Other Developments, Further Reading, and Coming Events (28 April 2021)

Other Developments

  • The United Kingdom’s (UK) Digital Secretary Oliver Dowden indicated that the British government would intervene to possibly stop the acquisition of a British semiconductor manufacturer. NVIDIA Corporation had proposed to buy ARM Limited (ARM) from SoftBank in a $40 billion deal. Dowden wrote the Competition and Markets Authority (CMA) “to inform them of his decision and has instructed them to begin a ‘phase one’ investigation to assess the transaction.” In terms of background, the Department for Digital, Culture, Media & Sport (DCMS) explained:
    • On 13 September 2020, NVIDIA Corporation (NVIDIA) and SoftBank Group (SoftBank) announced an agreement under which NVIDIA will acquire ARM Limited (ARM) from SoftBank in a transaction valued at approximately $40 billion.
    • Under the terms of the transaction, which has been approved by the boards of directors of NVIDIA, SoftBank and ARM, at closing, NVIDIA will pay in consideration to SoftBank a total aggregate amount of $12bn in cash and $21.5bn in NVIDIA shares. Additionally, SoftBank may receive up to $5bn subject to satisfaction of specific financial performance targets by ARM. NVIDIA will also issue $1.5bn in equity to ARM employees.
    • Under the powers set out in the Enterprise Act 2002, the Secretary of State for Digital, Culture, Media and Sport is able to intervene on national security grounds. This responsibility is discharged in a quasi-judicial capacity.
    • The DCMS explained the next steps:
      • Once the ‘phase one’ process is complete, the Digital Secretary has a number of options:
      • He can decide whether to clear the transaction if, for example, no concerns arise on either public interest or competition grounds;
      • Clear the transaction subject to any agreed undertakings (to remedy the competition or public interest concerns or both);
      • Refer the transaction to a ‘phase two’ investigation for further scrutiny (whether on public interest and competition grounds or on public interest grounds alone).
      • There is no set period in which this decision must be made, but it must take into account the need to make a decision as soon as reasonably practicable to reduce uncertainty.
      • If the Digital Secretary determines there are no public interest concerns, but there are competition concerns based on the CMA’s report which cannot be remedied by undertakings, he will instruct the CMA to deal with the merger as an ‘ordinary’ merger case.
      • If the transaction is referred to a ‘phase two’ investigation, the CMA will lead a further investigation of any identified competition and/or public interest concerns.
      • If a ‘phase two’ referral has been made based on public interest concerns, the CMA will assess further whether the merger raises public interest concerns and make recommendations as to what the Digital Secretary should do to remedy any adverse effects.
      • At the end of a phase two investigation the Digital Secretary has the power to take action to remedy, mitigate or prevent any effects adverse to the public interest.
  • The Senate Foreign Relations Committee marked up and reported out the “Strategic Competition Act of 2021” (S.1169) as amended. According to a committee press release, the bill “is an unprecedented, bipartisan effort to mobilize all United States strategic, economic, and diplomatic tools for an Indo-Pacific strategy that enables the U.S. government to compete effectively with the People’s Republic of China and the challenges it poses to our national and economic security for decades to come.” Chair Bob Menendez (D-NJ) and Ranking Member Jim Risch (R-ID) highlighted “key provisions:”
    • Bolsters the United States’ diplomatic strategy in addressing challenges posed by the People’s Republic of China and reaffirms America’s commitment to its allies and partners in the Indo-Pacific region and around the world.
    • Calls for the United States to reassert its leadership within international organizations and other multilateral fora.
    • Renews America’s commitment to allies and partners by prioritizing diplomatic and economic engagement and security assistance for the Indo-Pacific region, assuring the State Department is organized and well-resourced for strategic competition, and strengthening U.S. diplomatic efforts to address challenges posed by China around the world.
    • Invests in universal values, authorizing a broad range of human rights and civil society measures including supporting democracy in Hong Kong, genuine autonomy for Tibet, and imposing sanctions with respect to forced labor, forced sterilization, and other abuses in Xinjiang.
    • Focuses on confronting and countering China’s predatory international economic behavior, and includes measures to counter intellectual property violations and Chinese government subsidies, to monitor Chinese use of Hong Kong to circumvent U.S. export controls, and to track the presence of Chinese companies in U.S. capital markets. Directs the United States to provide technical assistance to countries working to counter foreign corrupt practices.
    • Strengthens American competitiveness with investments in science and technology, global infrastructure development, and digital connectivity and cybersecurity partnerships.
    • Counters CCP influence and malign operations, especially in American universities, by requiring that the Committee on Foreign Investment in the United States review certain foreign gifts and contracts.
    • Calls for enhanced coordination and cooperation with allies on arms control in the face of China’s military modernization and expansion, and requires reporting on Chinese ballistic, hypersonic glide, and cruise missiles, conventional forces, nuclear, space, cyberspace and other strategic domains.
    • Authorizes the U.S. Governor to the Inter-American Development Bank to vote in favor of a 10th IDB general capital increase and requires U.S. diplomatic engagement in support of a capital increase to counter China’s efforts in the Western Hemisphere.
    • Includes critical provisions to increase transparency for Congress and the American public related to international agreements. 
  • The United States (U.S.) Department of Commerce (Commerce) revealed that it served a subpoena “on a Chinese company to support the review of transactions pursuant to Executive Order (EO) 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain” that tasked Commerce with establishing a review process for transactions involving information and communications technology and services. Commerce issued a final rule pursuant to the EO in January 2021 establishing the review process. Commerce claimed “[t]he action taken today is an important step in investigating whether the transactions involving this company meet the criteria set forth in the Executive Order” and added:
    • Unrestricted acquisition or use in the United States of ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses a significant risk to the national security interests of the United States. The subpoena served today allows the Commerce Department to collect information that will help make a determination regarding the potential risk to the security of United States and its citizens. The Commerce Department hopes to work cooperatively with this company to conclude a thorough review.
  • The Australian Competition & Consumer Commission (ACCC), the United Kingdom’s (UK) Competition and Markets Authority and Germany’s Bundeskartellamt issued a joint statement “highlighting the importance of rigorous and effective merger enforcement.”  The joint statement suggests the agencies may coordinate their enforcement of mergers, especially in tech markets. The three agencies stated:
    • Effective merger control is vital to ensuring competitive markets exist in a free market economy. Competition drives prices down; quality, choice and service up; and pushes companies to innovate. Competition can only be maintained by ensuring anticompetitive mergers do not happen. This is even more so in a fast-developing digital world impacted by the Coronavirus (Covid-19) pandemic. We believe that in the world today there is a real need for strong merger enforcement from competition agencies globally to ensure that high concentration levels do not become the accepted norm, and to maintain and promote competition for the benefit of consumers. To achieve this, competition agencies, courts and tribunals are strongly encouraged to protect competition also when there is uncertainty raised by contentious mergers and ensure the interests of consumers are promoted over the profits of the merging firms.
  • The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) published “Defending Against Software Supply Chain Attacks” that “provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.” This guidance is timely in light of the spate of recent supply chain attacks that have compromised swaths of United States critical cyber infrastructure (e.g., SolarWinds).
  • The European Data Protection Board (EDPB) is asking for comments on draft “Guidelines 03/2021 on the application of Article 65(1)(a) GDPR,” the process by which disputes between European Union data protection authorities are to be resolved by the Board via binding decisions. The EDPB has used these powers once in issuing a decision on how Ireland’s Data Protection Commission should punish Twitter for data breaches. The EDPB explained:
    • These Guidelines clarify the application of Article 65(1)(a) GDPR. In particular, they clarify the application of the relevant provisions of the GDPR and Rules of Procedure, delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies.
    • The present Guidelines do not concern dispute resolution by the EDPB in cases where:
      • there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment (Article 65(1)(b) GDPR);
      • a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64 (Article 65(1)(c) GDPR).
  • Senators Ron Wyden (D-OR) and Rand Paul (R-KY) and 18 other cosponsors have introduced the “Fourth Amendment is Not for Sale Act,” (S.1265) “to put a stop to shady data brokers buying and selling Americans’ Constitutional rights.” House Judiciary Committee Chair Jerry Nadler (D-NY) and House Administration Committee Chair Zoe Lofgren (D-CA) introduced a companion bill in the House (H.R.2738). They claimed:
    • The Fourth Amendment is Not for Sale Act closes the legal loophole that allows data brokers to sell Americans’ personal information to law enforcement and intelligence agencies without any court oversight – in contrast to the strict rules for phone companies, social media sites and other businesses that have direct relationships with consumers.
    • The Senators asserted the bill:
      • Requires the government to get a court order to compel data brokers to disclose data — the same kind of court order needed to compel data from tech and phone companies.
      • Stops law enforcement and intelligence agencies buying data on people in the U.S. and about Americans abroad, if the data was obtained from a user’s account or device, or via deception, hacking, violations of a contract, privacy policy, or terms of service. As such, this bill prevents the government buying data from Clearview.AI.
      • Extends existing privacy laws to infrastructure firms that own data cables & cell towers.
      • Closes loopholes that would permit the intelligence community to buy or otherwise acquire metadata about Americans’ international calls, texts and emails to family and friends abroad, without any FISA Court review.
      • Ensures that intelligence agencies acquiring data on Americans do so within the framework of the Foreign Intelligence Surveillance Act and that when acquiring Americans’ location data, web browsing records and search history, intelligence agencies obtain probable cause orders. This language is similar to language that was in the 2020 Wyden-Daines amendment to legislation to reform Section 215.
      • Takes away the Attorney General’s authority to grant civil immunity to providers and other third parties for assistance with surveillance not required or permitted by statute. Providers retain immunity for surveillance assistance ordered by a court.
  • The European Parliamentary Research Service (EPRS) issued an analysis of European Union (EU)-United Kingdom (UK) data flows and asserted:
    • Data transfers are essential for digitally enabled and digitally delivered trade in goods and services, such as cross-border financial services and e-commerce.
    • Upon its withdrawal from the EU on 31 January 2020, the United Kingdom (UK) became free to determine its own international trade policy, but simultaneously forfeited rights stemming from EU membership. Without a robust follow-up arrangement to the Withdrawal Agreement, the parties would have risked disruption in cross-border transfers of personal data as well as high compliance costs. However, due to lack of agreement on data transfer conditions and possible divergence in data standards, the parties were unable to implement sustainable solutions, such as long-term trade rules or an adequacy decision under the General Data Protection Regulation (GDPR). A recent study estimated the costs of ‘inadequacy’ at around GB£1-1.6 billion (€1.116-1.7856 billion) for UK firms, stemming largely from companies reverting to alternative transfer mechanisms under the GDPR. At the time of writing, the remaining mechanisms hardly present a reliable alternative, since they are encumbered by similar concerns to a UK adequacy decision and are partially immature, as well as narrow in scope. After lengthy negotiations, the UK and the EU agreed on a Trade and Cooperation Agreement (TCA), including an interim solution (‘bridging mechanism’) ensuring the provisional continuation of personal data flows. Although the interim solution is already subject to criticism from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), it seems that supervisory authorities are willing to accept the bridging mechanism – as long as this approach is not repeated, much less becomes the norm. With the interim solution expiring on 30 June 2021, the risk of disruption and high costs has only been deferred.
    • Consequently, the European Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the UK, under the GDPR and the Law Enforcement Directive (LED) respectively, on 19 February 2021. With the publication of its draft decisions, the Commission initiated the process of adopting an adequacy decision that enables the commercial transfer of personal data without the need to obtain further authorisation. While privacy professionals, academics, supervisory authorities and civil society organisations have raised concerns that the UK’s legislative framework and data-related practices may preclude an adequacy decision, the Commission considers that the UK’s level of data protection is essentially equivalent to that of the EU and intends to grant the UK an adequacy decision. Specifically, the Commission attempts to dispel criticism as regards, for instance: (i) UK surveillance laws and practices; (ii) shortcomings in the implementation of EU data protection standards linked to the immigration exemption and the Digital Economy Act 2017; (iii) weak enforcement of data protection rules by the UK Information Commissioner’s Office (ICO); (iv) potential liberal onward transfer of data; and (v) the UK’s wavering commitment to EU data protection standards. Against this backdrop, the Commission emphasises its suspension and termination rights in case inadequacy is revealed and includes an unprecedented expiry date in the draft decision. Critics argue that the UK must first implement reforms and provide assurances before the Commission may grant an adequacy decision. One way forward may be a thorough assessment of the UK legal framework against EU standards, including CJEU case law. Where risk of non-compliance is low and legal remedies are likely effective, commitments to a specific interpretation of the law as well as assurances of compliance might suffice as a mitigation strategy. 
    • Where serious doubts regarding UK data adequacy persist, supplementary rules, including additional safeguards, could be agreed and included in the adequacy decision, to bridge the differences between the two data protection systems. In its highly anticipated (forthcoming) opinion on the draft decision, the European Data Protection Board (EDPB) will likely scrutinise the Commission’s approach and provide recommendations on next steps.
  • A Foreign Intelligence Surveillance Act (FISA) Court decision was declassified that continues to show problems with the Federal Bureau of Investigation’s (FBI) query procedures of foreign intelligence. The Office of the Director of National Intelligence (DNI) explained:
    • On November 18, 2020, the FISC issued a classified Memorandum Opinion and Order approving the 2020 Certifications and the associated targeting, minimization, and querying procedures (linked below). In the Memorandum Opinion, the Court examined the proposed procedures, both as written and in the context of how prior procedures had been implemented by the government, and found that the proposed procedures satisfy the requirements of FISA and the Fourth Amendment. 
    • One focus of the November 2020 opinion was on the Federal Bureau of Investigation’s (FBI) queries of unminimized Section 702-acquired information. The Court took note that since its most recent opinion on Section 702, FBI had implemented system changes to comply with recordkeeping and documentation requirements for such queries and had deployed mandatory training for all FBI personnel with access to unminimized Section 702-acquired information. The Court, however, stated it “continues to be concerned about FBI querying practices involving U.S.-person query terms, including (1) application of the substantive standard for conducting queries; (2) queries that are designed to retrieve evidence of crime that is not foreign-intelligence information; and (3) recordkeeping and documentation requirements.” See p. 39. The Court examined specific compliance incidents (see pp. 39 – 44) and evaluated the manner in which FBI implemented various changes to systems (see pp. 44 – 52). The Court noted that a majority of these query incidents occurred prior to FBI implementing system changes and deploying mandatory training intended to address these compliance matters, and that the COVID-19 pandemic had subsequently severely limited the ability of the government to monitor the FBI’s compliance once these system and training changes had been put in place. See pp. 41, 43, 49-50. As a result, the Court concluded that the improper queries do not undermine the Court’s determination that FBI’s querying and minimization procedures meet the applicable statutory and Fourth Amendment requirements, but stated that it would “continue to closely monitor the government’s reporting in order to evaluate whether the querying procedures are being implemented in a manner consistent with the statute and the Fourth Amendment.” See pp. 41, 44, and 49-50. The Court also imposed new reporting obligations on the government to facilitate its oversight. See pp. 51, 63, and 66.
    • In addition to releasing the FISC opinion, ODNI is releasing the targeting, minimization, and querying procedures filed with the 2020 Certifications.  Links to these documents are provided below.  The documents are also posted in full-text searchable format on Intel.gov.

Further Reading

  • “Myanmar’s internet suppression” By Andrea Januta and Minami Funakoshi — Reuters. The junta in Naypyidaw is cutting access to or severely slowing down the internet to contain the civil unrest following its coup. The military leadership is trying to allow internet usage during the day for government and businesses while also trying to stymie protests, online coordination and communication, and attempts to inform the world of what is happening in Myanmar.
  • “Proctorio Is Using Racist Algorithms to Detect Faces” By Todd Feathers — Vice. A college student discovered that a popular test proctoring system is likely using an open source facial recognition library known for misidentifying minorities at significant rates. The company obliquely claimed this is not so. If true, this would explain why so many students of color have had trouble logging in and staying logged in to the platform to take examinations.
  • “Alibaba Hit With Record $2.8 Billion Antitrust Fine in China” By Keith Zhai — The Wall Street Journal. Even the People’s Republic of China (PRC) is cracking down on “Big Tech.” Beijing levied a $2.8 billion fine on Alibaba for allegedly abusing its dominance on its e-commerce platform to the detriment of smaller firms, a figure representing 4% of its sales in the PRC. Regulators argued Alibaba was forcing companies to choose between its platform or others. Going forward the company will have to abide by the government’s imposed reorganization plan and submit compliance reports. This may be only Beijing’s most recent attempt to diminish the power of Alibaba founder Jack Ma, who has criticized the government of Xi Jinping.
  • “The new world of ‘deep fake’: How cyber attackers impersonated senior ministers, diplomats” By Anthony Galloway — The Sydney Morning Herald. Through fairly unsophisticated means, a group of hackers created fake accounts on Telegram for some senior Australian officials that were then used to try to trick people into transferring money to Hong Kong banks. It appears the hackers set up fake accounts with the officials’ real phone numbers, some of whom then confirmed the accounts when prompted by Telegram. Government officials need to better understand and use cyber hygiene, and it is really just a matter of time before these sorts of attacks are tried on everyone.
  • “Chinese Big Tech’s shadiest practices” By Shen Lu — Protocol. The People’s Republic of China (PRC) seems to be aligned with other nations in their view that some technology companies are too large and pose threats to competition. The PRC can, of course, implement new laws and regulations at speeds unheard of in democracies, and so, Beijing has revamped parts of its antitrust and anti-competition regulation. This piece details some of the abuses regulators may take on.
  • “A $2 Billion Government Surveillance Lab Created Tech That Guesses Your Name By Simply Looking At Your Face” By Thomas Brewster — Forbes. The MITRE Corporation has built upon research from an Israeli university that suggests the feasibility of humans and computers assigning the right name to a face above expected averages. The U.S. government-funded entity has supposedly pushed positive rates higher than the researchers did. Some experts are not so sure.
  • “India Seeks U.S. Help as China-Backed Hacks Threaten Military” By Sudhi Ranjan Sen — Bloomberg. The head of India’s military said the nation needs help in securing its defense industry from Chinese cyber-attacks. This admission comes amidst rising tensions between India and the People’s Republic of China (PRC) as the two nations again skirmished over their border in 2020, India banned some Chinese apps including TikTok, and the PRC allegedly launched cyber-attacks against civilian targets in India. The U.S. and other allies have been courting New Delhi to join their efforts to counter the PRC, and the two nations joined with Australia and Japan in reviving the Quadrilateral Security Dialogue most recently at a March 2021 meeting with the heads of the four nations.
  • “I Thought My Job Was To Report On Technology In India. Instead, I Got A Front-Row Seat To The Decline Of My Democracy.” By Pranav Dixit — BuzzFeed News. This journalist documents where and how technology and the increasingly authoritarian government of Prime Minister Narendra Modi are intersecting. He is no longer able to divorce technology policy from the dismantling of democracy as companies like Twitter and Facebook knuckle under to India’s laws and regulations that force companies to remove offending content under pain of jail for the required local employees they must have.

Coming Events

  • On 28 April, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “National Science Foundation: Advancing Research for the Future of U.S. Innovation.”
  • On 28 April, the Senate Commerce, Science, and Transportation Committee will mark up the following bills:
    • S.120, Safe Connections Act; Sponsors: Sens. Brian Schatz (D-HI), Deb Fischer (R-NE), Rick Scott (R-FL), Richard Blumenthal (D-CT), Jacky Rosen (D-NV), Shelley Moore Capito (R-WV)
    • S.163, Telecommunications Skilled Workforce Act; Sponsors: Sens. John Thune (R-SD), Jon Tester (D-MT), Gary Peters (D-MI), Roger Wicker (R-MS), Jerry Moran (R-KS)
    • S.198, Data Mapping to Save Mom’s Lives Act; Sponsors: Sens. Jacky Rosen (D-NV), Deb Fischer (R-NE), Todd Young (R-IN), Brian Schatz (D-HI), Ed Markey (D-MA), Richard Blumenthal (D-CT), Amy Klobuchar (D-MN), Gary Peters (D-MI)
    • S.326, Measuring the Economic Impact of Broadband Act; Sponsors: Sens. Amy Klobuchar (D-MN), Shelley Moore Capito (R-WV), Dan Sullivan (R-AK)
    • S.735, Advanced Technological Manufacturing Act; Sponsors: Sens. Roger Wicker (R-MS), Maria Cantwell (D-WA), Jacky Rosen (D-NV)
    • S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN)
  • On 28 April, the Senate Appropriations Committee’s Military Construction, Veterans Affairs, and Related Agencies Subcommittee will hold a hearing titled “VA Telehealth Program: Leveraging Recent Investments to Build Future Capacity.”
  • On 29 April, the Senate Armed Services Committee will hold open and closed hearings on worldwide threats.         
  • On 29 April, the Commerce, Science, and Transportation Committee will consider the nomination of Eric Lander to be Director of the Office of Science and Technology Policy (OSTP).
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April and has made an agenda available.
  • The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by analogicus from Pixabay
