Clarity On Who Is A Controller, Processor, and Joint Controller Under the GDPR, Part I
New antitrust suit filed against Google in the U.S.; House and Senate pass cyber and tech bills
The European Data Protection Board (EDPB or Board) issued final guidelines on how to determine who are controllers and processors under the General Data Protection Regulation (GDPR). Last September, the Board launched this initiative to update the guidance of the EDPB’s predecessor, the Article 29 Working Party, on controllers and processors under the GDPR’s predecessor regime. These guidelines should standardize across the European Union how controllers and processors are demarcated and ultimately regulated. Of course, the document can also help entities in the data collection and processing realm determine which role they have and therefore their responsibilities under the GDPR. Today, I will look at the first half of the document and finish up tomorrow.
At the beginning, the Board explained the purpose of the document:
The concept of controller and its interaction with the concept of processor play a crucial role in the application of the GDPR, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The GDPR explicitly introduces the accountability principle, i.e. the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data in Article 5. Moreover, the GDPR also introduces more specific rules on the use of processor(s) and some of the provisions on personal data processing are addressed - not only to controllers - but also to processors.
Much of the above seems straightforward and self-explanatory. Of course, who is and is not a controller is crucial under the GDPR, for one’s compliance responsibilities are determined in large part by which role the party occupies.
The EDPB continued:
§ It is therefore of paramount importance that the precise meaning of these concepts and the criteria for their correct use are sufficiently clear and shared throughout the European Union and the EEA.
§ The Article 29 Working Party issued guidance on the concepts of controller/processor in its opinion 1/2010 (WP169) in order to provide clarifications and concrete examples with respect to these concepts. Since the entry into force of the GDPR, many questions have been raised regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles. Questions were raised in particular to the substance and implications of the concept of joint controllership (e.g. as laid down in Article 26 GDPR) and to the specific obligations for processors laid down in Chapter IV (e.g. as laid down in Article 28 GDPR). Therefore, and as the EDPB recognizes that the concrete application of the concepts needs further clarification, the EDPB now deems it necessary to give more developed and specific guidance in order to ensure a consistent and harmonized approach throughout the EU and the EEA. The present guidelines replace the previous opinion of Working Party 29 on these concepts (WP169).
Uniformity among all the nations enforcing the GDPR on how the terms and their attendant obligations are construed is the primary goal of the document.
Moreover, the EDPB’s construction of these definitions flows from the foundational principle of data protection law in the EU: accountability. Controllers, in particular, must be accountable for meeting all the obligations under the GDPR and be able to demonstrate compliance. The Board explained:
§ The GDPR, in Article 5(2), explicitly introduces the accountability principle which means that:
o the controller shall be responsible for the compliance with the principles set out in Article 5(1) GDPR; and that
o the controller shall be able to demonstrate compliance with the principles set out in Article 5(1) GDPR.
§ This principle has been described in an opinion by the Article 29 WP and will not be discussed in detail here.
§ The aim of incorporating the accountability principle into the GDPR and making it a central principle was to emphasize that data controllers must implement appropriate and effective measures and be able to demonstrate compliance.
The EDPB also stresses that controllers and processors are subject to some of the GDPR’s more specific accountability requirements that are not enumerated in Article 5. For example, the Board stated:
However, some of the more specific rules are addressed to both controllers and processors, such as the rules on supervisory authorities’ powers in Article 58. Both controllers and processors can be fined in case of non-compliance with the obligations of the GDPR that are relevant to them and both are directly accountable towards supervisory authorities by virtue of the obligations to maintain and provide appropriate documentation upon request, co-operate in case of an investigation and abide by administrative orders. At the same time, it should be recalled that processors must always comply with, and act only on, instructions from the controller.
Thus, the EDPB concludes its reasoning as to why the guidelines are needed:
The accountability principle, together with the other, more specific rules on how to comply with the GDPR and the distribution of responsibility, therefore makes it necessary to define the different roles of several actors involved in a personal data processing activity.
The EDPB makes clear, however, that the concepts of controller and processor have not changed since the Article 29 Working Party’s 2010 construction of them. Moreover, the terms have the same role in apportioning responsibilities. Consequently, discerning who is a controller and who a processor is necessarily a fact-driven finding and will be made irrespective of whatever term a party may claim for itself or assign to another entity. This necessarily suggests data protection authorities (DPAs) will need to dig into an entity’s contracts and business arrangements before deeming a party a controller. Moreover, it is not hard to imagine resource-deprived DPAs taking an extended period of time to make this threshold determination before they can properly conduct an investigation of GDPR compliance.
On this latter point, the EDPB concedes that controller and processor are terms with meanings in other legal and policy fields but stresses that those meanings have no place in the GDPR. One can imagine lawyers and companies trying to push back against a finding that an entity is a controller by invoking how similar terms are used elsewhere. The Board wants to foreclose that possibility by declaring that the meaning of the same term in other fields has no place in the EU’s data protection scheme.
The Board also advises that the determination of who is a controller should be made as widely as the GDPR will allow in order for EU and European Economic Area (EEA) residents to enjoy data protection rights but also to avoid gaps in the law.
The Board recites the GDPR’s definition of a controller and then analyzes each phrase:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
It is interesting that the EDPB makes the decision to functionally restrict the definition of controller to organizations when the GDPR makes clear it can be any natural or legal person. The advocacy organization, none of your business, makes this point in their comment on the draft guidelines:
When reading the Guidelines it seems striking to us that - while highlighting that a controller may be a “natural person” - all examples and Guidelines are dealing with business to business or government relationships. The Guidelines currently leave the reader with the impression that natural persons are solely playing a role as data subjects. Nothing could be further from reality: Just like the example on page 27 of the Guidelines that deals with the use of cloud services by a municipality, private users equally use cloud providers for their purposes, run their own servers and webpages or use their email accounts. Especially many open source projects and attempts to have users keep their own data locally or in a secure cloud environment aim to regain the factual and legal power of users over their personal data.
It seems like an unnecessary road to take. The plain language of the GDPR permits a person to be a controller, and the EDPB could have adopted language to the effect that most controllers are organizations or bodies. Nonetheless, the Board does stress that the people making decisions about data processing in any given organization are not controllers, and the organization itself is. This point needs making to forestall organizations blaming GDPR violations on employees.
The Board next construes “determines” in the definition of controller as being the portion from which constructions of “control” flow (i.e. “the controller’s influence over the processing, by virtue of an exercise of decision-making power.”) The Board hints that this finding should ideally be made on the basis of facts about the processing as opposed to working from legal analysis. Be that as it may, the EDPB stated:
In most situations, the "determining body" can be easily and clearly identified by reference to certain legal and/or factual circumstances from which “influence” normally can be inferred, unless other elements indicate the contrary. Two categories of situations can be distinguished: (1) control stemming from legal provisions; and (2) control stemming from factual influence.
Absent a legal responsibility that clearly makes one a controller, the EDPB advises that “[i]n many cases, an assessment of the contractual terms between the different parties involved can facilitate the determination of which party (or parties) is acting as controller.” Moreover, “[i]f one party in fact decides why and how personal data are processed that party will be a controller even if a contract says that it is a processor.”
In terms of the possibility of there being multiple controllers, the EDPB asserts that “several different entities may act as controllers for the same processing, with each of them then being subject to the applicable data protection provisions…[and] an organisation can still be a controller even if it does not make all the decisions as to purposes and means.” But more on joint controllers later.
The EDPB goes to lengths to explain that whoever determines the how and why of the processing (i.e. the purpose and means) will be found to be a controller regardless of title or role. And yet, the EDPB conceded that matters are sometimes not so cut and dried and stated that “there is a need to provide guidance about which level of influence on the "why" and the "how" should entail the qualification of an entity as a controller and to what extent a processor may make decisions of its own.”
The Board declares that “[d]ecisions on the purpose of the processing are clearly always for the controller to make” (in other words, the why of the processing). On the how, things get blurrier and will depend on whether the means of processing are essential or non-essential. The former “are traditionally and inherently reserved to the controller” and
are closely linked to the purpose and the scope of the processing, such as the type of personal data which are processed (“which data shall be processed?”), the duration of the processing (“for how long shall they be processed?”), the categories of recipients (“who shall have access to them?”) and the categories of data subjects (“whose personal data are being processed?”).
Non-essential means, on the other hand, are choices a processor will often make without consultation or input from a controller such as which hardware or software to use or appropriate security measures to implement.
The EDPB then turns back to joint controllers and remarks:
While the concept is not new and already existed under Directive 95/46/EC, the GDPR, in its Article 26, introduces specific rules for joint controllers and sets a framework to govern their relationship. In addition, the Court of Justice of the European Union (CJEU) in recent rulings has brought clarifications on this concept and its implications.
Not surprisingly, the determination of when there are joint controllers is mostly but not entirely fact-driven. Titles and purported roles will count for little, and an organization or a DPA will need to dig into who is calling the shots with respect to the why of the data processing and also the how in terms of essential and non-essential means.
The EDPB explains:
Article 26 GDPR, which reflects the definition in Article 4 (7) GDPR, provides that “[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.” In broad terms, joint controllership exists with regard to a specific processing activity when different parties determine jointly the purpose and means of this processing activity. Therefore, assessing the existence of joint controllers requires examining whether the determination of purposes and means that characterize a controller are decided by more than one party. “Jointly” must be interpreted as meaning “together with” or “not alone”, in different forms and combinations,
And yet, the EDPB cautions that the involvement of several entities in processing does not automatically give rise to a finding that there are joint controllers:
Not all processing involving several entities give rise to joint controllership. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing. More specifically, joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. If each of these elements are determined by all entities concerned, they should be considered as joint controllers of the processing at issue.
Moreover, the EDPB notes that “joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities regarding the purposes and essential means.”
The EDPB then pays heed to CJEU case law on joint controllers in noting:
The situation of joint participation through converging decisions results more particularly from the case law of the CJEU on the concept of joint controllers. Decisions can be considered as converging on purposes and means if they complement each other and are necessary for the processing to take place in such manner that they have a tangible impact on the determination of the purposes and means of the processing. It should be highlighted that the notion of converging decisions needs to be considered in relation to the purposes and means of the processing but not other aspects of the commercial relationship between the parties.
The EDPB concludes “[a]s such, an important criterion to identify converging decisions in this context is whether the processing would not be possible without both parties’ participation in the purposes and means in the sense that the processing by each party is inseparable, i.e. inextricably linked.”
Finally, the Board turns to processors and states:
A processor is defined in Article 4 (8) as a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Similar to the definition of controller, the definition of processor envisages a broad range of actors - it can be “a natural or legal person, public authority, agency or other body”. This means that there is in principle no limitation as to which type of actor might assume the role of a processor. It might be an organisation, but it might also be an individual.
It is interesting that the EDPB allows that a processor might be an individual, but that controllers are most likely organizations. Nevertheless, the EDPB stated that there can be multiple processors:
Processing of personal data can involve multiple processors. For example, a controller may itself choose to directly engage multiple processors, by involving different processors at separate stages of the processing (multiple processors). A controller might also decide to engage one processor, who in turn - with the authorisation of the controller - engages one or more other processors (“sub processor(s)”). The processing activity entrusted to the processor may be limited to a very specific task or context or may be more general and extended.
The Board reiterated that “[t]wo basic conditions for qualifying as processor are:
a) being a separate entity in relation to the controller and
b) processing personal data on the controller’s behalf.”
Moreover, the facts of any given data processing must be examined closely, for an entity could be a processor in some circumstances and a controller in others. This consideration is pertinent chiefly to processors, for a controller that processes personal data itself does not thereby also become a processor. The opposite can be the case, however, with a processor being found to be a controller.
Other Developments
§ A third antitrust suit has been filed against Google in the United States (U.S.), with this legal action alleging “exclusionary conduct relating to the Google Play Store for Android.” This action would seem to follow Epic Games’ suits against both Google and Apple for kicking its game, Fortnite, out of their app stores when the company began offering users the means to make in-game purchases outside the companies’ payment systems, which entitle Google and Apple to 30% of all such purchases. Utah Attorney General Sean Reyes, New York Attorney General Letitia James, North Carolina Attorney General Josh Stein, and Tennessee Attorney General Herbert Slatery III are leading the suit and are joined by other state attorneys general. This group filed suit in California and, according to their press release, “accuse Google of using its dominance to unfairly restrict competition with Google Play Store, harming consumers by limiting choice and driving up app prices.” The attorneys general asserted:
o According to the lawsuit, the heart of the case centers on Google’s exclusionary conduct, which substantially shuts out competing app distribution channels. Google also requires that app developers that offer their apps through the Google Play Store use Google Billing as a middleman. This arrangement, which ties a payment processing system to an app distribution channel forces app consumers to pay Google’s commission – up to 30% – on in-app purchases of digital content made by consumers through apps that are distributed via the Google Play Store. This commission is much higher than the commission that consumers would pay if they had the ability to choose one of Google’s competitors instead. The lawsuit alleges that Google works to discourage or prevent competition, violating federal and state antitrust laws. Google had earlier promised app developers and device manufacturers that it would keep Android “open source,” allowing developers to create compatible apps and distribute them without unnecessary restrictions. The lawsuit says Google did not keep that promise.
o When Google launched its Android OS, it originally marketed it as an “open source” platform. By promising to keep Android open, Google successfully enticed “OEMs”—mobile device manufacturers such as Samsung—and “MNOs”—mobile network operators such as Verizon—to adopt Android, and more importantly, to forgo competing with Google’s Play Store at that time. Once Google had obtained the “critical mass” of Android OS adoption, Google moved to close the Android OS ecosystem—and the relevant Android App Distribution Market—to any effective competition by, among other things, requiring OEMs and MNOs to enter into various contractual and other restraints. These contractual restraints disincentivize and restrict OEMs and MNOs from competing (or fostering competition) in the relevant market. The lawsuit alleges that Google’s conduct constitutes unlawful monopoly maintenance, among other claims.
o In aid of Google’s efforts discussed above, the AGs allege that Google also engaged in the following conduct, all aimed at enhancing and protecting Google’s monopoly position over Android app distribution:
§ Google imposes technical barriers that strongly discourage or effectively prevent third-party app developers from distributing apps outside of the Google Play Store. Google builds into Android a series of security warnings (regardless of actual security risk) and other barriers that discourage users from downloading apps from any source outside Google’s Play Store, effectively foreclosing app developers and app stores from direct distribution to consumers.
§ Google has not allowed Android to be “open source” for many years, effectively cutting off potential competition. Google forces OEMs that wish to sell devices that run Android to enter into agreements called “Android Compatibility Commitments” or ACCs. Under these “take it or leave it” agreements, OEMs must promise not to create or implement any variants or versions of Android that deviate from the Google-certified version of Android.
§ Google’s required contracts foreclose competition by forcing Google’s proprietary apps to be “pre-loaded” on essentially all devices designed to run on the Android OS, and requires that Google’s apps be given the most prominent placement on device home screens.
§ Google “buys off” its potential competition in the market for app distribution. Google has successfully persuaded OEMs and MNOs not to compete with Google’s Play Store by entering into arrangements that reward OEMs and MNOs with a share of Google’s monopoly profits.
§ Google forces app developers and app users alike to use Google’s payment processing service, Google Play Billing, to process payments for in-app purchases of content consumed within the app. Thus, Google is unlawfully tying the use of Google’s payment processor, which is a separate service within a separate market for payment processing within apps, to distribution through the Google Play Store. By forcing this tie, Google is able to extract an exorbitant processing fee as high as 30% for each transaction and which is more than ten times as high as the fee charged by Google’s competitors.
§ The House and Senate have passed a number of targeted cybersecurity and technology bills, the likes of which have proven to be the only types of bills that have a chance of making it into law.
o Last week, the Senate sent the “National Cybersecurity Preparedness Consortium Act of 2021” (S.658) to the House. In the committee report, it was asserted:
§ The purpose of S. 658, the National Cybersecurity Preparedness Consortium Act of 2021, is to codify the Secretary of Homeland Security’s existing authority to work with a consortium, primarily composed of nonprofit entities and academic institutions with expertise in cybersecurity, to address cybersecurity risks and incidents. The Secretary may work with such a consortium to provide assistance to the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security (DHS) to provide cybersecurity-related training and expertise to state and local first responders and critical infrastructure owners and operators.
o This week, the House took up and passed the following bills, per House Majority Whip Jim Clyburn’s (D-SC) summaries:
§ H.R. 2668 – Consumer Protection and Recovery Act (Rep. Cardenas – Energy and Commerce). This bill restores the Federal Trade Commission’s longstanding authorities to pursue relief on behalf of consumers against corporations that violate federal law. It responds to the Supreme Court’s recent decision to block the FTC from using this authority as it has for the last four decades to send billions in relief back into consumers’ pockets in cases of telemarketing fraud, anticompetitive pharmaceutical practices, data security and privacy, and others.
§ H.R. 3119 – Energy Emergency Leadership Act (Rep. Rush – Energy and Commerce). The bill creates a new Department of Energy Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.
§ H.R. 2931 – Enhancing Grid Security through Public-Private Partnerships Act (Rep. McNerney – Energy and Commerce). The bill directs the Secretary of Energy, in consultation with States, other Federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cybersecurity of electric utilities. The bill also requires an update to the Interruption Cost Estimate (ICE) Calculator, an electric reliability planning tool for estimating electricity interruption costs and the benefits associated with reliability improvements, at least once every 2 years.
§ H.R. 2928 – Cyber Sense Act of 2021 (Rep. Latta – Energy and Commerce). The bill requires the Secretary of Energy to establish the Cyber Sense Program. This voluntary program would identify cyber-secure products that could be used in the bulk-power system.
§ H.R. 1754 – MEDIA Diversity Act of 2021 (Rep. Long – Energy and Commerce). This bill requires the FCC to consider market entry barriers for socially disadvantaged individuals in the communications marketplace.
§ H.R. 3003 – Promoting United States Wireless Leadership Act of 2021 (Rep. Walberg – Energy and Commerce). This bill directs NTIA to encourage participation by trusted American companies and other stakeholders in standards-setting bodies, and to offer technical assistance to such stakeholders that elect to participate, in the course of developing standards for 5G networks and future generations of communications networks.
§ H.R. 3138 – State and Local Cybersecurity Improvement Act, as amended (Rep. Clarke – Homeland Security). This bill would authorize a new DHS grant program to address cybersecurity vulnerabilities on State and local government networks. The new grant program would be authorized at $500 million with a graduating cost-share that incentivizes States to increase funding for cybersecurity in their budgets. Under the bill, State, tribal, and territorial governments would be required to develop comprehensive cybersecurity plans to guide the use of grant funds. The bill also requires CISA to develop a strategy to improve the cybersecurity of State, local, tribal, and territorial governments, among other things, identify Federal resources that could be made available to State and local governments for cybersecurity purposes, and set baseline objectives for State and local cybersecurity efforts. CISA would also be required to assess the feasibility of implementing a short-term rotational program for the detail of approved State, local, Tribal, and territorial government employees in cyber workforce positions at CISA. Lastly, the bill establishes a State and Local Cybersecurity Resilience Committee comprised of representatives from State, local, tribal, and territorial governments to advise and provide situational awareness to CISA regarding the cybersecurity needs of such governments. In the 116th Congress, the House passed by voice vote a similar version of this bill (H.R. 5823) which was introduced by Rep. Richmond.
§ H.R. 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended (Rep. Katko – Homeland Security). This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to lead Federal efforts to detect and mitigate threats and vulnerabilities to industrial control systems. The measure also requires CISA to maintain cross-sector incident response capabilities, provide technical assistance to stakeholders and collect, coordinate, and provide vulnerability information about industrial control systems to stakeholders. Industrial control systems (ICS) monitor, control, and safeguard operational processes in critical infrastructure such as electric power generators, dams, water treatment facilities, medical devices, nuclear power plants, and natural gas pipelines. In the 115th Congress, a nearly identical version of the measure (H.R. 5733) passed the House by voice vote on June 25, 2018.
§ H.R. 2980 – Cybersecurity Vulnerability Remediation Act, as amended (Rep. Jackson-Lee – Homeland Security). This bill would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to develop and distribute “playbooks,” in consultation with private sector experts, to provide procedures and mitigation strategies for the most critical, known vulnerabilities – especially those affecting software or hardware that is no longer supported by a vendor. The playbooks would be available to Federal agencies, industry, and other stakeholders. H.R. 2980 would also allow for the DHS Science and Technology Directorate (S&T), in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities that are no longer supported. The ANS is updated to emphasize the prioritization of industrial control systems of critical infrastructure that may be targeted like the systems that underpin water systems and pipelines.
§ H.R. 3223 – CISA Cyber Exercise Act (Rep. Slotkin – Homeland Security). This bill establishes a National Cyber Exercise program within CISA. This legislation builds upon language in H.R. 6395, National Defense Authorization Act for Fiscal Year 2021, which directed the Secretary of Homeland Security, in coordination with the Attorney General, the Secretary of Defense, and the Director of National Intelligence, to carry out at least three exercises over 12 years to test the national capability to respond to cyber attacks involving critical infrastructure. H.R. 3223 complements the capstone exercise program authorized in H.R. 6395 by directing CISA, in consultation with sector risk management agencies, as appropriate, to develop an exercise program that is designed to more regularly test and assess systemic preparedness and resilience to cyber attacks against critical infrastructure, including by developing model exercises that State and local governments and private sector entities can readily adapt.
§ H.R. 3264 – Domains Critical to Homeland Security Act (Rep. Katko – Homeland Security). This bill authorizes DHS to conduct research and development into supply chain risks for critical domains of the United States economy. The bill would require DHS to conduct a risk analysis for each critical domain to determine potential homeland security threats caused by disruption, corruption, exploitation, or dysfunction of the domain. Based on the results of the risk analysis, the bill would authorize the Department to do further research into those critical domains considered highest risk to analyze the industries within the domains, examine performance under varying conditions, and identify ways to establish supply chain resiliency, among other things. The bill directs the Secretary of Homeland Security to report annually to Congress through fiscal year 2026 on the results of the Department’s research, along with actions the Secretary has taken or plans to take in response to the results.
§ The European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee issued a study it commissioned titled “Exchanges of Personal Data After the Schrems II Judgment” that “examines reforms to the legal framework for the exchange of personal and other data between the EU and the USA that would be necessary to ascertain that the requirements of EU law are satisfied and that the rights of EU citizens are respected, following the Schrems II judgment of the EU Court of Justice.” The authors of the paper explained:
o On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress. The judgment upheld the validity of standard contractual clauses to allow data transfers under the General Data Protection Regulation (GDPR), but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed.
o In this context the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) requested this study on reforms to the legal framework for the exchange of personal and other data between the EU and the USA to ensure EU law requirements are satisfied and EU citizens’ rights are respected.
o Our analysis shows that no US federal or state privacy law is likely to provide “essentially equivalent” protection compared to the EU GDPR in the foreseeable future. Indeed, there are serious and in practice insurmountable US constitutional and institutional as well as practical/political obstacles to the adoption of such laws.
o For the FTC to become an effective supervisory authority on the lines of the EU authorities, the FTC Act would likely have to be expanded or a new statute passed. Additionally, new or expanded Memoranda of Understanding should be signed among multiple US agencies, creating shared, coordinating enforcement teams.
o It may not be possible to provide a right of action for individuals as broad as that envisaged in the GDPR. However, Congress could still significantly strengthen the right of action – and standing – of individuals, including non-US persons, who are significantly affected by privacy-related “unfair or deceptive acts or practices” committed by private entities.
o If (i) the US and the EU were to take the legislative steps we outline relating to substance, enforcement and individuals’ rights of action and (ii) the US were to reform its surveillance laws and practices, then a new EU-US arrangement for self-certification by US entities could be achieved, under which the EU could issue a new positive adequacy decision on the USA, limited to personal data transferred from the EU to entities that had self-certified their voluntary compliance with the EU GDPR substantive standards. Without these reforms, EU data protection authorities will be required to consider suspending transfers of personal data to the US even following an adequacy decision by the European Commission.
§ A Canadian federal court is permitting the Office of the Privacy Commissioner to continue to look into Google’s possible violation of Canada’s primary privacy statute, the “Personal Information Protection and Electronic Documents Act” (PIPEDA). The Privacy Commissioner posed two questions to the court and received the green light to continue investigating Google. The Federal Court stated:
o This Reference is brought on the fringe of the Commissioner’s investigation of a complaint made in June 2017 against Google LLC [Google]. The Complainant states that Google contravenes the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] by displaying links to news articles that contained personal and sensitive information about him, when his name is searched using Google’s search engine. Information in the materials filed by the parties that could identify the Complainant will remain confidential in accordance with the Order of Madam Prothonotary Tabib dated November 2, 2018.
o The Federal Court found:
§ To the question: Does Google, in the operation of its search engine service, collect, use or disclose personal information in the course of commercial activities within the meaning of paragraph 4(1)(a) of PIPEDA when it indexes webpages and presents search results in response to searches of an individual’s name?
· The Court’s answer is: Yes
§ To the question: Is the operation of Google’s search engine service excluded from the application of Part 1 of PIPEDA by virtue of paragraph 4(2)(c) of PIPEDA because it involves the collection, use or disclosure of personal information for journalistic, artistic or literary purposes and for no other purpose?
· The Court’s answer is: No
§ The Federal Trade Commission (FTC) and the United States (U.S.) Department of Justice (DOJ) reached a settlement with Toronto-based Kuuhuub Inc., along with its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, over allegations that they violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). In the FTC’s press release, the agency claimed:
o The operators of an online coloring book app will be required to notify parents and offer refunds to current underage subscribers to settle Federal Trade Commission allegations that they violated a children’s privacy law by collecting and disclosing personal information about children who used the app without notifying their parents and obtaining their consent.
o In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleged that the Toronto-based Kuuhuub Inc., along with its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). The Rule requires websites and apps to provide notice to parents and obtain verifiable parental consent before collecting personal information from children if the website or app—or even a portion of the website or app—is directed at children under 13.
o The companies operate the Recolor coloring book app, which provides images that users can digitally color on their mobile devices. While billed as a “coloring book for adults,” a portion of the coloring book app was directed to children. The images are organized in a library with categories such as Movies and Animals. One popular category, called Kids, included images that would appeal to children, such as animated characters and cartoonish animals.
o In addition to the coloring feature, the app, which generates revenues from ads and paid subscriptions, offers social media features such as the ability to upload images for others to view, comment on, and like. To access these social media features, users must register for an account by providing an email address, screen name, and an optional profile description and picture, which are made public to other users.
o The FTC alleged that some children including those under 13 were able to register for accounts and use some of the social media features. The companies received dozens of complaints from parents and users who said that children were using the app’s social media features such as posting selfies and interacting with other users including adults.
o In its complaint, the FTC alleged that the Recolor app collected personal information from children under the age of 13 who used the app’s social media features and allowed third-party advertising networks to collect personal information from users in the form of persistent identifiers, also known as cookies, for targeted ads. The companies failed to instruct the ad networks to refrain from using children’s persistent identifiers for behavioral advertising, according to the complaint. The FTC also alleged that the companies failed to provide notice to parents or obtain verifiable parental consent before collecting personal information from underage users of the Recolor app in violation of the COPPA Rule.
o Under the settlement, the companies must delete all the personal information they collected from children under 13 unless they obtain parental consent, and must offer current paid subscribers of the Recolor app a refund if they were under the age of 18 when they signed up for the app. The companies also agreed to a $3 million monetary penalty, which will be suspended upon payment of $100,000 due to their inability to pay the full amount. They will be required to pay the full amount if they have misrepresented their finances. In addition, if they sell the app within a year following entry of the order, they must remit the net proceeds from the sale to the FTC, after the payment of debts and other related expenses.
o The companies must notify users of the app about the alleged COPPA Rule violations and the steps that users can take in response to the settlement.
§ The Federal Communications Commission (FCC) announced that “schools and libraries can now begin to file applications for the $7.17 billion Emergency Connectivity Fund, the agency’s latest effort to connect Americans.” The agency stated:
o Schools and libraries can apply for financial support to purchase laptops and tablets, Wi-Fi hotspots, modems, routers, and broadband connections to serve unmet needs for off-campus use by students, school staff, and library patrons. From June 29 to August 13, eligible schools and libraries can submit requests for funding to purchase eligible equipment and services for the 2021-22 school year.
o The American Rescue Plan of 2021 established the Emergency Connectivity Fund. In May, the FCC adopted the Report and Order outlining how the program would be administered. The Universal Service Administrative Company will serve as the program’s administrator with FCC oversight. The Fund leverages the processes and structures used in the E-Rate program for the benefit of schools and libraries already familiar with the E-Rate program. You can find more information about the program at www.emergencyconnectivityfund.org or www.fcc.gov/emergency-connectivity-fund and instructions on how to apply at www.emergencyconnectivityfund.org/application-process.
§ Senator Marco Rubio (R-FL) introduced the “Disincentivizing Internet Service Censorship of Online Users and Restrictions on Speech and Expression (DISCOURSE) Act” (S.2228) that would “halt Big Tech’s censorship of Americans, defend free speech on the internet, and level the playing field to remove unfair protections that shield massive Silicon Valley firms from accountability” per his press release. Rubio claimed his bill:
o would hold Big Tech responsible for complying with pre-existing obligations per Section 230 of the Communications Decency Act (CDA) of 1996 and clarify ambiguous terms that allow Big Tech to engage in censorship.
o Specifically, the DISCOURSE Act updates the statute so that when a market-dominant firm actively promotes or censors certain material or viewpoints -- including through the manipulative use of algorithms -- it no longer receives protections. The bill also limits Section 230 immunities for large corporations that fail to live up to the statute’s obligations.
o Rubio made available a one-page summary and offered this summary in his press release:
§ Holds Big Tech responsible for complying with Section 230’s existing obligations:
· Amends 230(c)(1) so that immunity guaranteed under the provision is only granted to big tech firms that comply with Section 230’s existing customer protection and information requirement.
§ Amends Section 230(f)(3) to include the following activities for which an interactive computer service is defined as an “Information content provider” and is thus responsible for the information on its platform:
o 1. Algorithmic amplification: The use of algorithmic amplification by a market-dominant firm to target the third-party provided content to users on the platform when the user has not requested or searched for the content.
o 2. Moderation activity: Engaging in content moderation activity that reasonably appears to express, promote, or suppress a discernible viewpoint, including reducing or eliminating the ability of an information content provider to earn revenue.
o 3. Information creation and development: Soliciting, commenting on, funding, contributing to, and modifying information provided by another person.
· For each of these categories, an interactive computer service is responsible for specific information if it has engaged in any of the actions with respect to any user content. However, if the company engages in a pattern or practice of such behavior, it is liable for all of the content on its site.
§ Amends Section 230(c)(2) to replace vague and subjective language with defined and legal terms:
· Conditions the content moderation liability shield on an objective reasonableness standard. In order to be protected from liability, a tech company may only restrict access to content on its platform where it has “an objectively reasonable belief” that the content falls within a specified category;
· Removes “otherwise objectionable” and replaces it with concrete terms, including “promoting terrorism,” content that is determined to be “unlawful,” and content that promotes “self-harm.”
· Includes a religious liberty clause, which states explicitly that (c)(2) does not extend liability protections to decisions that restrict content based on their religious nature.
§ Requires disclosures to inform and protect consumers:
· Requires interactive computer services to issue public disclosures related to content moderation, promotion, and curation so that consumers can make informed choices when it comes to the use of such services.
§ Clarifies that Section 230 immunity is an affirmative defense in a criminal or civil action.
§ Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) wrote the Departments of Education, Agriculture, and the Treasury “requesting the agencies to report on the disbursement of funds received for broadband deployment, adoption, or other connectivity initiatives from the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, Consolidated Appropriations Act of 2021, and American Rescue Plan Act of 2021” per his press statement. Wicker contended:
o The Department of Education received funding through all three legislative packages, with significant flexibility to allocate the funds as needed to help schools re-open safely or facilitate the transition to distance learning when schools could not re-open. In addition, the Federal Communications Commission received $7.1 billion for distance learning. The letter to Secretary Miguel Cardona requests details on coordination between the two agencies.
o The ReConnect program at the Department of Agriculture received $100 million from the CARES Act and an additional $635 million in the Consolidated Appropriations Act of 2021 for rural broadband deployment. ReConnect was an existing program prior to the pandemic, but received supplemental funding through the relief packages.
o The Treasury was responsible for administering billions of dollars in relief funds, including $150 billion from the CARES Act and $360 billion from the American Rescue Plan. These funds were to be used by state and local governments to cover costs incurred as a result of the pandemic, as well as for a wide range of infrastructure and capital initiatives. Broadband infrastructure and remote healthcare and education were among the eligible uses. Treasury has already issued a detailed report on the funds disbursed to this point, and, because of this existing reporting, the letter directed to Secretary Janet Yellen requests that this practice continue.
§ The Government Accountability Office (GAO) has issued a number of priority recommendations reports for various United States (U.S.) agencies over the last month. In the report to the Office of Management and Budget (OMB), the GAO explained the purpose of the document is to “provide an update on the overall status of the OMB’s implementation of GAO's recommendations and to call your personal attention to critical open recommendations that should be given high priority.” GAO stated:
o In November 2020, we reported that on a government-wide basis, 77 percent of our recommendations made 4 years ago were implemented. As of June 2021, OMB’s recommendation implementation rate was 60 percent and OMB had 153 open recommendations. Fully implementing these open recommendations could yield significant savings and other improvements in executive branch agency operations.
o Since our April 2020 letter, OMB has implemented four of our 35 open priority recommendations.
§ OMB, in coordination with the Department of the Treasury, issued additional guidance related to the Digital Accountability and Transparency Act of 2014 (DATA Act). The various guidance implements two priority recommendations that could help ensure that the integrity of certain data standards is maintained over time and improve the clarity, consistency, and quality of agency spending data.
§ OMB updated improper payment guidance, implementing two priority recommendations that will help agencies better address inconsistencies in improper payment estimations and improve congressional oversight of noncompliant programs.
o Given the critical role OMB plays in providing oversight of vital government-wide performance and management issues, we ask for your attention to the remaining 31 open priority recommendations identified in the 2020 letter. We also are adding 13 new recommendations related to improving government performance, increasing availability and transparency of government data, improving acquisition management and reducing costs, reducing government-wide improper payments, improving federal real property asset management, and improving information management. This brings the total number of priority recommendations to 44….
o The GAO highlighted priorities related to technology:
§ Improving acquisition management and reducing costs. Implementing 10 priority recommendations related to federal acquisitions would help agencies improve the management of high-priority information technology (IT) projects and achieve billions of dollars in other potential savings. For instance, the federal government spends more than $90 billion annually on IT investments. However, too often these investments have cost overruns and schedule delays. To enhance the oversight of high-priority IT projects, in November 2017 we recommended the Federal Chief Information Officer (CIO) become more directly involved in the oversight of these projects. In May 2020, OMB told us that its process for identifying high priority programs had evolved and been superseded by a process for identifying agencies’ most critical assets—known as high-value assets. The agency stated that both the Federal CIO and Federal Chief Information Security Officer were engaged in overseeing these assets through their involvement on the Federal CIO and Federal Chief Information Security Officer Councils. However, as of April 2021, OMB had not taken additional action to ensure that the Federal CIO was directly involved in the oversight of the full range of high priority programs across the federal government. As we reported, such oversight would improve accountability and achieve positive results for the federal government’s investments.
§ Category management is a government-wide initiative led by OMB that saves the federal government billions of dollars each year by improving how agencies buy common products and services. We are designating five recommendations that we made to the Director of OMB in November 2020 as priority recommendations. These relate to improving how agencies define requirements for common products and services, and leading efforts to address government-wide data challenges, among other things. OMB agreed with the substance of our recommendations, and reported in April 2021 some specific actions it plans to take in the coming year, such as updating its Fiscal Year 2022 Key Performance Indicators to include metrics for requirements definition.
§ Strengthening information security. Two priority recommendations are aimed at ensuring the security of federal information systems. Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets. Safeguarding federal information systems has been a longstanding concern. We first designated it as a government-wide high-risk area in 1997.
§ One recommendation from July 2019 is for OMB to expand its coordination of meetings that engage agency leadership on cybersecurity—known as CyberStat meetings—to those agencies with a demonstrated need for assistance in implementing information security. By increasing the number of agencies participating in CyberStat meetings, OMB gains an opportunity to assist agencies with improving their information security posture. OMB also would increase its ability to oversee specific agency efforts to provide information security protections for federal information and information systems.
§ In March 2021, OMB officials stated that they have held numerous meetings with various agencies on CyberStat-related topics and are continuing to work with the Department of Homeland Security to update a concept of operations document. To fully implement this recommendation, OMB needs to finalize and release the CyberStat concept of operations document and increase agency participation in CyberStat meetings.
§ In December 2019, we recommended that OMB establish a process for monitoring and holding agencies accountable for authorizing cloud services through the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is intended to provide a standardized approach for selecting and authorizing the use of cloud services that meet federal security requirements. Greater OMB oversight through such a process could increase federal agency participation in the FedRAMP program and may provide greater assurance that agency information stored in a cloud environment is better protected and aligns with federal security requirements. In April 2021, OMB stated that it was coordinating with federal agencies and the General Services Administration’s FedRAMP to improve administrative processes. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies’ compliance with using the program.
Further Reading
§ “An Office Phone Flaw Can’t Be Fixed by Cisco Alone” By Lily Hay Newman — WIRED. Ang Cui has spent 10 years hacking into internet-connected office phones and other “embedded devices”—that is, devices that don't look like computers or servers but have all the trappings: a processor, memory, and, often, the ability to connect to other devices or the internet. As the founder of Red Balloon Security, Cui spends plenty of time evaluating sophisticated industrial control systems and even satellite infrastructure, but he still comes back to IP phones as a barometer for how much progress has been made securing the Internet of Things. His latest research indicates that there's still a long way to go.
§ “This Manual for a Popular Facial Recognition Tool Shows Just How Much the Software Tracks People” By Alfred Ng — The Markup. In 2019, the Santa Fe Independent School District in Texas ran a weeklong pilot program with the facial recognition firm AnyVision in its school hallways. With more than 5,000 student photos uploaded for the test run, AnyVision called the results “impressive” and expressed excitement at the results to school administrators. “Overall, we had over 164,000 detections the last 7 days running the pilot. We were able to detect students on multiple cameras and even detected one student 1100 times!” Taylor May, then a regional sales manager for AnyVision, said in an email to the school’s administrators.
§ “Vietnam orders Netflix to remove Australian spy show over South China Sea map” By James Pearson — Reuters. Netflix Inc (NFLX.O) has removed Australian spy drama "Pine Gap" from its services in Vietnam after a complaint from broadcast authorities in the Southeast Asian country about the appearance of a map which depicts Chinese claims in the South China Sea.
§ “UK’s largest chip plant to be acquired by Chinese-owned firm Nexperia amid global semiconductor shortage” By Sam Shead — CNBC. Newport Wafer Fab, the U.K.’s largest chip producer, is set to be acquired by Chinese-owned semiconductor company Nexperia for around £63 million ($87 million) next week, according to two sources close to the deal who asked to remain anonymous because the information is not yet public. Nexperia, a Dutch firm that is 100%-owned by China’s Wingtech Technology, told CNBC on Friday that the deal talks are ongoing.
§ “Facebook has become a $1 trillion company” By Mitchell Clark — The Verge. Facebook has joined the ranks of companies valued over a trillion dollars as of today’s market close. The company’s market cap is sitting at $1.008 trillion according to Yahoo Finance, putting it over the mark for the first time in its history. Some of the most notable of Facebook’s divisions are the Facebook site itself, along with Messenger, as well as Instagram, WhatsApp, and Oculus. On the list of US tech companies that have passed the $1 trillion valuation mark, Facebook is the only one founded in the 2000s, making it the newest — as long as you’re counting from the date that Google was started (which was in 1998), instead of Alphabet (which was created 2015).
§ “New Laws Are ‘Probably Needed’ to Force US Firms to Patch Known Cyber Vulnerabilities, NSA Official Says” By Patrick Tucker — Nextgov. The vast majority of cyber attacks exploit known vulnerabilities that could be fixed by patching older software and replacing older computing gear. But that costs money, and legislation will likely be needed to force companies to make these fixes soon — before the kind of AI-powered tools used by Russia and China become commonplace among smaller-scale hackers, said Rob Joyce, who leads the National Security Agency’s Cybersecurity Directorate.
§ “AT&T gives investors and gov’t wildly different takes on need for fiber Internet” By Jon Brodkin — ars technica. AT&T says fiber Internet is a "superior" technology that is built for today and the future because of its ability to deliver symmetrical upload and download speeds of 1Gbps and higher. AT&T also says that "there is no compelling evidence" to support the deployment of fiber across the US and that rural people should be satisfied with nonfiber Internet access that provides only 10Mbps upload speeds.
§ “Elon Musk says Starlink will be available worldwide in August” By Marguerite Reardon — c/net. Elon Musk's satellite broadband service, Starlink, will be available worldwide except the North and South Poles starting in August, the billionaire entrepreneur said Tuesday during a talk at the virtual Mobile World Congress 2021. Starlink is "operational now in about 12 countries, and more are being added every month," Musk said.
§ “Hong Kong working to share its digital IDs with mainland China” By Laura Dobberstein — The Register. Hong Kong’s Office of the Government Chief Information Officer (OGCIO) has revealed that the territory is investigating the use of its digital ID in mainland China. In a Q&A, Secretary for Innovation and Technology, Mr Alfred Sit, said “the OGCIO is exploring with relevant authorities in the Mainland and Macao the collaboration opportunities between their identity authentication systems and iAM Smart.”
§ “Cybersecurity Funding Faces Political Clash During Appropriations Markup” By Mariam Baksh — Nextgov. A leading Republican on the House Appropriations Committee will not support a bill that significantly increases funding for the Cybersecurity and Infrastructure Security Agency due to disputes over immigration issues raised by the administration of former President Donald Trump. “For some of the bill's funding, we are in complete agreement: cybersecurity, [Transportation Security Administration], Secret Service, and Scientific and Technology, just to name a few,” said Rep. Chuck Fleischmann, R-Tenn., ranking member of Appropriation's subcommittee on Homeland Security. “The proposed investments are worthy of our support. However, in order to truly get across the finish line, we must come to a reasonable agreement on the immigration issues and until that is done, we just cannot support this bill in its current form.”
Coming Events
§ 21 July
o The Federal Trade Commission (FTC) will open its monthly open meeting with this agenda:
§ Care Labeling Rule: In July 2011, the Commission initiated a regulatory review proceeding of the Care Labeling Rule. As part of the proceeding, the Commission has solicited public comments on multiple proposals to change the rule, including a proposal to repeal the Rule entirely. The Commission will vote on whether to rescind the proposal to repeal the Care Labeling Rule.
§ Proposed Policy Statement on Repair Restrictions Imposed by Manufacturers and Sellers: The FTC Act authorizes the Commission to adopt policy statements. The Commission will vote on whether to issue a new policy statement, following the Commission's “Nixing the Fix” report which was unanimously agreed to and announced on May 6, 2021.
§ Policy Statement on Prior Approval and Prior Notice Provisions in Merger Cases: In 1995, the Commission adopted a policy statement regarding “prior approval” and “prior notice” remedies in merger cases. The Commission will vote on whether to rescind this policy statement.
o The Senate Armed Services Committee will mark up its FY 2022 National Defense Authorization Act in a closed session.
o The House Ways and Means Committee’s Trade Subcommittee will hold a hearing titled “The Global Challenge of Forced Labor in Supply Chains: Strengthening Enforcement and Protecting Workers.”
o The Senate Environment and Public Works Committee will hold a hearing titled “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure.”
o The House Veterans' Affairs Committee’s Technology Modernization Subcommittee will hold a hearing titled “Moving Forward: Evaluating Next Steps for the Department of Veterans Affairs Electronic Health Record Modernization Program.”
§ 27 July
o The Federal Trade Commission (FTC) will hold PrivacyCon 2021.
§ 28 July
o The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
§ 5 August
o The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
§ Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
§ Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
§ Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
§ Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
§ Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).