AI Bellwethers in the US and EU
Hello all, and thanks for reading today.
Published: May 11, 2021
Welcome to Privacy Insider, a round-up of the week's most important stories.
When the European Commission issued its draft decision deeming the U.K. an adequate third country for data transfers from the EU on Feb. 19, it seemed all but a done deal. Indeed, companies that rely on forward-transfers of data must have done a wee jig at the news.
But there's a wrinkle. This week, members of Parliament's LIBE committee, charged with protecting human rights, issued a notice asking the Commission to reconsider the decision.
To recap: Countries outside of the EU have to prove their privacy laws are comparable enough to the EU's to achieve "adequacy." That is, EU citizens will still enjoy sufficient data protections even if their data moves across borders.
And while the U.K.'s data protection law builds on an EU framework, MEPs say U.K. law contains national security exemptions that effectively weaken protections for EU citizens. The LIBE MEPs cite the lack of oversight of security agencies' bulk data collection practices, among other concerns, as a reason for pause. After all, national security relies in large part on secrecy.
In addition, the MEPs say, U.K. legislation "allows for bulk data access without suspicion of crime and bulk retention of data."
It's a significant issue because it's not a unique issue. You may recall that the EU shuttered both the U.S. Privacy Shield and Safe Harbor programs over similar concerns about data privacy given national law enforcement's access to bulk data. Of note: Those data-sharing agreements were necessary because the U.S. has not been deemed an adequate country. Heck, we don't even have a privacy law to offer up for consideration.
And so while the U.K.'s problem may not be unique, it's a big problem. Both the U.S. National Security Administration and the U.K. Secret Intelligence Service will testify in any court that bulk data is essential to protecting citizens. And they aren't going to go quietly into the night if there are renewed pushes (there have been many) to amend the laws granting them those crime-fighting tools.
So if law enforcement won't budge, and countries like the EU won't budge until they budge, data transfers under any "adequacy" ruling could be in peril.
I'm not panicking because the ability to transfer data across international borders makes the world go round. It's too important in modern-day commerce for any particular country to lose.
We're going to figure it out, but it will take either major concessions from both U.S. and U.K. national agencies, or else a European Union willing to look the other way. For now, the Commission will debate all of this at a plenary meeting next week, and plans to issue a final decision in the coming months.
Enjoy reading, and I'll see you next week!
1. MEPs say EU should suspend UK data transfers if laws aren't amended
The Civil Liberties Committee (LIBE), a group under the EU Parliament, has asked the European Commission to amend its draft decision granting the U.K. "adequacy." Since its departure from the European Union, the U.K. has had to ask the Commission to deem its data privacy laws sufficient to protect data transferred out of the EU and into the U.K. But a LIBE press release states that if changes aren't made to U.K. national security law and U.K. data-sharing agreements with the U.S., the EU should suspend data transfers to the U.K.
2. FTC settlement requires consent-management changes for facial-recognition app
The U.S. Federal Trade Commission has finalized a settlement with a photo-app developer over alleged deceptive behavior. In its complaint, the FTC said Everalbum, Inc. misled its users when it told them it wouldn't apply facial recognition technology to their photos without their permission but did so automatically. In addition, the agency said Everalbum said it would delete user photos when they deactivated their account but retained them "indefinitely." The settlement requires changes to Everalbum's consent management process.
3. DPA to fine hosting service $3M, claiming it tracked users without consent
Norway's data protection authority (DPA) has notified a U.S.-based company of its intent to issue a 2.5 million-euro fine (about $3 million) for alleged violations of EU privacy law, TechCrunch reports. The DPA said Disqus, a blog comment hosting service often used by news websites, tracked users without consent. In its notice, the DPA also warned publishers to remember that they are "also responsible under the GDPR for which third parties they allow on their websites."
4. Bipartisan bill would update children's privacy law
The Children and Teens' Online Privacy Protection Act, drafted by Sens. Ed Markey (D-Mass.) and Bill Cassidy (R-La.), would update the Children's Online Privacy Protection Act (COPPA) by prohibiting sites from collecting personal information from kids 13-15 without user consent. It would also create an "eraser button" to allow users to delete their data and establish a Youth Privacy and Marketing Division at the Federal Trade Commission, which enforces COPPA.
5. WhatsApp users must accept data-sharing policy or lose functionality
Under WhatsApp's new privacy policy, some users will lose functionality until they click "yes" to the terms, 9to5Mac reports. The new policy dictates that WhatsApp will share data with parent company Facebook. Starting May 15, users who don't accept the terms will first lose the ability to chat and then make calls. Next, the video call function will deactivate, and then users will lose the ability to receive new message notifications.
6. Attorneys general tell Facebook to ditch Instagram-for-kids plans
A group of 44 attorneys general has called on Facebook to abandon plans for "Instagram Youth," a version of Instagram aimed at pre-teens, Bloomberg reports. In a letter, the attorneys general wrote that "Facebook has historically failed to protect the welfare of children on its platforms" and that social media "can be detrimental to the health and well-being of children … ." In a statement, Facebook said it would prioritize privacy and safety.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.