?? FTC v Kochava, WhatsApp in UK ?? & more

Lucid Friends,

Hello, and we hope you’re liking the?NEW?Lucid Privacy Digest! We bring to you to the privacy news that matters???. You’ll also find our?FREE?Readiness Tools???at the bottom of this Digest to use with your teams.

In today’s issue, we bring:

• A Federal judge tells the FTC to locate their case ()
• The UK faceplants on messaging encryption
• Lucid cartoon!
• India pro unlocking data

And more…

From our bullpen to your screens,

Colin O'Malley and the Lucid team

HEADLINES

NORTH AMERICA

???Location Broker Kochava Wins Round 1 Against FTC, For Now

While today’s FTC is reinvigorated and active?“under the visionary, muscular leadership”?of Lina Khan, it is still fallible. An Idaho federal court sent FTC to the drawing board to argue actual and not theoretical injury from Kochava’s location-data brokering.?

• An underwhelming overture.?The presiding judge disagreed that Kochava brokered sensitive and private data, countering that location-based inferences are unreliable, and that the data was publicly accessible in any event. (We??tech savvy judges.)?
• A glimmer of justice. The judge agreed the FTC raised valid concerns in a post-Roe v Wade world, but that they still had to do more than point to Section 5 of the FTC Act. (We??you too.)??

The agency’s setback highlights two issues undermining privacy enforcement in the US.

1. Limited powers.?“Congress has given the FTC very constrained and antiquated tools that limit its ability to tackle emerging privacy concerns.” --?Daniel Kaufman, BakerHostetler
2. Legal standing.?“Courts struggle with privacy harms because they often involve future uses of personal data that vary widely… these harms do not fit well with existing cramped judicial understandings of harm.” --?Profs Danielle Citron & Daniel Solove

Privacy harms?run a spectrum from the obvious, like financial damage from identity theft, to the ephemeral, like emotional distress. A meaningful privacy risk assessment should take stock of these possibilities. Creative enforcers like the FTC will find a way to show probable harm.??

?? Apple and Google,?the toothsome twosome, are partnering with the venerable Internet Engineering Task Force (IETF) on a standardized anti-stalking and anti-theft specification.?As recently?reported by the Washington Post, stalkers can receive regular notifications detailing their victims’ location.

EUROPE

???WhatsApp Could Disappear from the UK

The UK’s?Online Safety Bill?has left politicians in a stand-off with WhatsApp and privacy advocates.

• Protecting kid’s safety is the core tenet of the UK’s legislative efforts and the Bill wants to give the online regulator (Ofcom) the power to require tech companies to identify child sex abuse material in private messages.
• Critics say the Bill wants to ban?end-to-end encryption. This is catnip for conspiracy theorists, who see this as dangerous government overreach, putting the UK on the same setting as Russia & China in allowing access to private messages.?
• WhatsApp and Signal have both given strong signals,?claiming?they would rather withdraw from the U.K. than compromise on user privacy.

Under the Bill, WhatsApp and others would need to provide authorities with evidence of illegal activity including user location data, contacts lists and group names. Security experts feel that the Bill's demands are incompatible with a desire to protect encryption and assert that user privacy is not a ‘fungible issue’ -- services either have it or they don't.

?

???Digital Services Act: Public Comment on Independent Audits Opened. The EU has launched a consultation on draft rules on how independent audits should be conducted under the Digital Services Act (DSA) for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs).

?

???European Parliament Raises Concerns, Some Hope for EU-US Data Transfers. The European Parliament has rejected the proposed EU-US Data Privacy Framework. The MEPs declared the framework an improvement over its predecessor but claimed more is needed to offer an adequacy decision and a level of protection equivalent to that of the EU.

???EU High Court: Harm, Proof Needed for GDPR Damages. European courts are tackling ever more GDPR cases -- from regulators and through private claims. With severe pain possible, Europe’s highest court said claims must pass a three-pronged test. While there’s no threshold of seriousness for harm, harm must be proven.

WORLD

???India on Data Localization: It's Anti-Innovation

Unlocking Data: Choices, Reforms, and Innovations?is the approach that government officials in India are taking towards Data Protection. Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology, and Skill Development and Entrepreneurship, emphasized the changes in the?Digital Personal Data Protection Bill?that certainly land well with companies and startups.

1. Removing Data Localization barriers, allows options to leverage best technology and pricing for data processing and storage.
2. Transfer of Personal Data Allowed, departing from special localisation provisions for cross-border transfer of sensitive and critical personal data.?
3. Independent Data Protection Board, that is transparent, accountable, is the future of oversight.
4. Angel Tax?reform is likely and necessary to achieve parity with international methods.
5. Up-Skilling?the workforce to create a talent pool to address its ambitions and global expectations.

An evolving legislative framework, criticism of data localization requirements, providing choices to companies is the right chord to strike for pro-innovation, but this seems quite contrary to its neighbor’s hardline stance, and may not dance to its tunes.

???China Races Ahead of U.S. on AI Regulation. China is looking to build public and economic trust by leapfrogging the U.S. on AI rules. For the CCP,?regulation on security, privacy and now AI is good industrial policy and socioeconomic politics to maintain centralized power. China (and the EU) know the U.S. excels at producing but not regulating nextgen tech.?

READINESS TOOLS

??Pan-US Readiness Record (US)??

? Utah Readiness Record (UCPA)?

??California Readiness Record (CCPA/CPRA)

??Virginia Readiness Record (VCDPA)

??Colorado Readiness Record (CPA)

??Connecticut Readiness Record (CTDPA)

??Transfer Impact Assessment Template