Dechert Cyber Bits - Issue 7

Dechert LLP

EU Parliament Adopts Amended Digital Services Act by a Wide Margin

On January 21, 2022, the members of the EU Parliament approved by a large majority (77%) an amended draft of the Digital Services Act (“DSA”).

The DSA proposal, put forward by the EU Commission back in December 2020, aims to provide for a common set of obligations and accountability rules for online intermediaries while safeguarding consumers’ fundamental rights. Key provisions of the DSA relate to the control of illegal goods, services or online content and better traceability and transparency. The DSA would apply to various types of online intermediary services providers (Internet providers, cloud services providers, etc.), with a strong focus on online platforms (marketplaces, app stores, collaborative economy platforms and social media platforms) and very large online platforms (i.e., reaching more than 45 million consumers in the EU). Once in force, online intermediary services providers would need to comply with this new set of rules or risk facing fines of up to 6 percent of their annual turnover.

The EU Parliament introduced several changes to the Commission proposal, including:

  • The prohibition of deceiving or nudging techniques to influence users’ behavior, i.e., “dark patterns”, including mechanisms asking users to accept cookies after they have explicitly refused, e.g., via a specific setting in their browser.
  • Further regulation of targeted advertising, including the prohibition of targeted advertising for children, better transparency, and the possibility to opt-out of targeted advertising.
  • The obligation for very large online platforms to offer at least one content recommendation system that is not based on profiling.
  • A requirement for providers to respect the freedom of expression and pluralism of the media in their terms and conditions.
  • Stronger content moderation rules including a requirement to process notices in a non-arbitrary and non-discriminatory manner. The EU Parliament, however, limited the territorial scope of content removal orders to the issuing Member State territory unless the content violates EU law.

The EU Parliament’s approval signals the start of the “trilogue”, i.e., negotiations between the EU Council (representing Member State governments), the EU Commission and the EU Parliament to reach an agreement on the final version of the text. Debates are likely to be lively, in particular with regard to targeted advertising, as lawmakers will need to arbitrate between NGOs’ demands for a complete prohibition of targeted advertising and the need to avoid harming companies that rely on this tool for their business. Recent claims that the contemplated EU rules discriminate against US companies will also likely figure in the discussions. Finally, it remains to be seen how the new DSA will interact with other pending regulations, such as the Digital Markets Act or the e-Privacy Regulation (for more detail, see our OnPoint).

Takeaway: Providers of online intermediation services should continue to monitor developments related to the DSA and raise their concerns with their government or MEPs before an agreement is reached. This is particularly key as the EU is at the forefront of online content regulation and the final regulation, like the GDPR, could influence regulations worldwide.

_____________________________________________________

SEC Chair Gensler Signals Renewed Focus on Cybersecurity Risk Management

On January 24, 2022, SEC Chairman Gary Gensler delivered an address that mapped out a number of new and enhanced cybersecurity rules that the SEC is currently considering to more effectively protect investors from cyber threats and bolster the disclosure of cybersecurity risks.

Chairman Gensler noted that he has asked the SEC staff to consider how to “broaden and deepen” Regulation Systems Compliance and Integrity (“Reg SCI”), which currently applies to stock exchanges, clearinghouses, alternative trading systems, and self-regulatory organizations, and requires that such entities have sound technology programs, business continuity plans, testing protocols, and data backups. Specifically, the SEC staff is considering whether to apply Reg SCI to other large entities, such as the largest market-makers, broker-dealers and large Treasury trading platforms. Chairman Gensler also indicated that he has asked the staff to make recommendations around “how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting” with respect to the broader group of financial sector registrants not governed by Reg SCI, including investment companies, investment advisers and broker-dealers.

The Chairman also discussed the staff’s considerations regarding how to modernize and expand Regulation S-P (“Reg S-P”), which requires SEC-registered broker-dealers, investment companies and investment advisers to deliver privacy notices to consumers and “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Given the evolution of technology and cybersecurity threats since Reg S-P was adopted over twenty years ago, Chairman Gensler has asked the staff for recommendations on “how customers and clients receive notifications about cyber events when their data has been accessed.”

Chairman Gensler also indicated that he has asked for staff recommendations on potential enhancements to public companies’ “cybersecurity practices and cyber risk disclosure,” as well as potential enhancements to public companies’ notification requirements when a cyber event has occurred. The Chairman further noted that the staff is considering recommendations about how to address cybersecurity risk that comes from service providers, which could include a variety of new measures, such as “requiring certain registrants to identify service providers that could pose [cybersecurity] risks.”

Takeaway: Chairman Gensler’s remarks indicate that the SEC believes it has a clear interest in enhancing its cybersecurity rules across the financial services industry to address the ever-evolving threat of cyber-attacks and risks resulting from threat actors gaining access to sensitive financial data. Cybersecurity will continue to be a key priority for the SEC. Businesses should continue to monitor for new developments and proposals from the SEC regarding their obligations with respect to data privacy and cybersecurity.

_____________________________________________________

IRS Gives Up Facial Recognition Plans After Objections From Public and Other US Governmental Actors

On February 7, 2022, the IRS announced that it is halting its plans to require taxpayers to verify their identities using facial recognition technology on IRS online accounts, after facing backlash from US lawmakers, privacy advocates and the public.

The IRS announced in November 2021 that it would utilize facial recognition technology, essentially to prevent identity theft. This security system was to be operated by a commercial provider, ID.me, which has reportedly provided such services to other federal government agencies and a number of state governments. Taxpayers who chose to use the IRS’s website would have been required to provide ID.me with a photo of an identity document, such as a driver’s license or passport and then take a picture of themselves, using a mobile phone or webcam, in order for ID.me’s facial recognition software to confirm that the user’s face matches the photo in the identity document provided.

Once announced, the IRS’s plans attracted expressions of concern and outright opposition from public interest groups and government officials, including lawmakers from both parties. The criticisms ranged from now-familiar concerns about the accuracy of facial recognition technology generally, to concerns about whether other US government agencies would have access to the data collected for the IRS’s purposes, and what uses other government agencies might make of the biometric data the IRS planned to collect. In addition to these concerns, Senator Ron Wyden expressed concern about the IRS’s decision to use technology from a private vendor rather than facial recognition technology developed and operated by the government. Finding it “alarming that the IRS and so many other government agencies have outsourced their core technology infrastructure to the private sector,” Senator Wyden asserted that “[t]he infrastructure that powers national identity, particularly when used to access government websites, should be run by the government.”

In the wake of this criticism, the IRS announced in a press release that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts,” promising to “quickly develop and bring online an additional authentication process that does not involve facial recognition.” The Release quoted IRS Commissioner Chuck Rettig as assuring taxpayers that the IRS “takes taxpayer privacy and security seriously,” and that his agency understood “the concerns that have been raised.” “Everyone,” he continued, “should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.” The Release also confirmed that the agency’s change of plans on this issue should not have any other impact on the current tax season.

Takeaway: This history of the IRS’s short-lived facial recognition program suggests continuing concerns about how governments will use the technology, and what steps they will take to prevent unauthorized access to and uses of the data collected. Some officials are clearly uncomfortable with governmental use of facial recognition technology that they believe is capable of violating privacy and civil rights. Governments interested in promoting greater use of this technology can still expect to be challenged to make the case that facial recognition can be deployed with the safeguards necessary to assure the public that the technology will not be abused, or lead to unfair outcomes or invasions of privacy.

_____________________________________________________

EU to Adopt Common Framework for Cyber Incidents Posing a Systemic Risk to the Financial System

On January 27, 2022, the European Systemic Risk Board (“ESRB”) published a Recommendation for the establishment of a pan-European systemic cyber incident coordination framework (“EU-SCICF”).

Cyber incidents, including cyberattacks, could pose a systemic risk to the financial system given their potential to disrupt critical financial services and operations and thereby impair the provision of key economic functions.

With this in mind, the ESRB report “Mitigating systemic cyber risk” explains in detail how the EU-SCICF would facilitate an effective response to a major cyber incident.

To mitigate the risk of a cyber incident becoming a systemic risk, the report says stakeholders need to make sure they are ready for rapid coordination, while authorities will need to offer clear and consistent communication to shore up confidence. It concludes that the macroprudential mandate and toolkits of financial authorities need to be expanded to include cyber resilience.

Takeaway: This initiative comes after multiple incidents resulting in networks belonging to EU organizations being breached last year. In the coming months, the ESRB and its dedicated European Systemic Cyber Group (“ESCG”) will focus on testing the cyber resilience of the financial system through scenario analysis. We will monitor the outcome closely as changes to relevant EU legislation may come as a solution.

_____________________________________________________

Google Sued by Three US State AGs and the D.C. AG for Allegedly Engaging in “Deceptive” Location Tracking

On January 24, 2022, attorneys general from Indiana, Texas, Washington state and the District of Columbia filed separate lawsuits against Google, alleging that Google violated consumer protection laws by using deceptive practices to obtain consumers’ location data.

The lawsuits allege that Google led consumers to believe they could prevent Google from storing their location data by changing their account and device settings to turn off “location history.” In practice, Google continued to collect consumer location data via other settings and methods, even after a consumer turned “location history” off. The lawsuits also allege that Google used “dark patterns” (i.e., deceptive design choices supposedly intended to guide users toward behavior that benefits Google) described in the complaints as “repeated nudging, misleading pressure tactics, and evasive and deceptive descriptions of location features and settings, to cause consumers to provide more and more location data.” By engaging in these practices, each attorney general claims that Google made material misrepresentations to consumers and engaged in unfair trade practices in violation of consumer protection laws. The allegations involving “dark patterns” build off the Federal Trade Commission’s work in this space. Google denied the allegations.

The lawsuits ask the courts to block Google from continuing to engage in the allegedly deceptive practices and seek civil penalties and a disgorgement of profits attributed to the company’s allegedly deceptive practices.

Takeaway: The lawsuits demonstrate that attorneys general are taking consumer privacy into their own hands in the absence of comprehensive federal action. In addition to ensuring that consumer privacy disclosures are transparent and accurate, now is the time for businesses to review how users experience design choices, to identify techniques that a regulator could see as improperly guiding consumers toward one or more choices so as to constitute deceptive “dark patterns.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
