom of expression and information. These provisions are usually in the national data protection act implementing the GDPR, however, in some instances there are also specific provisions in media laws to this effect.
- With respect to Article 85(2) GDPR (Reconciliation of the right to the protection of personal data with the right to freedom of expression and information), most Member States provide exemptions/derogations from the rules set out in Chapters II, III, IV, V, VI, VII and IX GDPR. More often than not, no specific balancing or reconciliation test is identified in the national legislation. A detailed account of the exemptions/derogations can be found in Annex 2 – Implementation of Article 85(2) GDPR.
- The United Kingdom’s (UK) Information Commissioner’s Office (ICO) announced it is resuming its “investigation into real time bidding (RTB) and the adtech industry,” which it had paused because of the COVID-19 pandemic. Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology, stated in a blog posting:
- Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
- Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.
- Our work will continue with a series of audits focusing on data management platforms* and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.
- Data broking also plays a large part in RTB and following our data broking investigation into offline direct marketing services and enforcement action for Experian in October 2020, we will be reviewing the role of data brokers in this adtech eco-system.
- The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded.
- All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs).
- We are also continuing to work with the Competition and Markets Authority (CMA) in considering Google’s Privacy Sandbox proposals to phase out support for third party cookies on Chrome.
- Washington State Representative Shelley Kloba (D) and cosponsors introduced a bill, HB 1303, to establish a data brokers registry in Washington state that would also levy a 1.8% tax on gross revenue from selling personal data. In her press release, Kloba stated:
- We are spending more and more of our lives on our phones and devices. From this has arisen a new business model where brokers collect, analyze, and resell personal data collected from applications on our phones and other devices. Currently, this type of business is totally unregulated and untaxed, and these businesses are reselling information with no compensation to the people of Washington. My legislation would shine a light on this very active segment of our economy while also establishing a small tax on the companies that profit from selling our personal data. Brokers that make money from collecting our personal information should contribute their fair share in tax revenue, and there should be more transparency on the number of businesses engaged in this industry.
- HB 1303 would:
- Impose a 1.8% Business & Occupation (B&O) tax on gross income arising from the sale of personal data.
- Require companies that engage in this type of economic activity to register annually with the Department of Revenue (DOR).
- Require DOR to provide the Legislature with an annual report on this information.
- The Federal Trade Commission (FTC) used recently granted authority to police the use of algorithms and automated processes to buy tickets for entertainment and sporting events. The “Better Online Ticket Sales (BOTS) Act” (P.L. 114-274) “was enacted in 2016 and gives the FTC authority to take law enforcement action against individuals and companies that use bots or other means to circumvent limits on online ticket purchases” per the agency’s press release. The FTC stated it is taking “legal action against three ticket brokers based in New York who allegedly used automated software to illegally buy up tens of thousands of tickets for popular concerts and sporting events, then subsequently made millions of dollars reselling the tickets to fans at higher prices.” The FTC added:
- The three ticket brokers will be subject to a judgment of more than $31 million in civil penalties for violating the Better Online Ticket Sales (BOTS) Act, under a proposed settlement reached with the FTC. Due to their inability to pay, the judgment will be partially suspended, requiring them to pay $3.7 million.
- The FTC explained “[u]nder the terms of the proposed orders, judgments will be entered against the defendants for civil penalties as follows:
- $16 million against Concert Specials, Inc. and Steven Ebrani, which is partially suspended due to an inability to pay. They will pay $1,565,527.41.
- $11.2 million against Just In Time Tickets, Inc. and Evan Kohanian, which is partially suspended due to an inability to pay. They will pay $1,642,658.96.
- $4.4 million against Cartisim Corp. and Simon Ebrani, which is partially suspended due to an inability to pay. They will pay $499,147.12.”
- The National Institute of Standards and Technology (NIST) pushed back the deadline for comments until 26 February 2021 for four guidance documents on the Internet of Things:
- Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
- Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
- Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
- Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.
- The New York State Department of Financial Services (NYDFS) announced “[r]egulated entities and licensed persons must file the Certification of Compliance for the calendar year 2020 by April 15, 2021.” These certificates are due under the NYDFS’ cybersecurity regulations, with which most financial services companies in the state must comply. These regulations took effect in May 2017.
Coming Events
- On 10 February, the House Homeland Security Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
- Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
- Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
- Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
- Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
- The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights.”
- The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on the Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
- On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
- Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
- Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
- Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
- Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
- Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
- On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Photo by Martin Ceralde on Unsplash