A Modified Data Privacy Bill Advances In House Committee (Free Version)

A Modified Data Privacy Bill Advances In House Committee (Free Version)
Photo by Arthur Mazi on Unsplash

Here is the free version of yesterday's post, and in a change, I've included the same "Other Developments" and "Further Reading" sections, and so these reflect current events.

Join those who've already subscribed to The Wavelength. I think you'll find The Wavelength valuable in understanding tech policy, politics, and law.

Microwave

Even though the Senate Commerce Chair still opposes ADPPA, a revised version gets marked up in House subcommittee.

Shortwave

The House Commerce Committee started marking up a revised version of the “American Data Privacy and Protection Act” (H.R. 8152) even though Senator Maria Cantwell (D-WA) has repeatedly said she opposes the bill in its current form. Cantwell’s position as the chair of the committee of jurisdiction in the Senate means she could likely single handedly block the bill. And yet, Democrats and Republicans on the House Commerce Committee are closer than they have been in the last decade to getting a data privacy bill through the House. A private right of action, preemption, loyalty programs, and other issues remain outstanding.

Longwave

The revised ADPPA makes the bill more industry friendly in a number of places but also changes the bill in some ways that privacy and civil liberties advocates will like. Nonetheless, today, we will cover the markup itself and the revised and expanded bill text tomorrow.

However, an outstanding change that has still not been folded into the package is the restoration of the Federal Trade Commission’s (FTC) historical Section 13(b) authority the Supreme Court of the United States struck down in AMG Capital. This may be a bargaining tactic to get Cantwell onboard given that her committee recently marked up a bill to give the agency back these long used powers.

And, speaking of Cantwell, she continues to make known her reservations about ADPPA, which she claims Senate Majority Leader Chuck Schumer (D-NY) shares. If Cantwell and Schumer both indeed oppose the bill as currently written, it has dim chances in the Senate. Moreover, she continues to produce new drafts of her “Consumer Online Privacy Rights Act“ (COPRA) (S.3195) first introduced in 2019 and subsequently revised lightly in 2021. However, some of the provisions are puzzling some stakeholders that one might think of as allies in the fight to toughen the enforcement language. One such stakeholder is claimingCantwell wants to sink all data privacy legislation for reasons only she knows perhaps because of ego or allegiance to home state tech giants Microsoft and Amazon.

Moreover, it is being alleged that Cantwell refused to allow consideration of a compromise bill agreed to by Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) earlier this year even though Ranking Member Roger Wicker (R-MS) was signaling his support for this bill.

It also bears mention that the FTC may be proceeding with a Magnuson-Moss rulemaking for the first time in decades “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination” with an advanced notice of proposed rulemaking (ANPRM) being issued in the near future. Of course, this more time-consuming rulemaking procedure in Section 18 of the FTC Act (Magnuson-Moss) has been rarely used since its inception over four decades ago, and Chair Lina Khan would face significant hurdles in getting regulations promulgated. Since the agency is using an existing grant of authority to draft rules not reliant on ADPPA (assuming it is enacted in something resembling its current state), the question is begged whether the agency may do so legally. Inevitably any such rulemaking would be challenged in court on procedural and substantive grounds, and Republican judges are showing an increasing inclination to discard long settled law. It is possible the agency loses in court.

Subscribe to read the rest.

Other Developments

The European Parliament passed “the new Digital Services Act (DSA) and Digital Markets Act (DMA),..[that] aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values.”

The European Commission announced that following talks, Amazon “will enable consumers from the EU and EEA to unsubscribe from Amazon Prime with just two clicks, using a prominent and clear “cancel button” in order “to comply with the EU rules on consumer protection and, in particular, with the Unfair commercial practices Directive.”

At its recent summit, the G7 nations unveiled “the Partnership for Global Infrastructure (PGII) to mobilize hundreds of billions of dollars and deliver quality, sustainable infrastructure that makes a difference in people’s lives around the world, strengthens and diversifies our supply chains, creates new opportunities for American workers and businesses, and advances our national security” according to the White House’s fact sheet. Additionally, the Biden Administration issued “a Presidential Memorandum to execute the PGII across four priority pillars that will define the second half of the 21st century.”

United States (U.S.) Democratic Senators introduced the “Health and Location Data Protection Act” (S. 4408) “that bans data brokers from selling some of the most sensitive data available about everyday Americans: their health and location data.”

President Joe Biden signed the “State and Local Government Cybersecurity Act of 2021” (S. 2520) that “codifies and strengthens the cybersecurity relationship between the Multi-State Information Sharing and Analysis Center (MS–ISAC) and the Department of Homeland Security (DHS)” according to the committee report. The Senate Homeland Security continued “[i]t authorizes DHS to work with MS–ISAC to assist State, local, Tribal, and territorial (SLTT) entities by conducting cybersecurity exercises, sharing information to increase situational awareness and prevent incidents, and coordinating effective implementation of cybersecurity tools, products, resources, policies, and guidelines.” The committee added “[t]he bill also directs DHS to report to Congress on any services that the Cybersecurity and Infrastructure Security Agency (CISA), directly or indirectly through the MS–ISAC, provides to SLTT entities.”

“The California Age-Appropriate Design Code Act” (AB 2273) was modified and reported out of the California Senate Judiciary Committee.

United States (U.S.) Senators Ron Wyden (D-OR), Sheldon Whitehouse (D-RI), Cynthia Lummis, (R-WY), Marco Rubio (R-FL) and Bill Hagerty (R-TN) introduced the “Protecting Americans’ Data from Foreign Surveillance Act” (S. 4495) that would “create new protections against Americans’ sensitive personal information being sold or transferred to high-risk foreign countries.”

The United States (U.S.) House Armed Services Committee finished marking up the “National Defense Authorization Act (NDAA) for Fiscal Year 2023” (H.R. 7900), an $802.4 billion package that funds a range of technology programs administered by the Department of Defense (DOD).

The United States (U.S.) National Telecommunications and Information Administration (NTIA) wrote the U.S. Federal Communications Commission (FCC), stating that it, the U.S. National Oceanic and Atmospheric Administration (NOAA), and U.S. National Aeronautics and Space Administration (NASA) have reached “consensus that unlicensed devices operating under the rules proposed in the [notice of proposed rulemaking] [on updated rules for short-range radars in the 57-64 GHz (60 GHz) band] would not result in harmful interference to passive EESS sensors operating in the 57-59.3 GHz band.”

A group of Democratic Senators introduced the “My Body, My Data Act” (S. 4434) after the U.S. Supreme Court overturned Roe v. Wade, which they characterized as “the first Congressional action to strengthen digital privacy and protect personal reproductive health information specifically.” They asserted the “bill would create a new national standard to protect personal reproductive health data, enforced by the Federal Trade Commission (FTC).”

President Joe Biden nominated Dr. Arati Prabhakar to serve as Director of the Office of Science and Technology Policy (OSTP), Chief Advisor for Science and Technology, co-chair of the President’s Council of Advisors on Science and Technology, and a member of the Cabinet. Prabhakar served as the head of Defense Advanced Research Projects Agency during the Obama administration and the Director of the National Institute of Standards and Technology during the Clinton administration.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command warned of ongoing vulnerabilities related to the Log4Shell vulnerability, including “state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.”

The Federal Trade Commission (FTC) “issued a report to Congress warning about using artificial intelligence (AI) to combat online problems and urging policymakers to exercise “great caution” about relying on it as a policy solution.” The agency explained the “report outlines significant concerns that AI tools can be inaccurate, biased, and discriminatory by design and incentivize relying on increasingly invasive forms of commercial surveillance.”

The Department of Defense’s (DOD) Responsible AI Working Council issued the “DOD Responsible Artificial Intelligence Strategy and Implementation Pathway,” that “illuminates our path forward by defining and communicating our framework for harnessing AI” and “helps eliminate uncertainty and hesitancy — and enables us to move faster.”

The European Data Protection Board (EDPB) is asking for comments on draft guidelines on the use of one means under which the General Data Protection Regulation permits the transfer of EU personal data to third countries. The EDPB explained that without an adequacy decision “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processors has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available” The Board said “[p]ursuant to Article 46 (2) (f) of the GDPR, such appropriate safeguards may be provided for by an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.”

National Institute of Standards and Technology’s (NIST) Cybersecurity for the Internet of Things (IoT) program released two new documents:

Senator Tim Scott (R-SC) Senate Minority Whip John Thune (R-SD), Senate Minority Leader Mitch McConnell (R-KY), and over 20 other Senate Republicans introduced the “Political Bias in Algorithm Sorting (BIAS) Emails Act” (S. 4409) that “would hold Big Tech platforms accountable for using biased algorithms that take control away from consumers and alter the way users are able to see emails from political campaigns” and “would also create more transparency for consumers by revealing the censoring practices Big Tech platforms, including Google, use to filter certain emails.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA)  published “the second version of “Cloud Security Technical Reference Architecture (TRA)” today, which strengthens guidance to fulfill a key mandate under President Biden’s Executive Order (EO) 14028 – “Improving the Nation's Cybersecurity.” CISA stated that “[t]he Cloud Services TRA is designed to guide agencies’ secure migration to the cloud by defining and clarifying considerations for shared services, cloud migration, and cloud security posture management.”

On June 8, the California Privacy Protection Agency met and voted to initiate a rulemaking process using draft regulations released in advance of the meeting that would implement many sections of the “California Privacy Rights Act” (CPRA) (Proposition 24).

The United States (U.S.) National Telecommunications and Information Administration (NTIA) submitted three requests to collect information as part of its responsibilities for implementing its sections of the FY 2021 omnibus appropriations act and the Infrastructure Investment and Jobs Act (IIJA): 1) the Broadband Infrastructure Program; 2) the Tribal Broadband Connectivity Program; and 3) the Connecting Minority Communities Pilot Program. Under the paperwork Reduction Act, OMB must review and approve all such information collection efforts after a period of public comment.

Texas Attorney General Paxton filed an amended lawsuit “that adds Google’s Incognito mode to his previous geolocation-related lawsuit against the Big Tech giant,” his “fifth lawsuit against Google, and in it Texas argues that the company misled consumers by tracking their personal location without consent, and in many cases continued to track them after the feature was disabled by users, all of which constitute a violation of the Texas’ Deceptive Trade Practices Act” per his press statement.

The Chamber of Commerce wrote the heads of the Senate and House Commerce Committees urging “Congress to pass durable, bipartisan national privacy legislation that protects all Americans equally” while registering concerns about “attempts to rush through legislation that would encourage an unmanageable patchwork of laws and abusive class action lawsuits through private rights of action.”

The United States (U.S.) Federal Communications Commission (FCC) granted “NTCA’s request for (1) an extension until September 15, 2022 for small broadband internet access service providers that serve Tribal ACP customers to track usage on a rolling thirty-day basis for ACP subscribers who receive free-to-the-end-user service, including ACP/Lifeline subscribers who receive both benefits on the same service and (2) a retroactive waiver to January 1, 2022 of the Lifeline requirement to track usage on a rolling thirty-day basis to the extent that this subset of providers apply both the Lifeline and ACP benefit to the same service resulting in free-to-the-end-user service.” The FCC denied “NTCA’s request for an indefinite waiver of this requirement for small broadband providers that serve Tribal ACP subscribers.” Likewise, the FCC granted “AT&T a temporary sixty-day waiver to August 13, 2022 of the non-usage rules for AT&T’s customers who receive free-to-the-end-user ACP service that uses Asymmetric Digital Subscriber Line (ADSL) technology” but denied “AT&T’s petition requesting an indefinite waiver of these rules for this subset of AT&T’s subscribers.”

The New York legislature passed the “Fair Repair Act” (S4104A), making it the time first a state has passed a right to repair law.

The United States (U.S.) Bureau of Industry and Security published a final rule instituting export controls on cybersecurity tools that “could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it” per the Wassenaar Arrangement.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DOD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) introduced “a proposed five-step 5G Security Evaluation Process that is derived from research and security analyses.”

The National Institute of Standards and Technology (NIST) published an analysis of the comments received on its Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.”

The Zero Trust Architecture (ZTA) team at National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) “published Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on its contents.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and National Cyber Director Chris Inglis wrote an op-ed on how U.S. entities can maintain the heightened security posture urged by the Shields Up campaign.

The United States (U.S.) Federal Trade Commission’s (FTC) staff “is seeking the public’s input on ways to modernize the agency’s business guidance titled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising”…[that] provides guidance to businesses on digital advertising and marketing.”

The European Union has reached agreement on regulatory changes that establishes a single charging solution for certain electronic devices (i.e. the USB-C) that will force Apple to change its iPhones, iPads, and other devices, “as a part of a broader EU effort to make products in the EU more sustainable, to reduce electronic waste, and make consumers’ lives easier.”

The European Data Protection Supervisor (EDPS) “expresse[d] its concerns that the [the amended Europol Regulation in the Official Journal of the EU], which will enter into force on 28 June 2022, weaken the fundamental right to data protection and do not ensure an appropriate oversight of the European Union Agency for Law Enforcement Cooperation (Europol).”

Tweet of the Day

Further Reading

Twitter Fights India’s Order Compelling the Company to Block Some Tweets” By Newley Purnell — Wall Street Journal

Ruling could dampen government efforts to rein in Big Tech” By Matt O’Brien — Associated Press

Hackers Claim Theft of Police Info in China’s Largest Data Leak” By Sarah Zheng — Bloomberg

Canada’s national police force admits use of spyware to hack phones” By Maura Forrest — Politico

Uber Says Sexual Assaults Are Down but Rate of Traffic Deaths Is Up” By Kellen Browning — New York Times

Google hit with more privacy complaints for “deceptive” sign-up process” By Ashley Belanger — Ars Technica

Next post-Roe battlefield: Online abortion information” By Ashley Gold — Axios

TikTok National Security Concerns Resurface: What You Need to Know” By Marguerite Reardon — C|Net

TikTok seeks to reassure U.S. lawmakers on data security” By David Shepardson and Echo Wang — Reuters

Trump social media firm subpoened by feds, stock regulators” By Bernard Condon — Associated Press

Google will delete user location history for abortion clinic visits” By Gerrit De Vynck — Washington Post

Amazon, Microsoft, Google Strengthen Grip on Cloud” By Aaron Tilley — Wall Street Journal

The West’s drought could bring about a data center reckoning” By Lisa Martine Jenkins — Protocol

On Conservative Radio, Misleading Message Is Clear: ‘Democrats Cheat’” By Stuart A. Thompson — New York Times

Congress is trying to rein in Big Tech. This lawmaker could stand in their way.” By Emily Birnbaum — Politico

As China shuts out the world, internet access from abroad gets harder too” By Stephanie Yang — Los Angeles Times

‘An Invisible Cage’: How China Is Policing the Future” By Paul Mozur, Muyi Xiao and John Liu — New York Times

The biggest privacy risks in post-Roe America” By Russell Brandom, Nicole Wetsman, Corin Faife, and Mary Beth Griggs — The Verge

With Roe overturned, period-tracking apps raise new worries” By Tatum Hunter and Heather Kelly — Washington Post

Trump’s social network deal is under grand jury scrutiny.” By Matthew Goldstein — New York Times

State Department offers up to $10M reward for info on foreign election interference” By Matt Berg — Politico

Amazon bows to UAE pressure to restrict LGBTQ+ search results” By Julia Kollewe — The Guardian

Waymo, UPS, others pressure Gov. Newsom to allow autonomous trucking in California” By Rebecca Bellan — Tech Crunch

DOJ fails to report on making federal websites accessible to disabled people” By Shruti Rajkumar — NPR

Coming Events

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.