CURRENT MONTH (May 2021)
Data Privacy
FTC Orders Destruction of Algorithms Derived From Privacy Violations
By Dredeir Roberts, Business Law Fellow and In House Counsel at Core States Group
On May 6, 2021 the Federal Trade Commission (FTC) approved its Final Order against Everalbum, Inc. (Ever) for privacy violations under Section 5 of the FTC Act. Ever is a cloud photo storage app that was found to have misrepresented to its users the full extent of its use of users’ photos. Ever created facial recognition algorithms and models by using app users’ photos without their permission. As such, the FTC ordered Ever not only to destroy its users’ data, but also the algorithms and models that Ever created from its misuse of the data. This Order serves as an escalation of the FTC’s enhanced focus on algorithms created by a company’s misuse of user data.
Cybersecurity
Biden Executive Order Seeks Greater Cybersecurity Measures
Delali Agblevor, University of Maryland Carey School of Law
On May 12, 2021, President Joe Biden issued an executive order to improve cybersecurity in the federal government. Exec. Order No. 14028, 86 Fed. Reg. 26,633 (May 17, 20201). The order is intended to enhance and standardize cybersecurity measures throughout the federal government, with a particular focus on mitigating problems that led to recent major cyber incidents and threats. To accomplish this, President Biden highlights the need to modernize federal government cybersecurity through measures such as increasing cloud security and utilizing more early detection programs for cyber incidents. This also includes requiring the private sector to partner with the government to secure U.S. cyberspace through:
A. Government review and update of the language of operational technology (systems that run safety machinery) and information technology (systems that process data) service contracts to require private sector service providers to collect, preserve, and share data related to actual or potential cyber incidents that occur in systems they control that the federal government uses.
B. The government will publish guidelines to secure the “critical software” (software that performs functions such as providing elevated system privileges or direct access to the network) supply chain, requiring private sector developers and suppliers to use enhanced security measures in their production and delivery of critical software.
C. Homeland Security and the Attorney General will establish a Cyber Safety Review Board comprising of government officials and private stakeholders that will review and assess threat activity, vulnerabilities, mitigation, and agency responses to significant cyber incidents.
Dial It Up, America! – Mere Statutory Violations Do Not Rise to the Level of “Injury-in-Fact” for TCPA Standing.
By Alyssa M. Radovanovich, University of Maryland Francis King Carey School of Law
In a non-precedential decision, the U.S. Court of Appeals for the Third Circuit held that a mere statutory violation cannot alone fulfill the “injury in fact” element of Article III standing to sue under the Telephone Consumer Protection Act of 1991 (“TCPA”). Leyse v. Bank of Am. Nat’l Ass’n, No. 20-1666 (3d Cir. filed May 19, 2021).
On March 11, 2005, Mark Leyse answered a call from DialAmerica Marketing, Inc.—on behalf of Bank of America—on his shared landline. DialAmerica did not have a sales representative available for the call and played a prerecorded-telemarketing message. Leyse sued Bank of America in a class action lawsuit with the complaint containing a single count alleging violation of the TCPA.
Leyse did not allege that he suffered any nuisance, annoyance, inconvenience, wasted time or other injury. Accordingly, the district court found that Leyse suffered no harm and had failed to establish Article III standing, and granted summary judgment in favor of Bank of America.
On appeal, Leyse argued that Article III standing does not require any allegations of harm beyond the statutory violations under the TCPA. The Court of Appeals maintained that the TCPA is intended to prevent harm relating to nuisance, invasion of privacy and other such injuries. Leyse failed to allege even one of those injuries. Without a concrete harm, the Court of Appeals concluded that Leyse lacked Article III standing and affirmed the district court’s grant of summary judgment.
CRS Issues Report on FERPA Privacy Concerns
By Soumya Venkateswaran, Temple University Beasley School of Law
In May 2021, the Congressional Research Service (CRS) issued a report on the Family Educational Rights and Privacy Act, also known as FERPA, a federal statute that regulates the handling, and protects the privacy of student education records. Jared P. Cole, U.S. Congressional Research Service, The Family Educational Rights and Privacy Act (FERPA): Legal Issues (R46799; May 24, 2021). Generally, FERPA gives parents the right to access and review their children’s education records, but also prohibits schools from releasing personally identifiable information in students’ education records without the written consent of parents. FERPA only applies, however, to educational agencies and institutions that receive certain types of financial assistance from the U.S. Department of Education.
The report discusses what qualifies as an “education record,” what material is explicitly or implicitly exempted from FERPA coverage, and, if material can be exempted from FERPA coverage, what requirements a school or school official must satisfy to support an exemption from FERPA coverage.
Concerns about protecting education records and students’ information from improper disclosure have increased due to the major expansion of third-party software used by schools, for at-home student learning, during the COVID-19 pandemic. In light of the pandemic and concerns about the maintenance and use of student records by third parties authorized to receive them for a particular purpose, the CRS report suggests that Congress might be persuaded to amend FERPA. Congress, for instance, might decide to define schools’ and other parties’ obligations more narrowly or even consider providing students or parents a private right of action to sue for FERPA violations.
