Skip to content

Privacy News: November 15

Privacy after Roe, Algorithmic bias, privacy legislation, Twitter, and more

A red and orange neon sign with the word "News" all in capital letters

Checking out Mastodon?  The Nexus of Privacy is at!

Webinar: The Fight for Privacy in a Post-Dobbs World

Thursday December 1, 11:00 am Pacific (2:00 pm Eastern)

This webinar, hosted by privacy scholar Daniel Solove, will focus on themes from Danielle Citron’s new book, The Fight for Privacy: online harassment and hate, Section 230, and how privacy invasions disproportionately are targeted at women. It will also discuss the implications of Dobbs, where the U.S. Supreme Court struck down the right to abortion.  

And talk about an all-star cast!  As well as Solove and Citron, speakers include Mary Anne Franks of  Miami Law, Jolynn Dellinger of Duke Law, Elizabeth Joh of UC Davis Law, and Allyson Haynes Stuart of Charleston Law.

A People’s Guide to Finding Algorithmic Discrimination

Center for Critical Race and Digital Studies (

This very approachable guide features four critical lessons:

  • What is a machine learning algorithm?
  • Algorithmic Bias?
  • What types of Bias?
  • How do these emerge in real-world contexts?

There are also demonstrations to help you get hands-on practice using state-of-the-art detection and debiasing tools.  Development of the People's Guide was led by Meredith Broussard and Avriel Epps-Darlin, partnering with Rumman Chowdhury and Parity AI.

Federal privacy legislation

Make Privacy Legislation a Lame Duck Priority

David Morar on Tech Policy Press (

Morar, a Policy Fellow at New America's Open Technology Institute (OTI), makes the case for American Data Privacy Protection Act (ADPPA). It's a good example of the kind of spin I talked about in The elephant and the lame duck.  For example, Morar claims "the bill came out of committee debate stronger", which ignores the many important changes that significantly weakened the bill – and justifies his claim by cites an IAPP article that (as I pointed out in the September 17 privacy news) makes ADPPA look stronger than it really is and has a chart that omitted most of the weakening changes.  And he parrots the line from ADPPA supporters that it's stronger than any state privacy bill while ignoring Californians for Consumer Privacy's rebuttal, highlighting dozens of ways California's existing bill is stronger than ADPPA.

By the way, OTI's top funder is Melinda Gates' Pivotal Ventures LLC.  Former Google CEO Eric Schmidt's foundation, the Gates Foundation , the Siemens Foundation, and Bloomberg Philanthropies are also in the top 10.  


Deleting DMs from Twitter using the GDPR

Michael Veale (

As we discussed a few weeks ago in A new Chief Twit - and a big Twitter privacy issue, deleting your Twitter data – and even deactivating your account – doesn't necessarily do anything.  In some jurisdictions, though, you have the right to request Twitter delete your data.  Michael Veale has detailed instructions for how to do this if you're in the EU. It would be great to see similar instructinos for California, but as far as I know nobody's written them up.

Of course Twitter's laid off so many people that they may well ignore the request. Still, if they ignore it, it creates a paper trail of a violation – and if and when regulators choose to act against Twitter, the more violations that are on record, the higher the fines will be.

Worth mentioning: ADPPA gives people the right to delete their data ... but there are a lot of exceptions.  For example, Twitter doesn't have to delete anything related to "investigations" or preventing unlawful activity; and they don't have to delete anything older than two years.  I went into more detail about the deletion problems in Does ADPPA allow pregnant people to force companies to delete data that might put them at risk? ... I really should add the Twitter use case to that post make it more concrete.

Irish privacy boss Damien Kieran leads Twitter executive exodus

Adrian Weckler and Anne-Marie Walsh on (

The global chief privacy officer of Twitter, Irishman Damien Kieran, has reportedly resigned from the company in a mass exodus of senior security and privacy executives.

Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?

Natasha Lomas on TechCrunch (

An "anonymous and well-placed source" tells TechCrunch that Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called “main establishment” under the European Union’s General Data Protection Regulation (GDPR).  It sounds wonky but as Lomas explains, this is actually a pretty big deal.

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is ‘main established’ (in Twitter’s case Ireland), rather than having to accept inbound from data protection authorities across the bloc....

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

And ...

40 states settle Google location-tracking charges for $392M

Dave Collins and Marcy Gordon on Associated Press (

Google has agreed to a $391.5 million settlement with 40 states in connection with an investigation into how the company tracked users’ locations, state attorneys general announced Monday, calling it the largest multistate privacy settlement in U.S history.


Apple faces new lawsuit over its data collection practices in first-party apps, like the App Store

Sarah Perez on TechCrunch (

A new lawsuit is taking on Apple’s data collection practices in the wake of a recent report by independent researchers who found Apple was continuing to track consumers in its mobile apps, even when they had explicitly configured their iPhone privacy settings to turn tracking off.


French agency warns World Cup fans to get burner phones for Qatar apps

Laura Kayali on POLITICO (

Avoid naughty pictures and scrub your phone to keep clear of state snoopers, French regulator says.

UK and non-EU businesses to face more uncertainty in GDPR data breach reporting

Wouter Seinen on Pinsent Masons (

Companies that are not established in the EU could face more uncertainty when reporting a data breach involving EU data subjects and complying with the General Data Protection Regulation GDPR.

Stalking fears over PimEyes facial search engine

Chris Vallance on BBC News (

Privacy campaign group Big Brother Watch has asked the UK privacy watchdog to investigate PimEyes.

New US FTC Commissioner Bedoya signals support for broad view of online privacy harms – Paywalled

Mike Swift on MLexMarketing (

The US Federal Trade Commission traditionally has been staffed by lawyers, economists and — more recently — by computer scientists who untangle the complex workings of online platforms

Harsher penalties for data breaches in new Australian privacy bill

Nik Hewitt on Security Boulevard (

High-profile breaches mean high-profile action In the aftermath of another crop of high-profile data breaches, the Australian Government (also known as the Commonwealth Government) has introduced amendments to Australian privacy law which give the regulator new powers and the ability to impose harsh penalties.

Why Data Privacy Should Matter To Advertisers

Emilia Kirk on Forbes (

The death of the cookie opens the door for new, more innovative forms of advertising that respect user privacy while also offering engaging and relevant content.

Data privacy lawsuits explode in healthcare, tech sectors

Ian Cohen on Security Magazine (

Cybersecurity executives can explore three recent data privacy lawsuits to determine whether their organizations are truly compliant with data sharing laws.

Image credit: Daquella manera on Flickr via Wikipedia Commons.  licensed under the Creative Commons Attribution 2.0 license.