Month: November 2021

The Knight First Amendment Institute at Columbia University filed an amicus brief in a case challenging a Florida law limiting the power of social media companies to moderate speech on their platforms. The Knight Institute urges the Eleventh Circuit Court of Appeals to affirm the district court’s decision to block the law on the grounds of its constitutionality, including the law’s specific targeting of platforms perceived to have a liberal bias (e.g. Facebook and Twitter), but not of smaller, conservative-leaning platforms. In addition, the law carves out an exception to platforms which own a Florida theme park—a clear reference to Disney. 

The Surveillance Technology Oversight Project (S.T.O.P.), a privacy and civil rights group, and the Harvard Law School Cyberlaw Clinic jointly filed an amicus brief with Massachusetts Supreme Judicial Court, arguing police searches of cell tower data are unconstitutional. The filing came in Commonwealth v. Perry, supporting the defendant Jerron Perry’s appeal of his motion to dismiss evidence obtained through cell tower dumps, which included data on more than 50,000 individuals.

Québec’s updated privacy law imposes additional compliance requirements on businesses. Bill 64 requires companies to conduct privacy impact assessments for the transfer of personal information outside of Québec and appoint designated privacy officers. Québec is one of the few Canadian provinces to have a stand-alone private sector privacy law; among other obligations, it requires businesses to report to the Québec privacy regulator and notify individuals of data breaches where there is risk of “serious prejudice.” The law gives Québec’s Commission d’accès à l’information, the province’s privacy regulator, the ability to fine entities that break the law. The law’s provisions take effect from 2022-2024. 

India’s national cybersecurity coordinator is starting a project to assess privacy and security loopholes in mobile devices and apps. The project is called Indian Citizens Assistance for Mobile Privacy & Security (I-CAMPS), and it will provide a technology platform with an associated mobile application and desktop site to support Indian citizens in mitigating the vulnerabilities in their mobile handsets. Relatedly, India’s new data privacy bill is expected to be placed before parliament in the upcoming winter session. The bill has various provisions addressing privacy holistically, and proposes bringing in a single regulator for data protection in tandem with international laws. 

United States House and Senate bills (S. 2875; H.R. 5440) advancing through Congress would require critical industries to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”), which was created in 2018. High-profile cyber incidents, such as the Colonial Pipeline ransomware attack, have lawmakers pushing for mandatory cyber incident reports; the bills would require certain critical infrastructure operators designated by CISA to report incidents no later than 72-hours after the event. If passed, the legislation has the potential to give CISA more regulatory authority.

In apparent contradiction to Meta/Facebook’s announcement this summer that it would limit advertisers’ targeting of minors, the company is accused of continuing to track teens for targeting on its social platforms. This came to light in new research from Fairplay, Global Action Plan and Reset Australia, claiming that the company has retained its algorithms’ abilities to track and target kids. In response, Meta denied using the tracking data it is linking to teens’ accounts to for ad personalization purposes. 

The United States Senate confirmed notable big tech critic and progressive antitrust reformer Jonathan Kanter to lead the Justice Department’s antitrust division. Kanter has a history of representing technology companies, such as Yelp, Microsoft, and Spotify in antitrust suits against big tech competitors. With his confirmation, Kanter will inherit a lawsuit against Google filed during the Trump administration, accusing the company of anticompetitive behavior in the digital advertising market. At this point, it’s unclear if Kanter will recuse himself from the case, given his prior involvement in suits defending Google’s rivals. Relatedly, Federal Trade Commission nominee Alvaro Bedoya signaled support for addressing big tech regulation and privacy reform (specifically discussing facial recognition technology regulation) during a Senate confirmation hearing. If appointed, Bedoya is expected to take over the FTC’s “privacy portfolio.” Bedoya’s nomination is planned to advance to a full Senate vote shortly after Thanksgiving.

(Compiled by Student Fellow Tanner Co)

A bipartisan group of House lawmakers has introduced the filter bubble Transparency Act which requires companies like Meta (then known as ‘Facebook’) and YouTube to offer a version of their platforms that runs on an “input-transparent” algorithm that doesn’t pull on user data to generate recommendations. In other words, under the proposed legislation these companies have to offer an alternative version of their apps that doesn’t manipulate a recommendation based on secret algorithms driven by user-specific data. This would give people more control over the algorithms to shape their online experience.

The Israeli military is using a facial recognition tool on Palestinians as a surveillance initiative in the occupied West Bank. This surveillance initiative rolled out over the past two years, involves in part a Smartphone technology called “Blue Wolf” that captures photos of Palestinians’ faces and matches them to a database of images so extensive. The phone app flashes in different colors to alert soldiers if a person is to be detained, arrested, or left alone. On one hand, it raises major privacy and basic human rights concerns of Palestinians however; on the other hand, it also raises a question that whether this facial recognition surveillance is accurate and reliable enough, with individuals being put in jeopardy by being misidentified? 

Google loses key appeal against €2.4 billion in European Union (‘EU’) shopping antitrust case. The General Court held that “self-preferencing” is not in itself a breach of EU antitrust law but its potential harmful effects like stifling better products made by rivals are. Google now has the option to appeal the decision before the EU’s highest court, the European Court of Justice (‘ECJ’). On the other hand, Amazon was reportedly in talks with the EU to settle the antitrust investigation relating to self-preferencing. With Google losing this key appeal in the EUshopping antitrust case it would be interesting to see how things in Amazon investigation proceed. 

Meta will delete ‘sensitive’ ads targeting groups linked to race/ethnicity, religious views, political beliefs, sexual orientation, health, etc. from its platform. However, targeting groups based on age, gender, and location is still available. 

The Dalles City Council approved a deal with Google that will enable the technology giant to build more water-guzzling data centers. However, some residents worry about the drought and secrecy of part of the arrangement. On Monday, November 08, 2021, the council unanimously approved the $28.5 million deal that will enable Google two build two more data centers. 

The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights by violating General Data Protection Regulation (‘GDPR’). It is important to note that Google and the entire tracking industry rely on IAB Europe’s consent system, which has now been found to be illegal. IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach at the heart of online advertising. The Belgian Data Protection Authority’s decision is a draft decision that will now be shared with some other European data protection authorities so that it can be finalized and enforced.

Google wins an appeal against £3 billion privacy case that could have allowed users to claim money from the search giant. The UK Supreme Court in the case of Lloyd v. Google LLC has blocked a planned 3.2 billion pound ($4.3 billion) British class action against Google over allegations the internet giant unlawfully tracked the personal information of millions of iPhone users. Copy of the judgment is attached here. 

(Compiled by Student Fellow Lokesh Bulchandani)

Upcoming Events

Guarini Colloquium: Regulating Global Digital Corporations – Monday November 8, 2021, 17:20 – 18:20. In this NYU Law School colloquium, Hong Shen, the author of Alibaba: Infrastructuring Global China Routledge 2021) will be joining to discuss Alibaba’s role in China’s digital economy and beyond. If you are interested in attending, please email guariniglobal@nyu.edu (NYU Law community members can attend in person).

News Items 

Facebook announced that it plans to shut down its decade-old facial recognition system this month due to Societal Concerns. Facebook’s facial-recognition software had allowed it to build one of the largest repositories of digital photos in the world. This decision will result in deleting the face scan data of more than one billion users and effectively eliminating a feature that has fueled privacy concerns, government investigations, a class-action lawsuit and regulatory woes.

Yahoo is pulling out of China, ending its few remaining operations, as the country’s new strict regulations over data and gaming go into effect. Yahoo will be joining LinkedIn and Epic Games’ Fortnite to announce downsize China operations in the past month. The new Chinese data regulation requires a security assessment from a government authority, as well as certain contractual clauses about the government’s access to people’s personal data and restrictions on where that data can be stored. Also, a new gaming law attempts to prevent anyone under 18 years old from playing more than three hours of video games a week.

Facial recognition firm Clearview AI has been ordered to cease collecting photos of Australians from the internet and destroy all images and facial templates belonging to individuals living in Australia by the country’s national privacy regulator after it was revealed police in some states had trialed the technology. Clearview, which claims to have scraped 10 billion images of people from social media sites in order to identify them in other photos, sells its technology to law enforcement agencies. Following an investigation, Australia’s privacy regulator has found that the company breached citizens’ privacy according to the Australians Privacy Act 1988. 

Last week, India’s Supreme Court ordered an independent probe into reports that the government used the NSO’s surveillance software “Pegasus” to spy illegally on journalists, activists, and political opponents. The top court appointed a three-member committee to investigate the allegation, and its report will be submitted in two months.

Meta (Facebook’s owner) denies a claim by the Kazakhstan government that it had been granted exclusive privileges to remove ‘harmful’ content from Facebook. The Kazakh government had published what it called a “joint statement” with Facebook, alleging that it granted exclusive access to Facebook’s content reporting system that would streamline the process of removing content deemed illegal by Kazakhstan. In response, Meta spokesman Ben McConaghy said Facebook had dedicated online channels for governments to report content that they believe violates local law, and that “This process is the same in Kazakhstan as it is for other countries around the world,” additionally, he added that the government released their own statement, independent from Facebook. 

(Compiled by Student Fellow Amit Shoval)