Major News from Osano!
Hello all, and happy Thursday!Read Now
December 22, 2020
Welcome to the latest edition of the Privacy Insider newsletter. Each week, we send you the latest and smartest news in the world of data privacy.
It might be the end of 2020, but that doesn't mean on privacy and data protection news slows down. This week, Facebook announced changes to its product to comply with a new EU privacy rule in effect. The ePrivacy Directive's rules have expanded to accommodate more forms of communication.
In addition, a new privacy enforcement agency, established under the law that California voters passed in November, is beginning to take shape. The agency will oversee the implementation of the Consumer Privacy Rights Act, and it's an interesting story because it's unprecedented here in the U.S. The EU's data protection authorities are becoming well seasoned regulators, having overseen compliance with the EU General Data Protection Regulation for two years now. But in the U.S., we've historically had to look to attorneys generals to enforce their state's privacy laws, given the absence of a federal privacy law in the U.S. Most agree they've done a great job, but their mandate is much broader than just privacy. The new agency has a singular purpose.
What's more, the establishment of the California agency could ostensibly be the start of something good here in the U.S. If other states follow suit, perhaps the EU will look more kindly on the seriousness with which the U.S. takes protecting privacy, a shift the U.S. very much needs if it wants to continue a collaborative relationship on both fighting terrorism and commerce, among other priorities.
In fact, a story in today's Privacy Insider looks at one of those important relationships and the privacy criticisms levied against it.
Stay safe and warm this holiday season, and we hope you enjoy this week's edition.
Here are the top stories you might have missed:
New Enforcer of California Privacy Rights Act is faceless, for now
In November, California voters approved Proposition 24, the Consumer Privacy Rights Act (CPRA). The law will replace the California Consumer Privacy Act (CCPA) when it comes into force in January 2023. Importantly, the new law assigns a new data privacy cop on the beat, changing enforcement responsibilities from the state’s attorney general to the California Privacy Protection Agency, reports this Osano blog post.
Facebook announces ‘messaging’ changes to accommodate ePrivacy Directive expansion
Responding to changes in the EU’s Privacy and Electronic Communications Directive, which become effective this week, Facebook has announced changes to its messaging products for users, SocialMediaToday reports. The ePrivacy Directive will now cover more forms of digital communication. Facebook said, "People using our messaging and calling services in Europe or interacting with friends and family in Europe may notice some changes to features on Messenger, Instagram and Facebook. In order to comply with the law, we needed to adjust the way our services work, such as further segregating messaging data from other parts of our infrastructure."
New Zealand’s updated law carries an ‘I’m sorry’ provision
On Dec. 1, New Zealand’s revised privacy law came into effect. Compliance Week reports on a provision that hasn’t made as much news as the law’s mandatory breach reporting and potential fines: the ability to apologize without admitting guilt. “This brings a very human touch to the legislation that will likely make a big difference in the mediation and settlement process. …. Being able to say ‘I’m sorry this happened to you’ is very different than ‘I’m sorry I caused you harm,’” the report states.
Privacy International, a U.K.-based advocacy charity, has found that menstruation apps are unnecessarily storing personal information, The Guardian reports. The group studied five of the most popular menstruation apps and found companies storing “intimate information on users,” including the medication she takes, birth control plans and sexual habits. The group is calling on apps to restrict the amount of information they store and allow for registration to be optional, omitting the requirement for an email address.
In an opinion piece for The Hill, a member of the U.S. Civil Liberties and Oversight Board describes the board’s recent review of the Terrorist Finance Tracking Program (TFTP). The program allows the U.S. to provide “a steady dream of valuable intelligence to EU member states” to thwart terrorism on both sides of the Atlantic. However, writes board member Adam Klein, EU officials have repeatedly expressed concerns about the program’s impact on privacy, which Klein calls “legitimate and important,” but notes TFTP “is a truly cooperative arrangement that works well for both sides.”
In a Christmas letter, European Data Protection Supervisor Wojciech Wiewiórowski describes his first year in the role under “these extraordinary circumstances.” The EDPS writes that the global COVID pandemic has “served as a magnifying glass for global trends that pervade our societies” and “risks being the perfect occasion for some to exploit the most sensitive attributes of human beings, health data.”
JD Supra reports on an on-the-rise trend: state attorneys general coordinating data breach enforcement. The “AG community is now motivated and experienced when it comes to pursuing such settlements, said Tennessee's chief deputy attorney general Jonathan Skrmetti. His office recently let a joint effort on a Community Health Systems breach in which 6.1 million records were hacked. Collaborating allows the regulators to leverage each others’ resources and experiences, Skrmetti said.
In a legal analysis published Dec. 19, privacy think-tank the Future of Privacy Forum called on a Florida county’s sheriff’s office and schools to change a program that uses student data to predict future criminality. “The Sheriff’s Office’s current data practices violate not only its contract with the school board but also the privacy protections required by the federal education privacy law,” said the Future of Privacy Forum. It called for “increased transparency, additional training and proactive steps from school administrators to mitigate legal and ethical issues.”
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”