Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,750 words, this briefing is about an 8-minute read.
At a Glance.
- US reveals new rules to protect US bulk data.
- EU antitrust chief nominee signals greater Big Tech crackdowns.
Department of Justice proposes new rules to protect bulk data.
The News.
On Monday, the Department of Justice (DOJ) proposed new rules to better protect federal government data and Americans’ bulk personal data. These new rules were specifically designed to prevent this data from being taken by or sold to hostile nations such as China, Iran, Russia, Cuba, North Korea, and Venezuela by limiting specific business transactions. More specifically, these rules state that any human genomic data collected on over a hundred United States (US) citizens or personal health or financial data on over 10,000 people cannot be transferred to any of these “countries of concern.” Additionally, the proposal would also bar the transfer of precise geolocation data collected from over 1,000 US devices. Lastly, these rules would also allow the DOJ to enforce these compliance rules through both criminal and civil penalties.
With these proposed rules, the DOJ stated that they have created “categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk US sensitive data.” With this proposal, there will be a thirty-day public comment period where the DOJ has requested feedback from industry leaders, trade association groups, civil societies, subject-matter experts, and entities that could be potentially impacted by these rules.
The Knowledge.
These proposed rules come in response to Executive Order 14117, which was issued by the Biden administration in February of this year. When originally signed, this order centered around preventing hostile access to both sensitive personal data and government data and aimed to reduce cyber attacks, espionage, and blackmailing efforts. While these rules do have some exemptions for telecommunications services and some special instances for clinical trial data, these rules would greatly limit where data brokers can sell and transfer their collected data. Here are some of the more specific restrictions in these rules:
- US individuals and companies would be barred from directly selling personal data to foreign entities that are at least fifty percent owned by or located in a country of concern or to individuals listed as covered persons.
- Companies will be required to report any third-party involvement in a covered data sale.
- Vendor, employment, and non-passive investment agreements would have to pass requirements related to encryption, data minimization, physical and privacy standards, and logical access control.
Aside from these rules, the DOJ also announced that it will issue special licenses to bypass these proposed rules; however, these special licenses will only be granted in “rare circumstances.”
Historically, the US has always lagged behind other nations, such as those in Europe, when it comes to protecting sensitive data and regulating data brokers. While the US attempted to improve data security earlier this year through the American Privacy Rights Act, this act has currently stalled in Congress and has not been passed by either the House or the Senate. For context, this act would have been a substantial revision to how data privacy is handled within the US, including giving citizens the right to know what data has been collected, who can access that data, and the right to delete data, and further defining how organizations need to handle specific data. While that bill may not have passed, these proposed rules would help provide some better data security in place of that bill and could spur some momentum in Congress to address these privacy concerns after the upcoming election is finished.
The Impact.
While these rules have not been formally implemented and won’t be passed for some time, these regulations could have notable impacts on companies that sell or transfer this sensitive data to any of these listed countries, most notably to China. While these rules undergo the public comment period, companies that would be impacted by these rules should take time to prepare for these potential impacts and ensure that they are compliant with any of the finalized rules. Additionally, impacted entities should use this public comment period to propose any rule changes as needed before the period comes to a close.
For US citizens, while it is unlikely that people will notice the impacts of these rule changes, people should know that these rules would, if passed, help better protect sensitive data. While these rules are not going to stop every avenue that these hostile actors can use to access this sensitive information, these rules will make it more difficult to access this data by closing some of the existing pathways that are currently being exploited.
EU antitrust chief nominee aims to intensify crackdowns on Big Tech.
The News.
On Wednesday, Teresa Ribera, the European Union’s (EU) current antitrust chief nominee, pledged to increase the governing body's crackdown efforts to rein in Big Tech companies. Aside from reining in these large tech companies, Ribera also stated that she intends to better protect EU companies from foreign competition being given unfair advantages through state subsidies to buy competition or take part in EU tenders.
During her statement, Ribera emphasized that she would “push for a vigorous enforcement of the DMA, sharing the Commission policy concerning this important new instrument, in order to deliver concrete results for European business and end users.” Ribera continued by stating that “we cannot afford unduly long antitrust investigations during which companies continue to benefit from their anticompetitive practices.” The European Parliament is set to hold hearings to assess nominated commissioners in November.
The Knowledge.
While Ribera has yet to be formally inducted into the EU’s antitrust chief role, her messaging indicates both her and the EU’s intentions to continue to enforce and increase the scope of its antitrust crackdowns. For several months now, the EU has continued to increase its pressure on the technology industry through the Digital Markets Act, or DMA. For context, the DMA was passed in 2022 and has been seen as a landmark piece of legislation that established clear criteria that the EU has used to identify several key “gatekeepers” that require additional government oversight. “Gatekeepers” are considered large digital platforms that connect users to businesses. Alphabet, Apple, Amazon, Meta, Microsoft, and ByteDance have all been identified as “gatekeepers,” and the EU has already launched probes into Alphabet, Apple, and Meta for violating the DMA’s other rules.
This development echoes a growing pattern emerging both within the EU and the US where the two governments have continued to increase their oversight and pressure on major technology industries. Aside from the EU launching probes into the companies listed above, the US government has also filed two major antitrust lawsuits against Google, one of which already found the company guilty and is currently awaiting a second sentencing hearing. Aside from filing these lawsuits, the US has also launched a series of antitrust probes into other major companies, like Nvidia and Microsoft, to assess if these companies abused their market dominance.
The Impact.
Given the existing antitrust pressures on large technology companies, it is likely that the EU Parliament will heavily consider Ribera’s nomination. Ribera’s emphasis on both reining in big tech companies as well as protecting EU firms from unfair foreign competition would go a long way in better protecting EU citizens and supporting the government’s agenda. For both EU citizens and smaller EU businesses, people should expect these efforts to better protect them; however, exact details on Ribera’s agenda are unclear.
For both gatekeepers and foreign businesses operating within the EU, businesses should be prepared to work with an administration that is seeking to increase its oversight of their activities. By ensuring that businesses are fully compliant with existing EU laws and are not gaining subsidy advantages within the EU, businesses can ensure they do not become the target of increased EU investigations.
Highlighting Key Conversations.
In this week’s Caveat Podcast, our team met with Eoin Hinchy, the Co-Founder and CEO of Tines, to share his perspective on the challenges associated with managing AI regulations across both the US and the EU. Throughout this conversation, we discussed how straddling these various regulations will be a critical and difficult challenge as the conversation surrounding establishing secure AI guardrails continues to grow and as various governments attempt to tackle these challenges in different ways.
Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other Noteworthy Stories.
Massachusetts judge rules Meta must face state’s social media lawsuit.
What: A Massachusetts Superior Court judge ruled that Meta must face a state lawsuit alleging the company harmed young online users.
Why: Last week, Suffolk County Superior Court Judge Peter Krupp ruled that Meta would have to face a lawsuit alleging the company knowingly designed and implemented features that were harmful to young online users. This ruling came after Meta requested that the case be tossed arguing that the suit created a nuisance and violated Section 230 of the Communications Decency Act.
In his ruling, Judge Krupp wrote that Section 230 does not apply to the suit’s claims due to Meta’s statements about its platforms’ safety and publishing conduct. Judge Krupp also rejected Meta’s claims that the suit violates the First Amendment. A spokesperson from Meta stated that the company “disagrees” with the decision and that the company has “developed numerous tools to support parents and teens.”
Wall Street Journal, New York Post sue AI startup.
What: News Corp has filed a lawsuit against the AI startup company, Perplexity, alleging that the company has illegally used copyrighted news content to feed AI search queries.
Why: On Tuesday, the media conglomerate, News Corp, filed its lawsuit against Perplexity. With this lawsuit, News Corp stated that “this suit is brought by news publishers who seek redress for Perplexity’s brazen scheme to compete for readers while simultaneously freeriding on the valuable content the publishers produce.”
This lawsuit comes after Perplexity faced backlash several months ago after it began publishing summarized news stories that heavily echoed Forbes articles but did not cite the company or request permission from the publisher to use their content.