Because it encompasses the lazy days of summer, Q3 is often a slower roll in the world of privacy — and July and August did not disappoint. Those of us following the privacy space got a much-needed break. However, as August wrapped up, Washington resumed its busy state of affairs, Europe returned to business as usual, and it quickly became clear that the privacy space had lost no momentum.
U.S. Federal Privacy
The Federal Trade Commission (FTC) won big this quarter. On September 13, President Biden nominated privacy advocate Alvaro Bedoya, founding director of the Center on Privacy and Technology at Georgetown Law, to serve as FTC commissioner. This nomination was celebrated by privacy professionals as a signal for greater subject visibility and experience at the federal level as well as a perceived commitment to push consumer protections.
Just before the quarter wrapped up, Senate Commerce Chair Maria Cantwell (D-Wash.) convened the first of a series of Senate hearings on September 29 entitled, “Protecting Consumer Privacy.” Witnesses offered broad support for increased funding for the Federal Trade Commission, all noting a need for additional staff and authority, and they advocated for a comprehensive federal framework for privacy.
There is a growing consensus that the FTC needs a boost if the United States is to address privacy and data protection adequately. Over the past few months, the FTC has undeniably demonstrated a dedication to broadening its impact and reach, with FTC Commissioner Lina Khan setting the tone by bringing seriousness to rein in big tech in both privacy and anti-trust matters.
Lawmakers are taking note. On September 20, a group of senators sent a letter to Khan, encouraging the FTC to begin a rule-making process that sets a national standard for data privacy and security. In the letter, they called on the FTC to undertake rule-making to protect consumer data including a prohibition on certain processing activities, opt-in consent rules, and global opt-out standards.
President Biden’s Executive Order on Promoting Competition in the American Economy issued in July also encouraged the FTC to take up rule-making to address “unfair data collection and surveillance practices,” particularly in the tech industry. Through this E.O., President Biden has seemingly given the FTC a go-ahead to institute comprehensive federal privacy rules.
Despite this renewed vigor, the FTC continues to be a government agency that is chronically underfunded and understaffed. So, the recent announcement that the FTC is set to receive $1 billion over the next 10 years to develop a privacy bureau has been met with real excitement and relief by advocates. For context, of the $351 million allocated to the FTC for its 2021 fiscal year budget, about $13 million was dedicated to privacy and identity protection services. The funding has been passed by the House Energy and Commerce Committee but needs further congressional approval to move forward.
Combined, the takeaway for U.S. privacy is significant. The call from senators, the EO, the most recent congressional hearing, and the potential funding all point to the FTC getting the broad support it needs to tackle privacy.
International Considerations
While the United States looks to be organizing a privacy plan behind the FTC, the current reality is that the country lags behind the global community in consumer privacy protections. Countries and regions worldwide continue to advance standards; this quarter saw China, Quebec, Saudi Arabia, Japan, Sri Lanka, and the United Kingdom actively pursue privacy.
China’s introduction of both the Personal Information Protection Law and Data Security Law added to an overarching framework of data protection. With the DSL effective as of September 1 and the PIPL to follow on November 1, businesses should waste no time getting their programs in shape. The law has an extraterritorial scope, serious fines, and requirements that largely mirror those of the EU General Data Protection Regulation – proving, once again, that the momentum behind privacy legislation knows no bounds as it continues to sweep the globe.
As the EU and United States work to repair a strained relationship following the invalidation of Privacy Shield, the inaugural meeting of the Trade and Technology Council on September 29 brought together top officials from both sides of the Atlantic to discuss a wide range of topics. Meanwhile, we saw the United Kingdom begin in earnest to navigate its independent approach to data protection and identify a process for achieving its own data transfer process with trading partners. How the United Kingdom navigates the flow of data with the United States, which was identified as a top priority, will give significant insight into how the country interprets privacy and data protection.
In addition to the announcement that New Zealand’s privacy commissioner, John Edwards, will succeed UK Information Commissioner Elizabeth Denham when her term ends, the United Kingdom also marked the beginning of a 10-week consultation process on proposed changes to its data protection framework. Signaling a divergence from the EU’s approach, the Department for Digital, Culture, Media and Sport introduced changes that are viewed as offering more flexibility. If the UK goes ahead with the proposed changes, Edwards warned, the country must carefully balance finding its path forward on data protection and satisfying its EU counterparts. Referring to the invalidation of Privacy Shield, Edwards said, “I think that the one thing that U.K. needs to be conscious of ... is the very antagonistic approach that we see Europe taking to the U.S.,” and he warned of aligning too closely with the United States.
Enforcement
In July, Luxembourg’s data regulator fined Amazon $888 million for breaching GDPR rules around the use of consumer data in advertising and, in doing so, broke the record for the largest fine introduced under the GDPR. While the specifics of the alleged violation have not been released, the Luxembourg National Commission for Data Protection said the company’s processing of personal data did not comply with GDPR. In a filing with the U.S. Securities and Exchange Commission, Amazon disclosed the fine, adding the decision was “without merit” and that it has plans to appeal.
Lastly, in September, Ireland’s Data Protection Commission announced a $266 million fine against WhatsApp for failing to tell users enough about what it does with their data.
Looking Ahead
We’re expecting that a relatively quiet third quarter may mean a strong finish for the year. Here’s what we will be watching:
- Will the UK pursue changes to its data protection regime?
- What will the final push for state privacy look like (lookin’ at you, Massachusetts)?
- How will the U.S. congressional hearings on privacy change the landscape?
About the Authors:
Molly Hulefeld is a Privacy Content Analyst with Ethos Privacy. Molly entered the world of privacy through the International Association of Privacy Professionals (IAPP), where she worked as Associate Editor for the publications team. Now she works to develop Sentinel’s privacy program management technology, Ethos, making it easier for businesses to meet their obligations and develop a culture of privacy.
Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.