Privacy Beat

Your weekly privacy news update.

The stringent requirements of the California Consumer Privacy Act have the big-data tech companies trying to get something less burdensome out of Congress. But this week we feature an analysis that suggests CCPA could continue to govern Internet privacy even if a federal law attempts to pre-empt it. Meanwhile, privacy promises don’t mean much if you can’t read them, and a New York Times story found most of them are unreadable.  And they also aren’t much use if antitrust law isn’t enforced, claimed some witnesses at a Capitol Hill hearing. Regulation aside, there is evidence a business-case for privacy technology is emerging, and Omidyar Network is pushing on that. One investing area — technologies that help to “de-identify” personal data. And should that anonymized data be controlled by a nonprofit? All that plus a quote and tidbits, in Privacy Beat. 

1.  As efforts to enact federal privacy law stalls, one legal review suggests scenarios in which CCPA could survive a legal challenge regardless

Could application of the U.S. Constitution’s interstate commerce clause — generally leaving nationwide business exchange to Congress to regulate — derail the California Consumer Privacy Act (CCPA)?

That’s the question posed in a legal review by a University of Chicago pre-law student, Zoe Kaiser. The review, completed this month, examines the issues. The answer is, possibly not, but Kaiser doesn’t reach a firm conclusion.

The question is timely. Despite hearings and multiple proposals, a new report in the Financial Times (subscription) on Tuesday says talks on Capitol Hill to create the US’s first national data-privacy law “have ground to a halt” over whether it should be stricter or looser than CCPA.

In a blog post and the underlying legal review, Kaiser suggests at least two scenarios:

  • Because the location of web users can be tracked by their IP number, California could argue that the CCPA can be applied only to California residents, and therefore it is not governed by the interstate commerce clause. The decision of companies outside California to follow its rules for non-California residents is a business decision, not a regulatory mandate. On this theory, a constitutional challenge to the CCPA would fail.

  • Because the act imposes restrictions and obligations on California companies rather than granting them any easing of regulation, it is not an undue burden on interstate commerce and is therefore valid.

Another scenario not examined in Kaiser’s paper is this one: What if the U.S. Congress, bowing to tech lobbyists, enacts a federal privacy law that claims to “pre-empt” any state regulation? Could that portion of the federal law be overturned as it applies to the CCPA, leaving the CCPA in functional control of internet privacy standards?

The Financial Times quoted an unnamed Democratic advisor: “If the industry simply wants a bill that is going to water down California, they haven’t got a hope. There is no way the Democrats will agree to anything like that…talks are at a standstill now. I wouldn’t be surprised if we don’t manage to come up with a draft at all.” A key sticking point, the article said, is whether federal law should allow a “private right of action” by citizens who believe their privacy rights have been violated.  The tech and advertising industries are pushing instead for giving the Federal Trade Commission or a new government watchdog new enforcement powers.

2. NYTimes survey finds most privacy policies unreadible for average American; commends the BBC’s as well done

The New York Times posted June 12 an interactive study of of 150 privacy policies and data journalist Kevin Litman-Navarro concludes that most of them are written in language that most Americans would struggle to understand, based on literacy standards.  He commends the BBC for an “unusually readable privacy policy” written in short, declaring sentences and plain language.

3. Scholars and congressional witnesses explore the relationship between policies on antitrust and privacy

Increasingly scholars, analysts, and politicians are starting to see overlapping effects between antitrust, competition and privacy laws. It played out this week in a U.S. House Antitrust Subcommittee hearing and shows up in web essays.

“Privacy law is increasingly entangled with competition policy in today’s conversations concerning what should be done about dominant tech companies,” says Mark MacCarthy, a Georgetown University senior fellow and faculty member. “Privacy rules can be adjusted to achieve competition policy goals,” he writes in a blog essay at Forbes.com, adding “and conversely, pursuing competition policy goals can increase privacy protection.”

The blog essay by MacCarthy, who was formerly a policy executive at the Software & Information Industry Association, makes these other points:

  • Rigorous privacy rules could disadvantage small innovators over big-tech platforms if the costs of compliance are too great.

  • Take-it-or-leave-it policies on consent such as employed by Facebook are not a real choice if there is no effective competitor to switch to in the social media marketplace.

  • An argument can be made that big data sets pose more potential privacy risk than smaller ones, and that can be one justification for breaking up the biggest data platforms.

During Tuesday’s House antitrust hearing, “Online Platforms and Market Power, Part 1: The Free and Diverse Press,” one witness commented on privacy and antitrust.

“Privacy is an aspect of product quality,” said David Pitofsky, general counsel for Rupert Murdoch’s News Corp., which owns The Wall Street Journal and The Times of London.  “And antitrust just hasn’t really stretched its muscles in a long time to understate those kinds of quality issues.”

4. Privacy emerges as a business opportunity – and eBay co-founder Pierre Omidyar wants to push it along

For at least two decades, entrepreneurs have attempted to turn privacy management into a business and it wasn’t always easy. Scientific surveys would consistently find the public expressing a desire for greater privacy but Silicon Valley said that rarely showed up in actual behavior.

But now behaviors are starting to shift, and that is ushering in both ongoing reports of commercial privacy initiatives – as well as a social-venture initiative lead by Omidyar Networks to accelerate the trend.

  • This week a British company, Privitar Ltd., received $40 million in new venture-capital funding for its technology that allows banks and health-care providers to “anonymize” their databases so that otherwise highly sensitive personal data can be modified so that research can be done on like cohorts with no change of “re-identifying” individuals.

  • Information-service companies such as Portland, Oregon-based Exterro are working to add data-privacy capabilities to their portfolio through acquisition.

  • The local media trade-industry website StreetFight has started a 20-article (so far) series called “Pursuing Privacy” to keep track of all the developments including a listing of five new privacy-focused data marketplaces.

In another promising development, Omidyar Network, the social-investing and philanthropy hybrid of eBay co-founder Pierre Omidyar and his wife Pam, has embraced a concept called GoodID, and is looking to encourage investments in both identity and privacy. 

“There has been a noticeable increase in enterprises’ appetite for buying data privacy technology in recent years,” asserted venture-capitalist Seth Pierrepont of Accel in a statement about their Privitar Ltd. investment. 

Omidyar’s leaders believe a case can now be made for multiple investment returns (profits and social good) from backing services that manage user identity in both government and private-sector applications.

“We believe an emphasis on privacy, inclusion, user value, user control, and security create the foundation for impact and mitigate many risks of digital identity,” writes Omidyar’s Abiah Weaver.

“Good ID is inclusive, offers significant personal value, and empowers individuals with privacy, security, and control,” says Omidyar’s May white-paper on its initiative. “Good ID builds trust with transparency and accountability. Good ID seeks to address exclusion, discrimination, surveillance, consent, and other key issues of our time.”

(Disclosure: A director of Privitar, John Taysom, is an ITEGA director)

5. Needed: open, anonymized datasets of user information for innovation overseen by independent accrediting body, investor says

An “independent accrediting body” may be needed to help draw the line between user privacy and the need to access data in order to innovate, says a British-based venture-capital investor, Ed Stacy of IQ Capital Partners LLP.

“Recent history has shown that individual, for-profit organizations aren’t best placed to identify the boundaries of what is acceptable and what isn’t,” Stacey writes in a June 7 Forbes.com guest blog post. “It’s time that an independent accredited body steps up to oversee the creation and responsible use of open data sets, with the key objectives to support tech innovation and the public good.”

Cambridge, U.K.-based IQ Capital was among investors a $40-million venture round to British company Privitar Ltd, which calls itself an “engineering privacy” software firm. Stacey sits on Privitar’s board.

In his essay, Stacey suggests it is reasonable for consumers to share some of their data to enable innovation if the data is anonymized. Universally available data sets that are governed for privacy protection could help level the playing field between large companies that can afford to meet privacy standards and smaller companies that cannot, or must rely on obtaining data from third parties in order to innovate.

(Disclosure: A director of Privitar, John Taysom, is an ITEGA director)

RELATED LINK:

Companies struggling to adapt to new regulations https://www.propertycasualty360.com/2019/06/07/us-companies-repeating-data-privacy-compliance-mistakes-study-shows-414-156444/?slreturn=20190512095705

6. Does Reuters Institute report trend show opportunity for cross-site content and user sharing?

The Reuters Institute at Oxford has surveyed since 2012 and published annual reports on the state of the news industry and the trends reported this year are unchanged — an ongoing decline in print advertising and reach and surging digital use — especially via mobile.  But, as noted in a Nieman Lab wrapup on the report, the newest emerging trend is that, while in the United States, 16 percent of news readers are paying in some way, most of them surveyed are unwilling to pay for more than a single news subscription. The report lends credence to the idea that news organizations could benefit by user- and content-sharing syndication. A summary of the overall report’s key findings can be found on Page 10 of the PDF download.

UPCOMING EVENTS
DC law firm offering June 19 online webinar “Operationalizing the CCPA”

The Washington, D.C. law firm of Hogans Lovells International LLP is inviting public participation in a Wed., June 19, online webinar, “Operationalizing the California Consumer Privacy Act”. It says the webinar will cover key terms, interactions with existing regulations, how the “private right of action” under the law will work, and a comparison of provisions with the GDPR.

“Privacy regulation would also help because it is this 360-degree view of users, collecting their data all across the web that allows these disinformation agents to then precisely target people on the data collected about them. So if we collected less data about people, especially not in ways that they would not expect, there would be less ability to hyper-target them with disinformation.”

Sally Hubbard, Director of Enforcement Strategy, Open Markets Institute, testifying June 11 before the U.S. House Antitrust Subcommittee hearing on “Online Platforms and Market Power.”

TIDBITS

New York Times editorial urges federal privacy law
https://www.nytimes.com/2019/06/08/opinion/sunday/privacy-congress-facebook-google.html

Harvard experiment on data preferences
http://www.law.harvard.edu/programs/olin_center/fellows_papers/pdf/Svirsky_81_revision.pdf

Privacy Paradox
 https://www.nytimes.com/2019/05/17/opinion/sunday/google-privacy.html
 

UK consumers are resigned to poor data security, research finds
http://telecoms.com/497800/uk-consumers-are-resigned-to-poor-data-security-research-finds/

Apple restricts ads and third-party trackers in iPhone apps for kids
https://techcrunch.com/2019/06/03/apple-kid-apps-trackers/

Microsoft Removes Face Recognition Photos Amid Privacy Controversy
http://fortune.com/2019/06/07/microsoft-facial-recognition/

Warner Media discussing Ad Free plan
https://www.wsj.com/articles/at-t-eyes-16-to-17-a-month-streaming-service-in-strategy-shift-11559842992

Legal AI’s Insufficiencies in Data Privacy https://www.law.com/therecorder/2019/06/05/the-human-touch-legal-ais-insufficiencies-in-data-privacy/ 

Does surveillance tech begin with the poor?
https://onezero.medium.com/privacy-is-just-the-beginning-of-the-debate-over-tech-8807c2f8458f

India proposed Data Privacy Bill https://www.moneycontrol.com/news/economy/policy/privacy-matters-indias-resolute-stand-on-data-protection-is-a-challenge-to-tech-giants-business-ambitions-4079641.html

https://www.sundayguardianlive.com/news/eye-data-privacy-india-strives-data-localisation

German National Police want access to data https://www.cnn.com/2019/06/09/europe/germany-privacy-fears-ger-intl/index.html

Brazil’s New Data Protection Law
https://brazilian.report/money/2019/06/07/prepare-lgpd-brazil-new-data-protection-law/

 

Like what you see? Then recommend to a friend.

Share

Tweet

Forward

Copyright © *|CURRENT_YEAR|* *|LIST:COMPANY|*, All rights reserved.
*|IFNOT:ARCHIVE_PAGE|* *|LIST:DESCRIPTION|*

Our mailing address is:
*|HTML:LIST_ADDRESS_HTML|* *|END:IF|*

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

*|IF:REWARDS|* *|HTML:REWARDS|* *|END:IF|*