Ireland's privacy watchdog must investigate whether Facebook is wrongfully processing WhatsApp Ireland (IE) users' personal data by combining or comparing it with other data sets processed by other Facebook companies in the context of other apps or services they offer, the European Data Protection Board (EDPB) said Thursday. It told the Irish Data Protection Commission not to impose any final measures on Facebook Ireland (IE) now. The board's first "urgent decision" under the general data protection regulation followed a request from the Hamburg, Germany, data protection authority (DPA); it ordered Facebook to stop processing WhatsApp user data for its own purposes after changing the terms of service and privacy policy applicable to European users of WhatsApp (IE). In exceptional circumstances, GDPR lets DPAs impose provisional measures when they believe there's an urgent need to act to safeguard data subjects' rights. The board said those conditions weren't met. Given contradictions, ambiguities and uncertainties in WhatsApp's user-facing information, some written commitments adopted by Facebook IE and WhatsApp IE's written submissions, it's "not in a position to determine with certainty which processing operations are actually being carried out and in which capacity." The Hamburg order "was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service," emailed a company spokesperson.
Dugie Standeford
Dugie Standeford, European Correspondent, Communications Daily and Privacy Daily, is a former lawyer. She joined Warren Communications News in 2000 to report on internet policy and regulation. In 2003 she moved to the U.K. and since then has covered European telecommunications issues. She previously covered the U.S. Occupational Safety and Health Administration and intellectual property law matters. She has a degree in psychology from Duke University and a law degree from the University of Tulsa College of Law.
The year since Privacy Shield was annulled had encouraging developments, speakers told a Wednesday Information Technology Industry Council webinar. Since the European Court of Justice's (ECJ) July 16 ruling to void the trans-Atlantic personal data transfer mechanism in Schrems II (see 2007160002), the European Commission deemed negotiating a successor with the U.S. a top priority, said Bruno Gencarelli, head of unit-international data flows and protection, Directorate General-Justice. Talks intensified after President Joe Biden's trip to Brussels in June, and both sides agree a doable solution must be based on the ECJ ruling and there's no shortcut, he said. Principles being discussed include access to U.S. courts for European citizens and limits on excessive government access to personal data. One "surprising" recent development was increased demand for international data protection standards, Gencarelli said. The EC is working more closely with other regional blocs such as the Association of Southeast Asian Nations, talks that could create a "critical mass" of principles. The Organisation for Economic Co-operation and Development began a process to identify safeguards shared by OECD members for government access to personal data, he said. The post-Schrems II year has been "reactive" as everyone tried to come to grips with the ruling, said Centre for Information Policy Leadership President Bojana Bellamy. She urged both sides to "negotiate to yes" by focusing not on a 50-50 compromise but on understanding each other's concerns and adjusting positions accordingly. Positive engagement between stakeholders and regulators led to a better place but "we all know the enforcement is coming," said Caitlin Fennessy, International Association of Privacy Professionals research director. Some European data protection authorities question aspects of trans-Atlantic data flows, and businesses face uncertainty.
One sticking point is redress for Europeans whose data is misused in the U.S. EU law requires such a right, but under U.S. law it's difficult for people outside the country to gain standing, said Alston & Bird's Peter Swire. A binding solution could come from a presidential executive statement ordering intelligence agencies to take certain actions, he said. Gencarelli cautioned that for the EC, whether legislation or executive action is needed is secondary to complying with ECJ requirements. He said it's wrong to think OECD work will replace PS. ITI, the Computer & Communications Industry Association and other tech organizations urged Commerce Secretary Gina Raimondo and EU Justice Commissioner Didier Reynders to "swiftly ensure an agreement for secure transatlantic data flows."
Controversy flared this week during talks on a treaty to update broadcasting protections for the digital age. Formal negotiations by the World Intellectual Property Organization Standing Committee on Copyright and Related Rights (SCCR) remain stalled due to COVID-19, but some member countries and observers were “quite shocked” to discover that an informal “friends of the chair” group had met twice this year to work on treaty language, emailed Knowledge Ecology Online Geneva Representative Thiru Balasubramaniam. The group, which had lain dormant during the COVID-19 pandemic, met before the Monday-Thursday partly virtual meeting. In his meeting summary, acting Chair Abdoul Aziz Dieng said he would consider concerns raised about the informal talks.
The U.S. and EU will tackle AI issues together in the newly launched Trade and Technology Council because it's vital they "write the rules of the road" together, Commerce Secretary Gina Raimondo told a Thursday virtual BSA|The Software Alliance event. The two regions don't have widely different views on technology, and they share commitments to privacy, democracy and equity, she said: One challenge is to determine how to regulate and set standards for emerging tech in a way that lets it flourish while safeguarding fundamental values. The European Commission unveiled an AI regulatory framework last month based on risk management (see 2104210003). The U.S. wants to develop similar, said Raimondo. She said the key is "robust industry engagement. Industry needs to lean in" and partner with the U.S. government: The goal is to "harness the power but keep a lid on the danger." Ensure tech doesn't undermine trust, said Margrethe Vestager, EC executive vice president-Europe Fit for the Digital Age: That includes ensuring there's no bias in AI. Creating trust and safety for AI is "market-creating," she said: The marketplace for the many applications for AI use within public sector activities won't function without trust. BSA launched its framework for confronting bias in AI Thursday. It calls for a process for carrying out impact assessments to identify and mitigate potential bias risks; identifies existing best practices and technical tools for lessening specific bias risks; and lays out corporate governance processes and safeguards needed for effective risk management. Separately, Raimondo met with EU officials at the June 14-16 U.S.-EU summit, Commerce newly blogged. She and EC officials agreed on the importance of data transfers and the need to continue talks on a successor to data-sharing mechanism Privacy Shield. 
They "recognized that, while key issues remained to be addressed in those negotiations, the liberal values and commitment to individual privacy shared by the U.S. and EU would help drive those negotiations to a mutually-agreeable resolution at the appropriate time."
Reputation blocklists help fight domain name system abuse but raise questions of accuracy and transparency, panelists said Thursday at a virtual ICANN meeting. RBLs blacklist IP addresses or domain names generally regarded as malicious, untrustworthy or of bad repute, said Samaneh Tajalizadehkhoob of ICANN's chief technology office. They're important to, and must be better understood by, ICANN, registries/registrars, hosting companies and other service providers and end-users, said iQ Chief Technology Officer LG Forsberg.
Privacy watchdogs may enforce breaches even if they're not the lead authority -- under certain conditions -- the European Court of Justice ruled Tuesday. ECJ's decision prompted cheers from consumer groups and a cautious response from Facebook and the tech sector. The case arose when the Belgian Privacy Commission tried to stop Facebook Ireland, Facebook Inc. and Facebook Belgium from allegedly collecting personal information on the browsing behavior of account holders and non-users via cookies, social plug-ins and pixels. In 2018, a Brussels court held that it had jurisdiction and that Facebook wasn't adequately informing Belgian users about its data collection. The court ordered the social media giant to stop gathering the information in Belgium. The company appealed; that court said its jurisdiction covered only Facebook Belgium, not Facebook Ireland or Facebook Inc. The appeals court asked the ECJ to determine whether Belgium's data protection authority had the required standing to bring the proceedings, given that general data protection regulation created a "one-stop shop" for enforcement actions, and that only the Irish Data Protection Commission had jurisdiction because it's the controller for Facebook personal data in the EU. The ECJ held that a national data protection authority has the power to pursue alleged GDPR violations involving cross-border data processing even though it's not the lead supervisory authority and that it's not necessary that the controller of such personal data have a main establishment in that country. However, the ECJ said the non-lead authority can enforce only if it complies with rules governing the relationship between itself and the lead authority. The one-stop shop mechanism "requires close, sincere and effective cooperation" between authorities to ensure consistent application of the rules, the court said. 
Facebook said it's pleased the court "upheld the value and principles of the one-stop shop mechanism, and highlighted its importance" in ensuring uniform application of the GDPR. "While the Court has upheld the one-stop shop principle ... it has also opened the back door for all national data protection enforcers to start multiple proceedings against companies," said the Computer & Communications Industry Association, adding that this risks compliance becoming more fragmented and uncertain. "Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands," said the European Consumer Organisation.
The U.S. hasn't done a good job responding proportionately to cyberattacks, House Homeland Security Committee ranking member John Katko, R-N.Y., told an American Enterprise Institute webinar Friday: "The bad guys don't take you seriously unless you whack the hell out of them." Diplomacy doesn't work because countries that enable attacks understand only strength and power, which the U.S. isn't projecting, he said. Until recently, cyberattacks had little visible public impact, but the Colonial Pipeline hack let people see the disruption that stopped them from buying gas, he said. Katko criticized President Joe Biden's budget request for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, saying it doesn't appear to match Biden's rhetoric on cybersecurity. Information-sharing in the cybercommunity is in its infancy, and the U.S. needs better reporting of cyber incidents, Katko said. One key issue is how to encourage the private sector to share information without worrying about lawsuits and immunity from liability, he said. Colonial Pipeline, SolarWinds and other incidents show malefactors are ratcheting up attacks and have figured out that going for critical infrastructure is "where the rubber meets the road." Asked about possible regulation, Katko said it's under discussion. One idea would be to require companies to certify in SEC 10-K filings they're adhering to cybersecurity best practices. Katko has floated legislation aimed at beefing up cybersecurity standards in the critical infrastructure industry, and said such other measures could be rolled out sector by sector. Lack of chips is also a serious threat the U.S. must address by bringing some manufacturing home, he said. Asked what responsibility industry bears to balance security with new technologies such as 5G and quantum computing, the lawmaker sought standards. U.S. companies paid $350 million in ransomware payments in 2020, up 171% from 2019, said AEI Resident Fellow Klon Kitchen.
The U.S. and EU should stop squabbling over tech issues or risk having China or another authoritarian government step into the gap, speakers told a Tuesday Information Technology and Innovation Foundation webinar. High on President Joe Biden's agenda for the summit in Brussels next week is discussion of the relationship, including whether the EU should stop attacking America's tech sector and Biden should refrain from giving away too much to make amends to Europe for the previous administration's attitude, said ITI President Robert Atkinson. He accused Europe of deploying a range of tools to hobble U.S. tech giants, such as the Digital Services Act and limits on cross-border data flows, and urged Biden to aggressively defend America while seeking stronger trans-Atlantic ties. The EU and U.S. are at an uneven point, said Atlantic Council Distinguished Fellow Frances Burwell: Europe is active on these issues while it's unclear where Biden or Congress wants to go. The U.S. must pick its battles with the EU and be clear about what it wants, Burwell said. The summit is a great opportunity to reset the EU-U.S. relationship, said President Paul Hofheinz of think tank The Lisbon Council. There are two different forms of government in the world -- democracies and one-party states -- and no one is thinking hard enough about how to regulate the neutral technology that sits between them, he said. The discussion should focus on China, said Center for European Policy Analysis President Alina Polyakova. This year will be important for seeing where and who sets normalization rules for technology, she said. Creating a level playing field for European companies is a top priority for the EU, but that will come from stimulating innovation, not regulation, she said. The "big gorilla in the room" is the Digital Markets Act, which attacks U.S. companies, she said. She urged the EU to rethink its digital agenda, including Privacy Shield and the DMA, and both sides to cooperate more. 
They potentially can meet in some areas, such as on facial recognition technology and the need for a U.S. federal privacy law, said Hofheinz: "We need to talk to each other humbly, respectfully and honestly." One problem with the U.S. approach is that no official "owns" this issue, which is spread across various agencies, said Polyakova. On the other hand, Europe is more thoughtful, strategic and sophisticated about policy, said Atkinson.
New provisions for data transfers will give businesses more legal certainty, the European Commission said Friday. It published its long-awaited revamped standard contractual clauses, which drew some U.S. tech industry support. One SCC set is for use between data controllers and processors, a second is for personal data transfers to third countries. They take into account new requirements under general data protection regulation and the European Court of Justice ruling in Schrems II, which annulled Privacy Shield, the EC said. Key changes update protections to align with GDPR, cover a wide range of transfer scenarios instead of necessitating use of separate sets of clauses, and list practical actions companies must take to comply with the ECJ judgment. Companies using former versions of SCCs have 18 months to switch. "Unlike its predecessor, the new SCCs can be used by a wider range of companies in different data transfer scenarios," said the Computer & Communications Industry Association. CCIA Public Policy Senior Manager Alexandre Roure urged the EU to quickly "conclude its data transfer negotiations with its main trading partners." Like CCIA, the Information Technology Industry Council urged EU leaders to stay focused on a new Privacy Shield agreement. The two most important changes are new flexibility that enables businesses to enter into the same SCCs covering new kinds of transfers, and new obligations to assess transfer risks case by case, emailed Linklaters data protection attorney Tanguy Van Overstraeten.
There's "strong urgency" to boost trans-Atlantic cooperation on issues such as AI, Rep. Jerry McNerney, D-Calif., told a DigitalEurope webinar Thursday. The two regions share a growing set of challenges on such issues as privacy, AI and content moderation, and they should look to how the other side is handling them, because rapidly developing technology needs guardrails and there's fierce competition from ideological rivals, he said. Identify where they differ to develop the right set of rules, said McNerney, who chairs the Artificial Intelligence Caucus. Panelists agreed interest is growing at higher levels in finding common ground.