A US federal privacy law may actually happen this time, but does it matter?

Enforcement is coming whether or not lawmakers line up behind APRA; you need to prepare.

Anthony Woodward


Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • Russian military-linked hackers are claiming credit for sabotaging US water utilities.
  • A faulty app update meant Qantas customers could access others’ account details.
  • Do we need privacy laws that protect our brain waves? According to Colorado, yes.

But first: as a new effort to pass US federal privacy regulation begins, a reminder that even if the new law doesn’t pass, federal agencies are cracking down on companies’ collection and usage of personal information.

If you only read one thing:  

Once more, into the breach

With the proposal of the American Privacy Rights Act (APRA), United States lawmakers are once again seeking a comprehensive privacy law, aiming to succeed where the previous attempt, the American Data Privacy and Protection Act (ADPPA), failed.

Check out our September 2022 edition of FILED for a recap on the ADPPA legislation. Since then, privacy regulation has become more of a state-level pursuit, with 15 states establishing their own laws, following in the footsteps of California’s CCPA. Federal lawmakers have been more focused on efforts to ban TikTok, protect children, and to worry about the implications of AI.

Many experts believe APRA has a decent chance of passing. For one thing, the bill enters a more favorable environment, with lawmakers “fired up” to pass privacy legislation and less inclined towards the arguments of big tech lobbyists. The law will also provide a simplified privacy regime for organizations currently navigating a patchwork of state laws.

In a recent episode of FILED, filerskeepers co-founder Wanne Pemmelaar said that of the 300,000 legal citations his platform holds, a third are from the United States. Companies in the US are spending considerable time and energy ensuring they comply. A 2022 study from the Information Technology & Innovation Foundation estimated the cost of complying with 50 state data privacy laws at over $1 trillion over 10 years, with at least $200 billion hitting small businesses.

Critics have pointed to the lack of a universal data deletion mechanism, a lax approach to government data collection, and the fact the law would preempt state laws. There is also criticism the law is too strict, with personal information only allowed to be collected to provide or maintain a specific product or service requested by the individual, or for a specific list of 15 purposes outlined in the act.

This differs from the GDPR, under which companies must demonstrate that the purpose for the collection of private information overrides the privacy interest.

To summarize the response, APRA is a good start, but needs work.  

The FTC won’t let me be

But it may not matter. Whether or not the bill becomes law, companies are facing a strengthened enforcement environment. Whether it’s the Federal Communications Commission (FCC) fining wireless carriers US $200m for illegally sharing users’ locations, or the Federal Trade Commission’s (FTC) case against Amazon’s Ring doorbell cameras or probe into MGM, the executive branch isn’t waiting around to crack down on companies’ use of personal information.

The FTC will also soon roll out rules for commercial surveillance (broadly: "collecting, analyzing, and profiting from information about people"), focused on data minimization and data security, amid what Bureau of Consumer Protection Director Samuel Levine cited as "momentum to push back against unchecked surveillance."

In this environment, I would strongly recommend you behave as if APRA is a certainty. Ensure you can discover, understand, and manage your data, so you can remove what you don’t need (minimize, per the FTC) and protect the rest. The agencies aren’t standing still, and neither should you.

In Australia, privacy reform moves closer

The United States is not the only country moving closer to more modern privacy regulation. Australian Attorney-General Mark Dreyfus announced late last month (right in time for Privacy Awareness Week) that the tabling of the promised reform of the country's Privacy Act would be brought forward to August. From his announcement and follow-up comments from new Privacy Commissioner Carly Kind, it became clear that the proposed reforms will likely include new maximum/minimum retention periods, a "fair and reasonable" test for the collection, use and disclosure of personal information, a right to erasure (including de-indexing of search results), and a right to sue for invasions of privacy.

This blog post from Civic Data’s Chris Brinkworth does a great job of summarizing the tenor of the announcements. Chris will be a guest on the FILED podcast later this month, so look out for that (you’re subscribed, right?) as we will be getting stuck into these proposals and their likely impact on businesses.

FILED Podcast S2E5 - Wanne Pemmelaar

🕵️ Privacy & governance

The US has charged a Russian man as the boss of the LockBit Ransomware Group.

Grindr is facing a mass data protection lawsuit from UK users who allege that their private information, including HIV status, was shared with third parties without consent.

New data privacy concern dropped: your brain waves. But a Colorado law aims to help by extending privacy rights to neural data.

In the Netherlands, the latest privacy concern is internet-enabled traffic lights.

ChatGPT’s hallucinations have drawn a privacy complaint from an EU resident. He says the generative AI model guessed his birthday, which breaches the GDPR’s principle of accuracy, and the right to correct inaccurate information.

A proposed AI security bill would establish a US Artificial Intelligence Security Center at the National Security Agency, leading research on how to manipulate AI systems.

🔐 Security

A hacker accessed Dropbox passwords and authentication during a data breach, the company says. In addition, people who received or signed a document through Dropbox Sign, but never created an account, had their email addresses and names exposed.

A state-actor (Sky News says China, but the UK government has not named the actor) hacked the UK Ministry of Defence, with the target a payroll system containing details of serving personnel as well as some veterans.

Qantas passengers’ personal data was exposed last month, due to a faulty mobile app update, with customers temporarily able to view others’ account details.

Russian military-linked hackers are claiming credit for sabotaging US water utilities.

A new service is scraping data from chat app Discord’s servers and selling it for as little as $5.

Android TVs can expose users’ email inboxes – though an attacker requires physical access.

📣 The latest from RecordPoint  

📖 Read:  

A pair of reads this month on a subject dear to our hearts: data discovery.

We’re witnessing a growing realization among leadership teams that they need to understand all the data they possess. But how? The first step is to find your data, no matter where it’s located. Read our ultimate guide to data discovery to understand the scope of the issue along with tips for getting started.  

And then follow that up with a peek into how RecordPoint can help.

🎧 Listen:

If you’re a global business—which is increasingly the case for most businesses—then the proliferation of data privacy and records laws should be a growing concern. How do you keep them all straight? Anthony speaks to one CEO, Wanne Pemmelaar from filerskeepers, whose tool aims to do just that.

Watch a snippet below or click through to hear the whole conversation.
