Issue 30 — Schrems v. Musk: The saga begins

Oh Hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Written by longtime privacy journalist Angelique Carson, director of content strategy at TerraTrue, you can come here for insights on the hottest topics in privacy. Told through some of our peers’ social posts, this quick read aims to arm you with the knowledge you need to walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!

It’s a Friday, the sun is shining, and my neighbor gave me leftover cookies from her office party’s holiday bake-off. She came in second to the Twix cookies, but I told her she should have come in first. Because those are the kinds of things you say to your friends.

In worse news though, ugh. There was a SITUATION yesterday. I woke up with a bottom lip that had nearly exploded. Like, do you remember the Nutty Professor, that scene where his lips bulge? That is what my bottom lip looked like. Or, as my colleague Haleigh put it, like a real housewife of D.C. And, I was hosting a fireside chat with Steve Stalder from Ancestry at 2 p.m. Eastern, so …

Tag me on social if you want to see the lip, but, trust me: IT WAS A PROBLEM. But the show must go on, so, I sat as far back from my screen as possible and tried to dim the room like a date was coming over so I could hide in the shadows.

My PrivacyNerd™️ friends did say it was kind of hot and we considered whether I should in fact start getting lip fillers and just enter, as Cobun put it, “my pouty era.”

I’m mulling.

This week, we’ve got a new Schrems complaint, FISA’s Section 702 got re-authorized for now, and some ideas about what will or won’t be allowed as an opt-out mechanism under Colorado’s privacy law.

Schrems v. Elon begins

Max Schrems, the man you love 2 love or love 2 hate, depending on your job requirements, has launched a complaint with the Dutch data protection authority alleging X unlawfully used political and religious beliefs to target users with ads, in violation of the GDPR.

CNBC reported Schrems says X showed him an ad from the European Commission promoting online content regulation in the name of thwarting child sex abuse. The complaint says the ad explicitly targeted users from the Netherlands, excluding 44 targeting segments based on right-leaning political parties.NYOB also accuses the European Union of using X to target users based on political or religious beliefs. The European Commission said it’s conducting a thorough review and that in October, it advised the Commission’s social media managers to” refrain from advertising at this stage on X.”

Of course, as Austin Mooney describes in his tweet (above), you have to wonder how any changes (or lack thereof) might impact our new agreement with the EU on data transfers. You know Schrems is just waiting to file

The site formerly known as X hasn’t yet commented.

Section 702 springs ahead … to April

Congress approved a short-term extension of the government’s warrantless surveillance powers, as The Hill reports. A defense policy bill headed to the president includes a measure that would extend Section 702 of the Foreign Intelligence Surveillance Act until mid-April. As a refresher, Section 702 allows U.S. law enforcement agencies to sweep up digital communications without a warrant within the U.S. as long as the surveillance is directed at catching foreigners that pose a threat.

Potential implications for data transfers. An expansion of 702 could become a catalyst for Schrems III. Also wonder if it could undermine the DPF adequacy decision. https://t.co/6Up8Hn5TIL

— Austin Mooney (@austinjmooney) December 8, 2023

Critics say too many innocent Americans’ communications get surveilled as a result, and that violates their civil rights. 

Section 702 was set to expire on December 31, and privacy advocates have been pushing for a revision to any new agreement that would require law enforcement to get a warrant for information on Americans. But the bill that passed on a House vote of 310-118 does not include that provision, so for now the current version of Section 702 is funded until April 2024.

Colorado attorney general to list acceptable opt outs under CPA

This one felt like a snoozer to me, but the PrivacyNerd™️ besties have been all lit up about it on the text thread this morning, so we should talk about it. This week, on Dec. 13 to be exact, the Colorado attorney general’s office closed the comment period for its short-list of potential universal opt-out mechanisms it’ll recognize under California’s privacy law. Colorado came into effect July 1 of this year, as you’ll recall, but it’s not until July 1, 2024 that organizations captured under the CPA have to allow consumers to opt out of allowing organizations to use their personal data or sell their personal data for targeted advertising. The Colorado attorney general’s office has until January 1, 2024 to release the list of recognized UOOMs that controllers will have to recognize to facilitate requests.

What has the PrivacyNerds™️all excited is how this works in the wild. The individual UOOM specifications require a certain amount of bespoke work at the hands of a browser that will implement them, or a plug-in that the user installs to send the opt-out signal for them. And that means it’s not plug-and-play, which is kind of the idea of a universal mechanism. How are we going to implement these things?

For now, we await guidance from the Colorado attorney general.

Check out the latest from me!

In this friendly chat, Ancestry’s Steve Stalder and I talk about how he’s been able to get eyeballs on what’s happening with data at his organization, and how’s he’s been able to maximize his time by eliminating the silly, duplicative work in reviews that prevent him from getting to the important, nuancy stuff. I made that word up, but you get it.

Happy holidays! I really appreciate you reading this year. I’ll see you in January.

XO,

Angelique