Wavelength Brief | 8 December 2022

Wavelength Brief | 8 December 2022
Photo by Fabio Ballasina on Unsplash

Other Developments

The “Journalism Competition and Preservation Act” (JCPA) (S.673) was removed from the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023” (H.R.7776), the annual must-pass United States defense policy bill, after an outcry from industry and advocacy stakeholders.

The European Parliament adopted a revised Network and Information Security (NIS) Directive (aka NIS2 Directive), which “will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing…[and] [t]he requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.”

The European Data Protection Supervisor (EDPS) published its opinionon “a proposed Regulation laying down cybersecurity requirements for products with digital elements” and recommended that the package “include the data protection by design and by default principles as an essential part of these requirements” and suggested “suggests clarifying the type of synergies envisaged between the relevant bodies and organisations” on “the standardisation and certification on cybersecurity.”

Ireland’s Data Protection Commission (DPC) revealed it has “submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities, or fellow regulators, across the EU…centred around Yahoo!’s compliance with its obligations under Articles 5(1)(a), 12, 13 and 14 of the GDPR, which deal with the processing of personal data, in the context of its products and services across the EU.”

In a filing, SolarWinds stated that “on October 28, 2022, the enforcement staff of the U.S. Securities and Exchange Commission (the “SEC”) provided the Company with a “Wells Notice” relating to its investigation into the previously disclosed cyberattack on the Company’s Orion Software Platform and internal systems” that “states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”

A number of state attorneys general “announced multistate settlements with Experian, totaling over $13.67 million, concerning data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide.” They also announced “[a] $2.5 million multistate settlement was also reached with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with the telecommunications company.”

The European Data Protection Board (EDPB) adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C) that “build upon the agreements reached by data protection authorities in the course of approval procedures on concrete BCR applications since the entering into application of the GDPR.”

A United States (U.S.) court has entered a $90 million settlement between plaintiffs and Meta over claims first made in 2011 that Facebook “knowingly intercepted and tracked users’ internet activity on pages that displayed a “Like” button using “cookies,” or small text file that the server creates and sends to the browser, which stores it in a particular directory on the user’s computer in violation of state and federal laws.”

The Court of Justice for the European Union’s General Court dismissed “as inadmissible the action brought by WhatsApp against a decision of the European Data Protection Board” (EDPB) per the court’s statement. The court add, however, that “[t]he validity of the EDPB’s decision may, however, be challenged before the national court, which is able to make a request to the Court of Justice for a preliminary ruling.” Last year, the EDPB had used Article 65 of the General Data Protection Regulation (GDPR) to settle a dispute between Ireland’s Data Protection Commission and eight other regulators about the size the fine WhatsApp deserved for GDPR violations that ultimately resulted in a €225 million fine.

Germany’s Bundeskartellamt announced that “[u]sers who want to use the Quest 2 VR headset offered by Meta Quest (formerly Oculus) no longer need a Facebook account to do so,” a development that occured in response to the “Bundeskartellamt’s competition concerns.”

The United Kingdom’s Competition and Markets Authority announced that it “is investigating the anticipated acquisition by Broadcom Inc. of VMware, Inc.”

Australia, Fiji, Ireland and the United Kingdom launched the Global Online Safety Regulators Network “intended to pave the way for a coherent international approach to online safety regulation, by enabling new online safety regulators to share information, experience and best practices.”

The state attorneys general wrote Apple CEO Tim Cook “expressing concerns regarding reproductive health privacy on Apple’s App Store (the “App Store”) following the U.S. Supreme Court’s Dobbs decision overturning Roe v. Wade and urging Apple to take commonsense steps to protect consumers’ private reproductive health information.”

The Australian Competition and Consumer Commission (ACCC) issued the “fifth report of the ACCC’s five-year Digital Platform Services Inquiry” and “has proposed that platforms be subject to mandatory dispute resolution processes and stronger requirements for combating scams, harmful apps and fake reviews, among other measures.”

The Netherlands’ National Cyber Security Centre stated that a legal analysis it commissioned from a United States (U.S.) law firm “shows that while the risk of the U.S. government gaining access to European (personal) data, specifically on the basis of the CLOUD act, is conceivable, yet in practice also (very) small.”

The Australian Federal Police and the Australian Signals Directorate revealed that they “will initiate an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups.”

India’s Ministry of Electronics and Information Technology has invited “feedback on the draft ‘Digital Personal Data Protection Bill, 2022’” that is designed to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.”

The European Data Protection Supervisor (EDPS) published an opinion in which he said he “welcomes the objectives pursued in the proposed EU Media Freedom Act to protect media freedom, independence and pluralism across the EU” but “is concerned that the measures envisaged to protect journalists, their sources, and media service providers included in the proposed EU Media Freedom Act may not be effective in practice” per his press statement.

The United States (U.S.) Federal Trade Commission (FTC) “has extended the compliance deadline by six months [of the Gramm-Leach-Bliley required Safeguards Rule]– to June 9, 2023 – in response to reports of personnel shortages and supply chain issues.

The New York State Department of Financial Services (DFS) “proposed an updated cybersecurity regulation” that “strengthens the DFS risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing risk management.”

France’s Commission Nationale Informatique & Libertés fined Discord €800,000“for failing to comply with several obligations of the General Data Protection Regulation (GDPR), in particular with regard to the data retention periods and security of personal data.”

United States (U.S.) Senators Richard Blumenthal (D-CT), Dianne Feinstein (D-CA), Ben Ray Luján (D-NM), Elizabeth Warren (D-MA), Edward J. Markey (D-MA), Cory Booker (D-NJ) and Robert Menendez (D-NJ) “called on the Federal Trade Commission (FTC) to conduct vigorous oversight and enforcement of Twitter’s consent decree and to investigate potential violations of consumer protection laws” “[f]ollowing recent alarming developments at Twitter after Elon Musk’s takeover of the company.”

United States (U.S.) Senator Chuck Grassley (R-IA) wrote to Twitter CEO Elon Musk asking a range of questions related to the platform’s security issues as revealed by former Twitter head of security, Peiter Zatko.

United States (U.S.)Senator Edward J. Markey (D-MA) “sent a letter to Twitter Chief Executive Officer Elon Musk demanding the company explain the procedures in place for its “blue checkmark” verification process…after a Washington Post reporter successfully obtained the Twitter handle “@realedmarkey,” and purchased the account a “blue check” verification that noted the account was verified because it belonged to a ‘notable person in government.’”

The United Kingdom’s Competition and Markets Authority “launched a market investigation into cloud gaming and mobile browsers after receiving widespread support for its proposals first published in June.”

United States (U.S.) Senator Ron Wyden (D-OR) “called on the State Department to create new protections for Americans’ passport application records, after learning that 25 federal agencies have unfettered access to a database containing 145 million Americans’ personal information.”

The Australian Competition and Consumer Commission lauded the Federal Court’s order that directs “Uber to pay a penalty of $21 million after Uber admitted it had engaged in misleading or deceptive conduct and made false or misleading representations to consumers in its app and on its website.”

The United States (U.S.) Office of Management and Budget (OMB) published a memorandum titled “Migrating to Post-Quantum Cryptography” that provides direction for agencies to comply with National Security Memorandum 10 (NSM-10), on Promoting United States Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems (May 4, 2022).”

France’s Commission Nationale Informatique & Libertés has specified “under what conditions supplementary health insurance organizations can collect health data.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), “in partnership with the U.S. Department of State and the Spanish Ministry of the Interior, announced a joint project last week to develop a capacity-building tool to help countries utilize public-private partnerships (PPPs) to combat ransomware…developed as part of the Second International Counter Ransomware Initiative (CRI) Summit.”

The European Commission (EC) “adopted a proposal for a Regulation to enhance transparency in the field of short-term accommodation rentals and help public authorities ensure their balanced development as part of a sustainable tourism sector.”

The United Kingdom’s Information Commissioner’s Office “published an update to our guidance on international transfers” that “clarifies an alternative approach to the one put forward by the European Data Protection Board.”

Tweet of the Day

Further Reading

San Francisco decides killer police robots aren’t such a great idea” — Ars Technica

Apple’s new AirDrop rules will limit viral protest memes in China” — Rest of the World

A globally critical chip firm is driving a wedge between the U.S. and Netherlands over China tech policy” — CNBC

TikTok National-Security Deal Faces More Delays as Worry Grows Over Risks” — Wall Street Journal

Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud” — Vice

NATO prepares for cyber war” — Politico

U.S. to spend $1.5 billion to jumpstart alternatives to Huawei” — Axios

New Zealand Plans to Make Facebook, Google Pay for News” — Wall Street Journal

We don’t need another Twitter” — Recode

Iranian espionage campaign targets journalists, diplomats, activists, says Human Rights Watch” — The Record

Amnesty International Canada says it was hacked by Beijing” — Associated Press

U.S. lawmakers ease planned curbs on Chinese chips amid corporate pushback” — Reuters

Risky online behaviour ‘almost normalised’ among young people, says study” — Guardian

Apple's anti-union tactics in Atlanta were illegal, U.S. officials say” — Los Angeles Times

Meta threatens to remove US news content if new law passes” — BBC

DHS secretary says US faces 'a new kind of warfare'” — Cyberscoop

Russian disinformation is demonizing Ukrainian refugees” — Washington Post

Apple Sued by Women Over ‘Dangerous’ AirTag Stalking by Exes” — Bloomberg

Pentagon splits cloud contract among 4 Big Tech firms” — Axios

Lebanon’s neglected dams are powering a secret community of crypto miners” — Rest of the World

Apple makes it easier to keep your data secret from hackers, cops, and even Apple” — Recode

US Export Controls 'in Urgent Need' of a Tech Upgrade, Experts Say” — Nextgov

Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says” — NBC News

Coming Events

§ 8 December

o   The United Kingdom’s House of Commons’ Public Accounts Committee will hold a formal meeting (oral evidence session) on the Digital Services Tax.

o   The European Parliament’s Committee on the Internal Market and Consumer Protection will hold a hearing on the Right to Repair.

o   The United States (U.S.) Federal Trade Commission will hold a closed meeting.

§  14 December

o The United States (U.S.) Federal Trade Commission will hold an open meeting.

§ 16 December

o   The California Privacy Protection Agency will hold a board meeting with this agenda.

§ 21 December

o   The United States (U.S.) Federal Communications Commission will hold an open meeting.

§ 1 February 2023

o   The Colorado Attorney General will hold a rulemaking hearing on the draft regulations proposed to implement the “Colorado Privacy Act.”

§ 29 and 30 April 2023

o The G7 Digital and Technology Ministers' Meeting will take place.

Photo Credits

Photo by WrongTog on Unsplash

Photo by Clem Onojeghuo on Unsplash

Photo by hao wang on Unsplash

Photo by madeleine ragsdale on Unsplash