The U.S. and EU have made good progress in implementing the agreement for trans-Atlantic personal data flows but more is needed, the European Data Protection Board (EDPB) said in its first review of the data privacy framework (DPF). The board praised the U.S. for creating redress mechanisms for EU individuals and appointing judges and special advocates to handle complaints. However, it said, it has "identified ... a number of points for additional clarifications, for attention or for concern." These include that while the DPF certification process seems to be running smoothly, the board expects the Commerce Department to boost oversight and enforcement to ensure compliance by certified organizations with all DPF principles. The need for proactive oversight is particularly clear in light of the very low number of complaints received in the DPF's first year, it said. The review also urged Commerce to provide practical guidance on accountability for the onward transfer principle, saying it's concerned some certified companies are unaware of the requirements for lawful transfers of personal data they receive from EU exporters to third countries that the European Commission, under the general data protection regulation (GDPR), doesn't consider adequate. Regarding government access to data, the EDPB said it would welcome more discussion on how U.S. agencies are interpreting and applying GDPR principles of necessity and proportionality of data collection. The board "regrets" that the "Reform Intelligence and Securing America Act," which extends Section 702 of the Foreign Intelligence Surveillance Act, didn't incorporate a recommendation by the Privacy and Civil Liberties Oversight Board to codify some aspects of Executive Order 14086, which would add more safeguards. The board also suggested that the EC carry out its next review of the DPF in three years rather than four to monitor EDPB concerns more closely.

Florida’s social media law should be permanently enjoined since the U.S. Supreme Court found it potentially violates the First Amendment, tech industry groups told a federal court Friday, submitting an amended lawsuit (see 2411010060). The Supreme Court in July ruled the First Amendment protects social media platforms’ ability to moderate content, sending the tech industry’s suits against Florida and Texas laws back to the lower courts (see 2407010053). The Computer & Communications Industry Association and NetChoice on Friday submitted an amended complaint with the U.S. District Court for Northern Florida (docket 4:21-cv-0220) (see 2411010060). The Supreme Court settled the question whether platforms like Facebook and YouTube engage in First Amendment-protected activity when moderating and organizing content, said CCIA and NetChoice. Citing the high court’s ruling, the complaint said: “In short, when the government regulates websites’ ‘choices about the views they will, and will not, convey,’ it ‘interfere[s] with protected speech.’” The associations asked that the district court rule SB-7072’s challenged provisions facially violate the Constitution and award the plaintiffs damages. “The government cannot force any speaker, be it a private citizen or a social media website, to say or disseminate speech against their will,” said CCIA Chief of Staff Stephanie Joyce in a statement Friday.

Talks on toughening cross-border enforcement provisions of the EU general data protection regulation (GDPR) began Nov. 4 between the European Commission, European Parliament and Council. GDPR enforcement sometimes varies among EU countries, "leaving certain gaps that need to be addressed," said Member of the European Parliament Marketa Gregorova, of the Greens/European Free Alliance Party and Czechia. Gregorova, parliamentary reporter on the measure, said legislators' and governments' positions were encouraging: "Our negotiations will concentrate on refining these ideas into a coherent and effective framework." A key priority is ensuring that all entities, regardless of where they're located, "are subject to consistent and timely enforcement." The EC proposed changes to GDPR enforcement provisions in July 2023. Among other things, it recommended harmonizing rules on the rights of complainants and parties under investigation, and streamlining cooperation and dispute resolution among national data protection authorities (DPAs). Council ministers approved their negotiating position in June. It called for clearer timelines to speed cooperation among DPAs; more efficient cooperation to reduce red tape in simple cases; and an early resolution mechanism for national authorities. Parliament cemented its stance in April. It wants a stronger role for complainants, DPAs and the European Data Protection Board.

FTC Chair Lina Khan has “undermined the FTC’s bipartisan, independent mission through a relentless violation of legal, procedural, historical, and management norms,” the House Oversight Committee said Thursday, releasing a staff report on her tenure. Khan helped spearhead President Joe Biden’s executive order on competition, which ignores the pro-competitive and pro-consumer benefits of acquisitions, the report said. The agency’s decision to withdraw from its merger guidelines has expanded market uncertainty that deters pro-competitive deals, the committee said. Khan's approach is ultimately a “tax” on mergers and acquisitions, the report said. She has led several rulemaking efforts that follow the same pattern, staff said, “bulldozing agency norms, going beyond statutory authority, and regulating based on Biden-Harris ideology, not the facts.” If Khan’s policy and enforcement approach continues, “it will further undermine Americans’ confidence in the FTC’s role in protecting American consumers and the U.S. marketplace,” said Committee Chairman James Comer, R-Ky., in a statement. Her “term expired last month, and she should not be permitted to continue leading an independent agency.” Elon Musk posted Thursday on X: “She will be fired soon.” Progressive Democrats like Rep. Alexandria Ocasio-Cortez, D-N.Y., and Sen. Elizabeth Warren, D-Mass., and Sen. Bernie Sanders, I-Vt., have defended Khan's time in office (see 2410160030). The FTC didn’t comment Thursday.

The U.S. Supreme Court set Jan. 15 oral argument in the Free Speech Coalition’s challenge of a Texas anti-porn law requiring that websites verify users’ ages, said a text-only entry Thursday in case 23-1122. FSC is a porn industry trade association represented by the American Civil Liberties Union. Last month, DOJ supported the challenge but cautioned SCOTUS against discouraging states and Congress from preventing children from accessing pornography online (see 2409240021).

Chinese online marketplace Temu may be violating the EU Digital Services Act (DSA), the European Commission said in opening a formal inquiry Thursday. The company arrived in Europe in 2023, grew quickly and immediately started drawing the attention of national privacy and consumer protection authorities, EC officials said at a briefing. In May, the EC designated Temu a very large online platform as defined in the DSA after it reported having more than 45 million monthly active users in the EU. Under the act, Temu was required to assess and mitigate any systemic risks from its service, but officials said the assessment is "too general" and doesn't dive into the platform's specific risks. The EC is concerned that Temu's system for limiting "rough traders'" sale of dangerous or illegal products in the EU is ineffective and could result in a proliferation of non-compliant products in EU online markets. It's also investigating risks linked to the service's addictive design, which includes game-like reward programs and systems to mitigate those risks. Another complaint is the way the platform recommends content and products to users; a fourth is that Temu isn't offering researchers sufficient data so they can gauge its DSA compliance. In opening the probe, the EC said it relied for the first time on information from national authorities under the European Board of Digital Services Coordinators. Temu is "a real concern" for many EU DSA coordinators, officials said. It can respond as the EC continues gathering evidence. The investigation is "a promising step, but only the first," emailed the European Consumer Organisation, which submitted evidence to the EC. It urged the EC to keep pressure on Temu and force it to comply with the law as soon as possible.

A district court shouldn’t dismiss a free speech lawsuit attorneys general in Louisiana and Missouri filed against the Biden administration given new evidence, the New Civil Liberties Alliance said in a brief filed Tuesday. Republican attorneys general in Louisiana and Missouri sued the Biden administration in 2022, claiming senior officials “colluded” with social media giants Meta, Twitter and YouTube, censoring information about COVID-19 and other topics. The U.S. Supreme Court in June ruled the 5th U.S. Circuit Appeals Court was "wrong" when it affirmed a district court’s “sweeping” preliminary injunction that barred dozens of White House officials and four federal agencies from coercing social media platforms (see 2406260034). The 5th Circuit's judgment was reversed and remanded to the U.S. District Court for the Western District of Louisiana. NCLA claims some of its clients, including several medical professionals, still face censorship on major social media platforms, and the court should allow additional discovery. As such, NCLA asked the district court to allow an amended complaint and the possibility of adding plaintiffs.

The FTC should investigate whether OpenAI violated federal law when it offers unfair and deceptive services, the Electronic Privacy Information Center said in a complaint filed with the agency Tuesday. EPIC argued that OpenAI directly and indirectly enabled unfair and deceptive trade practices, a violation of the FTC Act, through application programming interface integrations and its GPT Store, where customers can buy custom versions of ChatGPT. In addition, OpenAI has not shown its AI products “meet established public policy standards for responsible development and use of AI systems,” including standards detailed in President Joe Biden’s executive order on AI, said EPIC. The lack of review and curation associated with its “mass data scraping often leads to false, offensive, biased, and discriminatory data being included in the training dataset,” said EPIC: This means biases and negative stereotypes “are baked into their models and difficult to effectively remove without retraining the models.” OpenAI didn’t comment. The FTC confirmed receiving the complaint.

Congress should pass a bill from Sen. Dick Durbin, D-Ill., that would establish a right for victims of deepfake porn to sue violators, the Software & Information Industry Association said in a letter to congressional leaders Tuesday. SIIA voiced support for passing more than a dozen bills during the remainder of the 118th Congress. The list included the Disrupt Explicit Forged Images and Non-Consensual Edits (Defiance) Act, which the Senate approved unanimously in July (see 2407240021).

LinkedIn Ireland violated EU data protection law when it processed personal data for behavioral analysis and targeted advertising, the Irish Data Protection Commission (DPC) announced Thursday. The data under question involved member information they provided directly to LinkedIn and member data obtained via third-party partners. The decision followed a complaint that French digital rights advocacy group La Quadrature du Net filed in August 2018, the DPC said. LinkedIn will pay a fine of $335 million and bring its processing into compliance with the general data protection regulation.