News Alerts and Breach Report for Week of January 23, 2023
EU Takes Aim at TikTok Over Privacy Violations
Though the U.S. has been exploring ways to curtail or even ban popular social media platform TikTok, it’s possible that European regulators might be closer to taking action against the Chinese-owned company. German Member of the European Parliament Moritz Körner has been a longtime advocate for regulating TikTok, and CBS quotes him as approving of the U.S. government’s ban on TikTok for its officials, and saying that the platform “poses several unacceptable risks” for users, including “data access by Chinese authorities, censorship and the tracking of journalists.” In the EU, TikTok faces several legal changes by Ireland’s data protection authority over potential breaches of children’s protection laws and potentially illegal transfers of data to China. That’s in addition to an alleged violation of the EU’s Digital Services Act, which could result in a fine amounting to 6 percent of its annual revenue. Meanwhile companies like Facebook, Google, Microsoft, and Zoom have been targeted by a concerted effort on the part of Dutch regulators to adapt their policies to EU privacy laws, especially those related to children’s data privacy.
Meta Launches Privacy Control Settings
Meta is launching a new privacy control center to allow users to manage their privacy settings for Facebook and Instagram all in one place. It’s a good move for the social media giant, which has come under fire in recent weeks for obfuscating privacy controls and using deceptive practices. The center will allow users to adjust their preferences for how their data is used for targeted ads—and how their rights to know and control how their data is used for other business practices.
Biometric Privacy Cases Expand
Oregon is one of the latest locales for a biometric privacy lawsuit. Jacksons Food Stores, a regional convenience chain, is being sued in the U.S, District Court for the District of Oregon. On December 1, 2022, plaintiffs Brian Norby and Jacqueline May filed putative class action number 22CV40791, which seeks compensatory or statutory damages of $1000 for each day the company is in violation of Portland’s 2020 municipal ban on facial recognition in public places—or specifically, “places of public accommodation by any private entity.” The suit alleges that the convenience chain scans anyone who tries to enter one of its stores, and automatically bars entry to anyone whose picture is in its “persona non grata database.”
OECD Nations Sign Data Privacy Accord
The Organization for Economic Co-operation and Development (OECD) and the European Union have signed a privacy agreement, The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. The OECD’s December 14, 2022 announcement of the agreement notes that it “seeks to improve trust in cross-border data flows—which are central to the digital transformation of the global economy—by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks.” These frameworks come from OECD’s 38 member states, including the United States, Canada, Australia, New Zealand, Japan, Mexico, and Korea. According to CPO Magazine, “Seven specific principles are named in the agreement. The first is [the] establishment of a legal basis for government access to data in each member country that offers “sufficient guarantees against the risk of misuse and abuse” along with “purposes, conditions, limitations and safeguards” that are supported by rule of law.” CPO also included the viewpoint of David Maynor, Senior Director of Threat Intelligence for Cybrary, who noted that “This agreement makes all the typical missteps of focusing on theoretical or academic issues an agreement should also include provisions for the proper ongoing training for cybersecurity training for those involved in data handling since the two biggest threats affecting this type of data will be insiders performing attacks or mishandling data and ransomware actors.”
NIST Releases De-identification Guidelines
January 15 marks the deadline for public comment on updates to NIST Special Publication 800-188, which provides data de-identification guidance to federal agencies. In other federal data privacy and cybersecurity news, Congress’s 2023 Defense Authorization Act directs the Department of Defense (DoD) “to initiate a study across the military services to look at how much time and money is lost when software and technology underperforms.”
Breach Report
* * * * * * *
To read our latest article, Privacy and Cybersecurity Forecast for 2023 discussing the need for privacy professionals, which industry will be a big target for ransomware attacks, and what to make of potential federal privacy legislation, click here.
Does your organization invest in “Confidential Computing”? Should they? Click here to read our discussion on “Confidential Computing” to get a better understanding on how your organization could benefit from such an investment.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
84 | Internet Archive Project Related to Russia’s War with Ukraine (With guest Mark Graham)
83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)
82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.