WhatsApp started notifying its 2 billion users last month about an update to its privacy policy. Most of its users probably didn’t look at the details, and simply clicked “I agree” when the notice popped up on their phones. (To use the app, one must click “I agree.”) There has been a backlash from privacy advocates, which is worth noting here in case you missed that news. WhatsApp has delayed the implementation of the terms of the new privacy policy for a few months so it can address those concerns.

If you are a WhatsApp user and you click “I agree” to that pop-up that you don’t read, here’s a synopsis (not comprehensive) of what you are agreeing to that is not protecting your privacy:

  • WhatsApp can share all data it collects about you with the entire Facebook network (including Instagram), even if you don’t have an account with other parts of the network (e.g., Instagram).
  • If you don’t accept the new terms, you will not have full functionality of the app (which is reported to go live in May).
  • WhatsApp is monetizing the data it collects from you and asks for your consent to use your data to make money.
  • WhatsApp will be providing more information about the changes to the privacy policy through a banner in WhatsApp—this writer thinks you may wish to read the banner and the privacy policy a bit more carefully before you agree.
  • Although your conversations in WhatsApp are private and encrypted, WhatsApp has access to your usage data and your unique identifier, which may be linked to your identity. This is one of the reasons they are asking you to accept the new terms.
  • Facebook is monetizing your data and increasing its revenue by using your usage of WhatsApp to push targeted ads to you on Facebook and Instagram.

The changes to the privacy policy are not really designed to protect your privacy, but rather to get consent to sell your information so businesses can sell things to you. It’s not really a “privacy” policy, it is a “let me monetize your data” policy.

Some users are taking note that they will not agree to the new “privacy” policy and are defecting to Signal, which, as a privacy pro, I prefer for messaging. WhatsApp users may wish to take a look at Signal’s privacy policy and compare it to WhatsApp’s. It can be accessed here.

The Irish Data Protection Commission (DPC) fined Twitter 450,000 euros (about US$546,000) for failing to timely notify the Irish DPC within the required 72 hours of discovering a Q4 2018 breach involving a bug in its Android app, and also for failing to adequately document that breach. The bug caused some 88,726 European Twitter users’ protected tweets to be made public.

The case is notable because it is the first fine levied against a U.S. technology company in a cross-border violation under the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018. Under the GDPR, the member state of the foreign company’s EU headquarters takes the lead on inquiries on behalf of all the EU’s 27 member states. Because Twitter EU’s headquarters are in Ireland, the DPC took the lead on investigating the 2018 breach incident, which Twitter attributed to poor staffing during the holidays.

Pursuant to Article 60 of the GDPR, the Irish DPC submitted its draft decision last May to the other EU DPAs. In the draft decision, the Irish DPC found Twitter’s violations to be negligent, but not intentional or systematic. Other member states disagreed with the Irish DPC draft decision, due in part to the small proposed fine. The Irish DPC’s proposed fine was only a small fraction of the maximum fine amount permitted, which under GDPR is up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher. Twitter’s global annual revenue was reportedly about $60 million in 2018.

The Irish DPC responded to the criticisms from other member states by stating that its proposed fine under the GDPR was an “effective, proportionate and dissuasive measure” and brought the matter before the European Data Protection Board, which upheld most of the decision but directed Ireland to increase the fine.

The Twitter case is just the first of many cases involving U.S. companies before the Irish DPC, as there are some 20 other pending inquiries. Ireland also serves as the EU headquarters for U.S. technology companies such as Facebook, Apple and Google.

The decision is available here.

How will a Biden-Harris presidency affect the U.S. privacy landscape? Let’s take a look.

Federal Privacy Legislation

On both sides of the political aisle there have been draft proposals in the last 18 months on federal privacy legislation. In September, movement actually happened on federal privacy legislation with the U.S. Setting an American Framework to Ensure Data Access, Transparency and Accountability Act. To read the bill, visit https://www.billtrack50.com/BillDetail/1242877.

With a Biden-Harris administration, there is potential for continued movement on federal privacy legislation. This movement would likely come from Congress since both the Republicans and Democrats have previously supported (and are pushing for) privacy bills.

E.U.-U.S. Privacy Shield and Data Transfers

With the 2020 “Schrems II” decision looming over international data transfers, the Biden-Harris administration is likely to pave the way for negotiations with the European Commission for a new version of the Privacy Shield. However, the Schrems II ruling will continue to be a real challenge. The hope is that there can be effective, productive dialogue with the E.U. and that the U.S. can convey the fact that there is a mutually beneficial relationship with intelligence agencies in the U.S. and member states of the E.U.

FTC Enforcement and FCC Rules

During Chairman Joseph Simons’ tenure, the Federal Trade Commission (FTC) has been very active on privacy issues. Examples include the FTC’s enforcement actions against Facebook, Google and YouTube, as well as the Children’s Online Privacy Protection Act (COPPA) rulemaking proceeding held in 2019. Just this past week, the FTC announced a settlement with Zoom for alleged data security failings. While the FTC was certainly busy under a Republican-led agency, it is likely that we will see a heightened level of scrutiny and more enforcement under a Biden-Harris administration. While Chairman Simons can serve until 2024, he might step down, and it is also likely that the FTC will gain more Democratic commissioners.

For the Federal Communications Commission (FCC), a Biden-Harris administration may also lead to a revival of the net neutrality rules.

Cybersecurity

Many experts agree that cyber-attacks are the number one national security threat in the U.S., both from a geopolitical and an economic standpoint. A recent report, the Cyberspace Solarium Commission report, states that one of the biggest reasons for continued cybersecurity issues in the U.S. is the failure of strategy and leadership in this arena, and that now is the time for greater accountability of the government to defend against cyber-attacks.

Big Tech and the U.S.’s International Relationships

There has been a lot of scrutiny on how a Biden-Harris administration will regulate Big Tech in Silicon Valley. Biden has already pledged to create a task force for investigating online harassment, extremism and violence, so it is likely that there will be a focus on privacy, surveillance and hate speech online through some of the Big Tech players in Silicon Valley. We may also see some shifts in the U.S.’s relationship with China when it comes to privacy.

Of course, none of this change will happen overnight, so we’ll be watching as the train chugs forward.

The misinformation on social media about the election results (and other topics) is rampant. Social media companies like Twitter and Facebook are struggling with the balance between the First Amendment right to free speech and false information or exaggerated reports on their platforms and are hiding or flagging those they deem to be false or misleading.

Misinformation and false information do not help anyone get to the truth. Getting news from reliable sources and news outlets, instead of through social media platforms and websites, is usually more reliable because there are standards in the news industry that must be followed by major news organizations regarding content.

In addition, going to unreliable websites to obtain information may put you at a higher risk of a cyber-attack. Cyber criminals and foreign adversaries develop fake websites, and when individuals click on such a website, malware or ransomware is introduced into the system.

Don’t be fooled by false or misleading information on social media platforms or websites. Go directly to the source to stay informed and to stay cyber-safe.