While the ongoing pandemic has kept strategic initiatives across the digital workplace to a minimum as millions of workers remain working from home, concerns about personal data and privacy have not disappeared. In fact, over the past month, several major issues have come to the fore again, with laws and regulations around digital privacy once more dominating the space. Take the example of San Francisco-based Facebook, which has gone to court in Europe and the United States simultaneously to protect what appears on Facebook pages from automated social media scrappers.According to a Facebook blog by Jessica Romero, director of platform enforcement and litigation in the case of the U.S., the accused was using a data scraping service called Massroot8. The case, which was filed in the federal court San Francisco, explained that Massroot8 asked people to provide their Facebook login credentials on the Massroot8 website.
The credentials were then used by the service created by Mohammad Zaghar to scrape user data from Facebook. Zaghar collected the data by using a computer program to control a network of bots, which pretended to be an Android device connected to the official Facebook mobile app. The defendant engaged in this abuse even after Facebook sent a cease and desist letter and disabled his accounts.
The European case involved Facebook and Facebook Ireland, which sued MGP25 Cybernet Services and its founder in the commercial court of Madrid. In this case the company provided automation software to distribute fake likes and comments on Instagram. The service was designed to evade Instagram’s restrictions against fake engagement by mimicking the official Instagram app in the way that it connected to the systems. The defendants did this for profit, ignoring a cease and desist letter sent by Facebook, which had also disabled their accounts.
There are many interesting aspects to this case, not least of which is the use of automation to harvest data like this. It is also notable for being one of the first times a social media company is using coordinated, multi-jurisdictional litigation to protect its users.
California To Extend Digital Privacy Protections?
Indeed, the fact that Facebook has gone to the courts to protect itself, demonstrates how increasingly complex the issue of privacy is getting. In California, it is also likely to get a lot more complex with the possible introduction of further new laws in November that will expand the reach of the California Consumer Protection Act (CCPA) that was passed in 2018.
The proposed Act, which California Secretary of State Alex Padilla approved for inclusion on the ballot of November 3rd will, if implemented, be called the California Privacy Rights Act, with the initiative being pushed by Californians for Consumer Privacy the same group behind the ballot initiative that inspired. It will include additions in three principle areas:
- Protect personal information: Create new rights stopping businesses from using sensitive personal information, including health or finances, and exact location, without consent.
- Safeguard children’s privacy: It will triple 2018’s California Consumer Privacy Act fines for collecting and selling children’s private information.
- Establish an enforcement arm: Establish a new authority to protect these rights, the California Privacy Protection Agency. Increase transparency through this agency, giving consumers back control over their data.
- Data Breach Liability Provision: The CPRA would amend the data breach liability provision of the CCPA to clarify that breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account are subject to the relevant provision.
On its website, explaining the push for wider legislation, a statement reads:
“In the two years since introducing legislation that passed as the California Consumer Privacy Act (CCPA), which gives nearly 40 million people in this state the strongest data privacy rights in the country, we’ve realized the immense power consumers are up against when it comes to having true control over our own data. It is for this reason that we are proposing a November 2020 ballot measure to strengthen the law: the California Privacy Rights Act (CPRA)… CPRA will give you the power to take back control over your personal information, expand consumer rights, create more transparency and establish an enforcement arm to protect these rights.”
Citing a recent poll by Goodwin Simon Strategic Research Californians are overwhelmingly supportive of being in control of their most sensitive personal information, and they also want control over how their children’s data is used. In fact, according to the pool 88% would support a ballot measure expanding privacy protections for personal information.
EU To Extend Digital Privacy Too?
However, it is not the only jurisdiction that is considering new laws around digital privacy. European lawmakers are also looking at it too. While there isn’t a lot of detail about what it likely to happen between now and the end of the year, when a little bit more clarity is expected, the new Digital Services Act (DSA) will contain guarantees of transparency in use of personal data by organizations.
According to the European Commission website — the EC is the executive branch of the European Union — the new Digital Services Act package should modernize the current legal framework for digital services by means of two main pillars:
- New rules: Clear rules framing the responsibilities of digital services to address the risks faced by their users and to protect their rights. The legal obligations would ensure a modern system of cooperation for the supervision of platforms and guarantee effective enforcement.
- New platforms: Propose rules covering large online platforms acting as gatekeepers, which now set the rules of the game for their users and their competitors. The initiative should ensure that those platforms behave fairly and can be challenged by new entrants and existing competitors, so that consumers have the widest choice of digital offerings.
As yet, nothing is set in stone, but the EC is asking both European and non-Europeans to make submissions on the act, an indication that European legislators are aware of how difficult it is for U.S. tech companies toget their point across. Submissions are open on this until September 8.
GDPR Believed To Be A Success
Not that Europe is short of legislation. The General Data Protection Regulation being a case in question. Last week, just over two years it came into force, the European Commission (EC) published an GDPR evaluation and how it is impacting businesses. According to the paper, the report shows the GDPR has met most of its objectives, by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement. It also concludes that harmonization across European countries is increasing, although there is a fragmentation across the block that needs to be monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. There are a few findings that are worth noting. Among them are:
- Citizens are more empowered and aware of their rights
- Data protection rules are fit for the digital age
- Data protection authorities are making use of their stronger corrective powers
Data protection authorities are working together in the context of the European Data Protection Board (EDPB), an independent European body whose purpose is to ensure consistent application of the General Data Protection Regulation and to promote cooperation among the EU’s data protection authorities
Last week the Commission also published a Communication that identifies ten legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection, or prosecution of criminal offences. There will be a lot more on this over the coming months.