A US/EU data transfer agreement, student privacy, privacy after Roe, Colorado privacy regulations ... and more!
The White House (whitehouse.gov)
Biden's Executive Order (EO) is the latest attempt to satisfy European Union (EU) concerns about US intelligence agencies' access to data and smooth the path for European companies to transfer data to the US. As Morgan Meaker says in "Biden’s Privacy Order Slaps a Band-Aid on the EU-US Data Crisis":
The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.”
As well as establishing some new civil liberties and privacy policies for intelligence agencies, the EO also establishes a procedure for when EU residents complain about data abuse: the Civil Liberties Protection Officer will conduct an initial investigation, and the "Data Protection Review Court" (DPRC) will review. As Max Schrems of noyb.eu points out, though, the DPRC isn't really a court, and that's likely to be a sticking point for the EU.
Since Schrems was the plaintiff in both the 2015 Schrems case where the European Court of Justice (CJEU) struck down the "Safe Harbor" agreement and the 2020 Schrems II case where the CJEU struck down the replacement Privacy Shield agreement, his opinion that the new agreement is unlikely to satisfy EU law is worth paying attention to. Dutch privacy expert Jeroen Terstegge notes that the mutual recognition paragraph at the end of the EO shifts the power balance in favor of the US, and predicts fierce opposition from EU member states.
Here's how Schrems describes the next steps:
Now where the US has issued its Executive Order, the European Commission will have to draft a so-called "adequacy decision" under Article 45 of the GDPR. Once the draft decision is issued, the Commission must hear the European Data Protection Board (EDPB), but is not bound by its findings. In addition, the European Member States must be heard and could block the deal. This process can take a couple of months. However, even negative statements by the EDPB and Member States are not binding on the Commission. Once the decision is published, companies can rely on it when sending data to the US and users can challenge it via the national and European courts. This is not expected before spring of 2023, even when it was originally envisioned in fall of 2022.
Pia Ceres, Wired (wired.com)
School districts across the country use monitoring software to track students’ online behavior. What can students and parents do? This article has some very practical suggestions: asking the school why and how they're monitoring students; assuming you're being watched, even after school; being careful on social media; and teaming up with other students and parents.
Here are the questions that Marika Pfefferkorn (co-founder of the Twin Cities Innovation Alliance and a leader of the No Data About Us Without Us Institute) suggests asking:
- What software is being used? Does it operate on school devices, over the school Wi-Fi network, or both?
- If it’s student monitoring software, what kind of information does the algorithm scan for? If the algorithm detects a “threat” or “inappropriate content,” who does the alert go to? At what point does content get flagged to a third party, such as law enforcement?
- How is student data secured?
- Where can students and parents report violations of privacy in the district? What processes does the district have to repair harm?
- How much of the budget is used for surveillance technology?
Privacy after Roe
Adam Schwartz, Electronic Frontier Foundation (EFF) (eff.org)
A description of three bills recently signed by California Gov. Gavin Newsom, all of which EFF supported: A.B. 1242, authored by Asm. Rebecca Bauer-Kahan; A.B. 2091, authored by Asm. Mia Bonta; and S.B. 107, authored by Sen. Scott Wiener. The highlights:
- New reproductive and trans health data exemptions from existing disclosure mandates, covering both law enforcement and civil subpoenas based on either an out-of-state law that interferes with California abortion rights.
- New limits on California judges' power to authorize or compel the disclosure of reproductive health data if it's for purposes of investigating abortions that are legal in California.
- Similar limits on California state government agencies disclosing information to any individual or out-of-state agency.
Tonya Riley on CyberScoop (cyberscoop.com)
Many abortion rights advocates say data brokers selling their personal information online put them at risk.
Johana Bhuiyan on The Guardian (theguardian.com)
Activists fear Flock, whose tech reads license plates, might endanger women seeking abortions
State privacy regulation
David Stauss on JD Supra (jdsupra.com)
A detailed analysis of the proposed Colorado Privacy Act (CPA) rules recently published by the Colorado Attorney General’s office. The CPA was based on the Bad Washington Privacy Act, but contained several improvements – including a rulemaking process, similar to California's. Stauss' summary:
The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.
Ben Green on SpringerLink (link.springer.com)
Efforts to promote equitable public policy with algorithms appear to be fundamentally constrained by the “impossibility of fairness” (an incompatibility between mathematical definitions of fairness). This technical limitation raises a central question about algorithmic fairness: How can computer scientists and policymakers support equitable policy reforms with algorithms? Substantive algorithmic fairness presents a new direction for algorithmic fairness: away from formal mathematical models of “fair” decision-making and toward substantive evaluations of whether and how algorithms can promote justice in practice.
Caitriona Fitzgerald and Ben Winters on Protocol (protocol.com)
In last week's article on the White House Office of Science and Technology Policy's "Blueprint for an AI Bill of Rights", I mentioned that the next step is to go from principles to changing policy. Fitzgerald and Winters of EPIC have some suggestions, and note that the administration doesn’t have to wait around for Congress to get moving on some of the principles in the blueprint.
on NL Times (nltimes.nl)
A remote employee of a U.S. business who was fired for refusing to leave his webcam on while he was working was awarded roughly 75,000 euros by a Dutch court for wrongful termination. The resident of Diessen, Noord-Brabant, was hired by the Rijswijk branch of Chetu Inc., a software development c…
The White House on The White House (whitehouse.gov)
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows: Section 1. Purpose. The United States collects signals intelligence so that its national security decisionmakers have access to the timely, accurate, and i…
Cobun Zweifel-Keegan, CIPP/US, CIPM on iapp.org
This white paper explores how the roles of privacy and cybersecurity professionals are becoming increasingly interdependent, and compares the challenges faced b
Brandon Vigliarolo on The Register (theregister.com)
Don’t have a TT account? Doesn’t matter!
FPF Statement on White House Executive Order to Implement the European Union-U.S. Data Privacy Framework
on Future of Privacy Forum (fpf.org)
Statement from Future of Privacy Forum’s CEO Jules Polonetsky: With this step, the U.S. puts in place practical surveillance limitations, oversight, and individual redress that are unmatched almost anywhere else in the world in the context of national security. Leading democracies are converging on…
TALIA SOGLIN Chicago Tribune on pantagraph.com (pantagraph.com)
Illinois residents who filed claims for a cut of Google’s $100 million class-action settlement over alleged violations of state privacy law could receive checks of about $154 each.
Lucas Ropek, Gizmodo (gizmodo.com)
Amazon keeps trying to put a cute face on its surveillance tech.
Luke Hughes on TechRadar pro (techradar.com)
Anonymous browsers like Opera and Mozilla Firefox are fighting an uphill battle on multiple fronts
The A.V. Club on Lifehacker (lifehacker.com)
The A.V. Club on Gizmodo (gizmodo.com)
A Greek financial journalist is one of several who believe they have been targeted for surveillance by the nation’s government with the help of Intellexa.
Robin Berjon on Robin Berjon (berjon.com)
The way in which most businesses approach privacy issues is far from ideal and more often than not self-defeating. Compliance with data regulations has imposed itself as the central part of the work when privacy really is a product concern: an aspect you work on to make your product better and incre…
Daniel Sandford & Tom Symonds on BBC News (bbc.com)
Elton John, Prince Harry and other public figures take legal action against Associated Newspapers.
A Current Affair Staff on nine (9now.nine.com.au)
A data privacy expert says the Optus data breach has shown just how vulnerable our personal information rea...