The FTC Files an Amicus Brief Arguing That COPPA Does Not Create a Blanket “Express Agency” Relationship Between School Districts and Parents
On August 19, 2024, the Federal Trade Commission (“FTC”) filed an amicus brief in Shanahan, et al. v. IXL Learning, Inc., stating its position that the Children’s Online Privacy Protection Act (“COPPA”) does not create an agency relationship between parents and school districts such that arbitration agreements between schools and third-party vendors would apply to suits by parents against those vendors/with respect to children’s data.
In Shanahan, a case pending in the Northern District of California, the plaintiffs are parents alleging that their school-aged children’s data was illegally collected, used, and sold by an education technology company, IXL Learning, Inc. (“IXL”). IXL was engaged by the children’s schools, but notably, the plaintiffs’ complaint does not allege that IXL violated COPPA. However, IXL has claimed that COPPA and FTC rules interpreting COPPA “created an express agency between [p]laintiffs and the relevant school districts as a matter of federal law.” IXL contends that, as a result, the plaintiffs are bound by the arbitration agreement contained in the schools’ contracts with IXL, meaning the case needs to be dismissed by the court and moved to arbitration.
The FTC’s amicus brief supports the plaintiffs’ position that their case against IXL should be litigated in federal court and should not be moved to arbitration. The Commission argues that the COPPA provisions cited by IXL are applicable only to “circumstances under which schools are acting as an agent for purposes of complying with COPPA’s notice and consent requirements.” The Commission further argues that COPPA does not establish an all-encompassing agency relationship between school districts and parents (or children) as it relates to children’s data.
Takeaway: The FTC’s filing of the Shanahan amicus brief reflects the FTC’s recent approach of using COPPA as a tool in its consumer protection arsenal. Previously, the FTC has done so by adopting regulations expanding the scope of COPPA. Here, the FTC has gone a step beyond direct enforcement by intervening in a lawsuit to support individual privacy litigation.
International Treaty Governing AI Safety and Ethics signed by EU, UK and U.S.
The first binding international treaty governing artificial intelligence (“AI”) safety was opened for signature this September and has been signed by various parties including the EU, UK and U.S. The treaty will enter into force three months after the date on which five signatories, including at least three member states of the Council of Europe, have signed it. The treaty, called the Council of Europe Framework Convention on Artificial Intelligence, and Human Rights, Democracy and the Rule of Law (“AI Convention”), was drafted under the auspices of the Council of Europe following work started in 2019.
The AI Convention mandates that signatories implement safeguards against any threats posed by AI to human rights, democracy, and the rule of law by adopting or maintaining “appropriate legislative, administrative or other measures.” It covers the use of AI by both public authorities and the private sector. Signatories must implement requirements for organizations using relevant AI systems to assess their potential impact on human rights and make that information public. People must be able to challenge decisions made by AI systems and lodge complaints with authorities. The AI Convention also stipulates that AI systems must comply with principles such as protecting personal data, non-discrimination, safe development, and human dignity.
The European Commission, which signed the AI Convention on behalf of the EU, stated that the treaty will be implemented by means of the EU AI Act. On the UK’s part, the UK government has indicated that it will enhance existing laws and work with regulators and local authorities so that the AI Convention is appropriately implemented, but it is maintaining the position that AI-specific legislation will be “highly-targeted.”
Takeaway: International co-ordination on AI regulation should be welcomed to support consistency for businesses offering or using AI across multiple jurisdictions. However, as is generally the case with government action in the AI space, the AI Convention primarily sets out guiding principles, leaving significant latitude for each signatory to determine how it will address its obligations.
The FTC Files an Amicus Brief Arguing That COPPA Does Not Create a Blanket “Express Agency” Relationship Between School Districts and Parents
On August 19, 2024, the Federal Trade Commission (“FTC”) filed an amicus brief in Shanahan, et al. v. IXL Learning, Inc., stating its position that the Children’s Online Privacy Protection Act (“COPPA”) does not create an agency relationship between parents and school districts such that arbitration agreements between schools and third-party vendors would apply to suits by parents against those vendors/with respect to children’s data.
In Shanahan, a case pending in the Northern District of California, the plaintiffs are parents alleging that their school-aged children’s data was illegally collected, used, and sold by an education technology company, IXL Learning, Inc. (“IXL”). IXL was engaged by the children’s schools, but notably, the plaintiffs’ complaint does not allege that IXL violated COPPA. However, IXL has claimed that COPPA and FTC rules interpreting COPPA “created an express agency between [p]laintiffs and the relevant school districts as a matter of federal law.” IXL contends that, as a result, the plaintiffs are bound by the arbitration agreement contained in the schools’ contracts with IXL, meaning the case needs to be dismissed by the court and moved to arbitration.
The FTC’s amicus brief supports the plaintiffs’ position that their case against IXL should be litigated in federal court and should not be moved to arbitration. The Commission argues that the COPPA provisions cited by IXL are applicable only to “circumstances under which schools are acting as an agent for purposes of complying with COPPA’s notice and consent requirements.” The Commission further argues that COPPA does not establish an all-encompassing agency relationship between school districts and parents (or children) as it relates to children’s data.
Takeaway: The FTC’s filing of the Shanahan amicus brief reflects the FTC’s recent approach of using COPPA as a tool in its consumer protection arsenal. Previously, the FTC has done so by adopting regulations expanding the scope of COPPA. Here, the FTC has gone a step beyond direct enforcement by intervening in a lawsuit to support individual privacy litigation.
U.S. Facial Recognition Company Clearview AI Fined Over €30m by Dutch Data Protection Authority
The Dutch Data Protection Authority (the “Dutch DPA”) has imposed a fine of €30.5 million on Clearview AI, the U.S.-based company that provides facial recognition services to intelligence and investigative services. Clearview AI had built a database consisting of over 30 billion photos taken from social media platforms and other internet sources. These images of persons from all over the world are converted by Clearview AI into a unique biometric code for each face, allowing their identification and tracking.
The Dutch DPA found the database to be illegal and in violation of the GDPR because Clearview AI did not have a lawful basis for processing this data, because persons in the database were not sufficiently informed about their photos being used, and because Clearview AI did not respond to requests from data subjects to access their data. Although Clearview AI is U.S.-based with no EU establishments, and no longer offers services within the EU, the Dutch DPA held that Clearview AI’s processing activities were in scope of the GDPR because those activities were related to monitoring behavior of EU data subjects. Further, it found that Clearview AI could not rely on the GDPR’s law enforcement exception because it is a private entity and not itself a law enforcement agency.
In a press release accompanying the decision, the Dutch DPA acknowledged the previous fines imposed by other European data protection authorities and notes that “the company does not seem to adapt its conduct.” As a result, the Dutch DPA indicated that it is looking into whether the directors of Clearview AI can be held personally responsible for its violations in an effort to get Clearview AI to change its practices.
Takeaway: The Dutch DPA is treating Clearview AI’s alleged activities very seriously, sending the message that even non-EU companies must play by the GDPR’s rules where their processing activities fall in scope. It will be interesting to see how enforcement of the decision plays out given Clearview AI’s statement to Reuters that Clearview AI “does not undertake any activities that would otherwise mean it is subject to the GDPR. This decision is unlawful, devoid of due process and is unenforceable.” That the Dutch DPA has indicated it will look into holding directors personally liable tells us that the trend by the SEC and FTC stateside to try to add teeth to its enforcement by going after individuals may be spreading.
HHS Withdraws Appeal in Case Striking Down Web-Tracking Guidance
On June 20, 2024, a federal court in the Northern District of Texas vacated guidance from the U.S. Department of Health and Human Services that had interpreted HIPAA as potentially prohibiting the use of web-tracking tools on the websites of HIPAA-covered entities. The government initially appealed the decision to the Fifth Circuit, but before filing its appeal brief filed a one-page voluntary dismissal. The government has not issued a statement explaining the decision to drop the appeal, but the effect is that the guidance in question is now a legal nullity. For a more detailed discussion of the facts and decision, see our previous article on this case in Issue 58.
European Commission is Consulting on New Standard Contractual Clauses for Data Export
The European Commission has announced a consultation on new Standard Contractual Clauses (“SCCs”) for exporting data outside the EU. The existing 2021 SCCs are designed to apply when the data importer is not itself subject to the GDPR. The new SCCs would complement the 2021 SCCs by covering situations where the data importer is directly subject to the GDPR (a situation not adequately provided for by existing data transfer tools). The consultation will allow stakeholders to provide input on these new clauses.
New Cooperation Agreement Between the UK ICO and NCA to Improve Cybercrime Resilience
The UK Information Commissioner's Office (“ICO”) and the National Crime Agency (“NCA”) have signed a joint Memorandum of Understanding (“MoU”) to help tackle cybercrime. The MoU sets out how the two government agencies will help UK companies become more resistant to cybercrime and governs the sharing of information and intelligence. The ICO and NCA will work together: (i) to assess and influence improvements in cyber security of regulated organizations, (ii) sharing information relating to entities subject to attack, (iii) on improving co-ordination between the NCA and the ICO in relation to incident management, and (iv) on public communications and press releases.
