2024-W17: US possible ban on TikTok, Senate renews FISA, New privacy complaint against OpenAI and more
Eli Atanasov, CIPP/E, PhD
I help businesses and their DPOs put privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators,
Here is the latest from the Privacy Navigator, your one-stop destination for everything privacy. Another week full of news and resources passed by. Here are the highlights:
U.S. Senate Enacts Bipartisan Legislation to Ban TikTok
On April 24th, the Senate passed a law in a bipartisan vote of 79-18 that could lead to a national ban of TikTok, posing a significant threat to the app's operations in the U.S. This legislation, signed into law by President Biden the following day, stipulates that ByteDance, TikTok's parent company based in China, must divest its stake within a year to keep the platform operational in the U.S. Failure to comply would result in TikTok being barred from app stores and web hosting providers, effectively banning it.
The inclusion of the "Protecting Americans' Data From Foreign Adversaries Act of 2024" in the aid package was key to garnering bipartisan support. It reflects growing concerns over data privacy and national security, particularly the potential for misuse of TikTok by the Chinese government to surveil U.S. citizens. Under the new law, ByteDance must complete the divestiture by January 15, 2025, although this deadline could extend to April 19, 2025, if the President grants a one-time extension based on active sale negotiations.
Lawmakers insist the goal is not a total ban but to mitigate security risks by forcing a sale, although this is complicated by Chinese opposition to such a move. Senator Mark Warner stated that the legislation aims to protect Americans from foreign threats rather than suppress free speech, amid widespread public skepticism and undisclosed security concerns shared in Congress.
In response to these allegations, TikTok is preparing to challenge the constitutionality of this ban in federal court, defending what it claims are the First Amendment rights of its approximately 170 million American users. Yet, sources close to the matter suggest that ByteDance would rather cease TikTok's U.S. operations than sell it if their legal challenges falter. The company values the proprietary algorithms—critical to TikTok's success and shared with ByteDance's other platforms—too highly to include in any sale.
The debate extends beyond security, touching on issues of free expression and government overreach, with critics like Senator Ed Markey framing the law as a form of censorship and Senator Rand Paul warning it could set a precedent for governmental power over private companies. As the situation unfolds, this law could not only reshape the landscape of social media but also set significant legal precedents concerning privacy, security, and free expression in the digital age.
This week's edition is sponsored by Conformally.
If you are a privacy professional and want to do your job even better and faster, check out Conformally. Manage and collaborate on everything - DPIAs, Vendors, DSARs, Policies, and more. Try free for 7 days.
Senate Renews Key FISA Surveillance Power Just After Expiration Deadline
The U.S. Senate has reauthorized Section 702 of the Foreign Intelligence Surveillance Act (FISA), a key surveillance tool deemed vital by the government for counterterrorism efforts, with a final vote of 60-34. This legislation, now headed to President Joe Biden for his signature, extends FISA for an additional two years.
Despite objections from both progressive and conservative senators regarding the broad surveillance powers and potential infringements on civil liberties, the bill passed just after a near-miss with its expiration deadline. These concerns echo the long-standing issues raised by the USA Patriot Act, passed in 2001 and re-authorized in 2005, which expanded FISA's reach, allowing government access to the personal records of Americans from libraries and Internet Service Providers without direct ties to terrorism—a major sticking point in discussions about the U.S.'s data privacy adequacy.
Senate Majority Leader Chuck Schumer emphasized the importance of the reauthorization, stating that allowing FISA to lapse could jeopardize national security. The House had already passed this renewal after narrowly defeating an amendment that would have required a warrant for searching Americans' communications collected during foreign surveillance.
Critics like Senator Ron Wyden argue that the reauthorization includes problematic provisions, such as compelling service providers to assist in surveillance with no option for appeal. Conversely, proponents like Senate Intelligence Committee Chair Mark Warner and Attorney General Merrick Garland insist that the renewal is crucial for national security and includes safeguards to protect Americans' privacy.
This reauthorization continues to spark a heated debate between the need for robust intelligence capabilities and the protection of individual privacy rights, reflecting the ongoing tension between security measures and civil liberties in U.S. law.
NOYB Files EU Privacy Complaint Against OpenAI
On April 29, the advocacy group NOYB filed a privacy complaint against Microsoft-backed startup OpenAI with the Austrian data protection authority. The complaint accuses OpenAI of violating EU privacy rules through its generative AI chatbot, ChatGPT, which provided incorrect information about a public figure's birthday and subsequently refused to correct the error.
ChatGPT, a leader in the GenAI movement since late 2022, is known for its ability to mimic human conversation and perform various tasks, such as summarizing texts, composing poems, and brainstorming ideas for theme parties. Despite its capabilities, the chatbot reportedly continued to deliver inaccurate data about the complainant's birthday instead of indicating the absence of the necessary information. OpenAI allegedly claimed it was impossible to rectify the data and also failed to provide transparency about the data's processing, origins, or destinations.
NOYB's complaint seeks to prompt an investigation into how OpenAI processes personal data and the accuracy of the data handled by its large language models. Maartje de Graaf, a data protection lawyer for NOYB, stressed the importance of legal compliance for technology, stating, "If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals." She emphasized that technology must conform to legal standards rather than the other way around.
OpenAI has previously recognized the challenge of its AI producing "plausible-sounding but incorrect or nonsensical answers." This complaint underscores the necessity for companies like OpenAI to ensure their technologies comply with EU privacy laws, particularly concerning the accuracy and management of personal data.
Health Data Space Approved by the EU Parliament
On April 24th, the European Parliament approved the establishment of a European Health Data Space, designed to facilitate the secure access and sharing of health data across EU member states. The vote saw 445 members in favor, 142 against, and 39 abstentions. This new legislation will allow patients to access their electronic health records (EHR) from any EU country and enable health professionals to consult patient files across borders, with the patient's consent.
The Health Data Space will support primary uses of health data such as patient summaries, electronic prescriptions, medical imagery, and laboratory results. It will also bolster secondary uses for research and public interest purposes, including processing data for policy-making, statistics, and finding treatments for rare diseases, though it prohibits use for commercial purposes such as advertising or insurance assessments.
Robust privacy safeguards are a key feature of the law, ensuring that patients can control the use of their data. They will have the option to refuse access to their data for certain non-essential purposes and will be informed each time their data is accessed. Corrections to inaccurate data can also be requested by the patient.
Notable quotes from Parliament members highlight the significance of this legislation. Tomislav Sokol remarked on the potential for improved healthcare research and continuity across borders, while Annalisa Tardino emphasized the enhanced access to healthcare data this law will bring, alongside patient safeguards.
The law's final approval is pending confirmation by the Council, and upon publication in the EU's Official Journal, it will become effective twenty days later. Full application of the new regulations will follow two years after enactment, with phased implementation of data usage provisions extending up to six years. This legislative move aligns with citizen-driven recommendations from the Conference of the Future of Europe on health data and artificial intelligence.
Privacy Navigator
We have added new resources to the Privacy Navigator. You can enjoy:
That's all for now, see you next week!
Eli
email: [email protected]