US: APRA faces heat as 15 AGs criticize the draft bill
UK: Blames China for cyberattack on military, exposing data
Privacy Corner Newsletter: May 10, 2024
By Robert Bateman and Privado.ai
In this week’s Privacy Corner Newsletter:
Fifteen US Attorneys General voice opposition to US federal privacy bill
A coalition of Attorneys General (AGs) has written to the US Congress urging lawmakers not to pass the American Privacy Rights Act (APRA) unless states can retain their powers to pass and enforce privacy laws.
Which state AGs have signed?
AGs from the following states signed the letter:
Out of these 15 states, just five have enacted “comprehensive privacy laws”: California, Connecticut, Delaware, Maryland (as of Thursday), and Oregon. Authorities in states with stronger privacy laws have more to lose should the APRA pass, but—for whatever reason—many have not signed the letter.
Illinois, home of the notoriously tough Biometric Information Protection Act (BIPA), is also on the list, but the APRA would allow consumers to retain their private right of action under that law. Nevada, which has a relatively broad privacy policy requirement and a health privacy law, is also present.
Other signatory states have made significant progress toward stricter privacy laws, with Pennsylvania, Minnesota, New York, and Vermont considering active bills (among others).
Why do these AGs oppose the APRA?
The issue is with how the APRA would preempt state laws.
Over the past few years, many new privacy laws have emerged at the state level. Seventeen “comprehensive” state privacy laws have been enacted so far, with further such laws pending, and many states have also passed relatively strict sector-specific privacy laws.
A federal privacy law would provide some degree of uniformity across each US state, partly by stripping state AGs of certain investigation and enforcement powers and handing them to the Federal Trade Commission (FTC).
In their letter, the AGs argue that the APRA should be a “floor”—a national minimum standard upon which state legislators can build—rather than a “ceiling” above which privacy rights may not rise.
But do they think the law is bad in itself?
The letter actually praises the APRA in certain respects, particularly its strict data minimization rules, “strong consent requirements,” and protections for minors.
Most of the letter’s arguments relate to preemption rather than issues with the law itself. For example, the AGs argue that by stripping states of their legislating and rulemaking powers, the APRA would inhibit the “flexibility” needed to “keep pace with technology.”
The letter cites the example of biometric identification, which was relatively uncommon when states started passing data breach notification laws in the early 21st century. But as biometrics have proliferated, states have amended their breach notification laws to help protect biometric information.
Also, consumers in many states are about to gain the right to opt out of targeted ads via mechanisms like the Global Privacy Control (GPC). While the APRA also includes such a right, it would take effect later. This means some people would experience a pause or delay to their opt-out rights (though of course, many others would gain this right for the first time).
Preemption was the nail in the coffin of the first significant federal privacy bill, the ADPPA. While the APRA’s preemption doctrine is slightly softer than the ADPPA’s, this thorny issue is already proving to be a problem.
The UK military’s payroll has been hacked: Did China do it?
The UK government reportedly suspects China was behind a hack of an armed forces payroll system containing the personal data of military personnel.
So was China responsible or not?
The government has not officially blamed China for this incident.
Addressing the House of Commons on Tuesday, the UK’s Defence Secretary Grant Shapps said the attack had likely been carried out by a “malign actor” and that the relevant systems had been taken offline in response.
Investigating the attack and gathering enough evidence to make a public accusation could take years. However, politicians outside government have speculated about Chinese involvement, and publications such as Sky News have reported that the government suspects China.
Tobias Ellwood, a Member of Parliament for the governing Conservative Party, said the breach’s characteristics “point to China,” and that the attack could be “part of a strategy” to coerce military personnel.
The Ministry of Defence’s payroll system was reportedly managed by a contractor. But, of course, the government could still be deemed responsible as the data controller under the GDPR.
Didn’t this happen in March?
In March, as previously reported by The Privacy Corner newsletter, the UK government officially accused China of being responsible for a year-long attack against the country’s Electoral Commission discovered in 2023.
The accusation followed an investigation by the UK’s National Cyber Security Centre (NCSC). The government also said it was “near certain” that China was involved in a separate attempted cyberattack against China-sceptic politicians.
While the government is holding its tongue for now, the UK might formally accuse China of perpetrating the Ministry of Defence breach if an investigation confirms that state-backed actors were behind it.
Online store neglects data retention periods, requires customers to make an account, gets fined nearly $1 million
The Finnish Data Protection Authority (DPA) has fined retailer Verkkokauppa.com €856,000 ($919,000) for violating the GDPR’s data retention and legal basis requirements.
That fine sounds quite harsh
The €856,000 fine is the Finnish DPA’s highest on record, followed by the €750,000 fine against debt collector Alektum in 2022.
However, Verkkokauppa is a big company, reporting a turnover of over half a billion euros in 2022 and nearly two million active customer accounts.
What went wrong?
Despite the scale of Verkkokauppa’s operations, the company appears to have had no policy on retaining or systematically deleting account data.
In its response to the Finnish DPA’s investigation, Verkkokauppa said that “the retention period for personal data is as long as the customer wishes.” The company would automatically delete data once a customer closed their account, but would retain it even when an account was inactive.
Verkkokauppa appears to have systematically deleted credit reference data but argued that indefinitely retaining other personal data was a matter of good customer service. The Finnish DPA said that this practice shifted the responsibility for determining a retention period onto individual data subjects.
The DPA’s concerns were exacerbated by Verkkokauppa’s requirement that all shoppers create an account. This meant that the company was indefinitely retaining the personal data of hundreds of thousands of people making individual purchases.
Verkkokauppa pointed out that the GDPR does not specifically prohibit controllers from requiring customers to create an account before making a purchase, but the Finnish DPA found that this practice was a violation of Article 25(2)—“data protection by default.”
What happens next?
Verkkokauppa is appealing the decision.
In the meantime, the company says it will create a process for deleting accounts that have been inactive for six years (the mandatory retention period of certain purchase data under Finnish tax law). The Finnish DPA doesn’t appear to be satisfied with this proposal.
No mention is made of whether Verkkokauppa will change its policy of requiring customers to create an account. Given the relatively widespread nature of this practice among online retailers, an appeal that reaches the Court of Justice of the European Union (CJEU) could have wide-reaching implications.
What We’re Reading