Further Reading and Other Developments (29 June)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Other Developments

  • The Senate Commerce, Science, and Transportation Committee held an oversight hearing on the Federal Communications Commission (FCC) with the FCC Chair and four Commissioners.
  • New Zealand’s Parliament passed the “Privacy Act 2020,” a major update of its 1993 statute that would, according to New Zealand’s Privacy Commissioner, do the following:
    • Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
    • Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
    • Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
    • Controls on the disclosure of information overseas. Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
    • New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
    • Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand with New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers, are based.
  • The United States’ National Archives’ Information Security Oversight Office (ISOO) submitted its annual report to the White House and found:
    • Our Government’s ability to protect and share Classified National Security Information and Controlled Unclassified Information (CUI) continues to present serious challenges to our national security. While dozens of agencies now use various advanced technologies to accomplish their missions, a majority of them still rely on antiquated information security management practices. These practices have not kept pace with the volume of digital data that agencies create and these problems will worsen if we do not revamp our data collection methods for overseeing information security programs across the Government. We must collect and analyze data that more accurately reflects the true health of these programs in the digital age.
    • However, ISOO noted progress on efforts to better secure and protect CUI but added “[f]ull implementation will require additional resources, including dedicated funds and more full-time staff.”
    • Regarding classified information, ISOO found “Classified National Security Information policies and practices remain outdated and are unable to keep pace with the volume of digital data that agencies create.”
  • The Australian Strategic Policy Institute’s International Cyber Policy Centre released its most recent “Covid-19 Disinformation & Social Media Manipulation” report, titled “ID2020, Bill Gates and the Mark of the Beast: how Covid-19 catalyses existing online conspiracy movements:”
    • Against the backdrop of the global Covid-19 pandemic, billionaire philanthropist Bill Gates has become the subject of a diverse and rapidly expanding universe of conspiracy theories. As an example, a recent poll found that 44% of Republicans and 19% of Democrats in the US now believe that Gates is linked to a plot to use vaccinations as a pretext to implant microchips into people. And it’s not just America: 13% of Australians believe that Bill Gates played a role in the creation and spread of the coronavirus, and among young Australians it’s 20%. Protests around the world, from Germany to Melbourne, have included anti-Gates chants and slogans.
    • This report takes a close look at a particular variant of the Gates conspiracy theories, which is referred to here as the ID2020 conspiracy (named after the non-profit ID2020 Alliance, which the conspiracy theorists claim has a role in the narrative), as a case study for examining the dynamics of online conspiracy theories on Covid-19. Like many conspiracy theories, that narrative builds on legitimate concerns, in this case about privacy and surveillance in the context of digital identity systems, and distorts them in extreme and unfounded ways.
  • The Pandemic Response Accountability Committee (PRAC) released “TOP CHALLENGES FACING FEDERAL AGENCIES: COVID-19 Emergency Relief and Response Efforts” for those agencies that received the bulk of funds under the “Coronavirus Aid, Relief, and Economic Security (CARES) Act” (P.L. 116-136). PRAC, housed within the Council of the Inspectors General on Integrity and Efficiency (CIGIE), is comprised of “21 Offices of Inspector General (OIG) overseeing agencies who received the bulk of the emergency funding.” PRAC stated:
    • CIGIE previously has identified information technology (IT) security and management as a long-standing, serious, and ubiquitous challenge that impacts agencies across the government, highlighting agencies’ dependence on reliable and secure IT systems to perform their mission-critical functions. Key areas of concern have included safeguarding federal systems against cyberattacks and insider threats, modernizing and managing federal IT systems, ensuring continuity of operations, and recruiting and retaining a highly skilled cybersecurity workforce.
    • These concerns remain a significant challenge, but are impacted by (1) widespread reliance on maximum telework to continue agency operations during the pandemic, which has strained agency networks and shifted IT resources, and (2) additional opportunities and targets for cyberattacks created by remote access to networks and increases in online financial activity.
  • Following the completion of a European Union-People’s Republic of China summit, European Commission President Ursula von der Leyen pointed to a number of ongoing technology-related issues between the EU and the PRC, including:
    • [W]e continue to have an unbalanced trade and investment relationship. We have not made the progress we aimed for in last year’s Summit statement in addressing market access barriers. We need to follow up on these commitments urgently. And we also need to have more ambition on the Chinese side in order to conclude negotiations on an investment agreement. These two actions would address the asymmetry in our respective market access and would improve the level playing field between us. In order to conclude the investment agreement, we would need in particular substantial commitments from China on the behaviour of state-owned enterprises, transparency in subsidies, and transparency on the topic of forced technology transfers.
    • We have raised these issues at the same time with President Xi and Premier Li that we expect that China will show the necessary level of ambition to conclude these negotiations by the end of this year. I think it is important that we have now a political, high-level approach on these topics.
    • I have also made it clear that China needs to engage seriously on a reform of the World Trade Organization, in particular on the future negotiations on industrial subsidies. This is the relevant framework where we have to work together on the topic – and it is a difficult topic – but this is the framework, which we have to establish to have common binding rules we agree on.
    • And we must continue to work on tackling Chinese overcapacity, for example in the steel and metal sectors, and in high technology. Here for us it is important that China comes back to the international negotiation table, that we sit down there and find solutions.
    • We also pointed out the importance of the digital transformation and its highly assertive approach to the security, the resilience and the stability of digital networks, systems and value chains. We have seen cyberattacks on hospitals and dedicated computing centres. Likewise, we have seen a rise of online disinformation. We pointed out clearly that this cannot be tolerated.
  • United States Secretary of State Mike Pompeo issued a statement titled “The Tide Is Turning Toward Trusted 5G Vendors,” in which he claimed:
    • The tide is turning against Huawei as citizens around the world are waking up to the danger of the Chinese Communist Party’s surveillance state. Huawei’s deals with telecommunications operators around the world are evaporating, because countries are only allowing trusted vendors in their 5G networks. Examples include the Czech Republic, Poland, Sweden, Estonia, Romania, Denmark, and Latvia. Recently, Greece agreed to use Ericsson rather than Huawei to develop its 5G infrastructure.
  • Germany’s highest court, the Bundesgerichtshof (BGH), ruled against Facebook’s claim that the country’s antitrust regulator was wrong in its finding that it was abusing its dominant position in combining data on German nationals and residents across its platforms. Now the matter will go down to a lower German court that is expected to heed the higher court’s ruling and allow the Bundeskartellamt’s restrictions to limit Facebook’s activity.
  • France’s Conseil d’État upheld the Commission nationale de l’informatique et des libertés’ (CNIL) 2019 fine of €50 million on Google under the General Data Protection Regulation (GDPR) “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
  • A Virginia court ruled against House Intelligence Committee Ranking Member Devin Nunes (R-CA) in his suit against Twitter and Liz Mair, a Republican consultant, and Twitter accounts @devincow and @DevinNunesMom regarding alleged defamation.
  • The California Secretary of State has listed the ballot initiative to add the “California Privacy Rights Act” to the state’s law, in large part to amend the “California Consumer Privacy Act” (CCPA) (AB 375), as having qualified for November’s ballot.

Further Reading

  • “Wrongfully Accused by an Algorithm” – The New York Times. In what should have been predictable and foreseeable given the error rate of many facial recognition algorithms at correctly identifying people of color, an African American man was wrongly identified by this technology, causing him to be arrested. Those in the field and experts stress that positive identifications are supposed to be only one piece of evidence, but in this case it was the only evidence police had. After a store loss-prevention specialist agreed that a person in a low-grade photo was the likely shoplifter, police arrested the man. Eventually the charges were dismissed, initially without prejudice, leaving open the possibility of future prosecution, but later the district attorney cleared all charges and expunged the arrest.
  • “Pentagon Says it Needs ‘More Time’ Fixing JEDI Contract” – Nextgov. The saga of the Department of Defense’s Joint Enterprise Defense Infrastructure cloud contract continues. Amazon and Microsoft will need to submit revised bids for the possibly $10 billion procurement as the Department of Defense (DOD) is trying to cure the problems turned up by a federal court in the suit brought by Amazon. These bids would be evaluated later this summer, according to a recent DOD court filing. The next award of this contract could trigger another bid protest, just as the first award caused Amazon to challenge Microsoft’s victory.
  • “EU pushing ahead with digital tax despite U.S. resistance, top official says” – Politico. At an Atlantic Council event, European Commission Executive Vice President Margrethe Vestager stated the European Union will move ahead with an EU-wide digital services tax despite the recent pullout of the United States from talks on such a tax. The Organization for Economic Co-operation and Development had convened multilateral talks to resolve differences on how a global digital services tax would ideally function, with most of the nations involved arguing for a 2% tax to be assessed in the nation where the transaction occurs as opposed to where the company is headquartered. EU officials claim agreement was within reach when the US removed itself from the talks. An EU-wide tax is of a piece with a more aggressive stance taken by the EU towards US technology companies, a number of which are currently under investigation for antitrust and anti-competitive behaviors.
  • “Verizon joins ad boycott of Facebook over hateful content” – Associated Press. The telecommunications company joined a number of other companies in pulling their advertising from Facebook in a campaign organized by the ADL (the Anti-Defamation League), the NAACP, Sleeping Giants, Color Of Change, Free Press and Common Sense. The #StopHateforProfit campaign “asks large Facebook advertisers to show they will not support a company that puts profit over safety,” and thus far a number of companies are doing just that, including Eddie Bauer, Patagonia, North Face, Ben & Jerry’s, and others. In a statement, a Facebook spokesperson stated “[o]ur conversations with marketers and civil rights organizations are about how, together, we can be a force for good.” While Facebook has changed course due to this and other pressure regarding content posted or ads placed on its platform, most recently by removing a Trump campaign ad with Nazi imagery, the company has not changed its position on allowing political ads with lies.
  • “The UK’s contact tracing app fiasco is a master class in mismanagement” – MIT Technology Review. This after-action report on the United Kingdom’s National Health Service’s efforts to build its own COVID-19 contact tracing app is grim. The NHS is basically scrapping its work and opting for the Google/Apple API. However, the government in London is claiming “we will now be taking forward a solution that brings together the work on our app and the Google/Apple solution.” A far too ambitious plan married to organizational chaos led to the crash of the NHS effort.
  • “Trump administration sees no loophole in new Huawei curb” – Reuters. Despite repeated arguments by trade experts that the most recent United States Department of Commerce regulations on Huawei will not cut off its access to high technology components, Secretary of Commerce Wilbur Ross claimed “[t]he Department of Commerce does not see any loopholes in this rule…[and] [w]e reaffirm that we will implement the rule aggressively and pursue any attempt to evade its intent.”
  • “Defense Department produces list of Chinese military-linked companies” – Axios. Likely in response to a letter sent last year by Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR), the Department of Defense has finally fulfilled a requirement in the FY 1999 National Defense Authorization Act to update a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies.” The DOD has complied and compiled a list of People’s Republic of China (PRC) entities linked to the PRC military. This provision in the FY 1999 NDAA also grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities” against listed entities, which could include serious sanctions.
  • “Andrew Yang is pushing Big Tech to pay users for data” – The Verge. Former candidate for the Democratic Party’s presidential nomination Andrew Yang has started the Data Dividend Project, “a movement dedicated to taking back control of our personal data: our data is our property, and if we allow companies to use it, we should get paid for it.” Additionally, “[i]ts primary objective is to establish and enforce data property rights under laws such as the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.” California Governor Gavin Newsom proposed a similar program in very vague terms in a State of California speech but never followed up on it, and Senator John Kennedy (R-LA) has introduced the “Own Your Own Data Act” (S. 806) to provide people with rights to sell their personal data.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Retha Ferguson from Pexels

Privacy Bill A Week: “Own Your Own Data Act” (S. 806) and the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951).

This week, we will look at a pair of bills referenced by Senate Banking, Housing, and Urban Affairs Committee Chair Mike Crapo (R-ID) at a recent hearing on data ownership that take a different approach to privacy. In short, these bills would approach the issues presented by mass collection and use of consumer data by granting ownership rights.

Senator John Kennedy (R-LA) introduced the “Own Your Own Data Act” (S. 806), and Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951).

The “Own Your Own Data Act” provides that “[e]ach individual owns and has an exclusive property right in the data that an individual generates on the internet under section 5 of the Federal Trade Commission Act.” This provision of a new right raises many more questions than it answers. Presumably, the required rulemaking the Federal Trade Commission (FTC) must undertake to effectuate this language will fill some gaps and define the terms that this brief three-page bill does not.

Additionally, every “social media company,” a term not defined by the bill, must

  • have a prominently and conspicuously displayed icon each user may click to obtain a copy of the user’s data with any analysis of the user’s data performed by the social media company;
  • have a prominently and conspicuously displayed icon each user may click to easily export the user’s data with any analysis of the user’s data performed by the social media company.

These provisions would seem to lend themselves to greater transparency in how one’s personal data is being used and portability should someone want to use a different platform.

The key provision of the bill, however, is that every user of a social media company’s offerings must “knowingly and willfully enter into a licensing agreement” during the registration of the account. For future users this legislation would grant them the ability to license the exclusive property that is their data, but what of existing accounts, such as the millions of Facebook, Twitter, and Google accounts in the U.S.? Would this be only prospective, as legislation typically is? And, if so, then current users of Twitter and Facebook may not be able to license their accounts, as the companies might not need to offer them the opportunity. As a practical matter, these companies might offer current users the opportunity, but within the four corners of the bill they would be under no obligation to do so.

The FTC would be able to enforce this act. However, it is not altogether clear how the FTC would enforce this act. Would the misuse or stealing of a person’s personal data be considered a violation of the Section 5 prohibition on unfair and deceptive practices? Will the FTC’s required rulemaking deem a violation of one’s exclusive property right in their personal data a violation of the Section 5 bar against deceptive and unfair practices? Or is the FTC to wade into enforcing personal licenses and punishing violations? Would the agency husband its resources and wait until it has a sizeable number of complaints about social media company X before it investigates? This may be a likely outcome given that a number of critics of the FTC already claim the agency is stretched too thin and brings too few enforcement actions for data security and privacy violations.

Regarding the rulemaking, the FTC must “promulgate regulations carrying out this [bill], which shall be approved by Congress.” Presumably the agency must use the more cumbersome Moss-Magnuson procedures for rulemaking instead of the Administrative Procedure Act (APA) notice and comment process? However, the bill does not speak directly to this point, and so it is likely the FTC would be stuck using the Moss-Magnuson process, which has effectively choked off the agency’s rulemaking capability.

How exactly must Congress approve these regulations? Will it be like reprogramming requests, which usually require the assent of the Appropriations Committees, often through a formal process? Or will the informal sign-off from the committees of jurisdiction over the FTC suffice? Or must Congress pass a resolution of approval or disapproval, as it may under a number of statutes designed to police executive branch actions? The bill leaves this question unanswered.

A different privacy bill we examined, the “American Data Dissemination (ADD) Act” (S. 142), also requires the FTC to submit regulations to Congress. In the case of that bill, the agency needs to send “detailed recommendations [to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee] for privacy requirements that Congress could impose on covered providers that would be substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.” Twelve to 15 months after the FTC submits this report, it would be required to submit to the same committees proposed regulations that would similarly make covered entities subject to requirements along the lines of how the Privacy Act of 1974 applies to federal agencies.

However, despite creating a property right, the bill provides no right of action. Consumers would not be able to sue if the licensing of their “exclusive property right in the data” they generate is violated. Normally, for most property rights, consumers may go to court if they think their rights to this property have been infringed. This bill would not grant such a right to consumers, and I do not know of any other federal grounds under which consumers would be able to sue. Or would a person’s data be similar to trademarked or copyrighted information? Among the many questions raised under this scheme, would consumers be able to use existing state property statutes to sue in state courts? Could a state like California enact a right to sue for a violation of this newly created federal right?

This week’s other bill, the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951), would force a select class of online entities to disclose how much they earn from users’ data and also provide consumers the right to delete their data subject to some exceptions. The entities would need to file additional disclosures with the Securities and Exchange Commission (SEC) to bring greater transparency to consumers, shareholders, and investors regarding the value of the data that companies collect and then share.

The bill defines “commercial data operators” as those “acting in its capacity as a consumer online services provider or data broker that—

  • generates a material amount of revenue from the use, collection, processing, sale, or sharing of the user data; and
  • has more than 100,000,000 unique monthly visitors or users in the United States for a majority of months during the previous 1-year period.”

This definition would seem to include a small class of online entities while excluding most businesses that generate a material amount of their revenue from other activities. But, how “material” is defined would determine how a company like an auto manufacturer that derives significant revenue from both auto sales and the sale or sharing of personal data would be treated. Nonetheless, those entities that act as data brokers would be swept into this definition of commercial data operators, and they would need to meet the new responsibilities imposed on them.

Generally, the bill would require every commercial data operator to “provide each user of the commercial data operator with an assessment of the economic value that the commercial data operator places on the data of that user.” The agency charged with effectuating this portion of the bill, the FTC, would likely need to spell out what constitutes an “assessment of economic value.” Would this need to be consumer friendly and easily understandable?

Additionally, commercial data operators would have to reveal to all users the following:

  • the types of data collected from users of the commercial data operator, whether by the commercial data operator or another person pursuant to an agreement with the commercial data operator; and
  • the ways that the data of a user of the commercial data operator is used if the use is not directly or exclusively related to the online service that the commercial data operator provides to the user

These disclosures seem straightforward and seem designed to better inform consumers about all the sources from which a commercial data operator is obtaining data and all the additional uses of user data beyond the immediate uses of the commercial data operator. Again, how this information is presented to consumers would be key, for if the format is barely intelligible or a sprawling spreadsheet, then one wonders how much the average user of Twitter would understand it. Additionally, would the FTC be able to aggregate these data and publish de-identified statistics on industry-wide data usage practices for commercial data operators? It would appear so. Additionally, the filings that must be made to the SEC would seem to present the FTC and the Department of Justice with a new source of data to investigate possible anti-competitive activity in the markets where commercial data operators are present.

Users must also be able to delete all the data a commercial data operator possesses, subject to certain exceptions, by the use of “a single setting” or “another clear and conspicuous mechanism by which the user may make such a deletion.” The excepted circumstances under which deletion may not occur are:

  • in cases where there is a legal obligation of the commercial data operator to maintain the data;
  • for the establishment, exercise, or defense of legal claims; or
  • if the data is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or assist in the prosecution of those responsible for such activity.

However, commercial data operators may not retain any more user data than is necessary to “carry out” the aforementioned exceptions to the general right of users to delete their data. This would seem to serve as a limit on an entity’s likely inclination to interpret such exceptions in the ways most favorable to it. However, the extent to which these companies refrain from pushing the boundaries egregiously will hinge on FTC enforcement.

As mentioned, the FTC would enforce this new regime. Like virtually all the other privacy bills, the FTC would be empowered to treat acts contrary to the bill “as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act,” meaning the ability right off the bat to ask federal courts for civil fines of more than $40,000 per violation in addition to all the other enforcement tools the FTC normally wields in data security and privacy cases. Of course, the full panoply of the FTC’s other powers would still be available for such cases.

In a twist for a privacy bill, commercial data operators would need “to file an annual or quarterly report” with the SEC that must disclose “the aggregate value, if material, of—

  • user data that the commercial data operator holds;
  • contracts with third parties for the collection of user data through the online service provided by the commercial data operator; and
  • any other item that the [SEC] determines, by rule, is necessary or useful for the protection of investors and in the public interest.

The SEC must also “develop a method or methods for calculating the value of user data required to be disclosed” and “provide quantitative and qualitative disclosures about the value of user data held” by some commercial data operators.

These data disclosure requirements would likely bring much greater transparency into the data practices of a company like Facebook or Google, presumably allowing investors to better understand and value such companies. In a section-by-section summary, Warner and Hawley asserted two additional ways the bill would address data privacy and usage:

  • making the value more transparent could increase competition by attracting competitors to the market.
  • disclosing the economic value of consumer data will also assist antitrust enforcers in identifying unfair transactions and anticompetitive transactions and practices.

While these two bills take different approaches on data privacy by trying to leverage the economics of data, it is not clear how appealing these are to Democrats, whose agreement will be needed before any privacy legislation can move forward. Possibly a modified version of the concepts in these bills could be added to a broader privacy bill, such that entities collecting and sharing data would need to make additional disclosures to the SEC.