WhatsApp Ireland owes $6 million (5.5 million euros) for data processing violations, the Irish Data Protection Commission said Thursday. The investigation arose from a 2018 German complaint. Before the EU general data protection regulation (GDPR) took effect May 25, 2018, the company updated its terms of service to tell users that if they wanted to have continued access to the service under the GDPR, they would have to click "agree and continue" to accept the revised terms. WhatsApp contended that once the terms of service were accepted, a company-user contract existed and the processing of user data in connection with the delivery of WhatsApp services was necessary for performance of the contract, making its processing operations legal under the GDPR's "contract" legal basis. The complainant argued that WhatsApp Ireland was trying to rely on consent as the legal basis for processing, and that by forcing users to consent to having their data processed for service improvement and security, the company breached the GDPR. The DPC said WhatsApp breached its obligation for transparency by not making its legal basis clear to users, leaving them uncertain about what processing operations were being carried out on their personal data, for what purposes and under what GDPR legal basis. That lack of transparency violated the regulation, but the DPC, having imposed a fine of 225 million euros on the company earlier, didn't suggest another penalty. The regulator also found, however, that in principle, the GDPR didn't preclude WhatsApp from relying on the contract legal basis. Several other data protection authorities objected to the conclusions, so the DPC referred the disputed points to the European Data Protection Board. It backed Ireland's findings of a breach of transparency obligations but rejected its view that WhatsApp could rely on the contract legal basis for processing people's personal data. The board's decision is binding, and WhatsApp now has six months to comply with the GDPR. The EDPB also ordered the DPC to look into all of WhatsApp Ireland's processing operations, but the DPC said the board doesn't have jurisdiction to order an "open-ended and speculative investigation." If the order amounts to EDPB overreach, the DPC said, it could appropriately ask the European Court of Justice to annul it. A similar dispute between the EDPB and DPC arose earlier this month involving Meta Ireland (see 2301040014). WhatsApp said it will appeal the decision. The company believes "the way the service operates is both technically and legally compliant," a spokesperson emailed.

Wisconsin became the latest state to ban the use of TikTok on government devices (see 2212280048). Gov. Tony Evers (D) announced an executive order Thursday banning the Chinese-owned app on state-issued devices. TikTok has been banned on federal government devices (see 2212270051) and government devices in more than 20 states. The list includes Alabama, Florida, Georgia, Idaho, Louisiana, New Jersey, New Hampshire, Maryland, Ohio, Pennsylvania, South Carolina, Texas, Utah and Virginia.

The National Institute of Standards and Technology’s Information Security and Privacy Advisory Board will meet March 1 and 2, starting at 10 a.m. each day, said a Thursday Federal Register notice. The meeting will be at the Grand Hyatt Washington, Quarter Penn A, 1000 H St. NW. Discussion topics include “Risk Framework Uses by U.S. Federal Agencies” and Office of Management and Budget Memo M–22–18 on “Enhancing the Security of the Software Supply Chain Through Secure Software,” the notice said.

Antitrust enforcers should “redouble” efforts to ensure competitive markets as Big Tech companies look to “entrench” themselves in the auto industry, more than 20 advocacy groups wrote FTC Chair Lina Khan and DOJ Antitrust Division Chief Jonathan Kanter Wednesday. Demand Progress, Fight for the Future, Media Alliance, Open Markets Institute, Our Revolution, Progress America, Public Citizen and Tech Oversight Project signed the letter. Google, Apple, Meta and Amazon are expanding into auto markets, the letter said, and “will ignore plain-language laws and regulations designed to protect competition, circumvent consumer privacy laws, and use their considerable market weight to disadvantage smaller competitors.”

TikTok isn’t a national security threat and shouldn’t be subject to a government ban, said Georgia Institute of Technology’s Internet Governance Project in a report this week (see 2212270051). The group said all “evidence indicates that TikTok is a commercially motivated enterprise and not a tool of the Chinese state,” saying the app isn’t “exporting censorship” and the personal data it collects “is very similar to the data collected by its peer competitors.” A ban on the app, as several U.S. lawmakers have proposed (see 2212200074), would “impose unfair harms on millions of innocent American users of the app” and “risk retaliation against American businesses by China,” said the group, composed of professors, researchers and students at Georgia Tech's School of Public Policy. A ban could give other countries “fuel for hitting US firms with tech-nationalist and data protectionist policies." The “attack” on TikTok is “really a kind of proxy war waged by a specific political faction” in the U.S. that “wants to fully decouple the US and Chinese economies because it sees US-China relations entirely as a zero-sum struggle for world dominance, and rejects peaceful co-existence,” the report said. “This faction can further its agenda by presenting any form of economic interaction with the Chinese economy as a national security threat. The attack on TikTok takes this logic to an absurd extent. Our analysis of the national security risks of TikTok exposes how indiscriminate and weak their case is, and how destructive it can be.” The Biden administration and TikTok in September reportedly drafted a preliminary agreement to resolve national security concerns raised by ByteDance, TikTok’s Chinese owner, which would ultimately involve a mitigation agreement overseen by the Committee on Foreign Investment in the U.S.

Meta Ireland owes $414 million (390 million euros) for data processing breaches in connection with its Facebook and Instagram services, the Irish Data Protection Commission said Wednesday. It fined the company $223 million for EU general data protection regulation (GDPR) violations by Facebook and $191 million for those by Instagram. It gave Meta three months to bring its data processing operations into compliance. Meta said it will appeal. The 2018 cases involved complaints about the two services over whether Meta could lawfully, under the then newly effective GDPR, change the legal basis it relied on to legitimize the processing of users' personal data for such things as behavioral advertising from user consent to a "contract" basis. The DPC provisionally found several breaches and submitted its findings to other data protection regulators, some of which objected to various parts of the decisions. When no agreement could be reached, the DPC referred the disputed points to the European Data Protection Board. It largely upheld Ireland's position that Meta couldn't rely on the "contract" legal basis for delivery of behavioral advertising and that its processing of user data to date, in reliance on that legal basis, violated the GDPR. However, the DPC said, the board tried to order it to launch a new investigation into all of Facebook and Instagram's data processing operations. The EDPB, however, "does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation." If the EDPB is overreaching, the DPC said, it will ask the European Court of Justice to annul the order. Meta said it intends to appeal the "substance of the rulings and the fines." The debate on legal bases for processing personal data "has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area." Meta believes it fully complies "with the GDPR in relying on Contractual Necessity for behavioural ads given the nature of our services."

Conflict between the FTC and DOJ over antitrust jurisdiction is “infrequent” despite jurisdictional overlap, the GAO said Tuesday. There have been questions about “areas of conflict” between DOJ and FTC over antitrust enforcement actions, the report said, citing a House report included in the Consolidated Appropriations Act directing GAO to study DOJ and FTC antitrust actions. GAO found DOJ and the FTC have “an interagency clearance process to identify which agency will take on an antitrust case, and instances of conflict rarely occur,” the GAO said. “In addition, after an investigative agency is determined through the clearance process, the other agency rarely interferes or comments on that investigation.”

One of President Joe Biden’s top advisers on competition and tech policy is leaving the White House. Tim Wu, special assistant to the president for competition and tech policy, confirmed the news Tuesday on Twitter, saying this is his last week at the White House: “It has been a terrific ride and we did more over the last 2 years than I would have imagined possible.” Wu’s progressive views on reining in Big Tech have been compared to those of FTC Chair Lina Khan and DOJ Antitrust Division Chief Jonathan Kanter (see 2107200070). The White House said Wu plans to return to teaching at Columbia University. Bharat Ramamurti, deputy director-National Economic Council, will oversee the White House’s competition and tech agenda. Elizabeth Kelly, NEC special assistant to the president, will cover tech policy, and Hannah Garden-Monheit, also special assistant, will cover competition policy, “with additions to the competition team in the coming months,” the White House said.

The tech industry’s “scare tactic” ad campaigns have resulted in weaker consumer protection in the U.S. than in the EU, former FCC Chairman Tom Wheeler blogged Wednesday. The estimated $100 million the industry has spent in recent ads against privacy and antitrust legislation doomed bipartisan bills that advanced through various committees on Capitol Hill, he wrote for the Brookings Institution, where he's a visiting fellow. Wheeler lamented the failure of Congress to pass the Kids Online Safety Act (see 2212200069), the Open App Markets Act and the American Innovation and Choice Act, as well as the American Data Protection and Privacy Act. Meanwhile, the EU enacted the Digital Markets Act. The “actions of American companies appear to only benefit European consumers,” he wrote. “It will be interesting to see what Big Tech and their industry association do in the next Congress” when confronted with consumer needs in the U.S.

The Supreme Court should “narrow the scope” of Communications Decency Act Section 230 and reverse the 9th Circuit’s decision shielding YouTube from liability in Gonzalez v. Google (docket 21-1333), Texas Attorney General Ken Paxton (R) wrote in a merits-stage amicus brief announced Thursday (see 2212070026). The 9th U.S. Circuit Court of Appeals in June 2021 dismissed a lawsuit against YouTube for hosting and recommending ISIS proselytizing and recruitment videos. The 9th Circuit affirmed a decision from the U.S. District Court for the Northern District of California shielding YouTube and its algorithms from liability. Plaintiff in the litigation and SCOTUS petitioner is the estate of Nohemi Gonzalez, an American student who was killed in Paris in 2015 during an ISIS attack. The petitioner asked SCOTUS to revisit the 9th Circuit's decision. Google didn’t comment. The case is scheduled for oral argument on Feb. 21 (see 2212190042). Though Section 230 was designed in 1996 to allow online publishers narrow protections from defamation liability, courts have “misinterpreted the law and allowed it to become a nearly all-encompassing blanket protection for certain companies, specifically internet and Big Tech companies,” Paxton said. These limitless legal protections prevent states from holding Big Tech accountable for law violations, even when infractions are unrelated to content publishing, said Paxton.