A data privacy draft bill breathes new hope into the chances of enactment of such a law this year.
House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) released a discussion draft titled “American Data Privacy and Protection Act” (ADPPA) and a section-by-section summary.
The first big question about ADPPA is: what is Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell’s (D-WA) view on the bill? According to a tweet from an industry publication reporter, Cantwell said of the two major sticking points in privacy legislation:
Per the same source, Cantwell is holding out the possibility of marking up a data privacy bill this month and possibly even a social media content moderation bill as well:
“For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes,” Cantwell wrote in a statement to CyberScoop. “Consumers deserve the ability to protect their rights on day one, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data.”
Additionally, Cantwell may set a markup of her draft bill, as this Wall Street Journal piece suggests.
It is worth keeping in mind that Cantwell and Wicker offered competing bills at the end of 2019 when their roles were reversed on the committee. Cantwell revised her 2019 bill, the “Consumer Online Privacy Rights Act” (COPRA) (S.3195), and reintroduced it last fall (see here for analysis and detail on the first iteration, which is almost word-for-word the same as the latest draft). This bill was cosponsored by Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA). Her draft bill likely tracks closely with COPRA and will probably preempt state laws but give people a right to sue that may be more expansive than the one in ADPPA.
And here are developments and articles from last month.
The European Commission “informed Apple of its preliminary view that it abused its dominant position in markets for mobile wallets on iOS devices” but cautioned that it “does not take issue with the online restrictions nor the alleged refusals of access to Apple Pay for specific products of rivals” under an investigation launched on 16 June 2020. The EC stated that addressees “can examine the documents in the Commission's investigation file, reply in writing and request an oral hearing to present their comments on the case before representatives of the Commission and national competition authorities.”
none of your business (noyb) has posted a decision of Austria’s Datenschutzbehörde (DSB) (here for German and here for English) that Google’s Analytics violates Article 44 of the General Data Protection Regulation (GDPR) on data transfers out of the European Union.
The Court of Justice of the European Union (CJEU) dismissed Poland’s action to annul “Article 17 of Directive 2019/790…[that] infringes the freedom of expression and information guaranteed in the Charter of Fundamental Rights of the European Union” according to the court’s summary. The CJEU inferred “the obligation, on online content-sharing service providers, to review, prior to its dissemination to the public, the content that users wish to upload to their platforms, resulting from the specific liability regime established in the Directive, has been accompanied by appropriate safeguards by the EU legislature in order to ensure respect for the right to freedom of expression and information of the users of those services, and a fair balance between that right, on the one hand, and the right to intellectual property, on the other.”
The United States (U.S.) Office of the Director of National Intelligence (ODNI) “released the Annual Statistical Transparency Report (ASTR) regarding the Intelligence Community’s (IC) use of National Security Surveillance Authorities for 2021” and the “annual Statistical Transparency Report Regarding Use of National Security Surveillance Authorities.”
The European Data Protection Board (EDPB) issued a “Statement on enforcement cooperation” following “a two-day high level meeting in Vienna” of EDPB members, which “agreed to further enhance cooperation on strategic cases, and to diversify the range of cooperation methods used.”
The United States (U.S.) Government Accountability Office (GAO) issued a report on the January 6, 2021 attempted insurrection and found that “[f]ederal agencies obtained and shared social media posts and other publicly available information—referred to in this report as “open source data”—on potential criminal activity prior to January 6, 2021.”
The Indian Computer Emergency Response Team (CERT-In) “issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000,” including “mandatory reporting of cyber incidents to CERT-In; maintenance of logs of ICT systems; subscriber/customer registrations details by Data centers, Virtual Private Server (VPS) providers, VPN Service providers, Cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers and custodian wallet providers” per the press release.
The United States (U.S.) Securities and Exchange Commission announced “the allocation of 20 additional positions to the unit responsible for protecting investors in crypto markets and from cyber-related threats” and stated that “[t]he newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) in the Division of Enforcement will grow to 50 dedicated positions.”
Brazil’s Autoridade Nacional de Proteção de Dados published updated guidance on data processing agents and data protection officials under the General Law for the Protection of Personal Data (LGPD).
The United States (U.S.) Government Accountability Office’s (GAO) Office of the Inspector General (OIG) issued a report about the GAO’s information security and found “[w]hile GAO has taken steps to protect sensitive information and prevent data exfiltration, opportunities exist to improve its privacy program in the areas of incident response and training for people with specific roles.”
The British government published its response to “an 8 week consultation on audience protection standards on video-on-demand services…[that] considered whether UK audiences viewing TV-like on-demand programme content should receive the same or similar level of protections as if they were watching traditional television; and whether video-on-demand services not currently regulated by Ofcom and which target UK audiences should be brought within UK jurisdiction.”
The United States (U.S.) Department of Veterans Affairs’ (VA) Office of the Inspector General (OIG) conducted an inspection “to determine whether the VA Financial Services Center (FSC) in Austin, Texas, was meeting federal security guidance and focused its inspection on the four security control areas” and found: “Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. The team did not identify deficiencies with contingency planning controls. The team’s review of security management controls identified a deficiency with system and information integrity procedures. Finally, the team identified access control deficiencies in system audit and video surveillance controls.”
The United Kingdom’s Secretary of State for Digital, Culture, Media and Sport Nadine Dorries MP met with “[p]ublic figures who have suffered online abuse” who “have come out in support of world-leading online safety laws (i.e. the pending Online Safety Bill) following an exclusive discussion recorded at the Science Museum, London.”
“FBI Conducted Potentially Millions of Searches of Americans’ Data Last Year, Report Says” By Dustin Volz — Wall Street Journal
“Disinformation board to tackle Russia, migrant smugglers” By Amanda Seitz — Associated Press
“Applied for Student Aid Online? Facebook Saw You” By Surya Mattu and Colin Lecher — The Markup
“Grindr User Data Was Sold Through Ad Networks” By Byron Tau and Georgia Wells — Wall Street Journal
“Hacking Russia was off-limits. The Ukraine war made it a free-for-all.” By Joseph Menn — Washington Post
“Apple’s third-party payment proposal isn’t enough for Dutch regulators” By Mitchell Clark — The Verge
“‘Troll factory’ spreading Russian pro-war lies online, says UK” — The Guardian
“Twitter toxicity is rising among politicians, study says” By Melanie Mason — Los Angeles Times
“Thomson Reuters commits to human rights assessment of ICE contracts after union investor push” By Corin Faife — The Verge
“Amazon workers vote against unionization in New York” By Rachel Lerman, Greg Jaffe and Anna Betts — Washington Post
“Pro-Russian Hacking Group Killnet Attacks Romanian Websites” By Andra Timu — Bloomberg
“Report calls out abuse of social media by Minneapolis police” By Steve Karnowski — Associated Press
“Spanish PM Pedro Sánchez had phone hacked with Pegasus spyware” By Camille Gus — Politico
“How a billionaires boys’ club came to dominate the public square” By Michael Scherer and Sarah Ellison — Washington Post
“A chilling Russian cyber aim in Ukraine: Digital dossiers” By Frank Bajak — Associated Press
“How Twitter’s Board Went From Fighting Elon Musk to Accepting Him” By Lauren Hirsch and Mike Isaac — The New York Times
“CIA hires first-ever chief technology officer” By Dave Nyczepir — Fedscoop