Privacy Insider: October 19, 2021

As proud as any American is to call ourselves such, a few things make us nervous when we fly overseas. For example, during the years that we invaded Iraq, I told people I was Canadian. It was going okay until that bar in Copenhagen where I tried telling a guy, who'd just bought me a drink, that I lived in Montreal. It turns out his sister did, too. And I couldn't name a single street there.

I thought St. Catherine's Street was a good guess? He did not.

But working in this field, I'm sheepish whenever a federal law comes up in conversation with a European colleague. At this point, it's a bit embarrassing to acknowledge that we Americans can't seem to get it done. It sort of feels like I missed a deadline and I'm trying to come up with reasons why. 

But here's the thing: The assignment was handed down 21 years ago.

It was one thing when the EU passed the General Data Protection Regulation. Already, it included a right to privacy within the European Convention of Human Rights in the 1950s. So perhaps that's why it led the world in passing a data privacy law in 2018. Obviously, a fundamental right was violated en masse when technology companies started vacuuming data for targeted advertising and other commercial purposes. What did the EU do? It did something about it and passed groundbreaking legislation, the General Data Protection Regulation (GDPR. It would change how companies think about and treat consumer data worldwide. In 2018 and forevermore, any company — EU-based or otherwise — doing business with EU citizens had to look closely at its data practices and clean them up or risk massive fines.

Since the GDPR, governments that understood how important a privacy framework would be to continue healthy commercial relationships with the West have passed national laws. China and Brazil both passed a general privacy law in the last two years, for example. Despite our global standing, the U.S. still hasn't managed to pass a privacy law. And it's causing all sorts of problems.

EU lawmakers have big concerns about the safety of EU citizens' data in the hands of any country without a legal framework that makes promises. For the last six years, the U.S. and EU have struggled to keep two crucial data transfer agreements afloat. First, the Safe Harbor agreement allowed U.S. companies to process EU citizens' data. As you likely know, the EU court canceled it. A Privacy Shield framework replaced it but similarly met its demise in 2020.

But this isn't a new problem here in the states. Back in 2000, the U.S. Federal Trade Commission called on Congress to pass a privacy law. There were hearings, but nothing happened. The same has continued every legislative session since.

Congress is a body with problems. We know this. But if we needed a privacy law in 2000, we definitely need it 21 years later. Facebook didn't even exist in 2000! Think of all the data we've all given up since then, just on that platform alone.

Often, the problem comes down to two major issues: Whether aggrieved consumers should have the right to sue if a company violates the law and whether federal law should trump state law. Industry has very different ideas about which rights consumers should have and vice versa. And so we talk circles at hearing after hearing with witness after witness and never get any closer.

It might be time to not let perfect be the enemy of the good. In this week's round-up, I've included the news that Google CEO Sundar Pichai has called on lawmakers to pass a privacy law. I'm always shocked when industry representatives call for rules: Why would anyone say, "Restrict me from doing whatever I may please!" But industry is struggling, too. Many companies are overwhelmed by state-by-state laws on what they can and cannot do and would prefer to rely on one clear standard.

As much as consumers benefit from rules that protect us, businesses say they would, too.

Google's Pichai certainly has more power than I could ever dream of, and perhaps he'll get his wish. Maybe Congress will get its act together and find a way to meet in the middle.

For my own selfish reasons, and before I get busted again for playing Canadian at some Copenhagen bar, I hope it does, too.

Enjoy reading this week's top privacy news, below, and I'll see you next week!

Critics say Facebook fine is a "GDPR bypass" for the company

Last week, the Irish Data Protection Commissioner's decided to fine Facebook between 28 million euros and 36 million euros. And that may indicate how much leeway companies have to process personal data, Politico reports. The fine alleges Facebook isn't transparent about what it does with the user data it collects, but privacy advocates say the decision amounts to a "GDPR bypass."
Read Story

Amazon appeals data protection authority's $865M fine 

Last week, Amazon filed an appeal at the Luxembourg Administrative Tribunal to challenge the $865 million fine the country's data protection authority (DPA) issued in July over violations of Europe's privacy law. The fine is the largest since the General Data Protection Regulation came into effect in 2018. Though neither Luxembourg's DPA nor Amazon has discussed the case's specifics, Bloomberg reports the is fine related to Amazon's personal data processing. 
Read Story

Twitch says major data breach didn't expose user passwords

Last week, livestreaming service Twitch announced a major data breach when leaked source code hit the web, The Verge reports. The company reported that an unauthorized third party accessed a server. Twitch was hacked in 2014 also and again in 2017, the report states. Digital Journal reports on why there are so many data leaks and how organizations can protect themselves, including "salting and hashing stored passwords …. or encrypting user data at rest" to minimize impact to users.
Read Story

Google CEO calls on US gov't to pass privacy law

This week, Google CEO Sundar Pichai said the U.S. government should use the EU's privacy law as a model to pass federal legislation, CNET reports. "I would really like to see a federal privacy standard in the US," he said. "I'm worried about a patchwork of regulations in states that adds a lot of complexity." An opinion piece for Roll Call discusses why the "U.S. cannot afford to fall further behind" countries that have passed a law, including China and Brazil. 
Read Story

Judge says Amazon Ring doorbell violated UK privacy laws

A judge in the U.K. has ruled that a man who installed an Amazon Ring doorbell violated his neighbor's privacy. The Ring doorbell captured images of the neighbor's house, garden and parking space. The judge found the audio data Ring collected violated the U.K. Data Protection Act and the U.K. General Data Protection Regulation because it collected images and conversations from people who weren't aware their data was being recorded.
Read Story