Year: 2022

Google must face most of Texas AG’s antitrust lawsuit, which alleges, among other things, that the company illegally monopolized the advertising technology market. Google won its motion to dismiss an allegation that it entered into an anticompetitive agreement in 2018 with Meta’s Facebook—codenamed Jedi Blue—with respect to advertising auctions. Despite Google having to face all but the one claim in the suit, the company is considering the dismissal a win, asserting that the dismissal highlights the flawed nature of the AG’s case.

Google lost a challenge against an EU antitrust decision, resulting in a record fine of €4.1 billion for the company. Europe’s General Court broadly upheld the Commission’s decision concluding that Google imposed unlawful restrictions on Android mobile device manufacturers and network operators in order to support the dominance of its search engine. 

The Privacy and Civil Liberties Oversight Board (PCLOB) is seeking public comments related to its oversight project examining Section 702 of the Foreign Intelligence Surveillance Act. Section 702 is a key FISA provision permitting the government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of electronic communication service providers, to acquire intelligence information.

At a “listening session” about tech platform accountability, the White House has renewed a call to remove the shield allowing platforms to disseminate content without liability. President Biden previously called for the revocation of the liability shield, also known as Section 230 of the Communications Decency Act, on the campaign trail in 2020. Biden will need Congressional action for the change, but there is limited bipartisan consensus on how to fix the law. 

Apple added multiple new privacy and security features in its newly released iOS 16. One of the privacy features is called Safety Check and allows people to quickly reset data and location access sharing. According to Apple, the feature is aimed at those in domestic or intimate partner violence situations. For non-emergency situations, Apple has rolled out a Manage and Sharing Access walkthrough that allows individuals to review sharing permissions and data access.

Apple, who for years has been a vocal critic of data-intensive online advertising models, is now making a push to become a bigger seller of ads. Apple will likely face criticism that it is acting hypocritical, given that many features across its devices, operating system, and its safari browser have been designed to block tracking technologies and limit the sharing of person or device-level information. In order to be successful with its advertising efforts, the company must integrate its advertising initiatives into its ecosystem without detrimentally impacting its renowned user experience.

Google and Meta were hit with a whopping fines totaling ~$71.8M (100 billion KRW) by South Korean authorities due to a finding that the companies violated the country’s privacy law. According to South Korea’s Personal Information Protection Commission (PIPC), Google and Meta failed to receive legitimate consent in the process of collecting information from users. These penalties are the largest to date in South Korea for violation of the personal information protection laws.

The FTC published an advanced notice of proposed rulemaking to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. The Commission is specifically inviting comment on whether it should implement new trade rules or other regulatory alternatives concerning the ways in which “companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.” Comments must be received on or before October 21, 2022.

Upcoming NYC events:

• Simons Foundation Presidential Lecture: Algorithmic Fairness from a Sociotechnical Lens (Wednesday, September 21, 2022; 5:30pm doors)
• Cornell Tech’s 4th Annual Symposium on Applications of Contextual Integrity (Thursday, September 22-Friday, September 23)

(Compiled by Student Fellow Tanner Co)

The Ninth Circuit Court of Appeals held this week that web scraping of publicly accessible data is legal. The case initially arose when LinkedIn sued a company, Hiq Labs, for scraping data off its site in order to evaluate employee attrition. 

The Dutch tax authority was recently fined €3.7 million for GDPR violations stemming from the ‘child care benefits scandal’ first uncovered in 2019. The authority had utilized an algorithm that mistakenly flagged as high-risk tens of thousands of people––many belonging to low income or dual citizen households––as potentially engaging in child care benefits fraud. Mistakenly flagged individuals were denied certain services as a result of their high risk profile, including payment arrangements and debt restructuring. 

The 10th annual Freedom of Expression Scholars Conference will take place on Saturday, April 30 and Sunday, May 1st. It will be preceded by a Symposium organized by the Journal of Free Speech Law on Friday, April 29th at 5pm EST. As in previous years, the conference will be a mix of plenary sessions (one panel discussing multiple papers) and breakout sessions (simultaneous panels, each discussing one paper). All sessions will take place on Zoom. Papers can be found here.

(Compiled by Student Fellow Addison Yang)

Recently, the Cybersecurity and Infrastructure Security Agency issued a “shields up” message to U.S. organizations, warning of potential cyberattacks relating to the Russian invasion of Ukraine. While no definite threats have been confirmed or issued, the agency has provided guidance on vulnerabilities and common tactics and has cataloged known vulnerabilities. 

The Center for Social Media and Politics hosted a symposium on the future of social media. The panels at that symposium discussed how to cover, research, and regulate social media in the wake of the Facebook Papers.

(Compiled by Student Fellow Justin Jin)

The ACLU put out an op ed on the privacy implications of digital currencies, highlighting that the technology may pose more threats to privacy than previously anticipated.

The European Union court of justice (CJEU) ruled once again that EU continues to preclude the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime.

The NYU Center for Social Media and Politics (CSMAP) is holding a virtual symposium on April 13, 2022: The Future of Social Media: Covering, Researching, and Regulating Platforms.

(Compiled by Student Fellow Margarita Boyarskaya)

Last week, the United States and the European Commission committed to a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address concerns raised in 2020 by the Court of Justice of the European Union when it struck down the Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework.

Parliament and Council negotiators agreed on new EU rules to limit the market power of big online platforms. The Digital Market Act will ban certain practices used by large platforms acting as “gatekeepers” and enable the Commission to carry out market investigations to sanction non-compliant behavior.

On March 24, 2022, the Utah Consumer Privacy Act was signed into law by the Utah Governor. This bill will take effect on December 31, 2023.

The Center for Social Media and Politics will hold a half-day symposium on “The Future of Social Media: Covering, Researching, and Regulating Platforms” on April 13, 2022. 

The District Court for the Western District of Texas Austin found the state’s prohibition of the use of unmanned aerial vehicles (“UAV”) by journalists to be unconstitutional. 

Apple released its new privacy feature “Private Relay” and “Hide my Email” bringing new privacy protections months after releasing App Tracking Transparency. These features are only available to users who have an iCloud storage subscription.

(Compiled by Student Fellow Raisa Adila Andomi)

The Cyber Law and Policy Scholars Conference (CLPSC) published its Call for Papers. Submissions are due by May 1, 2022.

Last Friday, the Superior Court of the District of Columbia dismissed a lawsuit against Amazon.com Inc that accused the company of antitrust violations.  The Washington, D.C. attorney general filed the complaint last year, alleging that Amazon barred third-party sellers from offering better deals for their products elsewhere.

U.S. startup Clearview AI provided Ukraine’s defense ministry access to its facial recognition technology to use in the conflict with Russia.

The University of Florida is hosting The 2022 Technology, Media, & Privacy Law on Friday, March 25.

A federal class-action lawsuit filed in the Southern District of New York accused the NYPD of unconstitutionally collecting possible suspect DNA from cigarette butts, empty cans, or bottles left in interrogation rooms.

The Justice Department (anti-trust) is requesting the District Court for the District of Columbia to sanction Google for explicitly and repeatedly instructing its employees to shield important business communications from discovery by using false requests for legal advice, thus misusing attorney-client privilege.

Last week, the California Attorney General’s Office released an opinion clarifying that a consumer’s right to know under the California Consumer Privacy Act covers business-generated inferences unless there’s a proven statutory exemption.

A panel (April 4th, 2022, online) organized by S.T.O.P. will explore the NYC Mayors’ proposed expansion of municipal data collection and digitization of city services and the danger this plan poses to undocumented New Yorkers.

(Compiled by Student Fellow Uria Beeri)

President Biden signed an executive order calling for a comprehensive review of the federal government’s stance toward cryptocurrencies, including an assessment of the risks to consumers, the financial system, and the climate. Agencies and regulators will prepare reports on digital assets, and the government will explore the creation of a U.S. Central Bank Digital Currency.

The Utah legislature approved comprehensive privacy legislation, which would make Utah the fourth US state, and the first controlled by two Republican chambers, to do so, if the bill is signed by Governor Spencer Cox. The state privacy law lacks some measures preferred by privacy groups, such as a private right of action for violations.

Twitter became the latest tech company to launch a Tor onion service, which may allow users in Russia and around the world to bypass government censorship of the social network and news service. Twitter’s announcement may also further mainstream Tor’s network around the world.

A new report details profits made by prison telecommunication companies who distribute tablets to incarcerated populations and charge prisoners on a per-use basis for email “stamps,” video calls, and entertainment offerings. Use of tablets in prisons greatly expanded during the Covid-19 pandemic as other recreation and education programs were curtailed.

Amazon became the latest company to restrict services in Russia. In a blog post, the Seattle-based company announced suspension of all retail shipments and Prime Video streams to Russian customers, and noted they would stop accepting new AWS customers and third party sellers based in Russia or Belarus.

(Compiled by Student Fellow Corey Berman)

Google has temporarily disabled Google Maps features in Ukraine that provide live information about how busy roads and places are following the recent invasion of Russian forces.

A Virginia court refused to issue a geofence warrant, finding the warrant would be unconstitutional, as applied. The court held that the search warrant application, sought in relation to a shooting investigation, lacked sufficient probable cause and particularity to satisfy the demands of the Fourth Amendment.

The Irish data protection commissioner is seeking to suspend Meta data transfers from the European Union to the United States. This move comes after the existing transatlantic transfer pact was blocked by the European Union Court of Justice due to inadequate security protections of personal data once transferred to the United States.

In his State of the Union address, President Joe Biden called on Congress to strengthen online privacy protections for children, criticizing social media’s targeted advertising of children and widespread collection and use of children’s personal data.

The U.S. Senate has passed a major cybersecurity bill, the Strengthening American Cybersecurity Act. The bill, which has yet to be reviewed and passed by the House, would require critical infrastructure companies to report ransomware payments, cyberattacks, and data breaches.

Keller Lenkner, a Chicago-based law firm, is bankrolling customers bringing tens of thousands of arbitration claims against TurboTax-maker Intuit. The strategy is, in part, a response to a recent unsuccessful class action against Intuit, which had steered customers away from the Free File product developed in partnership with the IRS and toward a “Free Edition” of TurboTax that charged some users fees. 

(Compiled by Student Fellow Lorna Mosher)

On February 23d, the Privacy Research Group discussed the following current events:

The European Commission has put forth a proposal this week on industrial data regulation. The proposal, called the Data Act, is especially notable in its push for greater data-sharing and the right to data portability.

The PRG also discussed the National Institute of Standards and Technology’s plans to revise its Cybersecurity Framework. One particular aim of the revision is to improve cybersecurity guidance for supply chain risk management.

In media-related news, the New York Times has recently bought Wordle. The media company’s use of ad-trackers in the popular word game has led to privacy concerns and internet backlash.

On the other side of the pond, another news company has lost a landmark case on privacy. The UK Supreme Court has ruled against Bloomberg for publishing the private information of an individual facing criminal investigation. The court decision has prompted concerns over the future of journalism and the free press. 

(Compiled by Student Fellow Kiana Boroumand)

During the third PRG meeting of the Spring 2022 semester, the following topics were discussed:

This week the UN convened an international committee of government experts to conduct preliminary negotiations on a new treaty regulating cybercrime. However, there are substantial divides over what types of actions could be regulated and over the definition of “cybercrime.” A number of nations have pushed to exclude broader issues of national security, cybersecurity, and cyberwar, warning against using preventing cybercrime as a tool to impose broader controls on the internet. Another major divide is over the inclusion of both content-based crimes and technology-facilitated crimes. Human rights groups have noted the importance of public interest safeguards, and the initial proposals of many states have reflected those concerns, calling for adherence to current standards and an awareness of possible adverse consequences.

French and Belgian data protection watchdogs followed the Austrian’s data protection watchdog ruling that the use of Google Analytics violated GDPR with their own rulings. The French watchdog held that the data transfer built into Google Analytics violated Article 44, while the Belgian Data Protection Authority held that IAB Europe’s Transparency and Consent Framework infringed on GDPR as a result of IAB Europe’s negligence. Such rulings are likely to continue until US and EU negotiators come to an agreement to replace the recently struck down Privacy shield agreement.

California lawmakers are introducing a new bill, similar to the UK’s recent children’s code, tightening regulation on tech companies’ collection and usage of children’s data.  Lawmakers noted that several platforms introduced changes to make their platforms less addictive and more safe for children prior to the passage of UK regulation, and are undoubtedly hoping for similar effects.

Following a $650 million settlement in a similar lawsuit from the Illinois Attorney General, the Texas Attorney General has sued Meta, alleging that it unlawfully collected biometric data and stored such identifiers as vioceprints, retina or iris scans, and hand and face geometry. It is possible that similar lawsuits will continue, particularly if the Texas case results in a court victory or another large settlement.

Android announced a multi-year Privacy Sandbox initiative, aiming to create tools to improve users’ control over their own data. This builds on their Advertising ID system, which aimed to help users exercise more control over their data. It promises to limit third-party data sharing, not rely on cross-app identifiers, and stop cover data collection.

Second sight, a company producing implants to help restore vision to blind patients, stopped servicing and maintaining its ocular implants as it shifted its attention to a neural rather than ocular interface. This raises interesting questions the obligations companies have to maintain equipment others depend on, even as they go through bankruptcy or reorganization.

Meta has warned that upcoming privacy legislation in India may impact their operations. The bill seeks local storage and processing of data.

India has also banned 54 apps over security and espionage concerns. This follows the banning of 59 other apps, including TikTok, in June 2020, and another 118 apps in September 2020. This seems to both be part of a broader pushback against China as well as against apps which collect and transmit data abroad.

The CIA has been collecting and analyzing information on Americans in bulk and without a warrant, according to a declassified letter from two senators. These activities took place under Executive Order 12333, or intelligence activities that Congress left unregulated by its ban on bulk communications under the Patriot Act and FISA.

(Compiled by Student Fellow Justin Jin)