BCI Technical and Policy Recommendations to Mitigate Privacy Risks


This is the final post of a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.

Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed them, read the first, second, and third blog posts in this series. The first post unpacks BCI technology. The second and third posts analyze BCI applications in healthcare and wellness, commercial, and government, the risks associated with these applications, and the implicated legal regimes. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.

I. Introduction: What are BCIs?

BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs). 

BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.

II. Stakeholders Should Adopt Both Technical and Policy Guardrails to Promote Privacy and Responsible Use of BCIs

From healthcare to smart cities, BCI-facilitated data flows can augment society by improving operations and offering novel insights into long-term problems. However, this nascent technology also creates privacy risks and raises other concerns. As BCIs spread to new realms of activity, existing accountability and enforcement structures may not respond to the challenges raised by these novel BCI applications. Some regulators have already reacted to these perceived inadequacies by creating and reforming policy and legal frameworks. To promote privacy and responsible BCI use, novel technical and policy approaches may also be required to mitigate against potential risks.

A. Technical Recommendations

Providing On/Off and App Controls to Users: Privacy risks arise when a BCI device continuously collects data or is unintentionally switched on. These features may prevent users from exercising control over personal neurodata, because they are unaware that the collection is occurring in the first place. On/off and granular controls on devices and in companion apps can mitigate against these privacy risks by enhancing a user’s ability to manage neurodata flows. 

End-to-End Encryption of Sensitive Neurodata and Privacy Enhancing Technologies: Developers should explore a variety of measures to promote privacy and protect neurodata during collection and processing. End-to-end encryption can be used to protect sensitive personal neurodata in transit and at rest. Privacy enhancing technologies (PETs) such as differential privacy and de-identification methods—Privacy Preserving Data Publishing (PPDP) for stored and shared data, to name one—can also help BCI developers maximize neurodata’s utility while protecting the identity of the person to whom the neurodata belongs.
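As an added illustration of one of the PETs named above, the following Python applies differential privacy (the Laplace mechanism) to the release of an aggregate over personal neurodata. It is not code from the FPF/IBM report or from any BCI vendor; the per-user "attention index" scores, their assumed 0 to 100 bounds, and the `PrivacyBudget` helper are all constructed for this example. It shows why a raw mean leaks per-user influence, how clipping bounds the sensitivity, how noise is calibrated to epsilon, and why a cumulative budget is needed so repeated releases cannot be averaged back to the true value.

```python
"""Added example: epsilon-differentially-private release of a mean over
constructed per-user neurodata scores. Not code from the FPF/IBM report;
all data, bounds and helper names are assumptions for illustration."""
import math
import random
from typing import Sequence

# Assumed bounds for a per-session "attention index" (constructed).
LOW, HIGH = 0.0, 100.0

# Constructed sample: one score per user in a cohort of ten.
SAMPLE_ATTENTION_INDEX = [42.0, 55.0, 61.0, 38.0, 70.0, 49.0, 58.0, 66.0, 51.0, 45.0]


def clip(x: float, low: float = LOW, high: float = HIGH) -> float:
    """Bound each record so one extreme value cannot dominate the mean."""
    return max(low, min(high, x))


def mean_sensitivity(n: int, low: float = LOW, high: float = HIGH) -> float:
    """Changing one of n clipped records moves the mean by at most (high-low)/n."""
    return (high - low) / n


def max_raw_mean_shift(values: Sequence[float]) -> float:
    """How far the unprotected mean moves when any single user is dropped.
    This per-record influence is what an observer could exploit from a raw release."""
    full = sum(values) / len(values)
    return max(abs(full - (sum(values) - v) / (len(values) - 1)) for v in values)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF from a uniform in [-0.5, 0.5)."""
    u = rng.random() - 0.5
    while u == -0.5:  # guard against log(0); practically never triggers
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_mean(values: Sequence[float], epsilon: float, rng: random.Random) -> float:
    """epsilon-DP mean: clip, average, then add Laplace(sensitivity / epsilon) noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    if not values:
        raise ValueError("no records to aggregate")
    clipped = [clip(v) for v in values]
    true_mean = sum(clipped) / len(clipped)
    scale = mean_sensitivity(len(clipped)) / epsilon
    return true_mean + laplace_noise(scale, rng)


def release_mean(values: Sequence[float], epsilon: float, seed: int) -> float:
    """Seeded wrapper so a release can be reproduced during an audit."""
    return dp_mean(values, epsilon, random.Random(seed))


class PrivacyBudget:
    """Track cumulative epsilon; refuse releases once the budget is spent,
    otherwise repeated queries let an observer average the noise away."""

    def __init__(self, total_epsilon: float) -> None:
        self.remaining = total_epsilon

    def spend(self, epsilon: float) -> float:
        if epsilon > self.remaining + 1e-12:
            raise ValueError("privacy budget exhausted")
        self.remaining -= epsilon
        return self.remaining


if __name__ == "__main__":
    budget = PrivacyBudget(total_epsilon=1.0)
    print("raw per-user influence on the mean:",
          round(max_raw_mean_shift(SAMPLE_ATTENTION_INDEX), 3))
    for eps in (0.5, 0.5):
        budget.spend(eps)
        noisy = release_mean(SAMPLE_ATTENTION_INDEX, eps, seed=7)
        print(f"epsilon={eps}: released mean = {noisy:.2f}, budget left = {budget.remaining}")
```

The choice of a small epsilon trades accuracy for protection: at epsilon = 0.5 with ten users the noise scale is 20 points, so a cohort this small cannot be reported precisely, which is itself a useful signal to a developer deciding whether an aggregate should be published at all. Encryption in transit and at rest (the other measure named above) protects the stored records; the mechanism here protects what is derived from them.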

B. Policy Recommendations

Rethinking Transparency and Control: A BCI’s technological capabilities, purposes, and user bases will impact the privacy risks these devices pose, and they may shift with changes in context. These variations will inform the appropriate levels and methods of transparency required to encourage informed consent and provide insights into device capabilities, data flows, data storage, and who controls and has access to the data. 

Developers and regulators should therefore identify measures facilitating a level of transparency that both gives users meaningful control over personal neurodata and reflects a particular BCI application’s privacy risks. While privacy policies and similar documents are often required by law, these policies frequently fail to provide sufficient levels of transparency. Even if the document’s contents are accurate, users may not read them or, if they do, may still find it challenging to understand what is happening with their data. On-device indicators could be marshaled to ameliorate this notice problem; visual or audio indicators may improve transparency and control by informing users when neurodata collection or modulation occurs.

Institutional Review Boards, Ethical Review Boards, and Multi-Stakeholder Engagement: Collecting neurodata and deploying BCI technology may require review and/or approval. BCI providers that are gathering primary research data from human subjects or pre-registering clinical trials may need to complete an institutional review board (IRB) review. Other organizations may need to obtain approval from bodies, such as the Food and Drug Administration (FDA), before selling a BCI product. However, many consumer-facing BCIs are not subject to these requirements. Providers of consumer-facing BCIs that want to have strong privacy protections can still subject these BCIs to ethical review board (ERB) oversight. ERBs can consider questions, including those relating to neurodata collection, use, access—when neurodata is sought for research purposes, but obtaining user consent is impractical, for instance—and storage.

When appropriate, organizations developing BCIs should also facilitate multi-stakeholder engagement during the BCI’s development and deployment lifecycle. The consultations should include those affected by BCIs, and not just researchers, policymakers, and initial adopters. Individuals who are impacted by BCIs include people from marginalized communities, such as the disabled and historically-surveilled populations. BCI developers should actively seek out and incorporate these communities’ feedback into product development and deployment decisions. Developers should also recognize that a product may need to be heavily altered or scrapped to respect community input or avoid harm.

Standards Setting and Other Agreements: Companies, research institutions, and policymakers should set policy and technical standards for BCI research, development, and use that can adapt to changes in the technology, user base, and applications. Some of these standards may be taken from existing policy frameworks, but the unique risks posed by BCIs may require novel approaches, too. As previous blog posts discuss, there is no consensus on the types of neurodata that can or will be interpreted as biometric data under current laws. This impacts whether some regulations apply to neurodata, resulting in categories of data such as Brittan Heller’s “biometric psychography” potentially lying outside any law. Policymakers may therefore need to re-evaluate conceptions of biometrics to account for BCI applications. Alongside technical and policy standards, industry and regulators should promote up-to-date training for developers around processes such as data handling and de-identification learned from academia.

Open Neurodata Standards and Open Licenses for De-Identified Data: There are large barriers affecting the deployment of BCIs due to the high cost of research and development. Proprietary systems may hinder the exchange of best practices and tools that are needed to fuel a thriving research and development environment. To prevent stagnation, stakeholders should collaborate to develop and adopt open neurodata standards and also consider whether using open licenses for de-identified neurodata research sets is possible and appropriate.

III. Conclusion: Balancing New Data Flows Against BCI Privacy Risks

As BCIs evolve and become more available across numerous sectors, stakeholders must understand the unique risks these technologies present. Key to this understanding is an assessment of how these technologies work and what data is necessary for them to function, as many risks attributed to BCI applications flow from these devices processing certain data.

The adoption of technical and policy recommendations that can make BCI data less identifiable, less potentially harmful, and more secure could minimize privacy and data governance risks. However, the evolution of BCIs will require developers, researchers, and policymakers to differentiate between the risks that exist now and those that may emerge in the future. Only through this careful assessment can stakeholders identify the issues that require immediate attention versus those that need proactive solutions.

BCIs will also likely augment and be combined with many existing technologies that are currently on the market. This means that new technical and ethical issues are likely to arise and existing issues could be compounded by one another. In the near future, BCI providers, neuroscience and neuroethics experts, policymakers, and societal stakeholders will need to come together to consider what constitutes high-risk use in the field and make informed decisions around whether certain BCI applications should be prohibited, a position around which more robust and critical discussion is needed. 

Finally, and perhaps more fundamentally, it is also possible that the future of privacy itself and our notions of what it means to have or obtain privacy at basic human or societal levels could be challenged in ways that we cannot currently comprehend or anticipate. We hope this report and our ongoing work helps support the technical, legal, and policy developments that will be required to ensure the advances in this sector are implemented in ways that benefit society.

How the Kenyan High Court (temporarily) struck down the national digital ID Card: Context and Analysis

The High Court of Kenya, by virtue of a judicial review application, delivered a landmark judgment declaring the proposed national digital ID card (Huduma Card) unconstitutional on October 14, 2021 – a judgment that is now part of the growing data protection and privacy jurisprudence in the country. 

Kenya enacted its first Data Protection Act (KDPA) in 2019, as part of a growing wave of privacy and data protection laws being adopted across African jurisdictions. While discussions of data protection and privacy in Africa are still in their infancy, they are constantly developing. Cape Verde was the first country to enact a data protection law in 2001. Countries such as Zimbabwe enacted their data protection law as recently as December 2021. This blog analyzes the landmark judgment of the High Court of Kenya in the Huduma Card case, putting it in context with regard to broader privacy and data protection law developments in the country and the continent.

1. Background of the case and brief history

The matter, Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology and others ex parte Katiba Institute and Yash Pal Ghai concerned the process of launching the “Huduma Card”, Kenya’s proposed first national digital ID card. According to the applicants, Katiba Institute, a constitutional research, policy and litigation institute in Kenya, and Yash Pal Ghai, a ‘data subject’ as defined by the KDPA, the process of launching the Huduma Card was done in violation of the KDPA.

Specifically, they argued that the executive order adopted on November 18, 2020 by the country’s Ministry of Interior, the body in charge of rolling out Huduma Cards to registered persons, violated section 31 of the KDPA. Section 31 provides that “where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment”. The KDPA describes processing as “any operation or sets of operations which are performed on personal data or on sets of personal data whether or not by automated means”. It includes activities such as:

On November 24, 2020, the applicants filed for judicial review of the executive order launching the Huduma Card. In the motion, the applicants asked the court to grant three orders:

  1. To prohibit the rolling out of Huduma Cards.
  2. To reverse the decision to roll out Huduma Cards.
  3. To issue an order compelling the respondents to conduct a data protection impact assessment before processing of data and rolling out Huduma Cards. 

The court granted the last two orders.

2. Putting the Huduma Card into Context

For purposes of clarity, it is fundamental to locate Huduma Card in the larger context within which it exists. Huduma Card, akin to India’s Aadhaar Card, is the final step in the process of registration in Kenya’s proposed digital identification system – the National Identity Integrated Management System (NIIMS). NIIMS was introduced through the Statute (Miscellaneous Amendments) Act, No. 18 of 2018, which amended Kenya’s civil registration law, the Registration of Persons Act (RPA), in 2018. The amendment involved introduction of a new section, section 9A, that established NIIMS.

On January 18, 2019, the RPA amendment came into force. Pursuant to the introduction of NIIMS, the government began a nationwide exercise of collection of personal data including biometric data on March 15, 2019. Soon after, the legal validity of NIIMS and its subsequent implementation were challenged before the High Court. One of the grounds for challenging the implementation included that, in its original state, NIIMS would pose a threat to rights and freedoms protected under the Constitution. Specific to the right to privacy guaranteed under article 31 of the Constitution, issues raised by the different petitioners included the fact that:

On January 30, 2020, the High Court rendered a decision on this petition. It held that:

  1. Implementation of NIIMS would proceed. Processing and use of data collected in NIIMS would proceed on the condition that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable Constitution requirements as identified in the judgment is first enacted.
  2. Collection of DNA and GPS coordinates was found to be intrusive and unnecessary as it violated the right to privacy under the Constitution.

While the above petition was pending determination, the KDPA was enacted and became applicable in November 2019. The court directed that processing of data collected under NIIMS should not happen before the KDPA is operationalized and a regulatory framework put in place. The KDPA is now in operation with the creation of the Office of the Data Protection Commissioner.

In October 2020, the government published two regulations specifically for NIIMS; Registration of Persons (National Integrated Identity Management System) Rules (2020) and the Data Protection (Civil Registration) Regulations. The former recognizes NIIMS as the primary source of identification in Kenya while the latter creates a legitimate basis for processing NIIMS data. The Huduma Bill, a comprehensive national digital ID law was also proposed as another regulation measure to guide the implementation of NIIMS. Therefore, protection of data collected under NIIMS is presently governed by the Constitution of Kenya, the KDPA, the Registration of Persons Act, the Registration of Persons (National Integrated Identity Management System) Rules (2020), and Data Protection (Civil Registration) Regulations. It is under these circumstances that the Ministry of Interior through an executive order announced the rollout of the Huduma Card, which led to the judicial review before the High Court.

3. Understanding Kenya’s Automated Processing of Personal Data Ecosystem

Before delving into the impact of this recent decision, a brief overview of Kenya’s automated processing of personal data ecosystem is necessary. From a consumer perspective, Kenya’s internet connectivity is growing. As of January 2021, it was reported to be at 40%. This has created a market for internet-supported applications such as digital finance applications and social media applications, among many others. Most of these applications collect personal data in the course of usage or require personal data to operate. Of particular interest is the proliferation of digital finance applications in Kenya. This has created a market for more sophisticated, personal data reliant digital finance applications. A number of these financial service providers rely on alternative scoring models to provide credit. Many of these models rely on highly personal data to determine loan eligibility. Some applications require continuous permission to access location data, while others require access to the microphone.

At the government level, the concept of digitization of information systems is close to the heart of the Kenyan government as seen in large scale projects such as NIIMS and the National IT policies. Other government maintained information systems that contain personal data include the biometric voter registration system, electronic voter identification system and health information systems in public health facilities. In a bid to conduct these data processing activities, some data controllers rely on third party data processors to conduct processing activities. A good example is Kenya’s election management body which outsources election kits and the systems used to run them.

All these commercial and government systems hold personal data that now fall within the scope of the KDPA. It is for these reasons that a landmark decision on the enforcement of the KDPA bears relevance.

4. Key Issues for Analysis in the Huduma Card Case

The questions of whether to conduct a data protection impact assessment (DPIA) or not as well as the procedure of handling complaints are key issues in the judgment that have the ability of influencing data protection expectations for both data subjects and data controllers/processors handling personal data that falls under the KDPA’s scope. 

4.1 Conducting a DPIA

In the judicial review application, Katiba Institute (the applicant) submitted that the respondents did not conduct a DPIA which was in violation of the KDPA and Order III of the 2020 petition. In rebutting this, the respondents argued that the KDPA was not envisaged to apply to data under NIIMS. The court upheld the applicant’s arguments and ordered for a DPIA to be conducted before any further steps to issue Huduma Cards are undertaken. This decision was upheld, partly due to the fact that some of the parties in the 2020 petition who were also respondents in this matter, submitted to the court that there were legal safeguards underway to ensure protection of data under NIIMS. The legal safeguard, in this case, was the Data Protection Bill, now the KDPA. The court, therefore, did not see why the Bill which is now law should not apply in the present matter.

The question of whether or not to conduct a DPIA remains a subjective one, at least for civil registration entities. The Data Protection (Civil Registration) Regulations, adopted in the implementation of the KDPA but only relating to public bodies with a civil registration function, do not state whether it is mandatory to conduct a DPIA for information systems held by civil registration entities such as NIIMS and its components. Regulation 19 provides that a data protection impact assessment may be conducted on condition it is required in accordance with section 31 of the KDPA. On the other hand, Section 31(6) of the KDPA provides that: “The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section”. While indeed the Data Commissioner did develop the Data Protection (General) Regulations, 2021, which attempt to set the criteria for conducting a DPIA by delineating processing activities that would amount to “high risk”, the Regulations are not applicable to civil registration entities, which is where NIIMS falls. Regulation 3 of the General Regulations provides that: “These Regulations shall not apply to civil registration entities specified under the Data Protection (Civil Registration) Regulations, 2020”.

Interestingly, the High Court did not make any findings with regard to what specifically constitutes “high risk” processing of personal data related to the Huduma Card in this judgment. However, when adjudicating on the initial 2020 petition, the Court implied an overall high risk of the entire NIIMS system. For instance, in prohibiting collection of GPS coordinates and DNA data, the Court stated that collection of such data would be intrusive and carries with it the risk of privacy violations and surveillance.

However, there have been attempts elsewhere to make the DPIA triggering criteria objective through denoting situations that amount to “high risk”. Kenya’s KDPA adheres to the “high risk” criteria, similar to EU’s General Data Protection Regulation (GDPR). 

Beyond the scope of NIIMS, the fact that the data protection regulations have not yet come into force to provide clarity around the situations that necessitate a DPIA as well as how to proceed with carrying out a DPIA, could negatively affect other data controllers and processors and consequently, the data subjects. The Regulations are currently before the Delegated Legislation Committee in Parliament awaiting comments. These Regulations will be deemed to have been approved after 28 days from the publication date. Nevertheless, the fact that the conditions triggering the obligation to carry out a DPIA have not yet come into force does not diminish the data controllers’ general obligation to implement measures to appropriately manage risks for the rights and freedoms of data subjects. Even without the explicit requirement to conduct a DPIA, controllers must continuously assess the risks created by their processing so as to identify when a processing is likely to result in a high risk to rights and freedoms of data subjects. 

In light of the present judgment, it will be interesting to see whether data collected and held in information systems created before the KDPA came into force and after the Constitution was adopted in 2010 will be subjected to DPIAs, if they meet the criteria for conducting a DPIA. This is crucial as the Huduma Card case shows that the KDPA could act retroactively. If the court’s rationale in the Huduma Card case is anything to go by, it is likely that the KDPA could apply retroactively for such information systems. The court in its analysis stated: “it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under Article 31 (c) and (d) of the Constitution”.

4.2 Dispute Resolution in Data Protection Cases

In addition to the issue of conducting a DPIA that formed the main argument, the court also deliberated on the issue of handling complaints under the KDPA that could have persuasive impact on future data protection cases. In deciding whether to give an audience to the applicants, the court dealt with the issue of whether it had jurisdiction to hear the matter. The question of jurisdiction, as presented by the interested party (the Data Protection Commissioner), arose from the fact that one of the applicants, Yash Pal Ghai, described in the matter as an affected data subject, claimed that rolling out Huduma Cards without a DPIA would prejudice his rights as a data subject under the KDPA.

Owing to objections raised by the interested party, the Data Protection Commissioner (DPC), the court found that the applicant could not, in the given circumstances, approach the court directly. To obtain redress, the data subject was required to first exhaust all other available dispute resolution means as stipulated in the KDPA and the Data Protection (Civil Registration) Regulations before seeking court intervention. The Data Protection (Civil Registration) Regulations provides an internal complaint handling procedure. Regulation 23(1) provides that an aggrieved data subject may lodge a complaint with the civil registration entity. 

Further, Regulation 23(6) provides that a data subject has a right to appeal to the Data Commissioner if the data subject is dissatisfied with the decision of the civil registration entity. Section 56(1) of the KDPA provides that “A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act”. If the data subject wanted to opt out of dispute resolution mechanisms under the KDPA and the Data Protection (Civil Registration) Regulations, they had to make an application to court explaining why such mechanisms are not efficient. The court upheld this objection. Katiba Institute, however, was allowed to bypass the dispute resolution mechanisms provided under the KDPA and the Data Protection Regulations for two reasons:

  1. They do not fall under the category of a data subject. The KDPA describes a data subject as an identified or identifiable natural person who is the subject of personal data.
  2. Their application was based on grounds of public interest. Article 22(2)(c) of the Constitution permits instituting court proceedings by a person acting in the public interest.

The court thus found that Katiba Institute had sufficient interest in decisions made by any person under the KDPA despite not being a data subject.

Effective handling of complaints related to data protection is crucial for consumers and businesses. As personal data processing activities in Kenya are now subject to the KDPA unless they fall under exemptions (and even then there are minimum requirements for processing), it is important that the institutions involved are clear on their respective obligations. This decision is a good starting point on who can bring a data protection dispute to court, and when. With respect to maintaining institutional autonomy, this is a significant move as it indicates the court’s intention not to interfere with nascent administrative bodies with quasi-judicial functions.

While the Office of the Data Protection Commissioner (DPC) and the civil registration entities are being granted independence to oversee enforcement of the KDPA and related regulations, it will be important to further delineate how far such bodies can go with regards to dispute resolution. When can an aggrieved data subject or data controller bypass the DPC and approach the court where their rights and freedoms under the KDPA are violated or their obligations are under threat, respectively? This begs the question: how will the DPC interact with the courts? To explore this, it is crucial to first highlight the role of the court in data protection dispute resolution as per the KDPA:

  1. Issuing a search warrant to enter a premise for the purpose of discharging any function (including dispute resolution) or power under the KDPA.[1]
  2. Hearing appeals against administrative actions such as enforcement and penalty notices taken by the DPC.[2]
  3. Issuing preservation orders to preserve personal data that is vulnerable to loss or modification.[3] This is useful during investigations.

Thus far, the role of the court appears to be secondary in first instance dispute resolution with the DPC having priority to determine the existence of an infringement. This can be justified under the Fair Administration Act (FAA), the legislation that deals with administrative action.[4] On the other hand, the Constitution provides citizens with the right to approach courts where their rights and freedoms are violated.[5] This includes the Constitutionally protected right of privacy from which the KDPA emanates. As for judicial and quasi-judicial decisions, the Constitution provides that “the High Court has supervisory jurisdiction over the subordinate courts and over any person, body or authority exercising a judicial or quasi-judicial function, but not over a superior court”. Based on these court findings, the court appears to recognize the importance of a data protection authority. However, it shall have to balance this against the Constitutionally protected right to institute court proceedings by anyone whose rights and freedoms are affected.

Conclusion

Pursuant to the High Court order for a DPIA to be conducted, the relevant ministry complied and conducted the assessment pointing to an acknowledgment of the importance of accountability with regards to sensitive citizen data. The assessment is not yet public. As the DPIA was the sole requirement to proceed with issuing the Huduma Card, it is expected that the rollout will continue, unless further challenges are successfully made. 

Case law is key in providing guidance on interpreting statutes. It is for this reason that this latest judgment is of great significance to both the future of government led digital ID initiatives such as Huduma Namba, data subjects and businesses as it could shape how the implementation of the KDPA proceeds in the future. Given that a key focus in data protection now is initial implementation of the KDPA, clarity in issues such as whether to conduct DPIAs and forum for dispute resolution will be crucial in ensuring that data processing activities are performed in compliance with the law.  


[1] Section 60, Data Protection Act (2019)

[2] Section 64, Data Protection Act (2019)

[3] Section 66, Data Protection Act (2019)

[4] Section 9(2), (3), Fair Administration Act (2015)

[5] Article 22, Constitution of Kenya (2010)

BCI Commercial and Government Use: Gaming, Education, Employment, and More


This post is the third in a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.

Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed them, read the first and second blog posts in this series. The first post unpacks BCI technology, while the second analyzes BCI applications in healthcare and wellness, the risks associated with these applications, and the implicated legal regimes. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.

I. Introduction: What are BCIs?

BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs). 

BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.

II. BCIs are Entering into the Commercial and Enterprise Market in the Fields of Gaming, Employment, Education, and other Future-Facing Areas.

Gaming: BCIs could augment existing gaming platforms and offer players new ways to play using devices that record and interpret their neural signals. Current examples of BCI gaming combine neurotechnology with existing gaming devices or platforms. These devices attempt to record the user’s electrical impulses, collecting and interpreting the player’s brain signals during play. While most gaming BCIs are single-player, researchers are exploring whether BCIs can provide multiplayer experiences using multi-person non-invasive brain-to-brain interfaces (BBIs). One example of a multiplayer BCI is BrainNet, where three participants exchange neural signals to play a Tetris-like game. BCIs can also be applied to augment games on extended reality (XR) devices.

Today’s BCI games are not fully immersive experiences. Players can use neurotechnology to perform only discrete actions. Future BCI games may offer greater immersion by combining neurodata with other biometric and psychological information, which could allow players to control in-game actions using their conscious thoughts.

Employment: BCIs can monitor worker engagement to improve safety, alert workers or supervisors of dangerous situations, and help make operational or employment decisions. Life and AttentivU are examples of BCIs that track and promote worker attentiveness during tasks. These BCIs can also provide notifications when an employee exhibits fatigue or drowsiness. Other employment BCIs measure neurodata to determine a worker’s emotional state. Management could choose to use this neurodata to gauge efficiency, manage workloads, determine worker happiness levels, or make hiring, firing, or promotion decisions. 

Employment BCIs can also be used to modulate workers’ brain activity for purposes of improving performance. Transcranial direct current stimulation (tDCS) could be used to promote multitasking with this goal in mind. Invasive BCIs, such as Elon Musk’s Neuralink, are also being evaluated for their potential to increase efficiency during high-pressure and time-sensitive tasks.

Education: BCI technology could be implemented in learning environments to gather student neurodata. This neurodata could reveal whether a student is finding an assignment challenging, which creates opportunities to moderate the amount and level of work, or help teachers and parents assess and improve classroom engagement.

Future-Facing Fields: Smart Cities, Connected Vehicles, and Neuromarketing: BCIs could be applied to augment activities in other contexts. Researchers are exploring the possibility of integrating BCIs into smart cities and communities to enhance public safety, city and transportation efficiency, and energy monitoring. BCIs could also provide new methods for controlling connected vehicles and determining driver attention.

Researchers have used neurotechnology to record physiological and neural signals with varying degrees of accuracy. Recorded neurodata can reveal a consumer’s mood, motivations, and preferences when they buy and use a product or service. Product makers and advertisers can utilize this data to better understand consumer choices.

III. Privacy and Other Risks Associated With BCIs in Gaming, Employment, Education, and Future-Facing Fields: From Profiling to Neurodata-based Decision Making.

BCI applications in these spaces present common and area-specific risks and considerations. 

Powered-up Profiling: Gaming and neuromarketing BCIs involve neurodata collection, including user reactions to content in a virtual world. AI and machine learning models can be trained on this neurodata, in combination with other biological changes in response to content, to associate user-specific changes in neural signals with certain physiological states. Neurodata could therefore facilitate the creation of granular profiles on individuals. Since neurodata can capture an individual’s reactions to sensitive content, these profiles may offer intimate portraits of the user’s health, sexual preferences, and even vices.

Organizations could use these profiles to make inferences and decisions. Recognizing this neurodata’s value, organizations collecting and retaining neurodata across sectors may also be incentivized to share it with or sell it to advertisers. Advertisers could take this information and use it to create more directed behavioral ads, which could encourage unhealthy habits.

Lack of Transparency and Control Over Disclosure: Unlike some other personal information sources, users cannot control the electrical impulses that create neurodata. Whether participating in BCI games or acting online more generally, users are therefore often unaware of neurodata tracking. This means users have less control over personal neurodata flows, which increases the likelihood that this data will be used for purposes unrelated to those it was collected for. Even when a person has control—by requiring opt-in consent, for example—over neurodata monitoring, the individual may feel compelled to share neurodata with someone (e.g., an employer) to avoid retaliation or disparate treatment.

Neurodata-Based Decision Making and BCI Accuracy: The amount and sensitive nature of some neurodata generated in entertainment, employment, education and neuromarketing could inform important decisions. These decisions could impact a person’s life, from the content a user receives in virtual game worlds to whether an employee is promoted or discharged. Concerns about neurodata informing decisions are exacerbated by BCIs collecting inaccurate data. Decisions informed by inaccurate neurodata may contribute to diverse harms, including the perpetuation of feedback loops that fuel societal division. 

Chilling Speech and Creating Distrust in Institutions: BCI-enabled monitoring may chill speech and reduce trust in institutions among employees, students, and the general public. Employees who know that they are constantly monitored may place less trust in their employer, lose morale, or refrain from certain behavior. Monitoring may cause students, especially those from communities that have been historically targeted by surveillance or suffer from learning differences, to refrain from certain speech and thoughts in order to avoid retaliation or stigmatization. BCIs incorporated into smart city infrastructure could generate new sources of personal data and enable more invasive surveillance. 

IV. Regulations that Might Cover BCIs and Neurodata Include Comprehensive Privacy Laws, Sectoral Privacy Laws, and Self-Regulatory Frameworks.

Comprehensive Privacy Laws and Agency Authority: Both US and foreign comprehensive privacy laws may regulate BCI use and the processing of neurodata. The EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) define biometric information broadly, meaning that neurodata may fall within these laws’ scope. However, both laws are framed in terms of whether the data is actually used to or could be used to single out an individual. Concepts such as Brittan Heller’s “biometric psychography”—information from the body used to determine interests, not identity—may not be interpreted as covered, because this information is neither used nor could be used to facilitate identification.

If triggered, the GDPR and CPRA impose obligations on regulated organizations and grant rights to data subjects. Neurodata processing may implicate special rules under these laws. For example, an organization using personal neurodata in marketing would trigger CPRA’s opt out right for “cross-contextual advertising.” While US law generally gives companies significant discretion when writing privacy policies affecting at-will employees, the GDPR indicates that a worker’s consent cannot serve as a lawful basis for processing the employee’s personal data. US administrative agencies may also have powers enabling the policing of certain BCI applications. The Federal Trade Commission (FTC) has authority to investigate and enforce penalties against organizations for unfair and deceptive practices, such as those related to advertising, for example.

Sectoral Privacy Laws: The Children’s Online Privacy Protection Act (COPPA) may apply to game operators if they collect, use, or disclose “personal information,” and either target games toward children under 13 or have actual knowledge that such children are using the game. Whether gaming BCIs are regulated under COPPA in part depends on the meaning of “personal information.” Neurodata collected by gaming BCIs could be “personal information” under COPPA if it is considered a “persistent identifier”—a kind of personal information—or if the FTC changes “personal information” to cover biometric data. COPPA gives rights to parents and guardians over their children’s personal information, including access and deletion rights. The statute also imposes obligations on operators, such as obtaining parental consent before collecting information from the child. 

Biometric-specific state laws in the US, such as Illinois’ Biometric Information Privacy Act (BIPA), may impact neurodata processing across sectors. Whether these laws apply, however, depends on the meaning of “biometric identifiers.” Under BIPA, this term is important, as it affects what “biometric information” can be based on. While other state biometric laws, such as Washington’s statute, contain broad definitions, BIPA defines “biometric identifier” narrowly to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Neurodata-based information used as an identifier will therefore more likely fall outside of BIPA’s scope, since it is not considered a “biometric identifier.” 

BCIs used to monitor workers may implicate employment law. The Electronic Communications Privacy Act (ECPA) limits some types of employee monitoring. However, ECPA permits employers to monitor workplace communications, especially when those conversations take place on company devices like company-owned computers and telephones. Anti-discrimination laws, like the Americans with Disabilities Act (ADA), may stop employers from using BCI results in hiring and firing decisions if the results reflect a disability. 

Federal, state, and local student data laws may grant rights to students and parents while imposing requirements on schools and neurotech companies with respect to the processing of personal neurodata. BCI use may be impacted by the Family Educational Rights and Privacy Act (FERPA), which protects education records—including biometric education records—at schools that receive federal funding. A student’s personal neurodata could be part of this record and would therefore receive FERPA protections. These protections include rights for parents and children over 17 years, and obligations on schools. All 50 states and Washington, DC have introduced student privacy legislation, and some could impact BCI use in schools. District and school-level rules may also affect neurodata collection and processing. 

Self-regulatory initiatives: Beyond laws and agency enforcement, voluntary self-regulation also impacts the use of BCIs. Neuromarketing is an example of this, where the Neuromarketing Science & Business Association’s (NMSBA’s) Code of Ethics identifies several commitments, ranging from consent to transparency, that organizations should follow when using BCIs for neuromarketing purposes.

V. Conclusion

Commercial and government BCIs could deliver dividends ranging from novel gaming experiences to more efficient workforces. However, such applications also create privacy risks. While the law could affect how these technologies are used, the scope of existing rules means that certain applications of BCIs are not addressed by current regulatory structures.

Read the next blog post in the series: Technical and Policy Recommendations to Mitigate Privacy Risks

Privacy Best Practices for Rideshare Drivers Using Dashcams

FPF & Uber Publish Guide Highlighting Privacy Best Practices for Drivers who Record Video and Audio on Rideshare Journeys

FPF and Uber have created a guide for US-based rideshare drivers who install “dashcams” – video cameras mounted on a vehicle’s dashboard or windshield. Many drivers install dashcams to improve safety, security, and accountability; the cameras can capture crashes or other safety-related incidents outside and inside cars. Dashcam footage can be helpful to drivers, passengers, insurance companies, and others when adjudicating legal claims. At the same time, dashcams can pose substantial privacy risks if appropriate safeguards are not in place to limit the collection, use, and disclosure of personal data. 

Dashcams typically record video outside a vehicle. Many dashcams also record in-vehicle audio and some record in-vehicle video. Regardless of the particular device used, ride-hail drivers who use dashcams must comply with applicable audio and video recording laws.

The guide explains relevant laws and provides practical tips to help drivers be transparent, limit data use and sharing, retain video and audio only for practical purposes, and use strict security controls. The guide highlights ways that drivers can employ physical signs, in-app notices, and other means to ensure passengers are informed about dashcam use and can make meaningful choices about whether to travel in a dashcam-equipped vehicle. Drivers seeking advice concerning specific legal obligations or incidents should consult legal counsel.

Privacy best practices for dashcams include: 

  1. Give individuals notice that they are being recorded
    • Place recording notices inside and on the vehicle.
    • Mount the dashcam in a visible location.
    • Consider, in some situations, giving an oral notification that recording is taking place.
    • Determine whether the ride sharing service provides recording notifications in the app, and utilize those in-app notices.
  2. Only record audio and video for defined, reasonable purposes
    • Only keep recordings for as long as needed for the original purpose.
    • Inform passengers as to why video and/or audio is being recorded.
  3. Limit sharing and use of recorded footage
    • Only share video and audio with third parties for relevant reasons that align with the original reason for recording.
    • Thoroughly review the rideshare service’s privacy policy and community guidelines if using an app-based rideshare service, and be aware that many rideshare companies maintain policies against widely disseminating recordings.
  4. Safeguard and encrypt recordings and delete unused footage
    • Identify dashcam vendors that provide the highest privacy and security safeguards.
    • Carefully read the terms and conditions when buying dashcams to understand the data flows.

Uber will be making these best practices available to drivers in their app and website. 

Many ride-hail drivers use dashcams in their cars, and the guidance and best practices published today provide practical guidance to help drivers implement privacy protections. But driver guidance is only one aspect of ensuring individuals’ privacy and security when traveling. Dashcam manufacturers must implement privacy-protective practices by default and provide easy-to-use privacy options. At the same time, ride-hail platforms must provide drivers with the appropriate tools to notify riders, and carmakers must safeguard drivers’ and passengers’ data collected by OEM devices.

In addition, dashcams are only one example of increasingly sophisticated sensors appearing in passenger vehicles as part of driver monitoring systems and related technologies. Further work is needed to apply comprehensive privacy safeguards to emerging technologies across the connected vehicle sector, from carmakers and rideshare services to mobility services providers and platforms. Comprehensive federal privacy legislation would be a good start. And in the absence of Congressional action, FPF is doing further work to identify key privacy risks and mitigation strategies for the broader class of driver monitoring systems that raise questions about technologies beyond the scope of this dashcam guide.

The State of Play – Issue Brief: COPPA 101

The Children’s Online Privacy Protection Act (COPPA), enacted by Congress in 1998, aims to give parents more control over the information collected about their children online. The law requires operators of games, websites, apps, and other online services catered to users under the age of 13 to obtain permission from a child’s parent before collecting information about them. Protected data includes a child’s personal details, such as name, home address, email address, and phone number; geo-location information; online activity tracking data; and photo, video, and audio files. 

Critics argue that COPPA – which predates the invention of social media networks, video sharing websites, and smartphones – has become “hopelessly outdated,” is “toothless,” and “long overdue for improvements.” The most common sources of this criticism are COPPA’s “actual knowledge” requirement and its use of age 13 as the effective “age of adulthood” online. This is not a universal determination; both California and the European Union have recently implemented data protection laws that raise the age of consent for children to 16.

Because of this age determination, most social media companies require users to be 13 to create an account, yet about half of parents of children ages 10-12 and one-third of parents of children ages 7-9 report their child used social media in the first half of 2021. Social media companies claim it is difficult to know the age of their users; other advocates argue “they have the data.” Regardless, it has “led to millions of kids lying about their age online” and significant fines for YouTube and Musical.ly, the app that became TikTok.

While COPPA may be “long overdue for improvements,” it is the law currently in effect, and operators rely on a mechanism known as Verifiable Parental Consent, or VPC, to remain in compliance. The FTC has approved seven different methods for obtaining consent, including the use of a video conference, signed form, credit/debit card, and photo comparison; while operators are not required to use one of the approved methods, most do out of an abundance of caution to avoid a potential FTC fine and/or lawsuit. However, VPC presents a number of challenges that we will dive deeper into in upcoming issue briefs. Check out this infographic to learn more about VPC and some common friction points.

Interest in children’s online privacy and safety is high and likely to continue to grow in the coming months. Congressional activity is picking up, and the FTC’s latest review of the COPPA rule is ongoing, with a draft rule expected at some point in 2022. Policymakers must understand the current state of play for kids online as they continue to have these important discussions, and we welcome the opportunity to discuss these issues further. Please feel free to contact us here at any time. 

BCIs & Data Protection in Healthcare: Data Flows, Risks, and Regulations


This post is the second in a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.

Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed it, read the first blog post in this series, which unpacks BCI technology. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.

I. Introduction: What are BCIs?

BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs). 

BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.

Facilitating Diagnoses: BCIs can be used to help make certain diagnoses by providing a means for practitioners to quantify fatigue, identify depression, and measure stress. Diagnostic BCIs can also assist even when a patient is unable to provide responses. These situations may occur when patients experience disorders of consciousness, such as locked-in syndrome, whereby individuals are fully conscious but unable to move, speak, or explain how they are feeling. Additionally, current research efforts focus on BCI applications that diagnose the stage and advancement of progressive conditions, such as glaucoma.

Modulating the Brain to Treat or Overcome Conditions: While diagnosis typically involves simply recording brain activity, other health-related BCI uses may actively modulate patients’ brains and nervous systems. For example, brain modulation can be used to disrupt seizures for epilepsy patients. Recent advances in interventive BCI modulation include a vision restoration study in which the image bypasses the eye and the optic nerve in order to feed directly to the brain—resulting in low-resolution vision capabilities.

Improving Accessibility and Rehabilitation Opportunities: The latest prosthetic limbs (i.e., neuroprosthetics) rely on BCIs, which enable the limbs to move in response to thought stimuli. Examples of this BCI application include robotic arms, as well as BCI-powered automatic wheelchairs. User control over neuroprosthetics and personal devices is operated by BCIs collecting neurodata about intended limb movements or an activity associated with what the user wants to do. An example of the latter involves users thinking of physical activities like “eating,” rather than specific words like “table,” to direct their chair to a nearby object. BCIs can also act as the channel for providing haptic feedback or haptic sensory replacement within prosthetics and exoskeletons for purposes of patient rehabilitation, regaining sensation, and an increased ability for patients to perform previously inaccessible tasks.

There are also efforts to connect BCIs with smart devices and the Internet of things (IoT), which could provide individuals experiencing neurological disorders or motor impairments with greater independence in the ability to perform daily living activities. These efforts could improve or sustain a user’s quality of life through increased accessibility within their home environment.

Beyond Medicine – BCIs and Commercial Wellness: BCIs are also starting to emerge in the commercial wellness space as a method of personal data tracking, intended as a means of improving cognitive abilities (such as attention) and/or mental and physical health (such as sleep monitoring). Many of these wellness BCIs overlap with functions included in the gaming and toy space. The NeuroSky Mindwave Mobile 2: Brainwave Starter Kit provides the user with information about their brain’s electrical impulses when relaxing and when listening to music. The product includes an EEG-fitted headband and connects to companion apps via Bluetooth. The device also provides training games purported to improve meditation and attention and to enhance the user’s learning effectiveness. Further, the device includes tools for players to create their own brain-training games.

Security Breaches: Security breaches are some of the most prominent risks in the health BCI space. Like other technology-based medical devices, BCIs are vulnerable to cyber risks. Researchers recently showed that hackers, through imperceptible noise variations of an EEG signal, could force BCIs to spell out certain words that do not align with the wearer’s actual thoughts or intentions. The consequences of these security vulnerabilities can range from user frustration to severe misdiagnosis and physical harm. Breaches of BCIs may also compromise sensitive health information that could be captured or inadvertently shared.

BCI Accuracy: An equally important risk among health-related BCIs is the extent to which device accuracy is verifiable and sufficient. In many applications, high reliability of medical BCIs is critical because inaccurate interpretation or modulation of a patient’s brain could result in serious consequences, including death. Patients relying on modulating BCIs to help mitigate cognitive disorders, such as epilepsy, could suffer grave health consequences if the BCI failed to work as intended and anticipated. Risks are particularly acute when patients rely on BCIs to communicate crucial information, such as their choices regarding treatment or even end-of-life decisions. Accuracy is also crucial to reliable, continuous accessibility, as prosthetic limbs, wheelchairs, and other devices controlled via BCIs must operate correctly and safely according to users’ intentions.

Infringement on Mental Privacy and BCI-informed Decision Making: Finally, BCIs also present privacy risks. These risks refer to unauthorized access to personal information, including the inferences drawn from an individual’s conscious or unconscious behaviors and intentions. In addition to the existing privacy risks around all personal health data, BCIs raise new mental privacy risks due to the capacity of the neural networks underpinning many of these devices to associate certain thoughts and the ability of BCIs to define and interpret subconscious or causally-connected intentions on a wider scale. For example, a BCI-controlled wheelchair and its underlying neural network might not only deduce that the user is thinking about food, therefore directing the chair to move toward the table, but also draw other conclusions about the individual’s biology and preferences, such as whether or not an individual is hungry or thirsty and at what times. These additional inferences capture new information about an individual’s thoughts, intentions, or interests, many of which are related to an individual’s specific biology and unique preferences.

Privacy risks are magnified when these new inferences are combined with other personal information to make decisions that impact the person’s life, potentially without their knowledge or consent. Organizations collecting and processing brain signals, leading to granular inferences tied to an individual, could have incentives to repurpose this data for unrequested treatments or non-medical purposes, many of which may expose potentially sensitive biological information to third parties. Additionally, the sharing of patient data associated with BCI use could potentially disclose an individual’s medical condition to employers, private companies, public entities, or governments.

IV. Some Health BCIs are Subject to Common Rule Requirements, FCC Oversight, or International Frameworks

Common Rule: Some of the advancements in health BCIs involve human subject research, which is governed by a complex regulatory framework. U.S. researchers whose projects are federally funded are typically required to obtain subjects’ informed consent for data collection based on approval from a Common Rule-based Institutional Review Board (IRB) prior to undertaking studies.

FCC Oversight: Wireless IoT BCI devices are likely subject to Federal Communications Commission (FCC) oversight because of their designation as connected wearables. However, given the lack of regulations around consumer wellness technologies, devices marketed outside of the physician-regulated context—such as brain training games and meditation-aiding devices—may lack strict oversight. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates covered entities such as physicians and health insurers that collect, use, process, and share health information, but does not usually apply to wellness device companies.

International Frameworks: In Europe, the General Data Protection Regulation (GDPR) is the applicable framework for any processing of personal data for the purposes of scientific research, including where the research relies on special categories of personal data, such as data related to health, and biometric data processed for identification. There are several lawful grounds for processing under Article 6(1) that would allow the necessary processing of personal data for BCI research, as well as several permissions under Article 9(2) for the use of sensitive personal data. In some situations, this could allow data controllers to conduct this type of research even without individual consent for the processing of the data, specifically when sensitive data is necessary for public health purposes or for research in the public interest; however, there are many complexities surrounding this sort of processing, with the European Data Protection Board (EDPB) expected to adopt Guidelines on processing of personal data for scientific research purposes in the near future. Given the complexities surrounding privacy in human subject research, health researchers and other stakeholders seeking to develop or adopt BCIs must understand and verify how the product fits into this shifting regulatory landscape.

The EU’s recently proposed draft AI regulation covers all AI systems, including those relying on biometric data—and is likely to be relevant for future regulation of personal neurodata, significantly altering the regulatory landscape around BCIs and neurotech. It specifically focuses on AI systems that pose high risks to individuals’ “health, safety and fundamental rights.” BCIs that might be considered “high risk” AI systems under the proposed regulation could trigger requirements prior to entering the market, such as going through a conformity assessment, adoption of adequate risk assessment, security guarantees, and adequate notice to the user, among others. If considered a “low risk” system, organizations would still have to fulfill transparency requirements. The full scope and impact of the EU’s AI regulation on the development and use of BCIs remains subject to the ongoing legislative process.

V. Conclusion

Health BCIs are set to influence and potentially improve healthcare by expanding accessibility and rehabilitation opportunities, as well as by giving medical practitioners new ways to diagnose and treat conditions. However, these applications are not without risk. The data flows that underpin medical BCIs raise privacy considerations, as well as risks in regard to how neurodata is secured and whether such data is accurate. Companies dealing with medical BCIs must remain abreast of these challenges and analyze how medical BCIs interact with a dynamic, global body of regulation.   

Read the next blog post in the series: BCI Commercial and Government Use & Data Protection: Gaming, Education, Employment, and More

Understanding why the first pieces fell in the transatlantic transfers domino

The Austrian DPA and the EDPS decided EU websites placing US cookies breach international data transfer rules 

Two decisions issued by Data Protection Authorities (DPAs) in Europe and published in the second week of January 2022 found that two websites, one run by a contractor of the European Parliament (EP), and the other one by an Austrian company, have unlawfully transferred personal data to the US merely by placing cookies (Google Analytics and Stripe) provided by two US-based companies on the devices of their visitors. Both decisions looked into the transfers safeguards put in place by the controllers (the legal entities responsible for the websites), and found them to be either insufficient – in the case against the EP, or ineffective – in the Austrian case. 

Both decisions affirm that all transfers of personal data from the EU to the US need “supplemental measures” on top of their Article 46 GDPR safeguards, in the absence of an adequacy decision and under the current US legal framework for government access to personal data for national security purposes, as assessed by the Court of Justice of the EU in its 2020 Schrems II judgment. Moreover, the Austrian case indicates that in order to be effective, the supplemental measures adduced to safeguard transfers to the US must “eliminate the possibility of surveillance and access [to the personal data] by US intelligence agencies”, seemingly putting to rest the idea of the “risk based approach” in international data transfers post-Schrems II.

This piece analyzes the two cases comparatively, considering they have many similarities other than their timing: they both target widely used cookies (Google Analytics, in addition to Stripe in the EP case), they both stem from complaints where individuals are represented by the Austrian NGO noyb, and it is possible that they will be followed by similar decisions from the other DPAs that received a batch of 101 complaints in August 2020 from the same NGO, relying on identical legal arguments and very similar facts. This piece analyzes the most important findings made by the two regulators, showing how their analyses were in sync and how these analyses likely preface similar decisions for the rest of the complaints.

1. “Personal data” is being “processed” through cookies, even if users are not identified and even if the cookies are thought to be “inactive”

In the first decision, the European Data Protection Supervisor (EDPS) investigated a complaint made by several Members of the European Parliament against a website made available by the EP to its Members and staff in the context of managing COVID-19 testing. The complainants raised concerns with regard to transfers of their personal data to the US through cookies provided by US-based companies (Google and Stripe) and placed on their devices when accessing the COVID-19 testing website. The case was brought under the Data Protection Regulation for EU Institutions (EUDPR), which has identical definitions and overwhelmingly similar rules to the GDPR.

One of the key issues that was analyzed in order for the case to be considered falling under the scope of the EUDPR was whether personal data was being processed through the website by merely placing cookies on the devices of those who accessed it. Relying on its 2016 Guidelines on the protection of personal data processed through Web Services, the EDPS noted in the decision that “tracking cookies, such as the Stripe and Google Analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection”. It also noted that “all records containing identifiers that can be used to single out users, are considered as personal data under the Regulation and must be treated and protected as such”. 

The EP argued in one of its submissions to the regulator that the Stripe cookie “had never been active, since registration for testing for EU Staff and Members did not require any form of payment”. However, the EP also confirmed that the dedicated COVID-19 testing website, which was built by its contractor, copied code from another website run by the same contractor, and “the parts copied included the code for a cookie from Stripe that was used for online payment for users” of the other website. In its decision, the EDPS highlighted that “upon installation on the device, a cookie cannot be considered ‘inactive’. Every time a user visited [the website], personal data was transferred to Stripe through the Stripe cookie, which contained an identifier. (…) Whether Stripe further processed the data transferred through the cookie is not relevant”. 

With regard to the Google Analytics cookies, the EDPS only notes that the EP (as controller) acknowledged that the cookies “are designed to process ‘online identifiers, including cookie identifiers, internet protocol addresses and device identifiers’ as well as ‘client identifiers’”. The regulator concluded that personal data were therefore transferred “through the above-mentioned trackers”.  

In the second decision, which concerned the use of Google Analytics by a website owned by an Austrian company and targeting Austrian users, the DPA argued in more detail what led it to find that personal data was being processed by the website through Google Analytics cookies, under the GDPR. 

1.1 Cookie identification numbers, by themselves, are personal data

The DPA found that the cookies contained identification numbers, including a UNIX timestamp at the end, which shows when a cookie was set. It also noted that the cookies were placed either on the device or the browser of the complainant. The DPA affirmed that relying on these identification numbers makes it possible for both the website and Google Analytics “to distinguish website visitors … and also to obtain information as to whether the visitor is new or returning”. 

In its legal analysis, the DPA noted that “an interference with the fundamental right to data protection … already exists if certain entities take measures – in this case, the assignment of such identification numbers – to individualize website visitors”. Analyzing the “identifiability” component of the definition of “personal data” in the GDPR, and relying on its Recital 26, as well as on Article 29 Working Party Opinion 4/2007 on the concept of “personal data”, the DPA clarified that “a standard of identifiability to the effect that it must also be immediately possible to associate such identification numbers with a specific natural person – in particular with the name of the complainant – is not required” for data thus processed to be considered “personal data”. 

The DPA also recalled that “a digital footprint, which allows devices and subsequently the specific user to be clearly individualized, constitutes personal data”. The DPA concluded that the identification numbers contained in the cookies placed on the complainant’s device or browser are personal data, highlighting their “uniqueness”, their ability to single out specific individuals and rebutting specifically the argument the respondents made that no means are in fact used to link these numbers to the identity of the complainant. 

1.2 Cookie identification numbers combined with other elements are additional personal data

However, the DPA did not stop here and continued at length in the following sections of the decision to underline why placing the cookies at issue when accessing the website constitutes processing of personal data. It noted that the classification as personal data “becomes even more apparent if one takes into account that the identification numbers can be combined with other elements”, like the address and HTML title of the website and the subpages visited by the complainant; information about the browser, operating system, screen resolution, language selection and the date and time of the website visit; the IP address of the device used by the complainant. The DPA considers that “the complainant’s digital footprint is made even more unique following such a combination [of data points]”. 

The “anonymization function of the IP address” – which is a function that Google Analytics provides to users if they wish to activate it – was expressly set aside by the DPA, considering that during fact finding it was shown the function was not correctly implemented by the website at the time of the complaint. However, later in the decision, with regard to the same function and the fact that it was not implemented by the website, the regulator noted that “the IP address is in any case only one of many pieces of the puzzle of the complainant’s digital footprint”, hinting therefore that even if the function had been correctly implemented, it would not necessarily have led to the conclusion that the data being processed was not personal.
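To make sections 1.1 and 1.2 concrete, here is an added Python example (not code from the decisions, the parties, or FPF) that models an analytics cookie value in the GA1.&lt;level&gt;.&lt;random&gt;.&lt;unix timestamp&gt; layout the text describes, the IP-anonymization behaviour the DPA refers to (last IPv4 octet or last 80 IPv6 bits zeroed, as Google documents), and how a constructed set of visits becomes more individualized once the cookie identifier is combined with browser attributes. The cookie layout is an assumption for illustration; all visit records, addresses and cookie values are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: none of these values come from the case files.
UA_A = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/80.0"
UA_B = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"


@dataclass(frozen=True)
class Visit:
    cookie: Optional[str]  # analytics cookie value; None on a first visit
    ip: str
    user_agent: str
    screen: str
    lang: str


def parse_cookie_id(cookie: str) -> Tuple[str, int]:
    """Split an assumed GA1.<level>.<random>.<timestamp> value into the
    identification number and the UNIX time at which the cookie was set."""
    parts = cookie.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        raise ValueError(f"unexpected cookie layout: {cookie!r}")
    return parts[2], int(parts[3])


def is_returning_visitor(cookie: Optional[str], visit_ts: int) -> bool:
    """The trailing timestamp lets the operator tell new from returning visitors."""
    if cookie is None:
        return False
    _, set_ts = parse_cookie_id(cookie)
    return set_ts < visit_ts


def anonymize_ip(ip: str) -> str:
    """IP anonymization as documented for Google Analytics: zero the last
    octet of an IPv4 address or the last 80 bits of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.ip_address(int(addr) & 0xFFFFFF00))
    return str(ipaddress.ip_address(int(addr) & (((1 << 48) - 1) << 80)))


def footprint(v: Visit, *, with_cookie: bool, anonymize: bool) -> tuple:
    """The 'digital footprint' the DPA describes: address, browser, OS,
    screen, language, optionally combined with the cookie identification number."""
    ip = anonymize_ip(v.ip) if anonymize else v.ip
    fp = (ip, v.user_agent, v.screen, v.lang)
    if with_cookie and v.cookie is not None:
        fp += (parse_cookie_id(v.cookie)[0],)
    return fp


def singled_out(visits, **opts) -> int:
    """How many visits carry a footprint shared with no other visit in the sample,
    i.e. how many visitors can be individualized from these attributes alone."""
    counts = Counter(footprint(v, **opts) for v in visits)
    return sum(1 for v in visits if counts[footprint(v, **opts)] == 1)


# Five constructed visits: four from the same ISP range with identical browser
# settings (two returning with cookies, two first-time), one unrelated visitor.
SAMPLE = [
    Visit("GA1.2.1083924117.1597363200", "203.0.113.42", UA_A, "1920x1080", "de-AT"),
    Visit("GA1.2.1577062341.1597366800", "203.0.113.57", UA_A, "1920x1080", "de-AT"),
    Visit(None, "203.0.113.99", UA_A, "1920x1080", "de-AT"),
    Visit(None, "203.0.113.120", UA_A, "1920x1080", "de-AT"),
    Visit("GA1.2.2224851932.1597360000", "198.51.100.8", UA_B, "1366x768", "en-GB"),
]

if __name__ == "__main__":
    # Full IPs alone individualize everyone; anonymized IPs plus browser data
    # collapse the four similar visitors together; adding the cookie identification
    # numbers individualizes the returning ones again despite the anonymized IP.
    print("full IP, no cookie id:      ", singled_out(SAMPLE, with_cookie=False, anonymize=False))
    print("anonymized IP, no cookie id:", singled_out(SAMPLE, with_cookie=False, anonymize=True))
    print("anonymized IP + cookie id:  ", singled_out(SAMPLE, with_cookie=True, anonymize=True))
```

The third figure is the DPA's "only one piece of the puzzle" point in numbers: once the identification number is part of the footprint, masking the IP address no longer prevents the returning visitors from being singled out.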

1.3 Controllers and other persons “with lawful means and justifiable effort” will count for the identifiability test

Drilling down even more on the notion of “identifiability” in a dedicated section of the decision, the DPA highlights that in order for the data processed through the cookies at issue to be personal, “it is not necessary that the respondents can establish a personal reference on their own, i.e. that all information required for identification is with them. […] Rather, it is sufficient that anyone, with lawful means and justifiable effort, can establish this personal reference”. Therefore, the DPA took the position that “not only the means of the controller [the website in this case] are to be taken into account in the question of identifiability, but also those of ‘another person’”.

After recalling that the CJEU repeatedly found that “the scope of application of the GDPR is to be understood very broadly” (e.g. C-439/19 B, C-434/16 Nowak, C-553/07 Rijkeboer), the DPA nonetheless stated that in its opinion, the term “anyone” it referred to above, and thus the scope of the definition of personal data, “should not be interpreted so broadly that any unknown actor could theoretically have special knowledge to establish a reference; this would lead to almost any information falling within the scope of application of the GDPR and a demarcation from non-personal data would become difficult or even impossible”.

This being said, the DPA considers that the “decisive factor is whether identifiability can be established with a justifiable and reasonable effort”. In the case at hand, the DPA considers that there are “certain actors who possess special knowledge that makes it possible to establish a reference to the complainant and identify him”. These actors are, from the DPA’s point of view, certainly the provider of the Google Analytics service and, possibly, the US authorities in the national security area. As for the provider of Google Analytics, the DPA highlights that, first of all, the complainant was logged in with his Google account at the time of visiting the website.

The DPA indicates this is a relevant fact only “if one takes the view that the online identifiers cited above must be assignable to a certain ‘face’”. The DPA finds that such an assignment to a specific individual is in any case possible in the case at hand. As such, the DPA states that: “[…] if the identifiability of a website visitor depends only on whether certain declarations of intent are made in the account (user’s Google account – our note), then, from a technical point of view, all possibilities of identifiability are present”, since, as noted by the DPA, otherwise Google “could not comply with a user’s wishes expressed in the account settings for ‘personalization’ of the advertising information received”. It is not immediately clear how the ad preferences expressed by a user in their personal account are linked to the processing of data for Google Analytics (and thus website traffic measurement) purposes, and it seems that this was used in the argumentation to substantiate the claim that the second respondent generally has additional knowledge across its various services that could lead to the identification or the singling out of the website visitor.  

However, following the arguments of the DPA, on top of the autonomous finding that cookie identification numbers are personal data, it seems that even if the complainant had not been logged into his account, the data processed through the Google Analytics cookies would still have been considered personal. In this context, the DPA “expressly” notes that “the wording of Article 4(1) of the GDPR is unambiguous and is linked to the ability to identify and not to whether identification is ultimately carried out”.

Moreover, “irrespective of the second respondent” – so even if Google admittedly did not have any possibility or ability to render the complainant identifiable or to single him out, other third parties in this case were considered to have the potential ability to identify the complainant: US authorities.

1.4 Additional information potentially available to US intelligence authorities, taken into account for the identifiability test

Lastly, according to the decision, the US authorities in the national security area “must be taken into account” when assessing the potential of identifiability of the data processed through cookies in this case. The DPA considers that “intelligence services in the US take certain online identifiers, such as the IP address or unique identification numbers, as a starting point for monitoring individuals. In particular, it cannot be ruled out that intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.” 

To show that this is not merely a “theoretical danger”, the DPA relies on the findings of the CJEU in Schrems II with regard to the US legal framework and the “access possibilities” it offers to authorities, and on Google’s Transparency Report, “which proves that data requests are made to [it] by US authorities.” The regulator further decided that even if it is admittedly not possible for the website to check whether such access requests are made in individual cases and with regard to the visitors of the website, “this circumstance cannot be held against affected persons, such as the complainant. Thus, it was ultimately the first respondent as the website operator who, despite publication of the Schrems II judgment, continued to use the Google Analytics tool”. 

Therefore, based on the findings of the Austrian DPA in this case, at least two of the “any persons” mentioned in Recital 26 GDPR that will be considered when deciding who can have lawful means to identify data so that the data is deemed personal are the processor of a specific processing operation, as well as the national security authorities that may have access to that data, at least in cases where this access is relevant (like in international data transfers). This latter finding of the DPA raises the question of whether national security agencies in general in a specific jurisdiction may be considered by DPAs as an actor who has “lawful means” and additional knowledge when deciding if a data set links to an “identifiable” person, also in cases where international data transfers are not at issue.

The DPA concluded that the data processed by the Google Analytics cookies is personal data and falls under the scope of the GDPR. Importantly, the cookie identification numbers were found to be personal data by themselves. Additionally, the other data elements potentially collected through cookies together with the identification numbers are also personal data.

2. Data transfers to the US are taking place by placing cookies provided by US-based companies on EU-based websites

Once the supervisory authorities established that the data processed through the Google Analytics and Stripe cookies were personal data covered by the GDPR and the EUDPR respectively, they had to ascertain whether an international transfer of personal data from the EU to the US was taking place in order to see whether the provisions relevant to international data transfers were applicable.

The EDPS was again concise. It stated that because the personal data were processed by two entities located in the US (Stripe and Google LLC) on the EP website, “personal data processed through them were transferred to the US”. The regulator strengthened its finding by stating that this conclusion “is reinforced by the circumstances highlighted by the complainants, according to which all data collected through Google Analytics is hosted (i.e. stored and further processed) in the US”. For this particular finding, the EDPS referred, under footnote 27 of the decision, to the proceedings in Austria “regarding the use of Google Analytics in the context of the 101 complaints filed by noyb on the transfer of data to the US when using Google Analytics”, in an evident indication that the supervisory authorities are coordinating their actions. 

In turn, the Austrian DPA applied the criteria laid out by the EDPB in its draft Guidelines 5/2021 on the relationship between the scope of Article 3 and Chapter V GDPR, and found that all the conditions are met. The administrator of the website is the controller and it is based in Austria, and, as data exporter, it “disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website and as a direct result of this implementation, among other things, a data transfer to the second respondent to the US took place”. The DPA also noted that the second respondent, in its capacity as processor and data importer, is located in the US. Hence, Chapter V of the GDPR and its rules for international data transfers are applicable in this case. 

However, it should also be highlighted that, as part of fact finding in this case, the Austrian DPA noted that the version of Google Analytics subject to this case was provided by Google LLC (based in the US) until the end of April 2021. Therefore, for the facts of the case which occurred in August 2020, the relevant processor and eventual data importer was Google LLC. But the DPA also noted that since the end of April 2021, Google Analytics has been provided by Google Ireland Limited (based in Ireland). 

One important question that remains for future cases is whether, under these circumstances, the DPA would find that an international data transfer occurred, considering the criteria laid out in the draft EDPB Guidelines 5/2021, which specifically require (at least in the draft version, currently subject to public consultation) that “the data importer is located in a third country”, without any further specifications related to corporate structures or location of the means of processing. 

2.1 In the absence of an adequacy decision, all data transfers to the US based on “additional safeguards”, like SCCs, need supplementary measures 

After establishing that international data transfers occurred from the EU to the US in the cases at hand, the DPAs assessed the lawful ground for transfers used. 

The EDPS noted that EU institutions and bodies “must remain in control and take informed decisions when selecting processors and allowing transfers of personal data outside the EEA”. It followed that, absent an adequacy decision, they “may transfer personal data to a third country only if appropriate safeguards are provided, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”. Noting that the use of Standard Contractual Clauses (SCCs) or another transfer tool does not substitute for the individual case-by-case assessments that must be carried out in accordance with the Schrems II judgment, the EDPS stated that EU institutions and bodies must carry out such assessments “before any transfer is made”, and, where necessary, they must implement supplemental measures in addition to the transfer tool.

The EDPS recalled some of the key findings of the CJEU in Schrems II, in particular the fact that “the level of protection of personal data in the US was problematic in view of the lack of proportionality caused by mass surveillance programs based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333 read in conjunction with Presidential Policy Directive (PPD) 28 and the lack of effective remedies in the US essentially equivalent to those required by Article 47 of the Charter”. 

Significantly, the supervisory authority then affirmed that “transfers of personal data to the US can only take place if they are framed by effective supplementary measures in order to ensure an essentially equivalent level of protection for the personal data transferred”. Since the EP did not provide any evidence or documentation about supplementary measures being used on top of the SCCs it referred to in the privacy notice on the website, the EDPS found the transfers to the US to be unlawful.

Similarly, the Austrian DPA in its decision recalled that the CJEU “already dealt” with the legal framework in the US in its Schrems II judgment, as based on the same three legal acts (Section 702 FISA, EO 12333, PPD 28). The DPA merely noted that “it is evident that the second respondent (Google LLC – our note) qualifies as a provider of electronic communications services” within the meaning of FISA Section 702. Therefore, it has “an obligation to provide personally identifiable information to US authorities pursuant to 50 US Code §1881a”. Again, the DPA relied on Google’s Transparency Report to show that “such requests are also regularly made to it by US authorities”. 

Considering the legal framework in the US as assessed by the CJEU, just like the EDPS did, the Austrian DPA also concluded that the mere entering into SCCs with a data importer in the US cannot be assumed to ensure an adequate level of protection. Therefore, “the data transfer at issue cannot be based solely on the standard data protection clauses concluded between the respondents”. Hence, supplementary measures must be adduced on top of the SCCs. The Austrian DPA relied significantly on the EDPB Recommendation 1/2020 on measures that supplement transfer tools when analyzing the available supplementary measures put in place by the respondents. 

2.2 Supplementary measures must “eliminate the possibility of access” of the government to the data, in order to be effective

When analyzing the various measures put in place to safeguard the personal data being transferred, the DPA wanted to ascertain “whether the additional measures taken by the second respondent close the legal protection gaps identified in the CJEU [Schrems II] ruling – i.e. the access and monitoring possibilities of US intelligence services”. Setting this as a target, it went on to analyze the individual measures proposed.

The contractual and organizational supplementary measures considered in the case:

The DPA considered that “it is not discernable” to what extent these measures are effective to close the protection gap, taking into account that the CJEU found in the Schrems II judgment that even “permissible (i.e. legal under US law) requests from US intelligence agencies are not compatible with the fundamental right to data protection under Article 8 of the EU Charter of Fundamental Rights”. 

The technical supplementary measures considered were:

With regard to encryption as one of the supplementary measures being used, the DPA took into account that a data importer covered by Section 702 FISA, as is the case in the current decision, “has a direct obligation to provide access to or surrender such data”. The DPA considered that “this obligation may expressly extend to the cryptographic keys without which the data cannot be read”. Therefore, it seems that as long as the keys are kept by the data importer and the importer is subject to the US law assessed by the CJEU in Schrems II (FISA Section 702, EO 12333, PPD 28), encryption will not be considered sufficient.

As for the argument that the personal data being processed through Google Analytics is “pseudonymous” data, the DPA rejected it relying on findings made by the Conference of German DPAs that the use of cookie IDs, advertising IDs, and unique user IDs does not constitute pseudonymization under the GDPR, since these identifiers “are used to make the individuals distinguishable and addressable”, and not to “disguise or delete the identifying data so that data subjects can no longer be addressed” – which the Conference considers to be one of the purposes of pseudonymization.

Overall, the DPA found that the technical measures proposed were not enough because the respondents did not comprehensively explain (therefore, the respondents had the burden of proof) to what extent these measures “actually prevent or restrict the access possibilities of US intelligence services on the basis of US law”. 

With this finding, highlighted also in the operative part of the decision, the DPA seems to de facto reject the “risk based approach” to international data transfers, which has been specifically invoked during the proceedings. This is a theory according to which, for a transfer to be lawful in the absence of an adequacy decision, it is sufficient to prove the likelihood of the government accessing personal data transferred on the basis of additional safeguards is minimal or reduced in practice for a specific transfer, regardless of the broad authority that the government has under the relevant legal framework to access that data and regardless of the lack of effective redress. 

The Austrian DPA is technically taking the view that it is not sufficient to reduce the risk of access to data in practice, as long as the possibility to access personal data on the basis of US law is actually not prevented, or in other words, not eliminated. This conclusion is apparent also from the language used in the operative part of the decision, where the DPA summarizes its findings as such: “the measures taken in addition to the SCCs … are not effective because they do not eliminate the possibility of surveillance and access by US intelligence agencies”. 

If other DPAs confirm this approach for transfers from the EU to the US in their decisions, the list of potentially effective supplemental measures for transfers of personal data to the US will remain minimal – prima facie, it seems that nothing short of anonymization (per the GDPR standard) or any other technical measure that will effectively and physically eliminate the possibility of accessing personal data by US national security authorities will suffice under this approach. 

A key reminder here is that the list of supplementary measures detailed in the EDPB Recommendation concerns all international data transfers based on additional safeguards, to all third countries in general, in the absence of an adequacy decision. In the decision summarized here, the supplementary measures found to be ineffective concern their ability to cover “gaps” in the level of data protection of the US legal framework, as resulting from findings of the CJEU with regard to three specific legal acts (FISA Section 702, EO 12333 and PPD 28). Therefore, the supplementary measures discussed and their assessment may be different for transfers to another jurisdiction.

2.3 Are data importers liable for the lawfulness of the data transfer?

One of the most consequential findings of the Austrian DPA that may have an impact on international data transfers cases moving forward is that “the requirements of Chapter V of the GDPR must be complied with by the data exporter, but not by the data importer” – therefore, under this interpretation, the organizations that are on the receiving end of a data transfer, at least when they are a processor for the data exporter like in the present case, cannot be found in breach of the international data transfers obligations under the GDPR. The main argument used was that “the second respondent (as data importer) does not disclose the personal data of the complainant, but (only) receives them”. As a result, Google was found not to breach Article 44 GDPR in this case.

However, the DPA did consider that it is necessary to look further, and as part of separate proceedings, into how the second respondent complied with its obligations as a data processor, and in particular the obligation to process personal data on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, as detailed in Article 28(3)(a) and Article 29 GDPR.

3. Sanctions and consequences: Between preemptive deletion of cookies, reprimands and blocking transfers

Another commonality of the two decisions summarized is that neither of them resulted in a fine. The EDPS issued a reprimand against the European Parliament for several breaches of the EUDPR, including those related to international data transfers “due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were provided an essential equivalent level of protection”. It is significant to mention that the EP asked the website service provider to disable both Google Analytics and Stripe cookies in a matter of days after being contacted by the complainants on October 27, 2020. The cookies at issue were active between September 30, when the website became available, and November 4, 2020. 

In turn, the Austrian DPA found that “the Google Analytics tool (at least in the version of August 14, 2020) can thus not be used in compliance with the requirements of Chapter V GDPR”. However, as discussed above, the DPA found that only the website operator – as the data exporter – was in breach of Article 44 GDPR. The DPA decided not to issue a fine in this case.

However, the DPA is pursuing a ban on the data transfers or a similar order against the website, with some procedural complications. In the middle of the proceedings, the Austrian company that was in charge of managing the website transferred the responsibility of operating it to a company based in Germany, so the website is no longer under its control. But since the DPA noted that Google Analytics continued to be implemented on the website at the time of the decision, it resolved to refer the case to the competent German supervisory authority with regard to the possible use of remedial powers against the new operator.

Therefore, stopping the transfer of personal data to the US without appropriate safeguards seems to be the focus in these cases, rather than sanctioning the data exporters. The parties have the possibility to challenge both decisions before their respective competent Court and require a judicial review within a limited period of time, but there are no indications yet whether this will happen.

4. The big picture: 101 complaints and collaboration among DPAs

The decision published by the Austrian DPA is the first one in the 101 complaints that noyb submitted directly to 14 DPAs across Europe (EU and the European Economic Area) at the same time in August 2020, from Malta, to Poland, to Liechtenstein, with identical legal arguments centered on international data transfers to the US through the use of Google Analytics or Facebook Connect, and all against websites of local or national relevance – so most likely these complaints will be considered outside the One-Stop-Shop mechanism.

The bulk of the 101 complaints were submitted to the Austrian DPA (about 50), either immediately under its competence, as in the analyzed case, or as part of the One-Stop-Shop mechanism where the Austrian DPA acts as the concerned DPA from the jurisdiction where the complainant resides, which likely needed to forward the cases to the many lead DPAs in the jurisdictions where the targeted websites have their establishment. This way, even more DPAs will have to make a decision in these cases – from Cyprus, to Greece, to Sweden, Romania and many more. About a month after the identical 101 complaints were submitted, the EDPB decided to create a taskforce to “analyse the matter and ensure a close cooperation among the members of the Board”.

In contrast, the complaint against the European Parliament was not part of this set; it was submitted separately at a later date to the EDPS, but relying on similar arguments on the issue of international data transfers to the US through Google Analytics and Stripe cookies. Even if it was not part of the 101 complaints, it is clear that the authorities indeed cooperated or communicated, with the EDPS making a direct reference to the Austrian proceedings, as shown above.

In other signs of cooperation, both the Dutch DPA and the Danish DPA have published notices immediately after the publication of the Austrian decision to alert organizations that they may soon issue new guidance in relation to the use of Google Analytics, specifically referring to the Austrian case. Of note, the Danish DPA highlighted that “as a result of the decision of the Austrian DPA” it is now “in doubt whether – and how – such tools can be used in accordance with data protection law, including the rules on transfers of personal data to third countries”. It also called for a common approach of DPAs on this issue: “it is essential that European regulators have a common interpretation of the rules”, since data protection law “intends to promote the internal market”. 

In the end, the DPAs are applying findings from a judgment of the CJEU, which has ultimate authority in the interpretation of EU law that must be applied across all EU Member States. All this indicates that a series of similar decisions will likely be published successively in the short to medium term, with small chances of seeing significant variations. This is why the two cases summarized here can be seen as the first two dominoes to fall.

This domino effect, though, will not only be about the 101 cases and the specific cookies they target – it eventually concerns all US-based service providers and businesses that receive personal data from the EU potentially covered by the broad reach of FISA Section 702 and EO 12333; all EU-based organizations, from website operators, to businesses, schools, and public agencies, that use the services provided by the former or engage them as business partners, and disclose personal data to them; and it might as well affect all EU-based businesses that have offices and subsidiaries in the US and that make personal data available to these entities.

5 Tips for Protecting Your Privacy Online

Today, almost everything we do online involves companies collecting personal information about us. Personal data is collected and regularly used for a number of reasons – like when you use social media accounts, when you shop online or redeem digital coupons at the store, or when you search the internet. 

Sometimes, information is collected about you by one company, and then shared or sold to another. While data collection can offer benefits to both you and businesses – like connecting with friends, getting directions, or sales promotions – it can also be used in ways that are intrusive – unless you take control.

There are many ways you can protect your personal data and information and control how it is shared and used. On this Data Privacy Day – recognized annually on January 28 to mark the anniversary of Convention 108, the first binding international treaty to protect personal data – the Future of Privacy Forum and other organizations are raising awareness and promoting best practices for data privacy.

For the second year in a row, FPF is partnering with Snap to provide a privacy-themed Snap filter to spread awareness of the importance of data privacy to your networks. Scan the Snapcode below to check it out: 


Share the pictures you took using our interactive lens on social media using the hashtag #FPFDataPrivacyDay2022.

You should know that there are steps you can take to better protect your privacy online. Below, we’ve listed five tips you can follow to better protect your privacy when using your mobile device.

1. Check Your Privacy Settings 

Many social media sites include options for tailoring your privacy settings to limit the ways data is collected or used. Snap provides privacy options that control who can contact you, among many others. Start with the Snap Privacy Center to review your settings. You can find those choices here.

Snap provides options for you to view any data it has collected about you, including the date your account was created and the devices that have access to your account. Downloading your data allows you to view the types of information that have been collected and modify your settings accordingly.

Instagram allows you to manage a variety of privacy settings, including who has access to your posts, who can comment on or like your posts, and what happens to posts after you delete them. You can view and change your settings here.

TikTok allows you to choose between a public and a private account, decide which accounts can view your posted videos, and change your personalized ad settings. You can check your settings here.

Twitter allows you to manage whether it shares your information with third-party businesses, whether the site can track your internet browsing outside of Twitter, and whether you’d like ads to be tailored to you. Check your settings here.

Facebook provides a range of privacy settings that can be found here.

What other apps do you use often? Check to see which settings they provide!

2. Limit Sharing of Location Data

Most social media sites will ask for access to your location data. Do they need it for some obvious reason, like helping you with directions or showing you nearby friends? If not, feel free to say no. And be aware that location data is often used to tailor ads and recommendations based on locations you have recently visited. Allowing access to location services may also permit the sharing of location information with third parties.

Snap has a variety of ways to control who is able to view your location. On its settings page, you can select whether no one, just selected users, or all friends will be able to view your location on Snap Map. You can also choose to block individual users from viewing your location.

To check the location permissions allowed to social media sites on an iPhone or Android, follow the below steps.

iPhone

Android

3. Keep Your Devices & Apps Up to Date

Keeping software up to date is the only way to make sure that your device is protected against the latest known software vulnerabilities. Having the latest security software, web browser, and operating system installed is the best way to protect against various online threats. By enabling automatic updates on your devices, you can be sure that your apps and operating system are always up to date.

Users can check the status of their operating system in the Settings app. For iPhone users, navigate to “Software Update,” and for Android devices, look for the “Security” page in Settings.

4. Use a Password Manager

Using a strong, unique password for each web-based account you have helps ensure your personal data and information are protected from unauthorized use. It can be difficult to remember complex passwords for every account, and a password manager can help. Password managers save passwords as you create accounts and log in to them, often alerting you to any duplicates and suggesting a stronger password. For example, when signing up for new accounts and services, if you use an Apple product, you can allow your iPhone, Mac, or iPad to generate strong passwords and safely store them in iCloud Keychain for later access. Some of the best third-party password managers can be found here.

5. Enable Two-Factor Authentication

Two-factor authentication adds an additional layer of protection to your accounts. The first factor is the familiar username and password combination that has been used for years. The second factor is typically a code sent by text message or email to a personal device, or generated by an authenticator app. This added step makes it harder for malicious actors to gain access to your accounts, because a stolen password alone is no longer enough to log in. Two-factor authentication only adds a few seconds to your day, but it can save you from the headache and harm that come from compromised accounts. To be even safer, use an authenticator app as your second factor: codes generated on your device are never sent over a channel that could be intercepted or redirected, as text messages and emails can be.

As many of us continue to work and learn remotely, it’s important to stay aware of the information you share on and offline. Remember to adjust your settings regularly, staying on top of any privacy changes and updates made on the web applications you use daily. Take charge of protecting your personal data and encourage others to look at the information they may be sharing. By adjusting your settings and making changes to your web accounts and devices, you can better maintain the security and privacy of your personal data.

If you’re interested in learning more about one of the topics discussed here or about other issues that are driving the future of privacy, sign up for our monthly briefing, check out one of our upcoming events, or follow us on Twitter and LinkedIn. FPF brings together some of the top minds in privacy to discuss how we can all benefit from the insights gained from data, while respecting the individual right to privacy.

Five Burning Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2022

Entering 2022, the United States remains one of the only major economic powers that lacks a comprehensive, national framework governing the collection and use of consumer data throughout the economy. An ongoing impasse in federal efforts to advance privacy legislation has created a vacuum that state lawmakers, seeking to secure privacy rights and protections for their constituents, are actively working to fill. 

Last year we saw scores of comprehensive privacy bills introduced in dozens of states, though when the dust settled, only Virginia and Colorado had joined California in successfully enacting new privacy regimes. Now, at the outset of a new legislative calendar, many state legislatures are positioned to make progress on privacy legislation. While stakeholders are eager to learn which (if any) states will push new laws over the finish line, it remains too early in the lawmaking cycle to make such predictions with confidence. So instead, this post explores five key questions about the state privacy landscape that will determine whether 2022 proves to be a pivotal year for the protection of consumer data in the United States.

1. Will A Single (State) Framework Emerge Supreme?

A common refrain heard in the U.S. privacy debate is that each state creating its own data privacy rules threatens to create a confusing and costly “patchwork” of divergent laws. While some degree of tension between different state privacy laws is already baked into the landscape, regulated entities may be hoping that a particular regulatory approach emerges as an interoperable norm across the states. Some of the likely contenders for this title are laid out below.

California Model

California was the first mover on comprehensive privacy legislation, enacting the California Consumer Privacy Act (CCPA) in June 2018. At the time, many observers predicted that the “California effect” would establish the CCPA as a de facto national standard and drive the adoption of similar laws throughout the nation (reminiscent of breach reporting statutes in the 2000s). True to form, 2019 and 2020 saw dozens of CCPA-style copycat bills introduced; however, no such bill has yet proven successful. One possible reason is that California’s approach to privacy has been something of a ‘moving target’ – having undergone multiple amendments, an extended Attorney General rulemaking process, the conversion of the CCPA into the California Privacy Rights Act (CPRA) by ballot initiative, and the recent launch of a new CPRA rulemaking process.

Virginia/Colorado Model

In 2021, a new challenger appeared with the enactment of the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA). While containing multiple important distinctions (which will be explored in a subsequent post), these laws generally adhere to the same basic framework for establishing consumer privacy rights and dividing business obligations between data “controllers” and “processors.” The Virginia/Colorado model also goes further than California’s law in certain key areas, including by requiring affirmative consent for the processing of “sensitive” personal data. As a result, this framework could represent a more stable approach to protecting privacy than California’s, one that may be palatable to consumer and industry stakeholders alike.

Other Models

While California and the Virginia/Colorado models are the clear favorites, they are not the full field of contenders that could emerge as the dominant U.S. privacy framework. Last July, the Uniform Law Commission (ULC) finalized its model privacy law, the “Uniform Personal Data Protection Act,” which has already been introduced in the District of Columbia (CB 24-451), Nebraska (LB 1188), and Oklahoma (HB 3447). Notably, the ULC model significantly conflicts with established privacy frameworks and has received reactions ranging from skepticism to hostility from both industry and consumer advocacy groups, creating questions about its political viability.

There is also pending legislation in several states that, if enacted, would constitute distinct regulatory approaches from the adopted laws. For example, there are bills to watch in Massachusetts (S 46) (establishing fiduciary-style obligations on businesses); New Jersey (A 505) (including a ‘legitimate interest’ basis for data processing); and Oklahoma (HB 2969) (containing expansive use limitation requirements).

In surveying the state privacy bills introduced this year, a clear divide between the California and Colorado/Virginia frameworks is evident. State bills in Alaska (HB 222) and Indiana (HB 1261) include California-style rights for consumers to opt-out of the sale and sharing of personal information and to limit the use and disclosure of sensitive personal information. Elsewhere in Hawaii (SB 2797) and Pennsylvania (HB 2257), legislative proposals more closely follow the Virginia/Colorado approach to requiring affirmative consent for processing “sensitive data” in addition to creating opt-out rights for data sales, targeted advertising, and profiling.

2. Where Will Regulatory Processes Lead?

While much attention will be paid to the state legislative horse race, two states with laws on the books will undertake important privacy rulemaking processes this year. In California, the newly constituted California Privacy Protection Agency (CPPA) is directed to conduct a wide-ranging rulemaking that will clarify key definitions and compliance issues left open under the CPRA. Rulemaking subjects include the CPRA’s new right of correction, valid uses of data for ‘business purposes,’ and the application of the law to automated decision-making processes. In Colorado, the Attorney General has similarly been delegated broad rulemaking authority and is specifically tasked with the adoption of “rules that detail the technical specifications for one or more universal opt-out mechanisms” (discussed further below).

California and Colorado’s rulemaking processes will likely have significant impacts on the ultimate implementation and exercise of consumers’ new privacy rights in these states. Furthermore, while the CPRA and CPA statutes specifically direct the development of rules governing certain issues, their grants of rulemaking authority are open-ended, meaning that final regulations may potentially broaden the consumer rights and business compliance obligations established under these laws. However, such an expansive regulatory approach would likely be strongly contested. For example, the CPPA’s request for comment on preliminary rulemaking activity surfaced significant fault lines in stakeholder expectations for what CPRA rulemaking can and should entail for significant elements of the law.

Not all new state privacy laws will necessarily provide for open-ended rulemaking processes, and Virginia’s privacy law lacks a rulemaking process entirely. Privacy bills under consideration in 2022 have largely followed an ‘all-or-nothing’ approach to rulemaking, with legislation such as Maryland (SB 11) and Washington (HB 1850) seeking to give the state Attorney General or other regulators broad rulemaking authority, and bills like Ohio (HB 376) providing for no rulemaking at all. Going forward, the inclusion of rulemaking authority in new privacy laws could create additional divergences between different state approaches. However, rulemaking may also help state laws remain flexible in light of changing technology and allow lawmakers to delegate some of the more nuanced technical issues to experts with the benefit of public participation.

3. How will State Activity Impact the Federal Debate?

Despite the introduction of over a dozen federal bills and numerous hearings since 2018, bipartisan federal collaboration on comprehensive privacy legislation has repeatedly stalled out. Key lawmakers remain divided over critical issues such as private rights of action, preemption, and how to regulate against discriminatory uses of data.

Advancements in privacy at the state level will likely breathe new life into the dormant federal debate – but its impact remains uncertain. One possibility is that the adoption of additional state privacy laws may ultimately create so much regulatory complexity for industry that breakthrough on federal privacy legislation becomes inevitable.

Alternatively, the enactment of even a single state law that contains a broad private right of action may push concerned industry stakeholders towards compromise over a federal privacy bill. Most industry participants view private lawsuits as particularly ‘ill-suited’ for the privacy context, and no state has yet enacted comprehensive privacy legislation providing for expansive private lawsuits. A range of approaches to the issue of private lawsuits has been taken in the legislation under consideration this year. In addition to bills that would establish expansive causes of action, such as New York (S 6701), or explicitly disclaim such suits, like Florida (SB 1864), some bills would restrict lawsuits to particular violations, like Florida (HB 9), or permit lawsuits but restrict statutory damages, such as Washington State (SB 5813).

Finally, the successful enactment of state privacy laws containing novel approaches to protecting privacy could inform new legislative proposals at the federal level. Given that the only states to enact comprehensive privacy laws have had (at the time) unified Democratic governments, the adoption of a privacy law by a Republican-led state could impact the contours of the federal conversation. Serious efforts to enact privacy legislation have been undertaken in Republican controlled state legislatures in Florida, Ohio, and Oklahoma, with more likely on the way.

4. Will ‘Universal’ Privacy Controls be the Next Big Thing?

Many stakeholders have expressed concern that leading privacy frameworks rely too heavily on individual controls and consent options that are overwhelming and unscalable for ordinary consumers in practice. One response to this criticism has been the development and legal recognition of ‘user-selected universal opt-out mechanisms,’ often exercised through browser settings or plug-ins, that signal a consumer’s request to exercise their privacy rights to the websites they visit. Under present law, such privacy controls are omitted from the VCDPA; recognized, but not clearly mandated under the CPRA; and will be required in Colorado come 2024.

Because this is a newer approach to expressing privacy preferences, stakeholders have raised questions about the legal and practical effects that this class of ‘universal’ controls should carry. For example, it is unclear how businesses should respond if they receive multiple, conflicting signals from different browsers or devices used by the same person. Furthermore, the potential development of separate processes governing the adoption of new signal mechanisms, and likely state-by-state differences in the underlying privacy rights these controls will exercise, could further complicate their use.

Nevertheless, ‘universal’ privacy controls represent a significant opportunity to advance consumer privacy interests and appear poised to become an increasingly prominent aspect of the privacy debate in the years to come. At present, the majority of active state bills, including Florida (SB 1864) and Kentucky (SB 15), would give businesses flexibility in determining context-appropriate methods for the exercise of consumers’ privacy rights. However, bills in Maryland (SB 11) and Alaska (HB 159) would join Colorado in providing for the mandatory recognition of such signals.

5. Will Sectoral Privacy Laws Lead the Way?

This post has focused on ‘comprehensive’ privacy legislation: broad-based legal frameworks that would establish baseline, industry- and technology-neutral rules for the protection of personal data throughout a state’s economy. However, state lawmakers are also on track to propose hundreds of more narrowly focused privacy bills that would regulate particular industries such as data brokers (Delaware HB 262) or ISPs (New York S 3885); categories of information such as children’s data (Washington State HB 1697) or biometrics (Kentucky HB 32); or establish specific business obligations such as reasonable security practices (West Virginia HB 2925) or transparency requirements (New Jersey A 1971). While some of these proposals are particularly narrow or limited in scope (for example, establishing a commission to study a particular issue), others could serve as both templates and catalysts for sweeping change in Americans’ privacy expectations and outcomes.

Conclusion

This commentary has noted several states where privacy legislation is already under serious consideration for the 2022 legislative calendar. However, the past informs us that fast-shifting local political dynamics can kick up surprises for state privacy efforts. Last year’s adoption of new privacy laws in Colorado and Virginia took many observers by surprise, and successful legislation may emerge from unexpected jurisdictions again this year. This post has posed many questions but can offer only one clear forecast: a turbulent and exciting year for consumer privacy legislation is just beginning. Be sure to follow the Future of Privacy Forum for updates on the U.S. privacy landscape throughout the year.

Addressing the Intersection of Civil Rights and Privacy: Federal Legislative Efforts

Last month, the National Telecommunications and Information Administration (NTIA) hosted virtual listening sessions on the intersection of data privacy, equity, and civil rights. Around the same time, the FTC announced that it will begin rulemaking on discriminatory practices in automated decision making, and an influx of state legislation containing civil rights provisions has been introduced.

Decades of research demonstrate the effects of data processing on existing structural inequalities based on race, gender, and disability, and there have been numerous attempts by federal and state governments to regulate the disparate impacts of data practices on protected classes. Though the intersection of data privacy and civil rights has been discussed in policy circles for years, the bills containing civil rights provisions have been surprisingly under-analyzed.

In the coming weeks and months, FPF will be publishing a blog series to provide an informative overview of government efforts to regulate discriminatory data practices through proposed legislation and executive agency enforcement. This blog is the first in the series and will cover federal legislative efforts.

In sum: 

Leading Federal Comprehensive Data Privacy Bills

Members of Congress have introduced a number of comprehensive data privacy bills in recent years, some of which contain civil rights provisions. The leading proposals from Democratic and Republican leaders in the Senate Commerce Committee are the Consumer Online Privacy Rights Act (COPRA) and the SAFE DATA Act (Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act).

Table 1 (below) provides a helpful comparison of the key civil rights provisions in each bill. In general, COPRA contains more comprehensive civil rights provisions than the SAFE DATA Act, which mainly codifies unlawful data processing activities under federal anti-discrimination laws and permits the FTC to inform other agencies about potential violations.

Under COPRA, it would be unlawful to conduct discriminatory data processing on the basis of a protected class in areas covered by federal anti-discrimination laws, such as housing, employment, and education. Protected classes would include those already protected under the law (race, sex, disability, etc.), as well as new ones such as source of income, familial status, and biometric information. COPRA would also require entities to conduct impact assessments on the accuracy, bias, and potential discrimination of their algorithms. Violations of the law would be enforced by the FTC, state AGs, or through a private right of action, where a plaintiff could recover up to $1,000 per violation per day. Small businesses, however, would be exempt. In comparison (see Table 1), the SAFE DATA Act contains few civil rights provisions.

Table 1.

Discrimination Provisions

COPRA, Section 108: A covered entity shall not process or transfer covered data on the basis of [protected class] for the purpose of:

(A) advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for a housing, employment, credit, or education opportunity, in a manner that unlawfully discriminates against or otherwise makes the opportunity unavailable to the individual or class of individuals; OR

(B) in a manner that unlawfully segregates, discriminates against, or otherwise makes unavailable to the individual or class of individuals the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.

SAFE DATA, Section 201: Whenever the Commission obtains information that a covered entity may have processed or transferred covered data in violation of Federal anti-discrimination laws, the Commission shall transmit such information…to the appropriate Executive agency or State agency with authority to initiate proceedings relating to such violation.

Algorithmic Decision-making

COPRA, Section 108: [A] covered entity engaged in algorithmic decision-making…to make or facilitate advertising for housing, education, employment or credit opportunities…or restrictions on the use of, any place of public accommodation, must annually conduct an impact assessment of such algorithmic decision-making that—

(A) describes and evaluates the development of the covered entity’s algorithmic decision-making processes including the design and training data used to develop the algorithmic decision-making process, how the algorithmic decision-making process was tested for accuracy, fairness, bias, and discrimination; and

(B) assesses whether the algorithmic decision-making system produces discriminatory results on the basis of an individual’s or class of individuals’ [protected class]

SAFE DATA, Section 201: The Commission shall conduct a study…examining the use of algorithms to process covered data in a manner that may violate Federal anti-discrimination laws.

Enforcement

COPRA, Section 108: FTC, state attorneys general, and individuals through a private right of action.

A plaintiff bringing suit would not be required to prove injury in fact (a violation alone is the injury) and could seek damages up to $1000/violation (or actual damages, if greater).

The bill would also invalidate any pre-dispute arbitration agreement that waives claims arising under this law.

SAFE DATA, Section 201: FTC, or other appropriate state or federal agency.

Federal Sectoral Legislation

In some cases, sectoral efforts have taken a more dynamic approach to addressing specific harms. For example, Senator Markey (D-MA) introduced the Algorithmic Justice and Online Platform Transparency Act, which would prohibit unlawful discrimination in automated decision-making (as opposed to general data processing, as in COPRA and SAFE DATA) and impose transparency requirements mandating review and assessment of algorithms for disparate impact on protected classes. 

Importantly, the bill would explicitly extend public accommodation law to “any commercial entity that offers goods and services through the internet to the general public.” Currently, Titles II and III of the Civil Rights Act of 1964 prohibit discrimination on the basis of race, color, national origin, or disability in places of “public accommodation,” such as hotels, restaurants, theaters, and similar physical spaces. The law has not been amended to extend to online commerce (and federal circuit courts are split on the issue with respect to Title III). While COPRA includes “places of public accommodation” within its scope of entities that may not conduct discriminatory data processing, it does not explicitly expand federal anti-discrimination law to online retailers and marketplaces. Markey’s bill would.

In a more recent example, the “Banning Surveillance Advertising Act,” introduced by Anna Eshoo (D-CA) this week, would flatly prohibit targeted advertising based on characteristics protected under current federal anti-discrimination law – such as race, color, sex (including sexual orientation and gender expression), and disability. Unlike COPRA, the SAFE DATA Act, and the Markey bill, this legislation contains no small business exemption.

Advocates’ Goals

Most proposals have not gone as far as some civil rights advocates have proposed. For example, the Lawyers’ Committee for Civil Rights Under Law and Free Press introduced a comprehensive Model Bill in March 2019 that would prohibit discrimination not only in economic opportunities (housing, employment, credit, insurance, or education) and in public accommodations (including any business that offers goods or services through the internet, as in the Markey bill), but also in any manner that would interfere with a person’s right to vote. Similar to COPRA, the Model Bill would also impose auditing requirements for discriminatory processing.

In the Lawyers’ Committee proposal, the law would be enforced by the FTC, the states, the DOJ Civil Rights Division, or through a private right of action. The civil penalty for a violation would be heftier than in other legislation, at $16,500 per violation (or up to 4% of annual revenue if punitive damages are warranted or the action is brought by the state).

Other notable provisions in the Model Bill which are not in COPRA nor the SAFE DATA Act include:

We anticipate that the debate regarding the scope and substance of civil rights protections in data privacy policy is just beginning. The NTIA intends to publish a Notice and Request for Comments in the Federal Register regarding this topic, where members of the public unable to participate in the Listening Sessions are encouraged to respond.