The Public Policy Committee engages with government and support agencies across the globe and comments on issues that affect the industry’s ability to protect end-users. Members may subscribe to the committee mailing list on the Committee/SIGs page to stay up to date on current events and Initiatives that the committee is overseeing. All readers are encouraged to review published documents and comments on the Public Policy page which covers a broad range of policies.

Public Policy Updates for the US

• President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data
  • U.S. President Joe Biden announced plans for an executive order that would bar data brokers from selling U.S. citizens' sensitive personal data to entities located in or affiliated with adversarial countries. The executive order will direct the Department of Justice to develop regulations prohibiting data brokers from carrying out transfers to so-called "countries of concern" that involve troves of sensitive personal information. The designated countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela. The types of sensitive data to be protected under the order are "genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers
    • https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/
• FTC's Bedoya discusses AI issues
  • As you’ve heard me talk about Commissioner Alvaro Bedoya, the U.S. Federal Trade Commissioner spoke with Tech Policy Press about how the agency is thinking about artificial intelligence in its wider regulatory purview. He discussed voice cloning, algorithmic fairness and what the future holds for AI.
    • https://www.techpolicy.press/ftc-commissioner-alvaro-bedoya-on-algorithmic-fairness-voice-cloning-and-the-future/
• FTC orders $16.5M fine over alleged data sales, false privacy claims
  • The U.S. Federal Trade Commission announced a US $16.5 million fine and corrective measures to software provider Avast over alleged unfulfilled privacy claims that led to nonconsensual sale of user browsing data. Avast allegedly indicated its products would block third-party tracking while collecting, retaining and selling data without proper notice or consent. Additional measures include a ban on "selling or licensing any web browsing data for advertising purposes."
    • https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over
• FTC finds X, formerly Twitter, did not break data security agreement
  • The U.S. Federal Trade Commission concluded X CEO Elon Musk did not violate a settlement putting tight controls on user access data after trying to give an outside group of writers access to information, The Washington Post reports. The probe found employees at the site formerly known as Twitter upheld safeguards to protect user data.
    • https://www.washingtonpost.com/technology/2024/02/21/x-twitter-jordan-ftc-musk/
• CPPA to consider formal rulemaking on draft automated decision making regulations
  • The California Privacy Protection Agency Board will hold its next public meeting March 8th, 2024. The major agenda item is a discussion on taking potential action to advance draft automated decision-making technology regulations to the formal rulemaking phase. The board will consider similar action on draft risk assessment rules while revisiting potential updates to existing rules.
    • https://cppa.ca.gov/meetings/agendas/20240308_agenda.pdf
• NIST updates Cybersecurity Framework
  • The U.S. National Institute of Standards and Technology finalized an update of its Cybersecurity Framework, which was last updated in 2014. The CSF 2.0 supports implementation of the U.S. National Cybersecurity Strategy with a broadened scope beyond protecting critical infrastructure and includes resources and best practices applicable to organizations across all economic sectors. NIST indicated the updates also "added emphasis on governance."
    • https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

Public Policy Updates for the EU

• Chat Control
  • In May 2022, the EU Commission presented a proposal to combat “sexual abuse of children” online, but since then the EU member states have not been able to agree on a common position on so-called chat control. By order, providers of communication and hosting services should also scan the private content of their users in order to detect evidence of sexual violence against minors.

Since then there has been harsh criticism from many quarters, such as civil rights activists, child protection organizations, data protection experts and lawyers. This criticism has reached some of the Member States. After initial support from the German Interior Ministry, Germany argued in the Council against the proposal, which also envisages scanning encrypted communications. An agreement between the countries has repeatedly failed, and the EU committees recently extended the voluntary chat control that some platforms such as Facebook have been carrying out for several years through an exception.

But now the Council is taking action again under the presidency of Belgium. Member states met on Friday, March 8,  to discuss this “new approach” from the Council Presidency. 

• https://netzpolitik.org/2024/chatkontrolle-der-rat-will-es-nochmal-versuchen/#2024-02-22_Presidency_LEWP_CSAR_New-approach_6850

• Cyber Resilience Act
  • The EU’s Cyber Resilience Act (CRA) was introduced by the European Parliament in September 2022. Its purpose is to establish cybersecurity requirements for devices and software marketed in the EU. Everybody who places digital products in the EU market will be responsible for additional obligations around reporting and compliance, such as fixing discovered vulnerabilities, providing software updates, and auditing and certifying the products.

The CRA can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements “throughout the whole life cycle.” Second is to offer a “coherent cybersecurity framework” by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to “use products with digital elements securely."

The draft legislation includes an impact assessment that says “for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations.”

The Open Source Business Alliance (OSBA) had expressed concerns in advance in a statement that the regulatory initiative could cause overregulation and legal uncertainty due to textual vagueness and thus cause major damage to the German and European open source ecosystem.

The final text agreed in December 2023 now takes into account the special features of the open source sector and has allayed these concerns by making them more precise.

• Press Release European Council

https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/