Other Developments, Further Reading, and Coming Events (31 March 2021)

Other Developments

  • The European Data Protection Board (EDPB) issued its 2021-2022 Work Programme that details the agency’s plans for the next year. Not surprisingly, the EDPB will seek to further clarify and elucidate the General Data Protection Regulation (GDPR). Among other tasks, the EDPB stated it will address the following with asterisked items having already been started:
    • Further guidance on key notions of EU data protection law, developed also taking into account practical experience of stakeholders, gathered through stakeholder events and consultations
      • Guidelines on controller and processor*
      • Guidelines on Article 23 GDPR*
      • Guidelines on the targeting of social media users*
      • Guidelines on data subject rights
      • Guidelines on legitimate interest
      • Guidelines on processing of personal data for medical and scientific research purposes
      • Guidelines on children’s data
      • Guidance on remuneration against personal data
    • Encouraging and facilitating the use of the full range of cooperation tools enshrined in Chapter VII of the GDPR and Chapter VII of the LED and continuously evaluating and improving the efficiency and effectiveness of these tools, as well as further promoting a common application of key concepts in the cooperation procedure
      • Guidance on Art. 60 GDPR – One-stop-shop
      • Guidance on Art. 61 GDPR – Mutual assistance
      • Guidelines on Article 65 GDPR
      • Guidelines on the calculation of administrative fines
      • Assessment of the practical implementation of the amicable settlement
    • Reinforcing the application of fundamental data protection principles and individual rights and establishing common positions and guidance, especially in the context of new technologies
      • Guidelines on examples regarding Data breach notifications*
      • Guidelines on Blockchain
      • Guidelines on Anonymisation and Pseudonymisation
      • Guidelines on the use of facial recognition technology in the area of law enforcement
      • Guidelines on virtual voice assistants*
      • Guidelines on data protection in social media platform interfaces: practical recommendations
      • Any additional guidance on legal implications relating to technological issues, such as Cloud computing, Artificial intelligence/Machine Learning, Digital Identity & Identity Federation, Data Brokers, Internet of Things, and payment methods
    • Providing guidance on the use of transfer tools ensuring an essentially equivalent level of protection and increasing awareness on their practical implementation and issues relating to government access to personal data
      • Recommendations on supplementary measures (on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data)*
      • Opinions on and review of adequacy decisions (UK, Republic of Korea, review of Japan decision, any revision of 95/46 adequacy decisions…) PNR agreements (UK, Canada, Japan…)
      • Guidelines on codes of conduct as a tool for international transfers
      • Guidelines on certification as a tool for international transfers
      • Guidelines on Article 37 LED (transfers subject to appropriate safeguards)
      • Guidance on Article 48 GDPR (transfers or disclosures not authorised by Union law)
      • Territorial scope (Article 3) of the GDPR and its interplay with Chapter V
      • Statement on the proposed second additional protocol to the Council of Europe Convention on Cybercrime
      • International agreements involving transfers, including FATCA and OECD CRS
      • Approval procedure for Article 46.3(a) ad-hoc contractual clauses and Article 46.2(d) GDPR standard data protection clauses
  • Acting Federal Trade Commission (FTC) Chair Rebecca Kelly Slaughter announced that the agency would establish a new rulemaking group to be housed in its General Counsel’s office. This new entity will likely spearhead rulemakings at the FTC that would open new enforcement powers for the agency when companies violate the FTC Act, notably civil fines for first offenses. The move is also designed to address two cases currently before the Supreme Court of the United States that have placed into question the agency’s power to seek restitution and disgorgement if conduct that violated Section 5 of the FTC Act has stopped or has yet to occur.
    • Slaughter stated:
      • The new structure will allow the FTC to take a strategic and harmonized approach to rulemaking across its different authorities and mission areas. With this new group in place, the FTC is poised to strengthen existing rules and to undertake new rulemakings to prohibit unfair or deceptive practices and unfair methods of competition. Especially given the risk that the Supreme Court substantially curtails the FTC’s ability to seek consumer redress under section 13(b), rulemaking is a critical part of the FTC’s toolbox to stop widespread consumer harm and to promote robust competition.
    • In October 2020, the FTC wrote the House and Senate committees with jurisdiction over the agency, asking for language to resolve the litigation over the power to seek and obtain restitution for victims of those who have violated Section 5 of the FTC Act and disgorgement of ill-gotten gains. The FTC also asked that Congress clarify that the agency may act against violators even if their conduct has stopped, as it has done for more than four decades. Two federal appeals courts have ruled in ways that have limited the FTC’s long-used powers, and now the Supreme Court of the United States is set to rule on these issues sometime next year. The FTC is claiming, however, that defendants are playing for time in the hopes that the FTC’s authority to seek and receive monetary penalties will ultimately be limited by the United States’ (U.S.) highest court.
    • The FTC asked the House Energy and Commerce and Senate Commerce, Science, and Transportation Committees “to take quick action to amend Section 13(b) [of the FTC Act i.e. 15 U.S.C. § 53(b)] to make clear that the Commission can bring actions in federal court under Section 13(b) even if conduct is no longer ongoing or impending when the suit is filed and can obtain monetary relief, including restitution and disgorgement, if successful.” The agency asserted “[w]ithout congressional action, the Commission’s ability to use Section 13(b) to provide refunds to consumer victims and to enjoin illegal activity is severely threatened.” All five FTC Commissioners signed the letter.
  • The Federal Bureau of Investigation (FBI) issued a private industry notification titled “Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations,” and the agency asserted:
    • Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months. Foreign actors are currently using synthetic content in their influence campaigns, and the FBI anticipates it will be increasingly used by foreign and criminal cyber actors for spearphishing and social engineering in an evolution of cyber operational tradecraft.
  • House Oversight and Reform Committee Chair Carolyn Maloney (D-NY) wrote President Joe Biden, urging him to use newly bestowed authority to nominate a National Cyber Director, especially in light of the recent SolarWinds and Microsoft Exchange hacks. There have been articles on the White House’s reticence about naming a National Cyber Director, possibly because the preferred organization of cybersecurity issues is through the National Security Council. Deputy National Security Advisor for Cyber & Emerging Technology Anne Neuberger is the apparent lead on cybersecurity issues, but a National Cyber Director would have a dedicated staff and, unlike Neuberger, could be called before Congress to testify. Maloney claimed:
    • The mission-critical importance of nominating a National Cyber Director was highlighted at a hearing I held this month on the Government Accountability Office (GAO) 2021 High-Risk Report. The report revealed that, shockingly, more than 750 of GAO’s recommendations to address the federal government’s cybersecurity challenges remain unaddressed—500 of which have accumulated since the Trump Administration eliminated the role of White House Cybersecurity Coordinator in May of 2018.
    • This high-risk area is so critical, complex, and concerning that, today, GAO issued a follow-up report on the lack of progress that has been made on four major cybersecurity challenges: establishing a comprehensive cybersecurity strategy and performing effective oversight, securing federal systems and information, protecting critical infrastructure, and protecting privacy and sensitive data. The report confirms that, once the National Cyber Director position is filled, “the federal government will be better situated to direct activities to overcome the nation’s cyber threats and challenges, and to perform effective oversight.”
    • The Trump Administration’s elimination of the White House Cybersecurity Coordinator role in 2018 left the nation more vulnerable, and the need for comprehensive, streamlined, effective federal cybersecurity leadership has never been greater. Congress and the executive branch must work together strategically on cybersecurity so federal agencies are in the best position possible to serve the American people through this time of crisis, and that means nominating and confirming the nation’s first National Cyber Director as soon as possible.
  • “[A] broad coalition of organizations” wrote a letter to then Attorney General-designate Merrick Garland and White House Chief of Staff Ronald Klain to express their concern about “the recent appointments of individuals with backgrounds defending large corporations to the Department of Justice.” They asserted “[s]taffing the top law enforcement agency in the United States with individuals with ties to embattled industries or corporations poses a threat to the department’s ability to hold corporate actors accountable.” They further asserted:
    • As the Biden Administration looks to fill remaining positions within the Department of Justice and elsewhere, we ask that advocates of corporate accountability, not individuals with deep ties to corporate actors, be prioritized during the appointment process. In addition, we respectfully submit that the above-named individuals who already have been hired to the Department should be recused from all matters, including personnel selection, relating to antitrust or other areas that could impact adversely corporations that they previously advised.
    • We were distressed by the choice of Brian M. Boynton to serve as acting head of the Civil Division given Boynton’s role in seeing through the merger of T-Mobile and Sprint during his time at BigLaw firm WilmerHale.
    • The choice of Lisa O. Monaco to serve as Deputy Attorney General is also troubling, owing to ties revealed in her personal financial disclosure agreement dated January 25, 2021. Per the document, Monaco has advised or represented a multitude of corporate giants including Boeing, ExxonMobil, and SoftBank Group. Monaco’s record of providing services to Apple stands out as especially worrisome as the company is currently subject to federal scrutiny over its anti-competitive business practices.
    • The appointment of Emily M. Loeb to serve as Assistant Deputy Attorney General is of similar concern, owing to her representation of Apple during the House antitrust investigation against the embattled company.
    • Furthermore, reporting by The American Prospect indicates that Susan M. Davies, a former partner at BigLaw firm Kirkland & Ellis, is being considered for a role in the Department of Justice. Davies’s ties with Facebook make the prospect of her being appointed to a role in the department troubling: Facebook is the subject of federal scrutiny owing to its anti-competitive practices, being accused by the Federal Trade Commission (FTC) of engaging in monopolistic behavior.
  • Senators John Cornyn (R-TX) and Joe Manchin (D-WV) reintroduced their “Eliminate the Digital Divide Act,” “to distribute $10 billion to states to build out broadband infrastructure in unserved areas…[and] will also create a process to deliver funds directly to states based on their proportion of unserved areas and includes a $1 billion set-aside for high cost areas like West Virginia” per their press release. They contended:
    • Previous programs to expand broadband access have worked as a reverse auction where the lowest bidder wins, which has disadvantaged small providers and high cost areas where it is more expensive to build out broadband infrastructure. The bipartisan Eliminate the Digital Divide Act will create a clear process to distribute funds directly to states based on their proportion of unserved areas, establish guidelines for the program and require the FCC to create an online platform for consumers to learn more about and determine if they are eligible to receive internet subsidies.
    • The Eliminate the Digital Divide Act will also:
      • Require the FCC to update their coverage maps to reflect the Broadband Data Act
      • Allow local and state governments to challenge the FCC maps
      • Include a $1 billion high-cost set aside for states where the cost to build broadband infrastructure is more expensive
  • The Office of the Privacy Commissioner of Canada (OPC) released its submission “containing key recommendations in response to the Department of Justice’s consultation on modernizing Canada’s outdated federal public sector privacy law.” The OPC added in its statement:
    • The proposed changes to the Privacy Act are substantive and go much further in providing a rights-based foundation to the law than those in Bill C-11, the government’s bill to modernize the federal private sector privacy law. A legal framework entrenching privacy as a human right and as a prior condition for the enjoyment of other democratic rights is critical for modernized privacy laws in both the public and private sectors.
    • A number of other elements of the Privacy Act modernization plan would also better protect privacy rights than Bill C-11.
    • For example, the proactive audit powers proposed for the Privacy Act go further in ensuring effective oversight over how institutions manage personal information. As well, the Commissioner’s order-making powers, while limited, would involve a process that is simpler, faster and more effective.
    • The OPC’s submission on Privacy Act reform includes a number of recommendations aimed at improving the law, such as:
      • Clarify the “reasonably required” standard, which limits the collection of personal information by a federal public body, to clearly affirm that the privacy impacts must be proportionate to the public interest at stake.
      • Add provisions on automated decision-making including, for example, a definition, a right to meaningful explanation and human intervention related to its use. The law should also establish an obligation for institutions to log and trace personal information used in automated decision-making.
      • Provide for responsible design and development of artificial intelligence and situating it within a framework of demonstrable accountability.
      • Expand the OPC’s order-making powers so that they apply to all Privacy Act violations. These powers should not be limited to complaints concerning refusals of access to personal information. Instead, they should encompass issues related to the collection, use and disclosure of personal information by government institutions, recognizing that these contraventions affect the greater number of Canadians.
      • Clarify that the concept of publicly available personal information does not apply to information where an individual has a reasonable expectation of privacy.
  • The United States’ Department of Veterans Affairs (VA) will conduct a “strategic review” of its troubled electronic health record (EHR) acquisition and modernization program. The agency stated the review was launched so that new Secretary Denis McDonough could assess the program. The VA stated:
    • The strategic review consists of a full assessment of the ongoing electronic health record modernization program to ensure continued success for all future EHR deployments. This assessment period will not exceed 12 weeks.
    • The strategic review will focus on identifying areas for additional productivity and clinical workflow optimization at Mann-Grandstaff and upcoming “go-live” sites, conducting further research into Veteran-centered improvements for the patient portal experience, data syndication and revenue cycle improvements.
  • Senators Brian Schatz (D-HI) and Senate Minority Whip John Thune (R-SD) reintroduced the “Platform Accountability and Consumer Transparency (PACT) Act,” (S.797) “bipartisan legislation to update Section 230 of the Communications Act” as explained in their press release. They argued:
    • The Schatz-Thune PACT Act creates more transparency by:
      • Requiring online platforms to explain their content moderation practices in an acceptable use policy that is easily accessible to consumers;
      • Implementing a biannual reporting requirement for online platforms that includes disaggregated statistics on content that has been removed, demonetized, or deprioritized; and
      • Promoting open collaboration and sharing of industry best practices and guidelines through a National Institute of Standards and Technology-led voluntary framework.
    • The PACT Act will hold platforms accountable by:
      • Requiring large online platforms to provide due process protections to consumers by having a defined complaint system that processes reports and notifies users of moderation decisions within twenty-one days, and allows consumers to appeal online platforms’ content moderation decisions;
      • Amending Section 230 to require that large online platforms remove court-determined illegal content and activity within four days; and
      • Allowing smaller online platforms to have more flexibility in responding to user complaints, removing illegal content, and acting on illegal activity, based on their size and capacity.
    • The PACT Act will protect consumers by:
      • Exempting the enforcement of federal civil laws from Section 230 so that online platforms cannot use it as a defense when federal regulators, like the Department of Justice and Federal Trade Commission, pursue civil actions online;
      • Allowing state attorneys general to enforce federal civil laws against online platforms; and
      • Requiring the Government Accountability Office to study and report on the viability of a FTC-administered whistleblower program for employees or contractors of online platforms.

Further Reading

  • “New Software Vendor Standards Coming Within Weeks, CISA Head Says” By Mariam Baksh — Nextgov. The Cybersecurity and Infrastructure Security Agency’s acting director said the Biden Administration will soon roll out changes, through regulations or other means, to push higher security standards among private sector contractors providing the government with information technology (IT). Any number of levers and bodies may figure into such a rule, especially given the fractured landscape of contractors at the Department of Defense and other agencies.
  • “Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job” By Lauren Kaori Gurley — Vice’s Motherboard. In a move not likely to charm Amazon’s drivers, the company has apparently given them a take-it-or-leave-it offer on using their biometrics. The company has portrayed its efforts to put cameras on all its delivery vehicles as safety measures, and there is likely something to that. However, one wonders if the company is seeking to capture vast quantities of footage for some other purpose. Perfecting its face-reading biometrics for a new commercial project? An app to compete with Google Maps? In any event, this new development will catch the eyes of the Senators who wrote Amazon about privacy concerns over the cameras.
  • “Google’s top security teams unilaterally shut down a counterterrorism operation” By Patrick Howell O’Neill — MIT Technology Review. Google’s respected security team has apparently foiled an attempt by some unnamed western nation’s operation against unnamed terrorists. In a pair of blog posts (here and here), Google revealed that these hackers used at least 11 zero-day exploits (i.e., exploits for vulnerabilities that were unknown to the vendors and unpatched) to access their targets. These weaknesses were in iOS, Android, and Windows. Google blew the whistle but did not reveal any identifying details. This action is raising larger questions about private firms and their obligation to keep secret the operations of democratic nations against bad actors. These revelations call into question the process the American and other governments use in weighing the equities of telling companies their products have exploitable weaknesses as opposed to keeping and using those weaknesses for surveillance and hacking. Of course, the risk is that these vulnerabilities will almost certainly fall into the hands of bad actors (at least from the western perspective) and be turned against the United States and its allies.
  • “Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military” By Joseph Cox — Vice’s Motherboard. It was inevitable, given the market among governments for smartphone and app location data, that a business would start selling car location data. And so, the Ulysses Group’s pitch claims the company “can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis.” This is possible because of all the computerized parts in modern cars that are constantly transmitting information to the manufacturers, which is then sold or traded to data brokers or aggregators. It looks like Vice was given this story by the office of Senator Ron Wyden (D-OR), so it is very likely he will press the United States government to confirm or deny use of these types of services and also introduce legislation limiting or banning these practices.
  • “Mailchimp employees have complained about inequality for years — is anyone listening?” By Zoe Schiffer — The Verge. This privately owned company based in Atlanta has many of the same discrimination and diversity problems other technology firms have, if the accounts of employees are to be believed.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April. No agenda has been announced as of yet.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Syazani Nizam on Unsplash
