Ireland's data protection agency has fined Twitter $547K for exposing private user tweets to the public. The breach resulted from a bug in Twitter's "Protect my tweets" tool that affected Android phone users. The fine was issued for Twitter's inadequate notification and documentation.

More:

• This marks the Irish regulator's first fine on a multinational tech firm for violating the EU's General Data Protection Regulation (GDPR).
• The data protection agencies from Austria, Germany, Italy, and Hungary objected that the fine was too low and would not dissuade companies from future GDPR violations.
• In response to the criticism, the Irish Data Protection Commissioner asserted that the fine was "effective, proportionate, and dissuasive."

The Federal Trade Commission (FTC) is requiring nine social media and video streaming sites and apps to provide details about how they collect and use consumers' personal information. The companies must also provide data on advertising, user engagement practices, and practices related to children and teens.

More:

• The companies are Facebook, Twitter, Amazon, YouTube, Discord, Reddit, Snap, WhatsApp, and ByteDance, owner of TikTok.
• In particular, the FTC wants to know whether the companies apply algorithms or data analytics to personal information.
• Three of the commissioners issued a statement accompanying the order in which they warned: "Never before has there been an industry capable of surveilling and monetizing so much of our personal lives." 
• The companies have 45 days to respond to the FTC. 

Apple is rolling out new data privacy labels for apps on the Apple App Store. The labels describe the privacy practices of the app so users can see them before they download the app.

More:

• Developers and their third-party partners are required to provide information on the types of data their apps collect and whether it is used to track them.
• Apple is exempting certain data from health research apps and regulated financial services apps from the label requirement.
• Developers will be able to explain their reasons for their data collection, but users will have to click through two sets of links to see those reasons.

Facebook intends to have its U.K. users sign user agreements with its headquarters in California next year, moving them out of reach of the European Union's data privacy laws. Currently, U.K. users have agreements with Facebook's Irish unit, which is covered by the General Data Protection Regulation (GDPR).

More:

• The U.K. users will still be subject to the U.K. privacy law, which for now correspond with the GDPR.
• The British government is currently negotiating its final exit deal with the European Union.
• Google plans a similar move to shift U.K. users to U.S. user agreements.

Given the wave of new privacy laws and a shift in consumer expectations, privacy can no longer be treated as a bolt-on feature for business, argues Mike Farrell, Transcend's chief technology officer. Farrell lays out six engineering principles that CPOs can employ to enable their firms to keep up with these laws and expectations. Here are two of them:

1. Employ a clean technical framework that scales
2. Improve inconsistent or unreliable services

For more, please click on this link.

California has launched a new COVID-19 exposure notification app that could pose privacy and data security risks. The mobile app, CA Notify, is based on the API developed by Google and Apple and in use by 20 other states. The app uses the phone's Bluetooth feature to alert users if they have been in close contact with someone who tested positive for COVID-19.

More:

• The Electronic Frontier Foundation (EFF) expressed concern that the API has not been subject to third-party audits and penetration testing.
• At the same time, EFF said the API allows informed, voluntary, opt-in consent and data minimization and enables users to uninstall the app, turn off the functionality, and opt-out.
• In addition, the API does not track user location, and it keeps all the user’s identifiers on the device. 

There is a global trend toward stricter data privacy regulations and higher penalties for violators. The trend was kicked off by the EU's General Data Protection Regulation (GDPR) in 2018 and led to new data privacy laws in Brazil, Kenya, New Zealand, and the U.S. state of California. Next up appears to be Canada, which recently introduced an overhaul of its data privacy law modeled on GDPR.

More:

• The Canadian legislation, Bill C-11, would significantly expand the privacy rights of individuals and impose hefty fines for violators. 
• Brazil's new privacy law, modeled on GDPR, took effect in August of this year. 
• New Zealand's updated Privacy Act 2020 went into force earlier this month.

QUICK HITS:

• Next year, some states are likely to follow the New York Shield Act in setting clear regulatory standards for reasonable data protection.
• Skyflow, a Palo Alto, Calif.-based privacy API startup, has raised $17.5M in a Series A funding round led by Canvas Ventures.
• The ACLU of Louisiana has obtained emails that show the New Orleans Police Department has been using facial recognition technology despite repeated denials.