Saying that April was a hot month, might very well be an understatement. There is plenty of news from US Congress, including unprecedented legislation against Tiktok and a new, bipartisan privacy bill. Meanwhile, Apple caved in to regulatory pressure in China and the EDPB took a stance against Meta in a key, high-profile legal battle.
There’s a lot to discuss, so let’s dive in!
- US Congress discusses federal privacy bill, bans TikTok
- More from Congress: FISA 702 reauthorized, 4th Amendment Not For Sale Act
- Personal data not a commodity, says EDPB
- Apple removes encrypted services from Chinese App Store
- Mass US data leakage
- ByteDance suspends TikTok Rewards program in Europe
- US government tightens HIPAA rules for reproductive health data
- Google delays cookie deprecation-again.
- Grindr faces lawsuit over HIV data
- Google pays $62M settlement over location data
- AI keeps raising privacy issues
US Congress discusses federal privacy bill, bans TikTok
A bicameral federal privacy bill was unexpectedly proposed in Congress. The bill, named American Privacy Right Act (APRA), includes a comprehensive set of privacy protections, including data minimization and transparency requirements, new consumer rights, and a private right of action subject to certain limitations.
State preemption is likely to be a thorny issue in future negotiations. Some States already afford strong privacy protections to their citizens and will not be happy to see federal law undermine them.
In the meantime, Congress finalized unprecedented legislation that forces Chinese giant ByteDance to divest ownership in TikTok under threat of a ban from the US market. According to Reuters, ByteDance is ready to challenge the constitutionality of the law but would rather leave the US market than divest ownership if push came to shove.
More from Congress: FISA 702 reauthorized, 4th Amendment Not For Sale Act
In other news from the US Congress, FISA Section 702 was finally reauthorized for two years in the nick of time.
FISA authorizes surveillance over foreign citizens but has been abused in the past in order to monitor Americans’ communication without a warrant. Privacy and civil rights advocates have long criticized the weak safeguards surrounding the law and are not happy to see it extended without any amendment.
In happier news, the House passed the 4t Amendment Is Not For Sale Act, a bill that prohibits law enforcement and intelligence agencies from buying personal information from data brokers with no warrants of safeguards (which they do all the time). We hope to see this become law.
Personal data not a commodity, says EDPB
In its highly anticipated Opinion on pay-or-ok, the EDPB clarified that personal data are not a commodity and took a clear stance against Meta’s data mining. In all likelihood, the Court of Justice will have the last word in Meta’s long GDPR compliance saga, but the EDPB’s Opinion is a very good sign nonetheless.
This is a really big deal for privacy because many services monetize on user data in similar ways to Meta. Check out our blog to learn more about the EDPB’s Opinion, the story behind it, and its potential impact on the privacy of EU citizens.
Apple removes encrypted services from Chinese App Store
Apple removed four apps from the Chinese version of the App Store upon an order of Chinese authorities. The list includes the Threads platform and three popular end-to-end encrypted messaging apps (WhatsApp, Telegram, and Signal).
This is not the first time the Chinese government orders Apple to make software unavailable: the company was already forced to remove a VPN app in 2017. It is superfluous to highlight the possible harms to users when privacy-preserving apps are removed from the closed iOS environment, especially in a country like China.
As an Apple spokesperson told the WSJ, the company must comply with the laws even if it dislikes them. Still, none of this would have happened if it simply allowed Chinese iOS users to sideload apps, as EU users are able to do under the Digital Markets Act. By choosing to retain complete control over the iOS environment in China, Apple is knowingly putting itself in a position where it can be bullied by the government into harming its users.
Mass US data leakage
The Federal Communications Commission fined several US wireless carriers for non-consensually disclosing customers’ location data to data brokers. The fines amount to a total of $200M between Verizon, AT&T, T-Mobile, and Sprint (now owned by T-Mobile).
This is a data leakage of catastrophic proportions. The carriers sanctioned by the FCC are some of the largest on the US market, with Verizon alone accounting for almost 150 million customers.
ByteDance suspends TikTok Rewards program in Europe
As if the TikTok ultimatum from Congress wasn’t enough, the EU Commission announced an investigation into TikTok Lite’s reward program for potential infringements of the Digital Services Act. The investigation prompted ByteDance to suspend the program on the EU market.
TikTok Lite’s “Task and Reward Program” rewards users for engaging with the platform and performing certain tasks such as liking content and inviting friends to join TikTok. The Commission notes that ByteDance failed to properly assess the risks of Task and Reward, and suspects that the program could have addictive effects and cause mental health harms to the platform’s (mostly quite young) audience .
US government tightens HIPAA rules for reproductive health data
The Department of Human Health and Services issued new rules to restrict data disclosures under HIPAA in order to protect women seeking reproductive health care in sanctuary States. Crucially, the new rule forbids disclosures for the purpose of investigating reproductive health care that was lawfully provided.
The confidentiality of reproductive health care data became a key human rights issue in 2022, when the Dobbs v. Jackson ruling opened the floodgates to anti-abortion legislation in conservative States. Strengthening the HIPAA is a step in the right direction, but enormous amounts of health data still fall outside the narrow scope of the law and can be used by law enforcement and other actors in ways that harm women and health care providers.
Google delays cookie deprecation-again.
Google delayed the deprecation of third-party cookies once again. The announcement came days after the Washington Post reported on regulatory pushback against the Sandbox due to privacy vulnerabilities.
To learn more about the news and the Privacy Sandbox, head over to our blog.
Grindr faces lawsuit over HIV data
Grindr will face a class action in the UK over the non-consensual disclosure of sensitive data, including HIV data. The lawsuit involves hundreds of users and revolves around personal data disclosures between 2018 and 2020.
Grindr, a popular dating app catering to the queer audience, was already fined in Norway for non-consensually sharing sensitive data with advertisers. According to Grindr’s own policy, such disclosures are still taking place, albeit with the user’s consent (or, in all likelihood, under a fiction of consent, as is typically the case for dating apps).
Google pays $62M settlement over location data
Stop me if you’ve heard this before, but Google signed a settlement over location data.
You know the story by now: Google likes “giving user control” over their data by tying location data collection to multiple, unclear settings found in all sorts of different places on Android devices. This may or may not be done to preventing users from entirely turning off location data collection. Google's settings are so intentionally obtuse, that even a Google engineer was not able to disable tracking.
AI keeps raising privacy issues
A recent report from the New York Times describes how OpenAI, Google, and Meta plunder the Internet for training data to develop their cutting-edge AIs. As they race each other to build bigger and more powerful models, these giants scrape data comes from all sorts of sources, including Facebook and Youtube content.
The NYT has an axe to grind with OpenAI but still raises some fair points. Big Tech’s scraping of the Web skirts company policies, exploits gaps in copyright law, and raises severe privacy concerns which are yet to be addressed. Similar privacy concerns were raised by the Italian privacy watchdog in its pending investigation on Open AI and in a parallel investigation on Sora, OpenAI’s text-to-video tool.
In the meantime, privacy advocate noyb filed a complaint against OpenAI after it failed to correct false personal information provided by ChatGPT. The complaint raises a thorny issue: under the GDPR, OpenAI has a duty to ensure that personal data are accurate, which entails ensuring that ChatGPT’s output is accurate. Good luck with that.