Privacy Insider newsletter: May 18, 2021

Welcome to Privacy Insider, a round-up of the week's most important stories.

"France must equip itself with a trusted cloud because data is strategic," said France Minister of the Economy Bruno Le Maire. "Much of the economic value in the 21st century will come from data, which is why it is essential to protect it." 

He means that American cloud services are making money off French data, and France needs to up its game to compete globally. As News in 24 reports, Amazon, Google and Microsoft own 70 percent of the European market.

And while Le Maire is an economics guy, he's pitching the development of a "trustworthy cloud" label to indicate companies that meet French standards set out by its cybersecurity agency, the ANSSI. 

The necessity to verify a company is trustworthy stems from French mistrust of U.S. data privacy because U.S. law allows national law enforcement agencies access to innocent peoples' data to fight crime. These policies have long been a point of contention between the EU and the U.S., as I discussed in last week's love letter to you. 

Reading the news that France is strategizing on keeping citizens' data on French soil isn't surprising, but it is disheartening. It's only the latest in countless stories in which government or private agencies note, rightly, that the U.S. isn't up to snuff on data privacy. It's the reason the Schrems II case continues, and it's the reason trans-border data-sharing frameworks keep burning to the ground. 

And while some say the U.S. should pass a privacy law that would assure its global partners their data will be protected in its hands, that conversation stalls whenever lawmakers hint that national security policies may have to change for that to happen. 

Of course, national security is essential, and there are many intelligent and reasonable people doing the intelligence work that helps keep us safe. But there also a lot of people and companies in the U.S. who want to do the right thing on data privacy, and it's a shame they -- in effect -- have to say to customers, "We will absolutely keep your data private, unless ... " 

As an American, it feels like: If we're going to lead the work in tech, we should also lead the world in protecting its users.

Enjoy reading, and I'll see you next week!

1. France unveils national strategy to keep data on French soil
   
   France unveiled its national strategy on cloud hosting services, VentureBeat reports. Amidst concerns about American surveillance policies, France is aiming to create a "sovereign cloud." But the government did say cloud services could host some of France's "most sensitive and corporate data" if companies like Google and Microsoft license their cloud technology to French companies, therefore keeping the data on French soil. 

   Read Story

   2. Google imposes privacy-disclosure requirements for apps

   Beginning next year, Google will require Android mobile apps to provide privacy disclosures. The new policy requires apps to include what personal information it collects, whether that information is shared and whether the app uses encryption, National Law Review reports. Apps must also disclose whether a third party has verified their claims are valid and whether users can delete their data. The news follows Apple's move last year to include privacy nutrition labels in its App Store. 
   Read Story

   3. GDPR fines since 2018 total €292 million

   It's been three years since the EU General Data Protection Regulation came into effect. Since then, every EU member state and the U.K. has issued at least one GDPR fine, according to a tracking dashboard. Italy, France, and Germany have given the highest amount in fines, while Spain, Italy, and Romania have issued the most penalties. 
   Read Story

   4. Facebook loses legal challenge to Irish regulator's data-transfer decision

   ComputerWeekly reports the Irish High Court has dismissed a legal challenge by Facebook. The company sought to fight the Irish Data Protection Commissioner's draft decision to suspend transfers of European data to the U.S. But the High Court said Facebook Ireland hadn't established any basis for "impugning" the judgment, the report states. The case stems from Max Schrems' claims that the transfers breach EU privacy law because they subject EU citizens to U.S. mass surveillance programs. The High Court decision allows the Irish DPC to continue its work on the case.
   Read Story 

   5. Eufy breach had users watching each others' camera streams

   A privacy breach at appliance-company Eufy meant strangers could view both live and recorded video from each others' home cameras. Affected users first reported the issue on Reddit, reports 9to5Mac. Eufy stated that a software bug caused the breach, affecting a limited number of users in the U.S., New Zealand and Australia, among others. The company resolved the problem within two hours, the company said.
   Read Story

   6. WhatsApp delays privacy policy changes in Brazil

   WhatsApp is delaying implementing its new privacy policy while Brazilian authorities look into its data privacy implications. WhatsApp users in Brazil will be able to use the app for three months before agreeing to the new policy. The decision comes after discussions between the messaging service and Brazil's National Data Protection Authority (DPA), among other stakeholders. The DPA will now investigate whether the new policy complies with the country's data protection regulation. 
   Read Story