Kansas Gov. Laura Kelly (D) on Wednesday signed an executive order banning the use of TikTok on state-issued devices. Kansas joins a number of states and Congress in banning the Chinese-owned app on government devices (see 2212200074). “I am taking common-sense steps to protect Kansans’ privacy and security,” said Kelly in a statement. “TikTok mines users’ data and potentially makes it available to the Chinese Communist Party -- a threat recognized by a growing group of bipartisan leaders across the United States.” Politicians with “national security concerns should encourage the Administration to conclude its national security review of TikTok,” the company said in a statement. “The agreement under review will meaningfully address any security concerns that have been raised at both the federal and state level. These plans have been developed under the oversight of our country’s top national security agencies -- plans that we are well underway in implementing -- to further secure our platform in the United States, and we will continue to brief lawmakers on them.”
Amazon will stop using non-public marketplace seller data for its retail business, among other commitments accepted Tuesday by the European Commission after an antitrust investigation. The EC in 2020 said the company's reliance on marketplace sellers' non-public business data to calibrate its retail decisions distorted fair competition on its platform and prevented effective competition. It also preliminarily decided Amazon was giving preferential treatment to its own retail business and to sellers that use its logistics and delivery services over other sellers who used Buy Box and Prime. In response, Amazon made several commitments, which the EC market-tested. Amazon then revised its proposal and agreed to commitments such as making the Buy Box offer more prominent; being more transparent with sellers and carriers about the commitments and their new rights under them; and introducing a centralized complaint mechanism for all sellers and carriers to use in case of suspected non-compliance. The EC said the final commitment would ensure the company doesn't use marketplace seller data for its own operations and that it gives non-discriminatory access to Buy Box and Prime. Amazon will be bound by several of the commitments for seven years, and by others for five years, to be monitored by an independent trustee. In case of non-compliance, the EC can, as one option, fine Amazon up to 10% of its total annual revenue without having to first find an infringement of EU antitrust rules. Amazon is pleased it has addressed the EC concerns and resolved the matters, a spokesperson emailed. "While we continue to disagree with several of the preliminary conclusions the European Commission made, we have engaged constructively to ensure that we can continue to serve customers across Europe and support the 225,000 European small and medium sized businesses selling through our stores." 
The European Consumer Group (BEUC) said the agreement should mean Amazon "will offer consumers greater choice on its online marketplace so that consumers can more easily shop around for the best deals." However, users will benefit only if the EC closely monitors compliance, BEUC added. Separately, the EC notified Meta Dec. 19 it tentatively concluded the company violated EU antitrust rules by distorting competition in the markets for online classified ads: "The Commission takes issue with Meta tying its online classified ads service, Facebook Marketplace, to its personal social network, Facebook." It's also concerned the company is "imposing unfair trading conditions on Facebook Marketplace's competitors for its own benefit." Meta can review the EC documents and request a hearing to present its side. The claims are "without foundation," Meta Head of EMEA Competition Tim Lamb emailed. Instead, Meta's product innovation is "pro-consumer and pro-competitive."
NTIA shouldn’t amend GoDaddy’s contractual obligations for domain name management in a way that caters to the EU’s general data protection regulation, Reps. Bob Latta, R-Ohio, and Jan Schakowsky, D-Ill., wrote the agency in a letter dated Dec. 14. The letter raised concerns about “ongoing efforts to modify the contractual obligations for WHOIS between” the U.S. and GoDaddy for “management” of the U.S.’s “country code top-level domain (ccTLD), .US WHOIS” (see 2112170062). Congress has been hard at work for more than a decade on privacy issues, they wrote NTIA Administrator Alan Davidson: “Until Congress passes a privacy bill that addresses these issues, it is not appropriate for the NTIA to pursue the European Union’s General Data Protection Regulation (GDPR) position over the United States’ existing position.” NTIA and GoDaddy didn’t comment.
Senate authors of the Open App Markets Act made the bill worse by removing a “digital safety” clause that allows platforms to handle content moderation violations, the Computer & Communications Industry Association said in a statement Friday (see 2207190043). “Protecting digital safety is a justification companies could use for denying an app for violations of existing content moderation terms of service regarding hate speech, safety, and misinformation,” said CCIA. President Matt Schruers called the change a “deliberate effort to limit content moderation efforts that companies use to eliminate hate speech and misinformation to keep devices safe.”
Europe intends to put people at the heart of the digital transformation, officials said Thursday. European Commission President Ursula von der Leyen, European Parliament President Roberta Metsola and Prime Minister Petr Fiala of the Czech Republic, which currently holds the Council presidency, signed the European Declaration on Digital Rights and Principles proposed by the EC in January. They said the six rights and principles will mean affordable, high-speed connectivity for everyone everywhere; well-equipped classrooms and digitally skilled teachers; seamless access to online public services; a safe digital environment for children; the right to disconnect after working hours; access to easy-to-understand information on the environmental impact of digital products; and ability to control how personal data is used and shared.
The U.S. now ensures an adequate level of personal data protection for trans-Atlantic data flows, the European Commission said Tuesday. It published a draft adequacy decision that it said would resolve the concerns of the European Court of Justice in Schrems II. The decision will now be vetted by the European Data Protection Board, EU governments and the European Parliament. It would require U.S. companies to commit to complying with a detailed set of privacy conditions, such as deleting personal data when it's no longer needed for the purpose for which it was collected, and ensuring that privacy protection continues when personal information is shared with third parties, the EC said. EU citizens would have several avenues for redress if their data is mishandled. U.S. laws provide limitations and safeguards on access to data by public authorities, such as for criminal law enforcement and national security purposes, including new rules introduced by an executive order that addressed issues raised in Schrems II. European companies would be able to rely on these safeguards for data transfers as well as when using other mechanisms such as standard contractual clauses and binding corporate rules. Once the proposed regime has been vetted, the EC will finalize an adequacy decision that will be subject to periodic review. The Computer and Communications Industry Association cheered the development, but warned "legal uncertainty will continue to persist for companies as long as today's draft decision has not been formally approved by EU Member States." It urged governments to "end the two-year impasse as soon as possible."
Facebook, Instagram and WhatsApp face more EU privacy fines. The European Data Protection Board issued binding dispute resolution decisions Tuesday in three cases involving the Meta companies. The decisions resolved differing opinions among various data protection authorities about whether the processing of personal data for the performance of a contract is a sound legal basis for behavioral advertising (Facebook and Instagram) or for service improvement (WhatsApp). It's now up to the Irish Data Protection Commission, which has lead jurisdiction, to adopt the EDPB decisions, after which they will be made public, the board said.
The FTC is seeking comments on a petition from some 20 groups advocating for a rule prohibiting internet services from using certain types of engagement-optimization practices on anyone under 18, the agency said Friday in a Federal Register notice. Comments are due Jan. 3 in docket FTC-2022-0073. The groups include Center for Digital Democracy, Fairplay, Berkeley Media Studies Group, Center for Humane Technology, Children and Screens, Electronic Privacy Information Center and Public Citizen.
Meta violated EU privacy law by enabling automated "data scraping" of personal information, an Irish Data Protection Commission (DPC) investigation found. The inquiry was launched in 2021 based on media reports of the discovery of a collated dataset of Facebook personal data on the internet. The DPC examined the Facebook search, Facebook Messenger contact importer and Instagram contact importer tools in relation to processing Meta carried out between May 2018 and September 2019. The main issues involved whether the company complied with the EU general data protection regulation's requirement for data protection by design and default, said a Monday news release. The decision, backed by all other EU data protection supervisory authorities, requires Meta to bring its personal data processing into compliance and to pay a $275 million (265 million euro) fine. A Meta spokesperson stressed the DPC didn't say the incident constituted a personal data breach, hack or security failing. Meta is cooperating fully and "made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers," he said: The company is "reviewing this decision carefully."
Ireland’s Data Protection Commission is investigating TikTok’s data practices and data transfers to China, European Commission President Ursula von der Leyen confirmed in a letter Monday. FCC Commissioner Brendan Carr drew attention to the letter Tuesday. The DPC is investigating the company’s potential noncompliance with the general data protection regulation (GDPR), she said. She cited “several ongoing proceedings” involving data transfers to China, the processing of minors’ data and “litigation before the Dutch courts (in particular concerning targeted advertising regarding minors and data transfers to China).” She wrote the letter in response to members asking about Chinese government authorities potentially accessing the data of EU citizens. The GDPR applies to situations in which a company in the EU allows access to personal data to an affiliated company outside the EU, she said: The first company must ensure such data transfers don’t compromise EU data protections, specifically when public authorities are involved, she said. A TikTok spokesperson cited a company statement from earlier this year, saying the investigation was initiated in September 2021: "While we can't comment on an ongoing investigation, we're continuing to fully cooperate with the DPC. We're constantly reviewing our policies, processes and technologies to ensure that our community continues to enjoy a safe and secure experience on TikTok."