PRG News Roundup, February 16, 2022

During the third PRG meeting of the Spring 2022 semester, the following topics were discussed:

This week the UN convened an international committee of government experts to conduct preliminary negotiations on a new treaty regulating cybercrime. However, there are substantial divides over what types of actions could be regulated and over the definition of “cybercrime.” A number of nations have pushed to exclude broader issues of national security, cybersecurity, and cyberwar, warning against using preventing cybercrime as a tool to impose broader controls on the internet. Another major divide is over the inclusion of both content-based crimes and technology-facilitated crimes. Human rights groups have noted the importance of public interest safeguards, and the initial proposals of many states have reflected those concerns, calling for adherence to current standards and an awareness of possible adverse consequences.

French and Belgian data protection watchdogs followed the Austrian’s data protection watchdog ruling that the use of Google Analytics violated GDPR with their own rulings. The French watchdog held that the data transfer built into Google Analytics violated Article 44, while the Belgian Data Protection Authority held that IAB Europe’s Transparency and Consent Framework infringed on GDPR as a result of IAB Europe’s negligence. Such rulings are likely to continue until US and EU negotiators come to an agreement to replace the recently struck down Privacy shield agreement.

California lawmakers are introducing a new bill, similar to the UK’s recent children’s code, tightening regulation on tech companies’ collection and usage of children’s data.  Lawmakers noted that several platforms introduced changes to make their platforms less addictive and more safe for children prior to the passage of UK regulation, and are undoubtedly hoping for similar effects.

Following a $650 million settlement in a similar lawsuit from the Illinois Attorney General, the Texas Attorney General has sued Meta, alleging that it unlawfully collected biometric data and stored such identifiers as vioceprints, retina or iris scans, and hand and face geometry. It is possible that similar lawsuits will continue, particularly if the Texas case results in a court victory or another large settlement.

Android announced a multi-year Privacy Sandbox initiative, aiming to create tools to improve users’ control over their own data. This builds on their Advertising ID system, which aimed to help users exercise more control over their data. It promises to limit third-party data sharing, not rely on cross-app identifiers, and stop cover data collection.

Second sight, a company producing implants to help restore vision to blind patients, stopped servicing and maintaining its ocular implants as it shifted its attention to a neural rather than ocular interface. This raises interesting questions the obligations companies have to maintain equipment others depend on, even as they go through bankruptcy or reorganization.

Meta has warned that upcoming privacy legislation in India may impact their operations. The bill seeks local storage and processing of data.

India has also banned 54 apps over security and espionage concerns. This follows the banning of 59 other apps, including TikTok, in June 2020, and another 118 apps in September 2020. This seems to both be part of a broader pushback against China as well as against apps which collect and transmit data abroad.

The CIA has been collecting and analyzing information on Americans in bulk and without a warrant, according to a declassified letter from two senators. These activities took place under Executive Order 12333, or intelligence activities that Congress left unregulated by its ban on bulk communications under the Patriot Act and FISA.

(Compiled by Student Fellow Justin Jin)