Developments
___________________________
FTC Action Against Meta/Facebook
The Federal Trade Commission (FTC) announced (May 3) that it is proposing to modify a prior privacy order on Meta/Facebook, to prohibit the company from profiting from the under-age-18 user data it collects, including through virtual reality products.
The revised privacy order also, among other things, prohibits the release of new or modified products, services, or features without written confirmation from the assessor that the company's privacy program is in full compliance with the order’s requirements and presents no material gaps or weaknesses; requires the company to ensure compliance with the FTC order for any companies Meta/Facebook acquires or merges with, and to honor those companies’ prior privacy commitments; and requires it to disclose and obtain users’ affirmative consent for any future uses of facial recognition technology.
The FTC suggests it is taking these actions because the company failed to fully comply with the current order, including misleading parents “about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.”
The company will have an opportunity to respond to the order before final action on the proposal by the FTC.
(posted: 5-4-23)
________________________
Transatlantic Data and Signals Intelligence
President Biden issued an Executive Order (EO) (October 7) that formalizes the data-sharing framework as potentially impacted by U.S. signals intelligence activities. A US-EU framework was announced in March 2022.
Under the agreement as formalized within the EO, signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties.
Affected persons will be able to seek redress. The EO requires the heads of each element of the Intelligence Community to establish a process to receive complaints, and the Director of National Intelligence will conduct investigations of complaints that will then be reviewed by a Data Protection Review Court (DPRC). The DPRC will include "legal practitioners with appropriate experience in the fields of data privacy and national security law" who are not employees of the United States Government.
(updated: 10-11-22)
_________________________
Transatlantic Data and Signals Intelligence Activities
The United States and the European Union (EU) agreed to an updated data-sharing framework that will implement what the parties believe are safeguards intended to ensure that signals intelligence activities “are necessary and proportionate in the pursuit of defined national security objectives.”
The United States says it is committing to strengthen privacy and civil liberties safeguards governing U.S. signals intelligence activities; establish a new redress mechanism with independent and binding authority; and enhance its existing rigorous and layered oversight. The specifics of when and how these measures will be implemented beyond this commitment were not announced.
Under the agreement, signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties. Persons in the EU will be able to seek redress including through a “Data Protection Review Court” encompassing persons from outside the U.S. Government.
(updated: 3-26-22)
_________________________
Federal Surveillance Information
The Federal Privacy and Civil Liberties Oversight Board (PCLOB) released two reports (February 10, 2022) related to CIA clandestine surveillance of Americans and the management of that information.
The reports are redacted, but perhaps most importantly confirm that the CIA does, in fact, have information on U.S. citizens that it obtains via surveillance methods. A published statement of Board Member Travis LeBlanc stated that he has “serious reservations about how our Intelligence Community handles U.S. person information. This is a recurring issue that again raises important privacy and civil liberties concerns.”
Included among the PCLOB staff recommendations are that the CIA should develop new implementing policies, procedures, or guidance regarding certain data; and that the agency needs to determine how to retain and use legacy data including through periodic efficacy assessments.
(updated: 2-12-22)
_________________________
Non-Banking Finance and Personal Information
The Federal Trade Commission (FTC) announced (December 9, 2021) that it is requesting public comments on data breach and security event reporting by financial institutions on its "Safeguards Rule", finalized only in October of 2021. The Safeguards Rule applies to non-banking institutions such as mortgage brokers, auto dealerships, and payday lenders.
October updates include more specific criteria for what safeguards financial institutions must implement as part of their information security program; for example, limiting who can access consumer data and using encryption to secure the data. The Rule requires that institutions explain information sharing practices; specifically, "the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information."
(updated: 2-2-22)
_________________________
Connected Policies
___________________________

Kids Online Safety Act
This legislation proposes, among other things, to require that social media platforms: provide minors with options to protect their information, disable addictive product features, and opt out of algorithmic recommendations; provide protective tools to parents; require online platforms to prevent and mitigate specific dangers to minors; and perform an annual independent audit that assesses the risks to minors.
Status: The proposal was introduced in the Senate on May 2, 2023.

Children's Online Privacy Protection Rule
This is a website with the provisions of Federal Trade Commission (FTC) rules associated with the Children's Online Privacy Protection Act.
Status: these rules, last modified in 2013, are currently in effect.

Laying Down Harmonized Rules on Artificial Intelligence
This is a proposed legal framework of the European Union that would put in place standards and rules on the use and management of artificial intelligence. Under the framework, a limited number of unacceptable AI use cases, such as social profiling by governments, would be completely banned and high-risk use cases would be subjected to prior conformity assessment and wide-ranging new compliance obligations.
Status: the framework is still going through EU legislative processes and therefore is not final. The current framework was proposed in April of 2021.

Big Tech Information Collection / Competition EO
Executive Order (14036), the Biden Administration EO on "Competition", includes a provision that "encourages" the FTC to establish rules on surveillance and the accumulation of personal and other related data.
Status: this EO was published on July 14, 2021.

Consumer Banking Data / Competition EO
Executive Order (14036), the Biden Administration EO on "Competition", includes a provision "encouraging" the Consumer Financial Protection Bureau (CFPB) to issue rules allowing customers to download their banking data and take it with them.
Status: this EO was published on July 14, 2021.

Apps & Health Data Information Breaches Notification
This Policy Statement of the U.S. Federal Trade Commission (FTC) is intended to make it clear to health care app companies that they are subject to the FTC's overarching Health Breach Notification Rule. The Rule requires that vendors of personal health records (“PHR”), and PHR-related entities, notify U.S. consumers and the FTC (and potentially the media) if there has been a breach of unsecured identifiable health information.
Status: this Statement was issued on September 15, 2021.

Privacy & Security Standards - Letter to the FTC
A group of eight Senators sent a letter to the Federal Trade Commission (FTC) proposing that the FTC develop through a rulemaking process a national standard for consumer data privacy and security. Specifically, the group requests that the FTC consider protective standards for the data of "members of marginalized communities, prohibitions on certain practices (such as the exploitative targeting of children and teens), opt-in consent rules on use of personal data,"... and opt-out standards.
Status: this letter was dated September 20, 2021. The FTC has indicated it may seek a rule in 2022 on commercial surveillance "to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination."