Government Agrees to Indonesian Data Protection Authority
Indonesia’s House of Representatives and relevant government agencies agreed to the creation of a supervisory authority that will oversee the enforcement of the Personal Data Protection Bill. Authorization for the authority will come through a presidential decree after lawmakers and government agencies debated whether the proposed regulator would be an independent body. The PDPB and the authority are expected to be approved during the first period of the 2022-2023 legislative session.
US Senators Introduce Bill to Enhance Credit Unions’ Cybersecurity
U.S. Senators Mark Warner, Jon Ossoff and Cynthia Lummis introduced the Improving Cybersecurity of Credit Unions Act. The bill’s goal is to protect credit union customers from cyberthreats. It would give the National Credit Union Administration the authority to examine cybersecurity risks credit unions face.
Leading US Demographers Ask Census Bureau to Drop Differential Privacy Algorithms
Demographers asked the U.S. Census Bureau to cease using differential privacy algorithms to protect participants’ confidentiality. In a letter to Census Bureau Director Robert Santos, demographers requested the agency halt future plans for using the algorithms for annual population estimates and American Community Survey data sets. Differential privacy algorithms “are inappropriate for (these) critically important data sets, which are fundamental to American democracy and to equity in redistricting, fund allocation and planning for government services of all kind(s),” the letter stated. The 2020 census marked the first time differential privacy algorithms were used.
Final Decision on Meta’s EU-US Data Transfers Delayed
Objections to the Irish Data Protection Commission’s order to halt Meta’s EU-U.S. data transfers will delay a final decision. A DPC spokesperson said fellow data protection authorities raised concerns during the mandated four-week consultation under Article 60 of the EU General Data Protection Regulation and it may take months to resolve the discrepancies. If issues go unresolved, the Article 65 dispute resolution mechanism will be triggered.
India’s Next Data Protection Bill May Drop DPA
Members of Indian Parliament could exclude provisions for a data protection authority when drafting a fresh data protection bill, the Hindustan Times reports. An official familiar with Parliament’s negotiations said many proposed DPA functions “were out of its remit” and dropping the DPA would help “to not overwhelm one authority and increase compliance costs for small companies.” The new bill may add a consumer redress mechanism in lieu of a regulator.
Apple Reports ‘Serious’ Security Vulnerabilities in Multiple Devices
Apple announced iPhones, iPads and Macs are vulnerable due to ‘serious’ security flaws. These flaws could give hackers the ability to remotely take over a device. The company published two security reports on the vulnerabilities Aug. 17, which cite an “anonymous researcher.” Security experts advised users to update their software on iPhone 6s models and later, fifth-generation iPads and later models, and Macs running macOS Monterey.
EDPB Issues Article 65 Decision on CNIL Fine
The European Data Protection Board issued a binding decision under the EU General Data Protection Regulation’s Article 65 dispute resolution mechanism related to a 600,000 euro fine handed down by France’s data protection authority. The Article 65 procedure was triggered by concerned supervisory authorities’ issues with the proposed sum of the CNIL fine. The violation by French hotel chain Accor stemmed from alleged nonconsensual distribution of marketing messages to customers.
Congressmen Seek Information on Personal Data Purchases by Federal Law Enforcement
U.S. Reps. Jerrold Nadler, D-N.Y., and Bennie Thompson, D-Miss., issued a letter to seven federal law enforcement agencies inquiring about alleged purchases of Americans’ data. In the letter, the congressmen alleged agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, purchased citizens’ data from data brokers and location aggregators to sidestep (search) warrant requirements. The congressmen wrote, “While law enforcement investigations necessitate some searches, improper government acquisition of this data can thwart statutory and constitutional protections designed to protect Americans’ due process rights.”
The FTC’s Privacy Rule-Making: Risks and Opportunities
The U.S. Federal Trade Commission’s privacy and data security rulemaking proposal could prove to be a lofty undertaking despite some advanced planning. IAPP Westin Emeritus Fellow and Goodwin Procter Partner Omer Tene said the broad nature of the agency’s recently issued Advance Notice of Proposed Rulemaking brings both risk and opportunity. Tene explains the potential ups and downs of the rulemaking proposal while suggesting ideas to “rein in the process and focus on results that are attainable.”
NIST Releases Latest AI Risk Management Framework Draft
The U.S. National Institute of Standards and Technology is seeking public comments on the second draft of its Artificial Intelligence Risk Management Framework. NIST said the voluntary guide aims to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” The public consultation on the latest draft runs through Sept. 29 while NIST will also solicit feedback during a workshop concerning the guidance Oct. 18-19.
Council of the European Union Offers Latest Data Act Compromise Text
The Czech Presidency of the Council of the European Union released its latest compromise text for the proposed Data Act. The latest text offers changes to conditions for allowing public entities to demand access to privately held data. The proposal frees most EU institutions from requirements under the law and adds provisions to allow public sector bodies to use data from a private company in exceptional cases.
California Attorney General Serves First-Ever CCPA Fine
California Attorney General Rob Bonta announced the first enforcement action under the California Consumer Privacy Act, a $1.2 million settlement with multinational retailer Sephora over violations of the law’s “Do Not Sell” provisions. Sephora’s violation specifically relates to failures to inform individuals about the sale of their data and to process sale opt-outs through the Global Privacy Control. The retailer did not utilize the 30-day cure period allowed under the CCPA. The landmark settlement also includes required operational improvements.
India’s Revised Data Protection Bill to Parliament by Early 2023
The Hindu reports Indian Minister of Railways, Communications and Electronics and Information Technology Ashwini Vaishnaw indicated a fresh data protection bill will be published for public comments soon and hopefully be tabled during Indian Parliament’s Budget Session in January 2023. Vaishnaw said the bill will reflect modern thinking around data protection, adding that “it should not be like we are trying to create a paper system for a digital world.” The upcoming draft may include reported changes to the structure and independence of the proposed data protection authority.