Privacy Law Update: September 6, 2022
The Federal Trade Commission (FTC) released the final agenda for its September 8, 2022 forum seeking public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information. The FTC recently announced an Advance Notice of Proposed Rulemaking (ANPR) seeking public comment as it explores possible new rules cracking down on lax data security and commercial surveillance, which is the business of collecting, analyzing, and profiting from information about people.
In a piece for Lawfare, Brookings Institution Tisch Distinguished Visiting Fellow Cameron Kerry discusses how proposed U.S. Federal Trade Commission privacy rulemaking is motivation, not a substitute, for passing the proposed American Data Privacy and Protection Act (ADPPA). Kerry breaks down the “long, tortuous road” that is the FTC rulemaking process while also explaining FTC commissioners “are conscious that the ADPPA addresses many of the issues raised,” with all five commissioners happy to defer to the ADPPA if U.S. Congress can finalize it before rulemaking is complete.
In the modern history of the privacy profession, the one constant dynamic has been the rapid development of new technologies has reflexively created an industry that is in a perpetual state of innovation. To better anticipate what role privacy will play in commerce in the near-to-long-term, the U.S. National Institute of Standards and Technology embarked on developing the new “Privacy Framework” document.
Meta’s Facebook settled a long-running lawsuit in a U.S. court seeking damages for letting third parties, including Cambridge Analytica, access the private data of users. The preliminary settlement was disclosed in a court filing late Friday. The terms were not disclosed. Lawyers for the plaintiffs and Facebook asked the judge to put the lawsuit on hold for 60 days to allow the parties to “finalize a written settlement agreement” and present it for preliminary approval by the court.
Two years ago, the Court of Justice of the European Union invalidated Privacy Shield, the legal framework for EU-U.S. data flows. The consequences of that ruling reinforce the EU’s digital sovereignty agenda, which increasingly sees data localization as one of its core elements. Since the “Schrems II” judgment by the CJEU, the U.S. presidential administration and European Commission have been working on replacing the trans-Atlantic agreement with a new one that could stand judicial review before Europe’s top court. In March 2022, U.S. President Joe Biden and Commission President Ursula von der Leyen announced an agreement in principle.