Trust busting
"Trust Busting" / Alex Krylov via Microsoft Creator

Lucid folks,

The US Justice Department is suing Apple for blocking rivals from accessing hardware and software features on the iPhone. The move is part of a wider competition fight by the Biden Administration targeting the largest of tech giants. The DOJ’s case reflects learnings from the FTC’s suit against Google, and the European Commission’s analogous actions against Apple.

If successful, the lawsuit will make it much harder for Apple to maintain tight control over its user experience, which is the whole point for fans and critics alike. But this is not the only remarkable point here -- the complaint itself is a clear, big picture ode to consumer protection.

  • “This case is about freeing smartphone markets from Apple’s anticompetitive and exclusionary conduct and restoring competition to lower smartphone prices for consumers, reducing fees for developers, and preserving innovation for the future.”

In this issue:

  • New public resource!
  • On breaches of visceral privacy
  • Glassdoor has some ‘splainin to do
  • Europe starts Big competition fights

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog. Your comments and subscriptions are welcome!


Introducing Lucid Privacy’s Universal DPIA Template

The Lucid Privacy Group is pleased to offer a new public resource.

The Lucid Privacy Universal Data Protection Impact Assessment (UDPIA) is a flexible, consolidated worksheet for companies to identify and reduce the privacy risks of their data uses wherever they operate.

The UDPIA incorporates essential guidance from European, Canadian and US state authorities, focusing on common requirements and goals that can be addressed using a single form.

Download it here


Of Queens and Cookies: the UK’s Tabloid Saga Continues

The London Clinic, a private hospital, is facing an investigation following allegations that hospital staff tried to access the personal medical records of Princess Catherine while she was a cancer patient there. The UK ICO is assessing the breach, focusing on whether the hospital delayed reporting the incident as required under GDPR regulations.

The rules: GDPR Art. 33 requires that organizations notify their data protection supervisory authority of a personal data breach “without undue delay” and within 72 hours. The ICO has taken great pains to publish helpful guides that start with an Adamsian ‘Don’t Panic’.

Why this matters: If true, the case is one of breached trust made worse by the Princess’s acutely vulnerable situation. Public figures are not without recourse, however, and the Royal family has experience using the GDPR to push back against invasions into their private lives.

  • Under the UK GDPR, it is an offense to obtain or disclose personal data without the permission of the data controller. In turn, the data controller must ensure such access is lawful, proportional to the need and otherwise secure.
  • Under the UK healthcare privacy guidelines, it is an offense (and an ethical fail) to access or release medical records without the patient’s authorization, with few exceptions.
  • Did hospital staff plan to leak information to UK tabloids? Satisfy their curiosity? The ICO is on the case and can prosecute individuals for criminal violations too.

Between the lines: The ICO is incentivized to make a strong showing of a judicious hand. Just last week, The Open Rights Group published a scathing view of the ICO’s effectiveness in enforcing UK GDPR. The embarrassing headline reads “The ICO Isn’t Working and How Parliament Can Fix It”.

  • The ORG report suggests that political pressure is limiting the ICO's ability to operate effectively, including on the issue of UK news publishers monetizing user data (really, attention) to keep afloat… let alone fund investigative journalism (i.e. not about photoshopped family photos).

Zooming out: It is not surprising that news publishers still hold onto the hope that the forthcoming Data Protection & Digital Information Bill (DPDI), still in committee, will provide some pro-business respite from current cookie rules. Politics will tell if the ICO will get leave to OK sensible exemptions for ad measurement… while having the independence they need to tackle visceral privacy abuses.

—RW, AK


Glassdoor Deanonymizes Accounts, Antagonizes Users

Glassdoor, once celebrated for its platform's anonymity, is now under scrutiny for a policy shift that requires users to disclose their real names, sparking privacy concerns among its users.

  • Business pressure: New social features and a changed sign-up process can be interpreted as strategic maneuvers to show ROI on Glassdoor’s recent acquisition of Fishbowl, a networking app. Having a Glassdoor account triggers a Fishbowl account, and the latter requires a real name while the former does not.
  • Market competition: The integration of Fishbowl's features and the transition to a model requiring real-name disclosures reflects Glassdoor's efforts to diversify and stay afloat in a crowded market. A freemium service, coupled with increased competition from newer services like Blind, likely influenced these decisions.
  • User trust: Glassdoor positions verification of identities and employment information to foster authentic conversations and enhance user engagement. However, critics argue that Glassdoor risks compromising user privacy and undermining its core value of anonymity.
  • Data breach risks: The collection and storage of real names, job titles, and employer details could make the platform a target for malicious actors seeking to exploit sensitive user data.
  • FTC implications: User complaints regarding transparency, allegations of names being added without consent, and difficulty in removing them signal dark patterns. Together with Glassdoor's handling of reviews within the new feature set and its handling of user data, they raise questions about potential FTC scrutiny.

Zooming out: The historically off-brand nature of the platform’s current actions underscores the delicate balance that Glassdoor needs to strike under growing market pressure. Time will tell whether the new Glassdoor will be able to retain its old users.

—RGE


Swisher Talks Tech Optimism with EU's Outgoing Competition Chief Vestager

The European Commission’s Executive Vice President Margrethe Vestager sat down with Kara Swisher to discuss the future of Digital Europe and the opportunities strong competition enforcement can unlock.

  • Dubbed Europe’s ‘Big Tech Tormentor in Chief’ by Swisher in 2021, Vestager expresses regret for the EU Government taking so long to crack down on giant ‘gatekeepers’.
  • Vestager cites a previous lack of legal tools that the DMA and DSA now give EU trust busters.
  • Pressed by Swisher on why Europe looks like it would rather regulate US-born tech than build its own, Vestager explained how a historically fragmented investment market made it more difficult for tech startups to grow to Google’s size, Spotify being a notable exception.
  • By creating and then enforcing a fairer, more open single market, particularly for competitive AI products, Vestager believes Europe can foster a Silicon Valley that benefits European society.

Asked if Vestager has any sage advice for her US counterpart, FTC Chair Lina Khan, the outgoing competition chief diplomatically declined, echoing what she told Swisher in their 2019 interview. “We’re quite busy in the day job doing our own cases so we do not sort of try to correct or do better with our colleagues because they know perfectly well their marketplace.”

Sage words indeed. The competition commissioner knows the FTC and DOJ are tuning in.

Listen here

—AK


Other Happenings

  1. EU Launches DMA Investigations of Apple, Google and Meta. The EU Antitrust Bosses are coming after FAANGs’ core business practices (and compliance theatrics). Investigative outcomes are not expected for a year and shakeups may not stop at the DMA’s eye-watering fines of 10% of global revenues. The FTC and DOJ are following along and coordinated breakups may well be on the docket.
  2. EU General Assembly Adopts Landmark AI Resolution. A week after the EU passed the AI Act, the UN has moved its own AI Gov chess pieces forward, calling for a dedicated entity modeled after the International Atomic Energy Agency (IAEA). The agency would promote the safety and security of AI systems, with a concerted focus on how this ‘nuclear’ tech can amplify cybercrime, disinformation and socio-economic disparity through algorithmic biases -- critically, against women.
  3. DOT Launches Investigation into Big Air Privacy Practices. From tool-laden websites to sophisticated loyalty program partnerships, today’s operators fly flush with people’s data. With operating costs staying high, airlines are exploring all monetization avenues while raising baggage and other fees. Inevitably, one is breached and federal watchdogs are forced to react. This time is different, however. Big Air is now on notice they will be held responsible for more than junk fees. The DOT will now be conducting “regular” sweeps for jank data practices too. Flyers can lodge their platinum privacy complaints here.
  4. Tik-Tok, TikTok. House Passes Ban on Sensitive Data Sales. Is Congress finally waking up on data privacy? Groggily and selectively, but this is progress still. A bipartisan bill to ban sensitive data sales to a short list of “foreign adversaries”, including China, is on its way to the Senate. If the country blacklist approach sounds eerily familiar, it should. Hello OFAC! Meanwhile, Bytedance is whistling past its graveyard on the way to a selloff ultimatum. We live in interesting times.


Lucid Resources


Navigating digital privacy is like sailing in vast seas - unpredictable but exciting. As Plato once implied, necessity may be the mother of invention, but it’s our collective responsibility to ensure it steers clear of infringing personal boundaries. #innovation #ethics
