Clarity On Who Is A Controller, Processor, and Joint Controller Under the GDPR, Part II
France fines and enjoins Google over media remuneration law; one state passes a law against intimate image distribution, and another places restrictions on government facial recognition technology
Yesterday, I looked into the first half of the European Data Protection Board’s (EDPB or Board) final guidelines on how to determine who are controllers and processors under the General Data Protection Regulation (GDPR). Today, I will examine the second half of the guidelines, which detailed the consequences of the terms controller, processor, joint controller, and others.
In the second half of the guidelines, the EDPB turned to the consequences of these terms and relationships between them. The Board stated:
A distinct new feature in the GDPR are the provisions that impose obligations directly upon processors. For example, a processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality (Article 28(3)); a processor must maintain a record of all categories of processing activities (Article 30(2)) and must implement appropriate technical and organisational measures (Article 32). A processor must also designate a data protection officer under certain conditions (Article 37) and has a duty to notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). Furthermore, the rules on transfers of data to third countries (Chapter V) apply to processors as well as controllers. In this regard, the EDPB considers that Article 28(3) GDPR, while mandating a specific content for the necessary contract between controller and processor, imposes direct obligations upon processors, including the duty to assist the controller in ensuring compliance.
Under the GDPR, controllers are generally responsible in the ordinary course of processing (unless a processor starts processing data for its own purposes or some of the other processor-specific responsibilities are at play) and are responsible for a processor’s guarantees regarding the security of the processing, to cite one area. Accordingly, the Board contended that controllers must use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures.” And so, the EDPB continues, controllers must assess the sufficiency of a processor’s guarantees, which often “will require an exchange of relevant documentation.” The Board cautions that as the circumstances of personal data processing differ widely from controller to controller and processor to processor, it is not possible to “provide an exhaustive list of the documents or actions that the processor needs to show or demonstrate in any given scenario” to establish whether the processor possesses the appropriate technical and organizational measures. The Board suggests some of the types of documents and processes that may suffice but leaves this consideration open-ended. Nonetheless, the EDPB does offer general guidance:
§ The following elements should be taken into account by the controller in order to assess the sufficiency of the guarantees: the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources. The reputation of the processor on the market may also be a relevant factor for controllers to consider.
§ Furthermore, the adherence to an approved code of conduct or certification mechanism can be used as an element by which sufficient guarantees can be demonstrated. The processors are therefore advised to inform the controller as to this circumstance, as well as to any change in such adherence.
The EDPB stressed that controllers have an ongoing responsibility to ensure a processor offers sufficient guarantees, one that does not end when a contract or legal instrument for the processing is signed.
The Board provides its advice on what contracts between controllers and processors should look like. The EDPB recites that under Article 28(3) all data processing must be performed pursuant to a contract or “other legal act” between a controller and processor. This instrument must be written and in an electronic form, and all non-written contracts will be per se illegal under the GDPR. The Board clarified “legal act” as a national law “or other legal instrument” and stated that unless the legal act contains all the elements of an agreement between controllers and processors, there must be a supplemental contract.
The Board noted parties can negotiate their own contracts or use standard contractual clauses (SCC) adopted either by the European Commission or a supervisory authority. The Board stressed that SCCs need not be used and either a contract or SCCs may meet the GDPR’s requirements. However, the EDPB observed that the data protection clauses of an agreement must match those of an SCC if this is what the parties are relying upon and additional language may be added so long as it does not contradict the SCCs. In any event, the EDPB emphasized that whatever the form of the agreement, it cannot merely be a recitation of the provisions of the GDPR and must “include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.” The Board added that agreements should also “take into account ‘the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.’” The EDPB stated contracts should fit the risks involved in the particular data processing and overly restrictive terms would not likely fit processing with low risks.
The Board interpreted Article 28(3) with respect to the required contents of a contract between controllers and processors:
§ the subject-matter of the processing (for instance, video surveillance recordings of people entering and leaving a high-security facility). While the subject matter of the processing is a broad concept, it needs to be formulated with enough specifications so that it is clear what the main object of the processing is;
§ the duration of the processing: the exact period of time, or the criteria used to determine it, should be specified; for instance, reference could be made to the duration of the processing agreement;
§ the nature of the processing: the type of operations performed as part of the processing (for instance: “filming”, “recording”, “archiving of images”, ...) and purpose of the processing (for instance: detecting unlawful entry). This description should be as comprehensive as possible, depending on the specific processing activity, so as to allow external parties (e.g. supervisory authorities) to understand the content and the risks of the processing entrusted to the processor.
§ the type of personal data: this should be specified in the most detailed manner as possible (for instance: video images of individuals as they enter and leave the facility). It would not be adequate merely to specify that it is “personal data pursuant to Article 4(1) GDPR” or “special categories of personal data pursuant to Article 9”. In case of special categories of data, the contract or legal act should at least specify which types of data are concerned, for example, “information regarding health records”, or “information as to whether the data subject is a member of a trade union”;
§ the categories of data subjects: this, too, should be indicated in a quite specific way (for instance: “visitors”, “employees”, delivery services etc.);
§ the obligations and rights of the controller: the rights of the controller are further dealt with in the following sections (e.g. with respect to the right of the controller to perform inspections and audits). As regards the obligations of the controller, examples include the controller’s obligation to provide the processor with the data mentioned in the contract, to provide and document any instruction bearing on the processing of data by the processor, to ensure, before and throughout the processing, compliance with the obligations set out in the GDPR on the processor's part, to supervise the processing, including by conducting audits and inspections with the processor.
Again, the EDPB explained its view on how this requirement under the GDPR is constructed and then left an out (or uncertainty if one is trying to gauge her compliance) in asserting “other relevant information may need to be included, depending on the context and the risks of the processing as well as any additional applicable requirement.” The Board does not even hint at what “other relevant information” could be required.
The EDPB stated “[t]he processor must only process data on documented instructions from the controller (Art. 28(3)(a) GDPR),” a somewhat self-evident observation under the GDPR that the Board expands upon. Controllers should provide documented instructions to processors for each processing activity, and if processors stray outside these instructions, they breach the GDPR and may even become controllers and face additional liability. The Board added that controllers and processors should pay special attention to the transfers of personal data to other nations, particularly in the situation where a processor is using a subcontracting processor. Each party in such a situation must obey EU law with respect to transfers and is accountable for transfers to nations that do not have adequacy decisions with the EU (e.g., the United States). Moreover, the controller may have issued instructions to the processor on transfers, and the latter is bound by the former’s directives so long as they comport with the GDPR and EU law. The Board noted EU or member state law may direct processing or transfers by law, and in these circumstances, the agreement can be superseded.
The Board continued by noting that contracts must heed the GDPR on the confidentiality obligations of those people processing personal data. The EDPB also expanded on the “technical and organisational measures” controllers must ensure processors are putting in place:
The contract needs to include or reference information as to the security measures to be adopted, an obligation on the processor to obtain the controller’s approval before making changes, and a regular review of the security measures so as to ensure their appropriateness with regard to risks, which may evolve over time.
The Board reminded controllers that any agreement for processing must specify that processors cannot engage other processors unless the controller is informed. The EDPB added that processors have a duty to aid controllers in responding to a person’s exercise of her GDPR rights. The Board further explained processors must help controllers meet other obligations under the GDPR, and these obligations should be identified in the agreement between them to process data. The Board then detailed some of these obligations:
§ Moving on to the specific obligations, the processor has, first, a duty to assist the controller in meeting the obligation to adopt adequate technical and organisational measures to ensure security of processing. While this may overlap, to some extent, with the requirement that the processor itself adopts adequate security measures, where the processing operations of the processor fall within the scope of the GDPR, they remain two distinct obligations, since one refers to the processor’s own measures and the other refers to the controller’s.
§ Secondly, the processor must assist the controller in meeting the obligation to notify personal data breaches to the supervisory authority and to data subjects. The processor must notify the controller whenever it discovers a personal data breach affecting the processor’s or a sub-processor’s facilities / IT systems and help the controller in obtaining the information that need to be stated in the report to the supervisory authority. The GDPR requires that the controller notify a breach without undue delay in order to minimize the harm for individuals and to maximize the possibility to address the breach in an adequate manner. Thus, the processor’s notification to the data controller should also take place without undue delay. Depending on the specific features of the processing entrusted to the processor, it may be appropriate for the parties to include in the contract a specific timeframe (e.g. number of hours) by which the processor should notify the controller, as well as the point of contact for such notifications, the modality and the minimum content expected by the controller. The contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller. If the processor does notify a data breach directly to the supervisory authority, and inform data subjects in accordance with Article 33 and 34, the processor must also inform the controller and provide the controller with copies of the notification and information to data subjects.
§ Furthermore, the processor must also assist the controller in carrying out data protection impact assessments when required, and in consulting the supervisory authority when the outcome reveals that there is a high risk that cannot be mitigated.
The Board stated processors must make available all information necessary for controllers to ensure compliance with the GDPR, including audits and inspections. The EDPB conceded the GDPR is silent on who shall pay for audits but opined that the agreement for processing should not set a “clearly disproportionate or excessive” cost on audits, regardless of who is paying, for this would lend itself to audits not occurring.
The EDPB then tries to resolve the tension in the GDPR between a processor’s obligations to follow a controller’s instructions and its obligation to immediately inform the controller if any such instructions impinge the law. Thereafter, a controller must assess whether the instruction does violate the GDPR and then proceed accordingly. However, the Board does not advise a processor to report a controller’s alleged impingement to a supervisory authority.
The next part of the guidelines worth attention pertains to the consequences of joint controllership. The Board observes “Article 26(1) of the GDPR provides that joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the Regulation.” The EDPB construes the word “respective” as entailing a responsibility among joint controllers to determine which shall do what with respect to meeting compliance obligations. The Board envisions a clear allocation of data protection compliance among the parties, most likely so that there are no misunderstandings, gaps, or opportunities for joint controllers to try and pin non-compliance on other controllers. The EDPB suggested “the compliance measures and related obligations joint controllers should consider when determining their respective responsibilities, in addition to those specifically referred in Article 26(1), include amongst others without limitation:
§ Implementation of general data protection principles (Article 5)
§ Legal basis of the processing (Article 6)
§ Security measures (Article 32)
§ Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)
§ Data Protection Impact Assessments (Articles 35 and 36)
§ The use of a processor (Article 28)
§ Transfers of data to third countries (Chapter V)
§ Organisation of contact with data subjects and supervisory authorities
As is the case elsewhere in these guidelines, there may always be additional considerations for joint controllers, and the EDPB declined to offer a definitive or exhaustive list of items joint controllers should decide upon.
However, the EDPB pointed out that the GDPR does not require an agreement between joint controllers as it does between controllers and processors, but “for the sake of legal certainty, even if there is no legal requirement in the GDPR for a contract or other legal act, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject.” The EDPB noted the GDPR requires that the “essence” of a joint controllership arrangement be available to data subjects (i.e. the people whose data is being processed) but is also silent on what constitutes an essence. The EDPB suggests some ways joint controllers could meet this requirement but leaves matters open. The Board also reiterates that people are not bound by the arrangement and may exercise their rights against any or all of the joint controllers regardless of how the processing obligations have been apportioned. Likewise, data protection authorities are not bound by joint controller arrangements and may contact any of the parties for purposes of compliance and enforcement.
The EDPB provided a flowchart “for applying the concepts of controller, processor and joint controllers in practice:”
Other Developments
§ France’s Autorité de la concurrence fined Google “up to 500 million euros for having disregarded several injunctions issued in the context of its interim measures’ decision of April 2020 (decision 20-MC-01 of 9 April 2020 regarding requests for interim measures presented by Syndicat des éditeurs de la presse magazine, Alliance de la presse d'information générale e.a. and Agence France-Presse).” The Autorité “also orders Google to present a remuneration offer for the current use of their protected content to press publishers and agencies that have referred the case to the Autorité and to provide them with the necessary information for evaluating such offer, under periodic penalty payment of up to 900,000 euros per day of delay, if Google has not done so within two months.” This fine represents the latest development in a long-running saga between the search engine giant and nations over what, if anything, it should pay for linking and using the articles and content of the news media. The Autorité explained:
o As a reminder, in its interim measures decision 20-MC-01, the Autorité noted that following the adoption of Law No. 2019-775 of 24 July 2019 aiming to create a related right for the benefit of press agencies and publishers, transposing Directive No. 2019/790 of 17 April 2019 on copyright and related rights in the digital single market, Google had unilaterally decided that it would no longer display extracts from articles, photographs and videos within its various services, unless the editors give it permission free of charge. The Autorité considered that this behaviour could constitute an abuse of a dominant position and that it caused serious and immediate harm to the press sector. It had issued, pending a decision on the merits, seven injunctions against Google. This decision was confirmed by the Paris Court of Appeal in a ruling of 8 October 2020, and has become final (Google has not lodged an appeal before the French Supreme Court).
o In particular, Google had been ordered to:
§ enter into negotiations in good faith with press publishers and agencies who so desire (Injunction No. 1) for a period of three months from the request of the publisher or the press agency (Injunction No. 4);
§ communicate the information necessary for the transparent assessment of the remuneration provided for in Article L. 218-4 of the Intellectual Property Code (the "CPI") (Injunction No. 2);
§ ensure that a principle of strict neutrality is respected during negotiations, so as not to affect the indexing, classification and presentation of protected content taken up by Google on these services (injunction No. 5); the decision stated in this regard that: "This is to prevent publishers from suffering unfavourable consequences on the usual conditions of display, indexing and ranking of their content on Google, because or related to ongoing negotiations”. The Paris Court of Appeal in its ruling of 8 October 2020 clarified the scope of injunction No. 5, indicating that: “This injunction does not prevent improvements and innovations in the services offered by Google LLC companies, Google Ireland Ltd and Google France, provided that they do not lead, directly or indirectly, to any prejudicial consequence to the interests of the holders of related rights concerned by the negotiations provided for in Articles 1 and 2 of this decision”;
§ ensure respect for a principle of strict neutrality of negotiations on any other economic relationship that may exist between Google and press publishers and agencies (injunction No. 6); the decision specified in this regard that: "This is to prevent Google from voiding negotiations on related rights by offsetting the remuneration paid to publishers for related rights on other activities. It is also to prevent Google from using its dominant position in the market for general search services to force, during negotiations with press publishers and agencies, the use of some of its services";
§ send the Autorité regular reports on the modalities of implementation of the decision (Injunction No. 7).
§ The National Institute of Standards and Technology (NIST) found “[t]he most accurate face recognition algorithms have demonstrated the capability to confirm airline passenger identities while making very few errors” and released “Face Recognition Vendor Test (FRVT) Part 7: Identification for Paperless Travel and Immigration (NISTIR 8381), [that] focus on face recognition (FR) algorithms’ performance under a particular set of simulated circumstances: matching images of travelers to previously obtained photos of those travelers stored in a database.” NIST added that “[a]mong the report's findings are:
o The seven top-performing algorithms can successfully identify at least 99.5% of passengers the first time around if the database contains one image of a passenger. If the database contains a single image of each individual, the study shows that for as many as 428 of 567 simulated flight boarding processes, with each flight carrying 420 passengers, the most accurate FR algorithm can identify passengers for boarding without any false negatives (meaning the software fails to match two images of the same person). Stated in terms of error rates, this corresponds to at least 99.87% of travelers being able to board successfully after presenting themselves one time to the camera. Six additional algorithms give better than 99.5% accuracy.
o Performance improves dramatically if the database contains multiple images of a passenger. The database gallery can contain more than one image of a single passenger. When an average of six prior images of a passenger are in the gallery, then all algorithms realize large gains: The most accurate algorithm will check the identities of passengers on 545 of 567 flights without any errors, and at least 18 developers' algorithms are effective at identifying more than 99.5% of travelers accurately with a single presentation to the camera.
o Demographic differences in the dataset have little effect. The team explored differences in performance on male versus female subjects and also across national origin, which were the two identifiers the photos included. National origin can, but does not always, reflect racial background. Algorithms performed with high accuracy across all these variations. False negatives, though slightly more common for women, were rare in all cases.
§ Senator Elizabeth Warren (D-MA) wrote Federal Trade Commission (FTC) Chair Lina Khan “calling for a "broad" and "meticulous" review of Amazon's acquisition of Metro-Goldwyn-Mayer Studios (MGM) consistent with Section 7 of the Clayton Act, legislation that prohibits any acquisition whose effect "may be substantially to lessen competition, or to tend to create a monopoly" in "any line of commerce or in any activity affecting commerce."” Warren asserted:
o This $8.45 billion deal would ostensibly help Amazon attract consumers to its subscription streaming services. But because this service is tied to a wide range of additional Amazon products and services that affect broad sectors of our economy, this transaction requires meticulous antitrust scrutiny. I support the Federal Trade Commission’s (FTC) review of this deal, which is consistent with your ongoing investigation into Amazon’s anticompetitive business practices.
o On May 26, 2021, Amazon—which is worth $1.64 trillion—announced its intent to purchase the MGM movie studio for $8.45 billion. MGM holds the rights to around 4,000 films and 17,000 hours of television that would provide content for Amazon’s streaming video service, Amazon Prime Video. The problem is that this streaming service is only available to paid subscribers of Amazon Prime—a bundled service that includes streaming content in addition to exclusive deals and fast delivery on various products sold through Amazon’s online market platform and Whole Foods Market. Amazon’s streaming competitors are already at a disadvantage because of Amazon’s broad range of services that are tied to its streaming service through an annual $119 Prime membership “whose value proposition is to help you buy more products.”
o As of April 2021, there were nearly 150 million Prime subscribers in the U.S. and 200 million Prime members worldwide, up from around 10 million members in 2012. A decade ago, analysts estimated that Amazon was operating at a loss in part because of Prime, but over the course of the COVID-19 pandemic, the company’s profits increased 220 percent—partially due to the addition of around 50 million Prime subscribers (nearly 30 million in the U.S.) who could easily make purchases on Amazon’s platform. The Prime membership is so sticky that “less than 1% of Prime members are likely to consider other mass-market retail sites,” and reports have estimated that households with a Prime membership spend about $3,000 a year on Amazon—more than double the amount spent by those that do not, which suggests a sizable competitive advantage for the bundled services that has only increased over time.
o Amazon’s tactic to operate at a financial loss and use low prices to lure in customers and capture the market has worked before, and the FTC must determine whether this vertical acquisition is truly an entertainment strategy or merely another step towards unfettered monopolization. MGM is reportedly valued at $6.5 billion in equity, yet its acquisition by Amazon is valued at $8.45 billion—the second largest acquisition in Amazon’s history. This acquisition presents an important opportunity to ensure that the FTC approaches vertical transactions involving tech platforms with the proper dosage of antitrust scrutiny.
§ Staff at the United States (U.S.) Consumer Product Safety Commission submitted a Congressionally required report on its work on ensuring that consumer products flowing into the United States are being adequately inspected. The “Consolidated Appropriations Act, 2021” (P.L. 116-260) “directed CPSC to “identify the steps the Commission has taken and plans to take to mitigate [the risks associated with the reduction in Commission port inspection activity], such as recalls, inspections of product inventory, consumer warnings, and other appropriate measures.” Staff detailed the agency’s experience during the pandemic after it stopped sending inspectors to ports to physically examine imports. Staff asserted:
o Although remote work reduced the number of shipments CPSC staff examined, CPSC staff developed a number of alternative means to protect the public during this period, including continual risk assessment of imported shipments, remote enforcement procedures, internet surveillance, recalls, and outreach to industry and government partners.
o Furthermore, data from the first 6 months of the pandemic indicate that there was a significant drop in trade (see Section 2 of this report), and a corresponding reduction in the number of products flowing through traditional ports, a likely factor in the reduction of the number of inspections conducted during this period. At the same time, data indicate that there was a significant increase in eCommerce activity involving de minimis shipments arriving at express courier and other similar facilities, where CPSC has never had a presence (although as noted in Section 6, the agency seeks to do so as expeditiously as possible). Thus, potentially violative products that might have entered the country in this manner resulted from a lack of an established CPSC presence at these facilities rather than from the remote status of CPSC personnel who were unavailable at traditional ports.
o It should also be noted that a similar gap in resources exists at traditional ports. Of the roughly 327 ports nationwide, CPSC maintains a physical presence at 18 of those ports, staffed by 32 fulltime equivalents (FTEs). Thus, although CPSC’s port inspection activity declined during the first 6 months of the pandemic, our overall lack of adequate resources for nationwide port coverage accounts for the small fraction of inspection activities we can undertake, even when fully staffed.
o In addition to the need to increase staffing in the traditional and eCommerce port environments, CPSC must secure improved information technology (IT) and targeting capabilities to better risk assess shipments and to address the overlap between intellectual property (IP) infringements and safety violations. The funding recently appropriated to CPSC under the American Rescue Plan Act (ARPA) of 2021 has allowed the agency to begin meeting those needs. Specifically, the Commission has allocated ARPA funds to increase the number of traditional ports of entry where CPSC has a physical presence, as well as ports where large volumes of de minimis shipments arrive. It is an important first step toward addressing the risk posed by the influx of consumer products, especially those arriving by eCommerce.
§ In a blog post, Google responded to the most recent antitrust suit filed by state attorneys general over its allegedly anti-competitive App Store practices and drew distinctions between its practices and rules and those of Apple. Google asserted:
o We built Android to create more choices in mobile technology. Today, anyone, including our competitors, can customize and build devices with the Android operating system — for free.
o We also built an app store, Google Play, that helps people download apps on their devices. If you don’t find the app you’re looking for in Google Play, you can choose to download the app from a rival app store or directly from a developer’s website. We don’t impose the same restrictions as other mobile operating systems do.
o So it’s strange that a group of state attorneys general chose to file a lawsuit attacking a system that provides more openness and choice than others. This complaint mimics a similarly meritless lawsuit filed by the large app developer Epic Games, which has benefitted from Android’s openness by distributing its Fortnite app outside of Google Play.
o Here’s more detail on how this lawsuit gets it wrong:
o Google Play competes vigorously and fairly
o The complaint limits its definition of the app marketplace to Android devices only. This completely ignores the competition we face from other platforms such as Apple's incredibly successful app store, which accounts for the majority of mobile app store revenues according to third-party estimates. We compete for both developers and consumers, and if we’re not providing them with the best experience on Google Play, they have other alternatives to choose from.
o Android increases competition and choice
o This complaint alleges that consumers and developers have no option other than to use Google Play. But that’s not correct. Choice has always been a core tenet of Android. Device makers and carriers can preload competing app stores alongside Google Play on their devices. In fact, most Android devices ship with two or more app stores preloaded. And popular Android devices such as the Amazon Fire tablet come preloaded with a competitive app store and no Google Play Store.
o Consumers can also “sideload” apps, meaning they can download them from a developer’s website directly without going through Google Play at all. People sideload successful apps like Fortnite, as well as entire app stores like the Amazon Appstore, neither of which are distributed through Google Play.
o Contributing to this openness and choice, we also give developers more ways to interact with their customers compared to other operating systems. For example, Google Play allows developers to communicate with their customers outside the app about subscription offers or a lower-cost offering on a rival app store or the developer’s website.
§ The Federal Communications Commission’s (FCC) Wireline Competition Bureau (WCB) submitted a report to the Commission on the Lifeline marketplace that “provides a summary of the state of the Lifeline marketplace as directed by FCC in the 2016 Lifeline Order.” The WCB explained:
o This Report informs the Commission about the current state of the Lifeline marketplace, identifies areas for future Commission consideration regarding the continued transition of the Lifeline program from a program that primarily supports Lifeline voice services to one with a greater focus on supporting Lifeline broadband Internet access service, and offers potential considerations relevant to the Lifeline Program’s continued ability to ensure that low-income Americans have access to affordable communications services. In developing the Report, the Bureau relied on information about the Lifeline marketplace from the Lifeline administrator, the Universal Service Administrative Company (USAC), publicly available information about general market trends, and comments submitted by various Lifeline stakeholders.
o [T]his Report details: the data collection efforts undertaken by the Bureau; the current state of the Lifeline subscriber base; the pace of change in adoption of voice and broadband services; an assessment of the Lifeline minimum service standards; an examination of the phase-down in support for Lifeline voice-only services, including an assessment of the affordability of voice and broadband services; and an initial look at the interconnections between the Lifeline program and the recently launched EBB Program. Throughout this Report, the Bureau identifies issues for Commission consideration regarding these areas of discussion.
o The Lifeline program remains a key component of the Commission’s efforts to address broadband availability and affordability across the country. Over the past several years, the Commission has taken important steps to transition the Lifeline program to a program that supports access to broadband Internet access services, allowing Lifeline eligible consumers to benefit from these services in a modern world. This Report details the current state of the Lifeline program, how the transition to a more broadband-focused program was executed, the impacts to key stakeholder populations, and the potential intersection between the Lifeline program and the Emergency Broadband Benefit Program. While progress has been made to advance affordability, this Report offers several areas of consideration for the Commission.
§ The Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee Ranking Member Mike Lee (R-UT) and the full committee Ranking Member Chuck Grassley (R-IA) introduced the “Tougher Enforcement Against Monopolies” (TEAM Act) (S.2039) that would:
o The TEAM Act, in addition to consolidating our antitrust enforcement agencies into one, streamlined agency, strengthens our ability to prevent and correct antitrust harm in three main ways:
o The TEAM Act strengthens antitrust laws. It includes a market share-based merger presumption, improves the HSR Act, codifies the consumer welfare standard, and makes it harder for monopolists to justify or excuse anticompetitive conduct.
o The TEAM Act strengthens antitrust enforcers. In addition to consolidating federal antitrust enforcement at the Department of Justice, the bill also includes a version of the Merger Filing Fee Modernization Act, introduced by Senators Klobuchar and Grassley. And most significantly, the bill roughly doubles the amount of money appropriated to federal antitrust enforcement, ensuring that our antitrust enforcers have all of the resources they need to protect American consumers.
o The TEAM Act strengthens antitrust remedies. The bill repeals Illinois Brick and Hanover Shoe, to ensure that consumers are able to recover damages from anticompetitive conduct. Even more significantly, the bill allows the Justice Department to recover trebled damages on behalf of consumers, and imposes civil fines for knowingly violating the antitrust laws.
§ Senate Armed Services Committee Ranking Member James Inhofe (R-OK) and Senators Tammy Duckworth (D-IL) and Mike Rounds (R-SD) introduced the “Recognizing and Ensuring Taxpayer Access to Infrastructure Necessary for GPS and Satellite Communications Act” (RETAIN GPS and Satellite Communications Act) (S.2166) and released a section-by-section summary. Inhofe, Duckworth, and Rounds claimed:
o The April 2020 Ligado Order from the FCC recognized the likelihood of interference to GPS signals and requires Ligado to pay the federal government the costs for repairs. However, 99 percent of the more than 900 million GPS devices found in the United States are used by the private sector, consumers, as well as state and local governments; under the current Order, they—or their consumers—would have to bear the costs.
o The bipartisan legislation will require Ligado to cover the cost for correcting any interference their operations create for the public or private sector. While the Ligado Order says that they must upgrade or replace government devices that are impacted by the order, it isn’t specific about what those costs are and is silent on the private sector. This bill specifically outlines that all the areas of potential costs that must be borne by Ligado, including but not limited to engineering, construction, site acquisition, research, personnel or contracting staff, labor costs, etc, and specifically notes that these apply to those impacted in the private sector as well.
o In April 2020, Inhofe and the three other top Members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” They claimed:
§ So, we wanted to clarify things: domestic 5G development is critical to our economic competitiveness against China and for our national security. The Pentagon is committed to working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
§ The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.
§ Representatives Elaine Luria (D-VA) and John Katko (R-NY) introduced the “Ensuring Phone and Internet Access for SNAP Recipients Act of 2021” (H.R.4275) that “would lower the cost of phone and internet access for households that benefit from the Supplemental Nutrition Assistance Program (SNAP).” Luria explained in her press release:
o SNAP recipients automatically qualify for the Federal Communications Commission’s (FCC) Lifeline Program, which offers discounted phone and internet service. Yet, only 15 percent of eligible Virginian households participated in the Lifeline Program, according to the Universal Service Administrative Company (USAC). Congresswoman Luria’s bill would require the FCC and U.S. Department of Agriculture (USDA) to survey SNAP recipients to learn if they are enrolled in the Lifeline Program. If SNAP recipients are not enrolled, the survey would encourage their participation. This survey would present a five-year projection on enrollment and would show how the FCC can improve its Lifeline Program’s outreach efforts.
§ The Electronic Privacy Information Center (EPIC) issued a report titled “What the FTC Could Be Doing (But Isn’t) To Protect Privacy: The FTC’s Unused Authorities.” EPIC contended:
o Defenders of the FTC’s lack of effective privacy enforcement have argued that the agency does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services. And it is true that there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. For example, the procedures by which the FTC can define unfair and deceptive practices are unnecessarily onerous, and the Commission is limited in its ability to penalize first-time data protection offenders. For these (and many other) reasons, Congress must move quickly to establish a strong, independent, and adequately funded data protection agency.
o But the FTC’s failure to rein in the widespread misuse of personal data is not just a function of its limited statutory powers. Too often, the FTC has neglected to use the authority Congress has already given it. The Commission’s repeated failure to take meaningful enforcement action and to block harmful mergers has allowed abusive data practices by Facebook, Google, and other industry giants to flourish. Some statutory authorities, including the FTC’s power to promulgate trade rules, have simply never been used to advance the Commission’s data protection mission.
o The purpose of this report is to highlight some of the unused and underused authorities in the FTC’s toolkit. Until Congress acts to create a modern data protection agency in the United States, it is critical that the Commission deploy every available tool to safeguard privacy rights and stem the tide of exploitative data practices. This report is meant as a starting point for the FTC to make the most of the data protection authority it already has.
§ Amnesty International’s Security Lab issued the Forensic Methodology Report that “accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories” of the NSO Group’s Pegasus spyware. The Security Lab alleged:
o Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.
o As laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take pro-active steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.
o In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.
o This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.
o The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
§ Wyoming enacted a bill, HB0085, establishing “the crime of unlawful dissemination of an intimate image.” The Wyoming legislature provided this summary of the bill:
o The bill draft creates a crime for the nonconsensual dissemination of an intimate image.
o The bill provides definitions for relevant terms including: "displaying sexual acts"; "disseminate"; "image"; "intimate image"; "intimate parts"; "sexual acts" and "social media".
o The bill criminalizes the acts of a person eighteen (18) years of age or older who:
§ Disseminates an intimate image of another person;
§ Knew or should have known that the depicted person had a reasonable expectation that the image would remain private and did not expressly give consent to the dissemination; and
§ Intended to humiliate, harm, harass, threaten or coerce another, or disseminated the image for sexual gratification or arousal of others.
o The bill provides that unlawful dissemination of an intimate image is a misdemeanor, punishable by not more than one (1) year imprisonment, a fine of not more than five thousand dollars ($5,000.00) or both.
o The bill provides that the newly created crime shall not be construed to impose criminal liability on the provider of an interactive computer service, an information service or a telecommunications service for content provided by another person.
§ In Maine, a law was enacted restricting how state agencies may use facial recognition technology (FRT), one of the first state-wide limitations on FRT. LD 1585/HP 1174 stipulates that except for limited circumstances, “a department, public employee or public official may not:
o (1) Obtain, retain, possess, access, request or use a facial surveillance system or information derived from a search of a facial surveillance system;
o (2) Enter into an agreement with a 3rd party for the purpose of obtaining, retaining, possessing, accessing or using, by or on behalf of a department, public employee or public official, a facial surveillance system or information derived from a search of a facial surveillance system; or
o (3) Issue a permit or enter into any other agreement that authorizes a 3rd party to obtain, retain, possess, access or use a facial surveillance system or information derived from a search of a facial surveillance system.”
o Agencies may use FRT if investigating a serious crime or to identify missing or deceased people.
o Moreover, FRT cannot establish probable cause “justifying arrest, search or seizure” without other evidence.
Further Reading
§ Here is the Forbidden Stories website with all the partner publications’ articles on the NSO Group’s Pegasus spyware. Below are the articles in English that have been published thus far.
§ “Private Israeli spyware used to hack cellphones of journalists, activists worldwide.” By Dana Priest, Craig Timberg, and Souad Mekhennet — The Washington Post. Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners. The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
§ “Jamal Khashoggi’s wife targeted with spyware before his death” By Dana Priest, Souad Mekhennet, and Arthur Bouvart — The Washington Post. NSO Group’s Pegasus spyware was used to secretly target the smartphones of the two women closest to murdered Saudi columnist Jamal Khashoggi, according to digital forensic analysis. The Android phone of his wife, Hanan Elatr, was targeted by a Pegasus user six months before his killing, but the analysis could not determine whether the hack was successful. The iPhone of his fiancee, Hatice Cengiz, was penetrated by spyware days after the murder, the forensics showed.
§ “Despite the hype, iPhone security no match for NSO spyware” By Craig Timberg, Reed Albergotti, and Elodie Guéguen — The Washington Post. The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems. Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France.
§ “‘Somebody has to do the dirty work’: NSO founders defend the spyware they built” By Elizabeth Dwoskin and Shira Rubin — The Washington Post. It was a proposition that would change everything. Two 20-something Israeli entrepreneurs who had been running a small customer service start-up for mobile phones were at a client meeting in Europe in 2009 when they received a visit from law enforcement officials. The entrepreneurs’ first instinct was fear. Maybe they had done something wrong that they weren’t aware of, Shalev Hulio and Omri Lavie recalled in interviews this week with The Washington Post.
§ “Key question for Americans overseas: Can their phones be hacked?” By Craig Timberg, John Hudson, and Kristof Clerix — The Washington Post. Israeli spyware company NSO Group has said repeatedly that its surveillance tools do not work against smartphones based in the United States, but Americans traveling overseas and using foreign cellphones may not enjoy that protection. A list of more than 50,000 phone numbers that included some for documented surveillance targets also included the overseas phone numbers for about a dozen Americans, including journalists, aid workers, diplomats and others, according to an investigation by The Washington Post and 16 other news organizations.
§ “NSO Group vows to investigate potential spyware abuse following Pegasus Project investigation” By Drew Harwell and Craig Timberg — The Washington Post. The head of the Israeli surveillance giant NSO Group pledged Sunday to investigate potential cases of human rights abuses following a sweeping report by The Washington Post and other media organizations that uncovered how NSO’s government clients had deployed its spyware tool Pegasus against activists, journalists and private citizens around the world. The company has raced to address growing outrage from human rights activists, technology executives, political dissidents and the general public over the widespread hacking and surveillance revealed in the Pegasus Project, an investigation by The Post and 16 international media partners. By Monday, government and political opposition leaders from the European Union and France, India, Hungary and other countries had expressed fury and demanded answers as to whether the surveillance system had been abused.
§ “Revealed: leak uncovers global abuse of cyber-surveillance weapon” By Stephanie Kirchgaessner, Paul Lewis, David Pegg, Sam Cutler, Nina Lakhani and Michael Safi — The Guardian. Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.
§ “French minister’s phone shows traces linked to NSO spyware” By Angelique Chrisafis and Stephanie Kirchgaessner — The Guardian. The mobile phone of a serving French minister showed digital traces of activity associated with NSO Group’s spyware, according to forensic analysis undertaken by the Pegasus project investigation. François de Rugy, who was environment minister at the time of the activity, said he was “astonished” by the disclosure, which raises fresh questions over the use of spyware by customers of NSO, an Israeli surveillance company. His details appeared on a leaked database, which also included mobile numbers for the French president, Emmanuel Macron, and the majority of his 20-strong cabinet, along with the then prime minister Édouard Philippe.
§ “Macron orders multiple inquiries into leaked Pegasus project data” By Angelique Chrisafis — The Guardian. The French president, Emmanuel Macron, has ordered multiple investigations to be carried out after his phone number, as well as those of his former prime minister and the majority of his 20-strong cabinet, appeared in the leaked database at the heart of the Pegasus project. The French prime minister, Jean Castex, said on Wednesday the Elysée had “ordered a series of investigations”, after vowing to “shed all light on the revelations”. But Castex said it was too early to comment or announce any new security measures or other action without knowing “exactly what happened”. He said: “We are going to look at this very closely, given the potential seriousness.”
§ “UAE linked to listing of hundreds of UK phones in Pegasus project leak” By Dan Sabbagh, David Pegg, Paul Lewis and Stephanie Kirchgaessner — The Guardian. A member of the House of Lords is among more than 400 people whose UK mobile phone numbers appear in a leaked list of numbers identified by NSO Group’s client governments between 2017 and 2019, the Guardian can reveal. The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone. Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client.
§ “Dubai suspected after Princess Haya listed in leaked Pegasus project data” By David Pegg and Paul Lewis — The Guardian. As her plane touched down in April 2019, Princess Haya bint al-Hussein, who was accompanied by her two children, might have hoped she was beyond the reach of her ex-husband, the emir of Dubai, Sheikh Mohammed bin Rashid al-Maktoum. Similarly, when he commenced custody proceedings in the high court of justice the following month, she might have imagined that the dispute would be settled in a courtroom, purely on the basis of its legal merits. She did not know, however, it was likely mobile phone numbers belonging to her, her closest aides, advisers and friends, were being entered into a computer system operated by agents of the emirate of Dubai, one of the clients of spyware manufacturer NSO Group.
§ “Data leak raises new questions over capture of Princess Latifa” By Dan Sabbagh — The Guardian. For a few days Princess Latifa had dared to think she could relax. An extraordinary plan to escape from a father she said had once ordered her “constant torture” was looking as if it might work, as she sat on a 30-metre yacht on the Indian Ocean, her home city of Dubai further and further away. Yet the daughter of Sheikh Mohammed bin Rashid al-Maktoum, the ruler of the glittering Emirati city, still wanted to connect with home, to tell family and friends something of her new-found freedom, sending emails, WhatsApp messages and posting on Instagram from what she thought were two secure, brand new “burner” pay-as-you-go mobile phones.
§ “Ban Amnesty over Pegasus leaks role, Indian politician urges” By Hannah Ellis-Petersen — The Guardian. The chief minister of the Indian state of Assam has called for Amnesty International to be banned in the country and accused it of a conspiracy to “defame” the prime minister, Narendra Modi, over its role in the explosive Pegasus leaks, which have put heavy pressure on Modi’s government. Himanta Biswa Sarma, the chief minister of the state of Assam and a member of Modi’s Bharatiya Janata party (BJP), claimed that Amnesty’s role in the investigation into numbers of citizens and political leaders in countries across the world, including India, appearing on a leaked data list was part of a “long history of hatching conspiracies against India’s democratic fabric and its leadership”. He alleged that Amnesty International worked “to encourage leftwing terrorism in India and defame India and PM Modi” as well as “create dissatisfaction among the sections of Indian society”.
§ “Modi accused of treason by opposition over India spyware disclosures” By Hannah Ellis-Petersen and Michael Safi — The Guardian. Narendra Modi’s government has been accused of treason and “unforgivable sacrilege” by the political opposition in India following a series of reports by the Pegasus project revealing several journalists, activists and an opposition election strategist had their phone numbers included in a data leak of more than 50,000 numbers that, since 2016, are believed to have been selected as those of persons of interests by government clients of NSO Group. The stories, published in the Guardian and in partner media outlets around the world on Sunday and Monday, revealed details of hundreds of verified Indian phone numbers that appear in leaked records of numbers. They include two phone numbers belonging to India’s most prominent political opposition figure, Rahul Gandhi, who led the Congress party to defeat in the 2019 elections. The leaked records show his number was selected as a possible target the year before and in the months after the vote.
§ “Israel ‘creating task force’ to manage response to Pegasus project” By Bethan McKernan and Paul Lewis — The Guardian. Israel’s government is reportedly setting up a task force to manage the fallout from Pegasus project revelations about the use of spying tools sold to authoritarian governments by the Israeli surveillance firm NSO Group. A team including representatives from the defence ministry, ministry of justice, foreign ministry, military intelligence and the Mossad, the national intelligence agency, is poised to conduct an investigation into whether “policy changes” are needed regarding sensitive cyber exports, several Israeli media outlets reported on Tuesday night, quoting unnamed officials. The reports come as diplomatic pressure mounts on Israel over concerns the government has enabled abuses by repressive states around the world by granting NSO export licences for the spyware.
§ “Telegram founder listed in leaked Pegasus project data” By Shaun Walker — The Guardian. Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group’s client governments, one name stands out as particularly ironic. Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list. Durov, 36, is the founder of Telegram, which claims to have more than half a billion users. Telegram offers end-to-end encrypted messaging and users can also set up “channels” to disseminate information quickly to followers. It has found popularity among those keen to evade the snooping eyes of governments, whether they be criminals, terrorists or protesters battling authoritarian regimes. In recent years, Durov has publicly rubbished the security standards of competitors, particularly WhatsApp, which he has claimed is “dangerous” to use. By contrast, he has positioned Telegram as a plucky upstart determined to safeguard the privacy of its users at all costs.
§ “FT editor among 180 journalists identified by clients of spyware firm” By David Pegg and Paul Lewis, Michael Safi, and Nina Lakhani — The Guardian. The editor of the Financial Times is one of more than 180 editors, investigative reporters and other journalists around the world who were selected as possible candidates for surveillance by government clients of the surveillance firm NSO Group, the Guardian can reveal. Roula Khalaf, who became the first female editor in the newspaper’s history last year, was selected as a potential target throughout 2018.
§ “Dalai Lama’s inner circle listed in Pegasus project data” By Michael Safi — The Guardian. China’s nearest observation posts are hundreds of miles from Dharamsala, the city in the foothills of the Indian Himalayas that hosts Tibet’s government-in-exile and its highest spiritual leader, the Dalai Lama. Still, Tibetans there have often felt closely watched. Suspected Chinese spies have regularly been detected in the hill station. A decade ago, a digital security specialist watched in disbelief as sensitive files on Tibetan government computers were extracted on the screen before his eyes – activity that led to the unearthing of a massive cyber-espionage network, known as GhostNet, which was largely traced to Chinese servers. Surveillance technology has evolved, and leaked data points to another possible interest in Tibetan communications – this time from a less obvious source.
Coming Events
§ 27 July
o The Federal Trade Commission (FTC) will hold PrivacyCon 2021.
§ 28 July
o The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
§ 5 August
o The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
§ Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
§ Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
§ Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
§ Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
§ Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).