Arent Fox Privacy Report: Behind the Screens
More than 200 companies call for national privacy law
A broad coalition of more than 200 retailers, banks and technology companies (the Business Roundtable) released new recommendations for national privacy legislation in a push to get out in front of lawmakers promising to rein in data collection practices in the next Congress. Members of the Business Roundtable include chief executives from companies such as Apple, Walmart and Wells Fargo. The fact that such a wide cross-section of companies—far beyond the technology campuses of Silicon Valley—are actively seeking ways to change the collection and storage of data online reflects a sea change for the privacy debate in the US. The Business Roundtable’s recommendations to lawmakers include: (i) apply the same data collection requirements to all companies regardless of sector, (ii) allow for some self-regulation, (iii) create a national standard for breach notification laws, (iv) put the FTC in charge of enforcement, and (v) consider how the law will impact small businesses that do not process much personal data.
Accountability program bolsters consumer choice about persistent ID, location use for targeted advertising
The Online Interest-Based Advertising Accountability Program, an independent enforcer of the Digital Advertising Alliance’s self-regulatory Principles, released the results of inquiries into two advertising technology companies. The Accountability Program routinely tests mobile apps for compliance with the DAA Principles. As part of this work, the Accountability Program tested a popular dating app, where it observed VRTCAL collecting user data—including precise location information—for IBA. After the inquiries, the companies, Kiip and VRTCAL, updated their privacy disclosures and consumer opt-out tools to ensure that they met the requirements of industry best practices for interest-based advertising. “Making opt-out tools easy to use and ensuring they are clearly described are essential components of the DAA Principles,” said Jon Brescia, Accountability Program Director of Adjudications and Technology. “We are pleased to see that Kiip and VRTCAL have taken this philosophy to heart.”
Two new draft privacy frameworks proposed
First, Sen. Brian Schatz, D-Hawaii, and 14 Democratic senators proposed the Data Care Act. Unlike most, if not all, federal privacy bills that preceded it, the bill would establish a duty of care, loyalty and confidentiality for online companies in relation to personal information. The bill aims to provide a general shape of the duties while authorizing the FTC to decide on the details.
Second, the Center for Democracy & Technology (CDT) offered up a draft position. They want to move beyond the traditional “notice and choice” paradigm by aiming to prohibit “data processing that is presumptively unfair.” This would include practices that would surprise users, practices that make it nearly impossible for the user to avoid, as well as other secondary uses. The CDT's proposal would also prohibit “deceptive practices, such as dark patterns designed to coerce or confuse users into providing their consent.” This suggests that any method of obtaining consent that is not clearly understandable (e.g., clear language, unbundled, prominent) may be viewed as deceptive.
GDPR – Year in Review
- Implementation laws have yet to be passed in Portugal, Czech Republic, and Spain;
- European Data Protection Board has endorsed 16 WP29 opinions, on: consent, transparency, automated decision-making and profiling, personal data breach notification, data portability, DPIA, DPO, lead supervisory authority, BCRs, adequacy referential, and setting of administrative fines;
- Prospective class actions for forced consent against Google, Instagram, WhatsApp and Facebook; and
- Prospective class action for Google location tracking in breach of the GDPR.
EU sets deadline for US to fill Privacy Shield job
While the European Commission applauded the steps that US officials have taken to improve the Privacy Shield data transfer pact this past year, it warned that it would take action if the Trump administration doesn’t select a permanent ombudsperson to handle national security complaints by the end of February. Federal officials have only appointed a temporary ombudsperson at the U.S. Department of State to handle national security complaints since the Privacy Shield was enacted, despite repeated calls by EU policymakers for the role to be permanently filled immediately. Measures the Commission may take if an ombudsperson is not selected include suspending the pact, sanctioning the government, or refusing to allow transfers to continue.
UK to preserve effect of adequacy rulings
In light of Brexit, the UK has stated that it will “preserve the effect” of the European Union’s third country data protection decisions. This means that data transfers from UK organizations to countries where the European Commission has made an adequacy ruling will be able to continue uninterrupted. In guidelines published by the UK Information Commissioner Elizabeth Denham, the government has made clear that the GDPR will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organizations need to follow. Data transfers from the EU to the UK will depend on the basis on which the UK leaves the EU.
ICO releases encryption guidance
The guidance outlines the concept of encryption in the context of the GDPR’s integrity and confidentiality principle, and particularly Article 32 on security of processing; it also provides a summary of current forms of encryption and a number of scenarios illustrating how encryption may be used. While the GDPR includes encryption as an example of a technical measure that can be appropriate to protect the personal data you hold, whether or not encryption is the right measure to put in place depends on your circumstances—the sort of processing you are undertaking, the risks that may be posed to individuals’ rights and freedoms, and the state of the art of technology available to you to protect that data. Where personal data has been lost, stolen or subject to unauthorized access and encryption was not used, it’s possible that regulatory action will be taken.
ICO calls for views – direct marketing code of practice
In order to meet its obligations under the Data Protection Act, the Information Commissioner’s Office (ICO) has called for views (input from relevant stakeholders) in order to work on producing a direct marketing code of practice. The call will enable the ICO to build on the existing code of practice and incorporate GDPR and PECR requirements. Given that the new ePrivacy Regulation is not yet in place, the ICO has decided that this new code of practice will only cover the current PECR rules and will be updated once ePrivacy and the UK’s positions have become clearer.
Germany imposes first GDPR fine
The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) imposed the first fine under the GDPR in Germany, € 20,000, on Knuddels.de, a social media company, for a violation of its data security obligations. The company was hacked in September; 808,000 email addresses and passwords were affected. The company reported the incident to the LfDI in accordance with GDPR’s breach notification requirements. The € 20,000 fine is relatively low, especially considering the maximum potential fine (€ 10 million or up to 2 percent of an organization’s total worldwide annual turnover). According to the LfDI, the company benefited significantly from the fact that it contacted the LfDI directly after the hack and informed users immediately and comprehensively about the attack. The LfDI also highlighted the company's “exemplary cooperation” with its authority and the significant improvement of its level of IT security in the aftermath of the hack and investigation. Furthermore, LfDI took into account the company’s significant investment in the aftermath of the breach in updating its IT security measures, which totaled in the six-figure Euro range.
New guidance on Privacy Shield and the UK
The International Trade Association released guidance explaining how a Privacy Shield participant may rely on the Privacy Shield Framework to receive personal data from the UK in light of Brexit. The guidance depends on how the UK and the EU implement the withdrawal; there will either be a transition period or no transition period. In the event of a transition period, steps to comply must be taken by December 31, 2020. In the event there is no transition period, steps to comply must be taken by March 29, 2019. To receive personal data from the UK in reliance on Privacy Shield after either of the above dates, a Privacy Shield participant must:
- Update its public commitment to comply with the Privacy Shield to include the UK; and
- Maintain a current Privacy Shield certification, recertifying annually.
Data protection authorities endorse ethical development of AI
The International Conference of Data Protection & Privacy Commissioners (ICDPPC) released the Declaration on Ethics and Data Protection in Artificial Intelligence [subscription required], endorsing guiding principles designed to preserve human rights in the development of AI. These guiding principles include:
- Fairness: AI should be designed, developed and used in a manner that is fair and respects fundamental human rights;
- Responsibility: AI developers should be attentive, vigilant and accountable for the potential effects and consequences of AI systems;
- Transparency: AI transparency and intelligibility should be improved;
- Ethics by Design: AI should be designed and developed responsibly by applying the principles of privacy by default and privacy by design;
- Empowerment: Individuals should be empowered to exercise their rights, challenge decisions, and participate in public engagement in relation to AI; and
- Protection: Unlawful biases or discriminations that may result from AI should be reduced and mitigated.
Supreme Court recognizes right to privacy over shared devices
The Supreme Court of Canada ruled citizens have the right to privacy over the materials stored on a machine they share with other individuals [subscription required]. The decision stems from a case where a common-law spouse consented to a police seizure of a computer owned by both partners after she discovered child pornography on the device. The court determined the warrantless seizure of the computer violated Section 8 of the Charter of Rights and Freedoms. “We are not required to accept that our friends and family can unilaterally authorize police to take things that we share,” Justice Andromache Karakatsanis wrote in the ruling. “The decision to share with others does not come at such a high price in a free and democratic society.”
China enacts first e-commerce law
The goal of the People’s Republic of China e-Commerce Law, which went into effect on January 1, 2019, is to regulate China’s rapidly growing e-commerce sector, harmonize its rules with those applicable to brick-and-mortar stores, maintain market order, facilitate growth, and eradicate IP infringements, scams and unfair competition. The law’s scope is broad; it is applicable to all e-commerce activities taking place within China. Some activities, such as the provision of financial products and services, news, audio or video programs, publication and cultural services, are excluded from the scope of the law. One of the more controversial provisions is the requirement that all e-commerce operators obtain a business license. Exceptions to this requirement are only made for providers of certain agricultural by-products, cottage industry products, services to benefit the public, and low-value intermittent transactions. Other provisions touch on advertising, intellectual property, data protection, and shipment risks. The focus of the new e-Commerce Law is firmly on domestic e-commerce, and there is not much in the way of detail on how cross-border e-commerce will be regulated.
Brazilian Data Protection Authority established
Provisional Measure n. 869/18, which complements the Brazilian Data Protection Law (LGPD), creates the Brazilian Data Protection Authority (ANPD), modifies the terms of data sharing between the public and private sectors, and extends the date the law will go into effect. The ANPD will be directly linked to the President, will have technical autonomy, and will not be able to audit controllers/processors, but only request information through administrative proceedings. The Provisional Measure got rid of the prohibition of the processing of personal data by private companies based on public safety and national security. The date the LGPD will go into effect has been extended from February 2020 to August 2020.
Australia passes encryption-busting law
Australia’s Parliament recently passed controversial legislation, the Encryption Act, which will allow the country’s intelligence and law enforcement agencies to demand access to end-to-end encrypted digital communications. This means that Australian authorities will be able to compel tech companies like Facebook and Apple to make backdoors in their secure messaging platforms, including WhatsApp and iMessage. Privacy advocates warn that the legislation poses serious risks, and will have real consequences that reverberate globally. The new law allows officials to approach specific individuals—such as key employees within a company—with these demands, rather than the institution itself. In practice, they can force the engineer or IT administrator in charge of vetting and pushing out a product's updates to undermine its security. In some situations, the government could even compel the individual or a small group of people to carry this out in secret. Under the Australian law, companies that fail or refuse to comply with these orders will face fines up to about $7.3 million. Individuals who resist could face prison time.
Analysis You Can Use
AI use increasing among marketers
The recent Salesforce report “State of Marketing” shows that an increasing number of marketers are using artificial intelligence to connect with customers. The report surveyed 4,100 marketing leaders worldwide and found that 29% now use AI, up from 20% in 2017. The AI adoption rate was higher among “high performing” marketers, at 40%. Marketers are typically using AI in two different ways: powering real-time next best offers or predictive marketing journeys.
Twitter security flaw exposed user data
Twitter apologized for a November security issue that exposed user data, including the country codes of phone numbers and account statuses, to (potentially) state-sponsored groups who may be connected to the Chinese and Saudi Arabian governments. The company observed a “large number of inquiries” from IP addresses registered in those countries as part of an investigation into an error on a support form members use for issues with their account. Twitter stressed that no “personal information” was exposed and that the issue was resolved Nov. 16, within a day of it being discovered. The error could have been exploited to determine whether a certain account had been locked, and whether the phone number registered to an account was from a particular country. Unusual activity on the compromised support form’s application programming interface, or API, came from IP addresses in China and Saudi Arabia and could “have ties to state-sponsored actors,” the company said. Twitter said it has already informed account holders it believes have been directly affected.