Table of Contents
- Legislative Landscape
- Government Access to Personal Information
- US Government institutions release data industry reports
Legislative Landscape
Top EU court orders Google to start “forgetting”
After lengthy court proceedings, the European Court of Justice ruled that Google must delete “inadequate, irrelevant or no longer relevant” data about an individual from its search results upon request. This is reportedly the first time such an order was passed onto a non-EU search engine. The ruling was the culmination of litigation around the so-called “right to be forgotten” that began when a Spanish man sought to have a 1998 news article about the repossession of his house deleted from Google’s results. The individual argued the contentious article described a matter that was long since resolved and currently adversely affected his honour and dignity. The court based its decision on existing EU data protection laws, which recently have been the subject of legislative reform efforts aimed at adding explicit provisions clearly defining the right to be forgotten. These efforts have been strongly lobbied against by US tech companies and their representatives.
A number of civil society groups and newspaper editorial boards have criticized the ruling for legitimizing a form of censorship, particularly with regard to press freedom. Harvard Professor Jonathan Zittrain argued that the ruling was overbroad for not clearly defining the conditions under which content could be removed, while also noting it was narrow in that the content in question could remain on the web, just not in Google’s results. Nevertheless, several privacy-focused advocacy groups have claimed the decision is “groundbreaking”, and a “strong statement in support of privacy”, with potentially huge repercussions on the Internet economy that would see companies required to take on more responsibility for supporting citizens’ rights to control information about themselves.
Google responded to the ruling by stating it was disappointed but would comply with the court’s instructions. Since then, the company has published an online form that expedites the process of submitting a request for removal. In the days following the release of the tool, the company reportedly received over 12,000 requests for deletion. Google has noted that any results found to meet the requirements for removal will only be unpublished for people accessing the service from within the EU and will be replaced with a notice explaining the rationale for the content deletion — the same policy it uses for other legally-mandated content takedowns around the world.
USA FREEDOM Act passes House as civil society groups withdraw support
The US House of Representatives recently passed the USA FREEDOM (Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-Collection and Online Monitoring) Act, originally intended to rein in the NSA’s bulk metadata collection practices. In its current form, the law requires American intelligence agencies to now seek advance permission from the secret Foreign Intelligence Surveillance (FISA) Court for targeted metadata collection activities, whose scope is delimited by a “specific selection term.” This term can be thought of as a sort of keyword used to specifically identify and extract information about a subject of interest from within a pool of otherwise sensitive and legally protected data.
However, the final text of the Act included revisions that privacy advocates, initially optimistic about the bill, deemed to have “gutted” the bill’s most substantial provisions. Specifically, critics pointed to the law’s revised definition of a “specific selection term,” which is now ambiguous enough (it includes the phrase “such as”) that groups fear it may be used as a loophole through which the FISA court could justify existing or new bulk collection practices.
The new version of the Act was introduced following more than a week of intense backdoor negotiations between lawmakers, the Obama administration, and the US intelligence community. The Act remains to be presented in the US Senate.
Government Access to Personal Information
Canadian Privacy Commissioner calls for clarity on social media monitoring
Former Interim Canadian Privacy Commissioner Chantal Bernier wrote to the country’s federal government to share her office’s concern about government access to social media data. Specifically, Bernier was concerned that a wide range of government entities are collecting large quantities of publicly-accessible information from social media platforms without proper oversight and guidelines, for unclear purposes, which could run afoul of the Privacy Act. Reportedly, the Commissioner’s concerns were rooted in the potential for government bodies to make administrative decisions about individuals based on unverified and potentially inaccurate and unaccountable information gathered from the web.
In response, President of the Treasury Board of Canada Tony Clement stated that his staff are looking into the matter and will engage with the Commissioner’s office. He noted that since the information is “publicly available,” Canadians shouldn’t be surprised that all sorts of parties are collecting it and, in the case of the government, putting it to use to learn about the “views” of Canadians. University of Ottawa Professor Michael Geist wrote that as long as the personal data being collected relates directly to an operating program or activity of the government, such data collection would be lawful under the Privacy Act. Geist went on to call for policies to be put in place that ensure the information is being used in an appropriate manner.
Airbnb enters into limited data-sharing agreement with NY state
Airbnb has agreed to provide “anonymized” records relating to all users who act as hosts within New York State to the state attorney general’s (AG) office. The agreement was reached following rounds of negotiations which began when the AG served the company with a subpoena demanding bulk access to personally-identifying user data for all hosts in the state. The AG sought to identify hosts that were breaking an NY State law regarding temporary housing. Supporting Airbnb, advocacy groups like the Electronic Frontier Foundation and the Center for Democracy and Technology claimed that the original request was “far beyond the bounds of its [office of the AG] investigative powers.” While the original subpoena in question was quashed in the State’s Supreme Court, the final agreement between the parties provides the state with the anonymized records and sets a 12-month window within which Airbnb must provide de-anonymized data about specific targets subject to investigations or enforcement actions by the AG. The data provided would be that which was redacted from the anonymized records (name, email address, physical address, tax ID, and others).
US Government institutions release data industry reports
FTC report calls on US Congress to regulate data brokers
The Federal Trade Commission (FTC), an independent US government agency charged with consumer protection, released a report this month that surveyed the data broker industry and called on Congress to require the industry to adopt more transparent and accountable practices to counterbalance the vast knowledge they hold on people. The report, issued at the close of an 18-month investigation, describes how data brokers connect potentially “billions” of data points gathered from a wide range of sources like government records and shopping habits to develop highly-specialized and potentially “troubling” consumer profiles used to create targeted advertisements, combat fraud, and make opportunities available to consumers.
The report’s specific recommendations include providing consumers with the capacity to learn what data brokers know about them, where they acquired the data from, and to correct erroneous information. The Commission suggests that a centralized gateway that supports these activities would provide the most benefit to consumers. However, individuals associated with the data broker industry argue that these recommendations are “unnecessary and cumbersome”, and that the potential harms outlined in the report are “speculative” and not sufficient to demonstrate that industry’s self-regulation has failed. Conversely, Marc Rotenberg, executive director of the Electronic Privacy Information Center, was quoted in the New York Times arguing that the Commission’s recommendations put too much responsibility on individuals to proactively protect their privacy rights, recommending instead that brokers take the lead and notify consumers prior to undertaking potentially privacy-sensitive operations. The American Civil Liberties Union went further, arguing that the FTC should move beyond reports that amount to “suggestions […] phrased in the weakest possible way” and utilize its existing authority to compel data brokers to adopt more privacy-protective practices.
White House report recommends regulations for data industry
A report authored by a senior White House advisor recommended that the government develop limits on how private companies make use of the vast troves of data that they collect about people. This move towards the regulation of data usage could arguably signal a shift in thinking in the US executive branch, away from the existing “notice and consent” model of US privacy law towards one that puts less responsibility on the individual to protect his or her interests.
An analysis of the report by the Electronic Frontier Foundation (EFF) generally praised its call for reform of the Electronic Communications Privacy Act (ECPA), a 1986 law that in certain cases permits law enforcement to access email content without a warrant. However, EFF went on to contest the report’s claim that experts are divided about the privacy sensitivity of “metadata,” data that provides rich contextual information pertaining to the “content” of a communication and is a key component of largely unregulated intelligence and ‘big data’ operations. Another key policy suggestion is the passing of a federal data breach law that would require companies to report the major loss of personal information. However, the recommendation lacks specifics, and EFF argued that a vague federal regulation could undermine existing state-level consumer protections in this area. The report also recommended that American privacy rights be extended to foreigners whose data is held by American companies, though again the details of that proposal are not explored in depth.