A new senate bill would create a US data protection agency

Europe’s data protection laws are some of the strictest in the world, and have long been a thorn in the side of the data-guzzling Silicon Valley tech giants since they colonized vast swathes of the internet.

Two decades later, one Democratic senator wants to bring many of those concepts to the United States.

Sen. Kirsten Gillibrand (D-NY) has published a bill which, if passed, would create a U.S. federal data protection agency designed to protect the privacy of Americans and with the authority to enforce data practices across the country. The bill, which Gillibrand calls the Data Protection Act, will address a “growing data privacy crisis” in the U.S., the senator said.

The U.S. is one of only a few countries without a data protection law, finding it in the same company as Venezuela, Libya, Sudan and Syria. Gillibrand said the U.S. is “vastly behind” other countries on data protection.

Gillibrand said a new data protection agency would “create and meaningfully enforce” data protection and privacy rights federally.

“The data privacy space remains a complete and total Wild West, and that is a huge problem,” the senator said.

The bill comes at a time when tech companies are facing increased attention from state and federal regulators over their data and privacy practices. Last year saw Facebook settle a $5 billion privacy case with the Federal Trade Commission, which critics decried for failing to bring civil charges or levy any meaningful consequences. Months later, Google settled a child privacy case that cost it $170 million — costing the search giant about a day’s worth of its revenue.

Gillibrand pointedly called out Google and Facebook for “making a whole lot of money” from their empires of data, she wrote in a Medium post. Americans “deserve to be in control of your own data,” she wrote.

At its heart, the bill would — if signed into law — allow the newly created agency to hear and adjudicate complaints from consumers and declare certain privacy invading tactics as unfair and deceptive. As the government’s “referee,” the agency would let it take point on federal data protection and privacy matters, such as launching investigations against companies accused of wrongdoing. Gillibrand’s bill specifically takes issue with “take-it-or-leave-it” provisions, notably websites that compel a user to “agree” to allowing cookies with no way to opt-out. (TechCrunch’s parent company Verizon Media enforces a ‘consent required’ policy for European users under GDPR, though most Americans never see the prompt.)

Through its enforcement arm, the would-be federal agency would also have the power to bring civil action against companies, and to fine companies for egregious breaches of the law up to $1 million a day, subject to a court’s approval.

The bill would transfer some authorities from the Federal Trade Commission to the new data protection agency.

Gillibrand’s bill lands just a month after California’s consumer privacy law took effect, more than a year after it was signed into law. The law extended much of Europe’s revised privacy laws, known as GDPR, to the state. But Gillibrand’s bill would not affect state laws like California’s, her office confirmed in an email.

Privacy groups and experts have already offered positive reviews.

Caitriona Fitzgerald, policy director at the Electronic Privacy Information Center, said the bill is a “bold, ambitious proposal.” Other groups, including Color of Change and Consumer Action, praised the effort to establish a federal data protection watchdog.

Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology, reviewed a summary of the bill.

“The summary seems to leave a lot of discretion to executive branch regulators,” said Richardson. “Many of these policy decisions should be made by Congress and written clearly into statute.” She warned it could take years to know if the new regime has any meaningful impact on corporate behaviors.

Gillibrand’s bill stands alone — the senator is the only sponsor on the bill. But given the appetite of some lawmakers on both sides of the aisle to crash the Silicon Valley data party, it’s likely to pick up bipartisan support in no time.

Whether it makes it to the president’s desk without a fight from the tech giants remains to be seen.

Google’s location tracking finally under formal probe in Europe

Google’s lead data regulator in Europe has finally opened a formal investigation into the tech giant’s processing of location data — more than a year after receiving a series of complaints from consumer rights groups across Europe.

The Irish Data Protection Commission (DPC) announced the probe today, writing in a statement that: “The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing.”

“As such the DPC has commenced an own-volition Statutory Inquiry, with respect to Google Ireland Limited, pursuant to Section 110 of the Data Protection 2018 and in accordance with the co-operation mechanism outlined under Article 60 of the GDPR. The Inquiry will set out to establish whether Google has a valid legal basis for processing the location data of its users and whether it meets its obligations as a data controller with regard to transparency,” its notice added.

We’ve reached out to Google for comment.

BEUC, an umbrella group for European consumer rights groups, said the complaints about ‘deceptive’ location tracking were filed back in November 2018 — several months after the General Data Protection Regulation (GDPR) came into force, in May 2018.

It said the rights groups are concerned about how Google gathers information about the places people visit which it says could grant private companies (including Google) the “power to draw conclusions about our personality, religion or sexual orientation, which can be deeply personal traits”.

The complaints argue that consent to “share” users’ location data is not valid under EU law because it is not freely given — an express stipulation of consent as a legal basis for processing personal data under the GDPR — arguing that consumers are rather being tricked into accepting “privacy-intrusive settings”.

It’s not clear why it’s taken the DPC so long to process the complaints and determine it needs to formally investigate. (We’ve asked for comment and will update with any response.)

BEUC certainly sounds unimpressed — saying it’s glad the regulator “eventually” took the step to look into Google’s “massive location data collection”.

“European consumers have been victim of these practices for far too long,” its press release adds. “BEUC expects the DPC to investigate Google’s practices at the time of our complaints, and not just from today. It is also important that the procedural rights of consumers who complained many months ago, and that of our members representing them, are respected.”

Commenting further in a statement, Monique Goyens, BEUC’s director general, also said: “Consumers should not be under commercial surveillance. They need authorities to defend them and to sanction those who break the law. Considering the scale of the problem, which affects millions of European consumers, this investigation should be a priority for the Irish data protection authority. As more than 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it would be unacceptable for consumers who trust authorities if there were further delays. The credibility of the enforcement of the GDPR is at stake here.”

The Irish DPC has also been facing growing criticism over the length of time it’s taking to reach decisions on extant GDPR investigations.

A total of zero decisions on big tech cases have been issued by the regulator — some 20 months after GDPR came into force in May 2018.

As lead European regulator for multiple tech giants — as a consequence of a GDPR mechanism which funnels cross border complaints via a lead regulator, combined with the fact so many tech firms choose to site their regional HQ in Ireland (with the added carrot of attractive business rates) — the DPC does have a major backlog of complex cross-border cases.

However, there is growing political and public pressure for enforcement action to demonstrate that the GDPR is functioning as intended, even as further questions have been raised about how Ireland’s legal system will be able to manage so many cases.

Google has felt the sting of GDPR enforcement elsewhere in the region; just over a year ago the French data watchdog, the CNIL, fined the company $57 million — for transparency and consent failures attached to the onboarding process for its Android mobile operating system.

But immediately following that decision Google switched the legal location of its international business to Ireland — meaning any GDPR complaints are now funnelled through the DPC.

Tech companies, we see through your flimsy privacy promises

There’s a reason why Data Privacy Day pisses me off.

January 28 was the annual “Hallmark holiday” for cybersecurity, ostensibly a day devoted to promoting data privacy awareness and staying safe online. This year, as in recent years, it has become a launching pad for marketing fluff and promoting privacy practices that don’t hold up.

Privacy has become a major component of our wider views on security, and it’s in sharper focus than ever as we see multiple examples of companies that harvest too much of our data, share it with others, sell it to advertisers and third parties and use it to track our every move so they can squeeze out a few more dollars.

But as we become more aware of these issues, companies large and small clamor for attention about how their privacy practices are good for users. All too often, companies make hollow promises and empty claims that look fancy and meaningful.