January 2021: Key Privacy Developments
Only one month into 2021, privacy remains prominent. Below are some highlights from January, and a few dates to note ahead.
1. Continued Battle Between Apple and Facebook
As the winter of their discontent wears on, each of these tech giants has unleashed new salvos. In late January, Apple published a white paper outlining its vision for transparency of personal data tracking, and explicitly cited eight external articles critical of Facebook’s more oblique approach. On the other hand, news reports indicate that Facebook has been working with the Department of Justice, and building an antitrust case against Apple.
The specific trigger for this battle is Apple’s decision to launch “App Tracking Transparency,” which will require that all apps in its iOS store receive explicit permission from consumers before tracking their data. Apple announced the change last year, and now intends to roll out the requirement “in early spring” of 2021.
Facebook’s business model relies on data collection and the company has begun testing a pop-up alert to extol the benefits of personal data sharing. Perhaps relatedly, its subsidiary WhatsApp has postponed modifications to its privacy policy (and possibly expanded data sharing) from February 8 to May 15.
Even as spring approaches, this fight is far from over.
2. HIPAA Changes on the Horizon
Originally passed in 1996, HIPAA was one of the first extensive privacy laws in the United States, though it exclusively focused on healthcare and personal health information (PHI). HIPAA has seen several revisions in the years since, including HITECH (2009), which was intended to encourage interoperability (and hence usability) of health data. On January 21, 2021, new proposed changes were published in the Federal Register.
There are a number of significant changes set forth, including a shortened timeline for covered entities to provide patient records (30 days to 15 days); an expanded right for patients to examine PHI in-person; reduced requirements for identity verification; and modified fee regulations. Public comments are open until March 22.
3. Regulatory Fines on the Rise
While there are disparate privacy laws across the globe, regulators have been universally clamping down on violations of late.
According to estimates by DLA Piper, in 2020, EU regulators issued GDPR-related fines of nearly $200 million. This was a 39% increase from the preceding 20-month period (May 2018 to December 2019). Through Article 83, the GDPR enables fines of up to 20 million euros or 4% of a company’s annual global turnover, whichever is greater. The full extent of these penalties has not yet been unleashed, but regulators are dialing up the heat.
Facebook is in the crosshairs of Ireland’s Data Protection Commission, with a 50 million euro fine expected to fall soon. Non-EU European nations are taking action as well, including Norway and the UK. And in the Asia-Pacific region, privacy-related fines are also on the rise, though largely focused on financial data.
In the United States, the FTC, DOJ, and bipartisan state attorneys general have all been pursuing Big Tech feverishly. On January 13, the Supreme Court heard arguments in AMG v. FTC. Until now, the FTC has been the primary federal privacy regulator in the United States, in part through its fining capabilities. However, AMG challenges the FTC’s ability to levy fines, and some early predictions are that the justices will not favor the agency. One way or the other, the ruling will be an impactful one.
4. Cybersecure the World
Even before the spread of coronavirus, the world was becoming digital. More and more personal data flowed online, leaving more data accessible. The SolarWinds breach was just the latest in a long line of attacks, but it has renewed calls for the US government to overhaul its security.
The Trump Administration created CISA in 2018 to coordinate cybersecurity infrastructure. While he trimmed other elements of cybersecurity, President Trump also proposed creation of a new cyberspace bureau (CSET) to address additional digital challenges. However, in a late January report, government watchdog GAO found the specifics ill-conceived, particularly in contrast to a previously proposed bill (H.R. 739, The Cyber Diplomacy Act of 2019). The GAO report may provide the contours of new cybersecurity mobilization at the federal level. President Biden’s new team will likely have a say as well, since he has indicated that cyber is a key priority, and hired a number of public sector veterans.
Another element of cybersecurity is cyberespionage. National economies have bled as the long-established way of commerce became impossible during the COVID-19 pandemic. Reportedly seeking a leg up on their perceived competitors, state actors are probing other nations’ vulnerabilities and racing to access vaccine-program data. Nonstate actors are, as expected, also working on overdrive to exploit vulnerabilities.
5. Surveillance Reform
Government surveillance can play a pivotal role in national security and public health efforts. Inevitably, however, surveillance also poses a risk to civil liberties. Further complicating the picture is that governments seek data-sharing agreements, but different regimes have different restrictions.
Concerns with US government data collection led to the EU’s invalidation of the EU-US Privacy Shield last year—a situation which remains unresolved. Those underlying concerns were amplified last month, with the release of a memo by the Defense Intelligence Agency outlining its restrictive interpretation of the Carpenter v. US (2018) ruling. In turn, this memo dials up the heat on the largely unregulated data broker industry, both in the US and abroad.
Private companies have inescapably been pulled into the surveillance picture. In its bi-annual transparency report released at the end of January, Amazon reported that government demands for user data increased by nearly 800% from the first half of 2020 to the second.
Relatedly, with a new administration in office, there may now be renewed momentum towards US surveillance reform. The new House Foreign Affairs Committee is seeking to overturn the Authorization for Use of Military Force (AUMF) that has provided the legal foundation for US mass surveillance.
6. News Regulation
Big Tech companies have increasingly been tasked with content moderation. For instance, they directly receive and mediate “Right to Be Forgotten” requests from EU consumers. In the United States, this has fed calls to reform “Section 230” (which limits the companies’ liability for false content) and increase accountability for the tech giants.
Debate about “Section 230” in Congress is likely to be contentious, even though both President Biden and his predecessor have criticized it. Nevertheless, it’s notable that in late January, Facebook’s internal Oversight Board overturned several decisions made by the company to remove content. Moreover, in Australia, Google is battling with the Australian government over a proposed code of conduct that would make tech giants compensate Australian media for any links to homegrown content. If the code is finalized, Google has threatened to leave the Land Down Under.
Upcoming Dates/Deadlines to Note
- Thursday, February 4 (12 pm EST): Hearing before Congress on “Safeguarding American Consumers: Fighting Fraud and Scams During the Pandemic”
- Thursday, February 25 (12-1 pm EST): ITIF Webinar on “Section 230”
- Thursday, March 4: Comments due for NIST’s “5G Cybersecurity (Preliminary Draft)”
- Monday, March 22: Public comments due for proposed HIPAA modifications
For a review of major privacy developments in 2020, see here.
About the Author: Achutha is the founder of 4PrivacyMatters, an information privacy consultancy firm. He is committed to fostering diverse and actionable discussions on privacy topics. Please reach out with questions, comments, or additional perspectives.