Privacy News: November 4


Musk’s Twitter takeover raises more questions than answers about data privacy

Katie Wedell on USA TODAY (usatoday.com)

Actually I think the answer is pretty clear: assume that everything you’ve ever done on Twitter (including your location) is going to be shared and sold broadly.  We talked about one of the issues last week in A new Chief Twit – and a big Twitter privacy issue – private messages aren’t encrypted, and there’s no way to delete them – but that only scratches the surface.  As Wedell details, Twitter already has a history of missteps when it comes to guarding user data.  And since this article was published, Twitter’s illegal mass layoffs make it even less likely they can protect the data against hackers – and highlight that the new management will just ignore laws they don’t like.

ALSO:

The NYPD is joining Ring’s neighborhood watch app amid privacy and racial profiling concerns

on Engadget (engadget.com)

The NYPD is joining Ring’s Neighbors app despite concerns about privacy and profiling.  What could possibly go wrong?

The New York-based Surveillance Technology Oversight Project (STOP) is concerned support for Neighbors will lead to more police violence, racial profiling and vigilantes. The technology “isn’t keeping people safe” and even puts people in danger, Executive Director Albert Fox Cahn claims. He cites an incident in October where a father and son shot at a woman in response to a Ring doorbell notification. The woman delivered a package sent to the wrong address.

ALSO:

Why Bad Privacy Happens to Good People

Paul Ohm on Technology Law (cyber.jotwell.com)

Ohm reviews Ari Ezra Waldman’s Industry Unbound: The Inside Story of Privacy, Data, and Corporate Power.  I’ve recommended this book to dozens of people, and Ohm agrees.

Waldman conducted 125 interviews over four years and insinuated himself into product design meetings, industry conferences, and company breakrooms, revealing a rigorous and detailed description of the way privacy is subverted and denied inside these companies…. Waldman’s conclusions are layered and sophisticated and hard to do justice to in a short review….

There is so much I like (lots!) about this book. It provides deep, rich, and rigorously gathered empirical data about the forces that keep privacy at bay inside technology companies. It synthesizes these observations into compelling explorations of the mechanisms at play. It engages deeply and efficiently with multiple vast literatures, making it a readable and concise recommendation for newcomers to the field.

FIND OUT MORE:

  • How Big Tech Turns Privacy Laws Into Privacy Theater, on Slate, is a good short introduction to how well-intentioned privacy professionals are shut out of the process – and often don’t even realize their complicity.
  • Privacy, Practice, and Performance, in the California Law Review, goes into more detail on how today’s privacy law has been “endogenously created by industry practices that legitimize data extraction.”

State privacy legislation

Modified California Consumer Privacy Act Regulations

California Privacy Protection Agency (cppa.ca.gov)

The California Privacy Protection Agency (CPPA) is working on regulations that will go into effect at the beginning of 2023.  These latest modifications were just released, and there’s a short time for public comments in response.  Comments are due by November 21 – the same day as the FTC comment deadline!

Colorado AG Publishes Draft Colorado Privacy Act Rules

Hunton Andrews Kurth’s Privacy and Cybersecurity on The National Law Review (natlawreview.com)

A summary of the Colorado Attorney General Office’s draft rules implementing and enforcing the Colorado Privacy Act.  There are “stakeholder meetings” on November 10 and November 15.  The comment deadline is February 1, 2023.

Minor Keys: Major Takeaways from New California Online Children’s Privacy Law

Sean Fernandes on JD Supra (jdsupra.com)

An analysis of the new California Age-Appropriate Design Code Act.

Automated Decision Systems

Algorithms Quietly Run the City of DC—and Maybe Your Hometown

Khari Johnson on WIRED (wired.com)

EPIC Privacy’s new report Screened & Scored in DC finds that municipal agencies in Washington deploy dozens of automated decision systems, often without residents’ knowledge.  And guess what, these systems don’t treat everybody equally.

“More often than not, automated decisionmaking systems have disproportionate impacts on Black communities,” [EPIC AI and human rights expert Ben] Winters says. The project found evidence that automated traffic-enforcement cameras are disproportionately placed in neighborhoods with more Black residents.

Huh.  Just like how ShotSpotter is primarily deployed in Black and Latinx neighborhoods.  Funny how that works.

Europe at a Crossroads over Planned Use of Biometrics

Elizabeth M. Renieris on cigionline.org

Due to go live in May 2023, the European Union’s Entry/Exit System could cost half a billion euros in the first few years, but the potential cost to the European Union’s moral authority is much higher.

Challenging algorithmic profiling: The limits of data protection and anti-discrimination in responding to emergent discrimination

Monique Mann and Tobias Matzner in Big Data & Society (journals.sagepub.com)

From the abstract:

We contend that with increased algorithmic complexity, biases will become more sophisticated and difficult to identify, control for, or contest. In order to harness anti-discrimination regulation, it needs to confront emergent forms of discrimination or risk creating new invisibilities, including invisibility from existing safeguards. Finally, we outline suggestions to address emergent forms of discrimination and exclusionary invisibilities via intersectional and post-colonial analysis.

And

TikTok privacy update in Europe confirms China staff access to data as GDPR probe continues

Natasha Lomas on TechCrunch (techcrunch.com)

An incoming privacy policy change made by TikTok yesterday for users in Europe names China as one of several third countries where user data can be remotely accessed.

ALSO:

Schrems: round three (podcast)

Luca Bertuzzi on EURACTIV (euractiv.com)

Last month, an executive order detailed the EU-US Privacy Shield 2.0, a new legal framework for transatlantic data flows made necessary by the Schrems II ruling. Bertuzzi and Max Schrems, the privacy activist who gave the name to the two landmark verdicts, discuss the new arrangement and the potential implications of a Schrems III. They also touched upon what is currently wrong with the GDPR enforcement and what more can be done to fix it in the near future.

Mozilla launches $35M venture capital fund for early-stage ‘responsible’ startups

Paul Sawers on TechCrunch (techcrunch.com)

Mozilla Ventures is Mozilla’s new $35 million VC fund targeted at early-stage startups working on “responsible” technologies.

GDPR and the AI Act interplay: Lessons from FPF’s ADM Case-Law Report

Sebastião Barros Vale on Future of Privacy Forum (fpf.org)

GDPR’s protections for individuals against forms of Automated Decision-Making (ADM) and profiling go significantly beyond Article 22 – which provides for the right of individuals not to be subject to decisions based solely on automated processing that produces legal effects or significantly impacts them, and are currently being applied by courts and Data Protection Authorities (DPAs) alike. These range from detailed transparency obligations to applying the fairness principle to avoid situations of discrimination and strict conditions for valid consent in ADM cases.

Chat Control – A Good Day for Privacy

on epicenter.works

The Austrian parliament’s EU committee voted to reject the proposal for the controversial child sexual abuse regulation (dubbed “chat control”) unless it is brought in line with fundamental rights.

ICO and Cabinet Office reach agreement on New Year Honours data breach fine

UK Information Commissioner’s Office (ico.org.uk)

Back in 2019, the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. The UK Information Commissioner (ICO) originally announced a £500,000 fine, but has now reduced it to £50,000.  The ICO says this reflects their “new approach to working more effectively with public authorities.”

‘Contentious’ US tech firm to harvest patient data in NHSE waiting list push

Nick Carding on Health Service Journal (hsj.co.uk)

NHS England has ordered the collection of identifiable patient data from hospitals by US data firm Palantir, for a pilot scheme aimed at accelerating recovery of elective waiting lists.

Seeking Psychedelics? Check the Data Privacy Clause

Mason Marks on WIRED (wired.com)

Colorado’s Proposition 122 wants to let people take psilocybin at healing centers. But sensitive data isn’t covered by medical privacy protections.

Australia to introduce world-leading privacy breach penalties

James North on Corrs Chambers Westgarth (mondaq.com)

Companies must act to ensure that their privacy regimes and data security capabilities are up to date and appropriate.

We need to start recognizing privacy as a basic human right

Arjun Bhatnagar on fastcompany.com

The CEO of Cloaked argues that the only way to successfully build businesses is to acknowledge every person’s ownership over who they are and how others perceive them.

White House’s ‘AI Bill of Rights’ Codifies Ethical Use, Privacy

Sarah Sybert on governmentciomedia.com

The collaborative document aims to keep AI ethical and equitable while standardizing best practices at the federal level.

The hidden market for your location data : The Indicator from Planet Money

Wailin Wong on NPR (npr.org)

Your smartphone is pretty bad at keeping secrets – if it keeps track of your location, someone (or some app) almost definitely knows where you are. Today, the murky market for personal location data.

Amazon Must Turn Over Extensive Records in Alexa Privacy Lawsuit

Christopher Brown on Bloomberg Law (news.bloomberglaw.com)

Amazon.com Inc. must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices and their recording of users’ conversations, a federal judge ruled.

When Your Neighbor Turns You In

Thor Benson on WIRED (wired.com)

Authoritarian societies depend on people ratting each other out for activities that were recently legal—and it’s already happening in the US.

Fizz compromised users’ privacy. It may do so again.

Joyce Chen on The Stanford Daily (stanforddaily.com)

Last fall, Stanford student researchers found a large vulnerability in Fizz’s security. The founders’ response raises questions about the app today, writes Joyce Chen.

Parties to Zoom Privacy Litigation Seek Tentative Ruling from Court Regarding Objectors’ Appeals

Christina Tabacco on Law Street Media (lawstreetmedia.com)

A joint filing by Zoom Video Communications Inc., the plaintiffs prosecuting a class action against it, and several objectors asked Magistrate Judge to issue a tentative ruling as to whether she would accept the settlements reached by the three objectors who disapproved of the original $85 million class settlement.

Google says privacy key as NZ Identity Check system planned

Phil Pennington on RNZ (rnz.co.nz)

Google says it is supporting efforts between countries to fix a lack of “legal stability” around the flow of people’s data and privacy.

Gathering CLOUD Requests Forecast for Technology and Communications Service Providers

on Morrison Foerster (mofo.com)

As a result of a recent agreement between the United Kingdom and United States, technology and communications service providers should prepare for changes in the landscape of data access requests by UK and U.S. law enforcement agencies.

Looking to a New EU-US Data Privacy Framework

on JD Supra (jdsupra.com)

As we wrote in July 2020, the European Court of Justice issued a landmark decision that invalidated the Privacy Shield as untenable under the European…

GAO report: government departments need dedicated leaders to oversee privacy goals

Christopher Burgess on CSO Online (csoonline.com)

A US Government Accountability Office report is calling for a host of changes to improve privacy within various federal agencies and departments. How those changes get implemented will depend largely on the establishment of new privacy leaders.

Privacy commissioner slams government for not sharing health-care bill ahead of 2nd reading

Alex Kennedy on CBC (cbc.ca)

The bill would amalgamate Newfoundland and Labrador’s four health authorities, but Michael Harvey and opposition parties say they weren’t given the legislation to prepare or ask questions ahead of its second reading on Tuesday.

Danish DPA Follows Suit and Becomes the Latest EU Data Protection Authority to Conclude that the Use of Google Analytics is Unlawful Without Supplementary Measures

on orrick.com

In a recent announcement, Datatilsynet, the Danish Data Protection Authority, declared that the Google Analytics tool does not comply with the GDPR’s requirements for international transfers.  The latest decision by the Danish DPA builds upon the growing sentiment among EU regulators as to the legality of Google Analytics and follows similar rulings by the Austrian, French and Italian data protection authorities.

Retailers are wading deeper into customer data. States are raising the alarm.

Dani James on Retail Dive (retaildive.com)

Brands from Walmart to Peloton are now able to access more personal customer data, including biometric identifiers, as they expand their digital capabilities. Where does that leave them legally?

Free privacy for all: Ghostery users can now pay with their expertise instead

Chiara Castro on TechRadar pro (techradar.com)

The privacy firm is committed to build a user-first internet


Image credit: Originally by Nick Youngson, licensed from Alpha Stock Images under CC BY-SA 3.0 via Picpedia