Privacy Insider newsletter: March 23, 2021

Welcome to Privacy Insider newsletter, a round-up of the week's most important privacy news.

When lawmakers can finally boast that they've completed the ePrivacy Regulation, it will be a big deal. It will update a now 20-year-old law, the ePrivacy Directive, and keep electronic communications protected. Updating the Directive means it will apply to telecommunications and internet companies that the law currently covers, but also other technology services such as web-based email and social media messaging services 

Of note: A regulation updating what can and can't be done with electronic data is not something that thrills the ad tech industry, for one.

I have to admit that I frequently roll my eyes when the ePrivacy Regulation comes up in conversation. It's sort of akin to the U.S. talking about a federal privacy law. Though a direct comparison wouldn't be accurate, both have struggled legislatively to gain enough traction to become real-life laws. While the European Commission adopted a proposal in 2017, progress has stalled throughout several leadership changeovers (the Council of the European Union rotates member-state presidencies every six months). It's stalled for four straight years under nine different presidencies, despite promises from each that they'd be the country to get it done.

Now, Portugal holds the presidency and has reportedly made substantial efforts to jumpstart negotiations again. For the draft to become final, it must go through the "Trilogue" process, negotiations between the European Commission, the European Parliament and the Council. 

While European politicians and onlookers alike were thrilled when, on Feb. 10 of this year, the European Council found agreement on the text and moved it along to negotiations with the European Parliament, it doesn't mean the draft is signed, sealed, delivered. 

Margrethe Vestager, executive vice president of the European Commission, said this week she's worried that the Regulation as drafted doesn't align with the EU General Data Protection Regulation as intended. 

So, while things are looking up, and even Vestager admits that "things are finally happening and moving forward," there's a whole lot to negotiate — like data retention requirements and rules on processing metadata — before compliance planning can begin.

Enjoy reading, and I'll see you next week!

1. Coalition calls for a ban on 'surveillance advertising'

   A group of nearly 40 organizations has called for a ban on "surveillance advertising," TechCrunch reports. In an open letter, the organizations write, "Social media giants are eroding our consensus reality and threatening public safety in service of a toxic, extractive business model. That's why we're joining forces in an effort to ban surveillance advertising." The groups include privacy, antitrust, consumer protection and civil rights groups. 
   Read Story

   2. California appoints five privacy experts to inaugural privacy enforcement agency 

   On March 18, California government officials announced the five experts in privacy and technology to lead the administrative agency responsible for enforcing California's privacy law. Five experts in privacy, technology and consumer rights will staff the Consumer Privacy Protection Board, Lake County News reports. The California Privacy Rights Act (CPRA) established the board's existence. The CPRA passed the ballot in 2020 and will supplant the California Consumer Privacy Act. 
   Read Story

   3. EU Commissioner: Current ePrivacy proposal needs work

   The executive vice president of the European Commission said she has reservations about the Portugal presidency's bid to push the ePrivacy Regulation forward. The regulation has been in limbo for years, though it was meant to pass at the same time as the EU General Data Privacy Regulation (GDPR) in 2018. Margrethe Vestager said Portugal's proposal, which the European Council approved, doesn't align with the GDPR's rules as intended. "They are not supposed to play the same role, but they should be aligned, and we will work on that issue," Vestager said. 
   Read Story

   4. Privacy commissioner wants more protections in data-sharing bill

   The Australian privacy commissioner has called for additional privacy protections in a proposed law to facilitate government data sharing. The commissioner's office said the Data Availability and Transparency Bill must contain other safeguards and has asked that it incorporate the same definitions as those in the country's Privacy Act. Digital Rights Watch also has problems with the draft text, citing it would make it easier for government agencies to share individuals' personal data among themselves and accredited third parties. 
   Read Story

   5. Advertisers unclear on what to expect from Google in a post-third-party cookie world

   Google's Privacy Sandbox and its plans to replace third-party cookies in the coming year are causing some confusion. It's not entirely clear what advertisers can do with their first-party data once Chrome makes the change. "I think the issue is people refer to the Google Privacy Sandbox as one thing when it's really a collection of many potential solutions," said one stakeholder. Digiday reports on what we know so far. 
   Read Story

   6. NIST wants feedback on new BYOD privacy and security guide

   The National Institute of Standards and Technology (NIST) has released draft guidance for enterprise bring-your-own-device policies, Health IT Security reports. The guidance aims to "provide system administrators with a standards-based approach" to employee mobile devices that might contain company data. NIST has asked stakeholders for feedback on the guidance by May 3. 
   Read Story