Privacy Watch: FTC, Facebook, EU, the Cloud Act, & More CA bills

Privacy issues continued to boil to the surface in February. In part, it’s a reflection of the long tail of consequences that began in early 2018 when the broader public learned that Facebook had shared data from millions of user profiles with now-shuttered political marketing firm Cambridge Analytica.

The consequences of that wider public awareness are now spreading to technology companies in general.

While Facebook (NASDAQ: FB) continues to be a big focus for regulatory agencies in both the United States and abroad, public concerns over individual data privacy have prompted a more expansive look by governments at the legal frameworks that shield personal data—or fall short.

The U.S. Federal Trade Commission, which is already considering billions of dollars in fines against Facebook for alleged privacy violations, took action Tuesday on what consumer advocates see as a related issue—the market dominance of a small number of huge tech giants in areas such as social media. This can leave users with little choice if they don’t like a company’s privacy policies, for example.

The FTC’s Bureau of Competition announced that it has created a Technology Task Force to watch out for anticompetitive moves among information technology companies. The unit’s mission will include evaluations of planned mergers, but also of mergers that have already been completed. The bureau’s director, Bruce Hoffman, said it’s possible that companies could be forced to unravel some mergers to allow their acquired companies to become competitors again, The Verge reported. Hoffman didn’t point to any specific companies.

Advocacy groups have been pressing the FTC since last year to order social media leader Facebook to spin out Instagram and WhatsApp, arguing that Facebook’s dominant position gives it outsized influence over political discourse and the economy, USA Today reported.

The FTC has authority as a consumer watchdog over both anticompetitive practices and fraud, such as deceptive privacy policies that don’t reveal to users the full extent of the data harvested about them from their online activity.

But momentum has been building for the passage of laws that actually specify how companies must handle personal data, and how much control consumers must retain over it. A number of statutes have been proposed before Congress—some of them adopting provisions similar to those in the European Union’s strict General Data Protection Regulation (GDPR). Tech companies have declared that they’re open to some regulation, and some observers, such as Cameron Kerry, a fellow at the Brookings Institution’s Center for Technology Innovation, speculate that a new privacy law in some form might have a shot in the current session of Congress.

Europe keeps up pressure

Meanwhile, European authorities are continuing their sweeping examination of U.S. technology companies and their compliance with GDPR and other statutes.

A committee of the U.K. parliament issued a report in mid-February concluding that Facebook “intentionally and knowingly violated both data privacy and anti-competition laws.’’ It called for further investigation of Facebook’s practices in sharing user data for its own business purposes.

The committee urged the British government to establish an independent regulatory body and enact new laws that would hold tech companies to a compulsory code of ethics, and require them to remove hate speech, disinformation, and other harmful content from social media platforms.

The U.K.’s digital minister, Margot James, indicated that officials are in fact preparing to announce the establishment of an independent regulatory body that could fine companies such as Facebook and Google (NASDAQ: GOOGL) as much as 4 percent of their annual global revenue if they fail to eliminate pernicious content, according to an interview with James published on Thursday by Business Insider.

Meanwhile, European officials are grappling with the prospect that a new U.S. law known as the “Cloud Act” could put the data of European citizens and companies into the hands of American law enforcement authorities, Bloomberg reported. The law would allow U.S. officials to order U.S.-based cloud service providers—including Amazon (NASDAQ: AMZN), IBM (NYSE: IBM), and Microsoft (NASDAQ: MSFT)—to turn over data stored in their servers, even if they are located outside the United States.

California goes its own way

At the same time, California continues to try to set its own privacy rules in its own backyard. California legislators, who have already passed a stringent state privacy law inspired by the EU’s data protection statute, are considering new provisions to add further consumer rights.

A bill proposed by state Senator Hannah-Beth Jackson (D-Santa Barbara) would establish the rights of individuals to sue companies for improper handling of their data. Under the existing terms of the California Consumer Privacy Act, passed last year, individuals could only sue companies in the event of a data breach. California Attorney General Xavier Becerra announced Monday that he is endorsing the bill, SB 561. (The California Consumer Privacy Act is set to take effect on on January 1, 2020.)

Another privacy bill, AB 1760, would require companies to seek permission from users before sharing their data. A company would also have to inform users when it has shared their data, reveal who received the data it shared, and for what purpose. The bill was introduced by state Assemblymember Buffy Wicks (D-Oakland), and is supported by the ACLU of California and a coalition of advocacy groups.

Image credit: Depositphotos.

Trending on Xconomy