The Supreme Court should “narrow the scope” of Communications Decency Act Section 230 and reverse the 9th Circuit’s decision shielding YouTube from liability in Gonzalez v. Google (docket 21-1333), Texas Attorney General Ken Paxton (R) wrote in a merits-stage amicus brief announced Thursday (see 2212070026). The 9th U.S. Circuit Court of Appeals in June 2021 dismissed a lawsuit against YouTube for hosting and recommending ISIS proselytizing and recruitment videos. The 9th Circuit affirmed a decision from the U.S. District Court for the Northern District of California shielding YouTube and its algorithms from liability. Plaintiff in the litigation and SCOTUS petitioner is the estate of Nohemi Gonzalez, an American student who was killed in Paris in 2015 during an ISIS attack. The petitioner asked SCOTUS to revisit the 9th Circuit's decision. Google didn’t comment. The case is scheduled for oral argument on Feb. 21 (see 2212190042). Though Section 230 was designed in 1996 to allow online publishers narrow protections from defamation liability, courts have “misinterpreted the law and allowed it to become a nearly all-encompassing blanket protection for certain companies, specifically internet and Big Tech companies,” Paxton said. These limitless legal protections prevent states from holding Big Tech accountable for law violations, even when infractions are unrelated to content publishing, said Paxton.

Kansas Gov. Laura Kelly (D) on Wednesday signed an executive order banning the use of TikTok on state-issued devices. Kansas joins a number of states and Congress in banning the Chinese-owned app on government devices (see 2212200074). “I am taking common-sense steps to protect Kansans’ privacy and security,” said Kelly in a statement. “TikTok mines users’ data and potentially makes it available to the Chinese Communist Party -- a threat recognized by a growing group of bipartisan leaders across the United States.” Politicians with “national security concerns should encourage the Administration to conclude its national security review of TikTok,” the company said in a statement. “The agreement under review will meaningfully address any security concerns that have been raised at both the federal and state level. These plans have been developed under the oversight of our country's top national security agencies -- plans that we are well underway in implementing -- to further secure our platform in the United States, and we will continue to brief lawmakers on them."

Amazon will stop using non-public marketplace seller data for its retail business, among other commitments accepted Tuesday by the European Commission after an antitrust investigation. The EC in 2020 said the company's reliance on marketplace sellers' non-public business data to calibrate its retail decisions distorted fair competition on its platform and prevented effective competition. It also preliminarily decided Amazon was giving preferential treatment to its own retail business and to sellers that use its logistics and delivery services over other sellers who used Buy Box and Prime. In response, Amazon made several commitments, which the EC market-tested. Amazon then revised its proposal and agreed to commitments such as making the Buy Box offer more prominent; being more transparent with sellers and carriers about the commitments and their new rights under them; and introducing a centralized complaint mechanism for all sellers and carriers to use in case of suspected non-compliance. The EC said the final commitment would ensure the company doesn't use marketplace seller data for its own operations and that it gives non-discriminatory access to Buy Box and Prime. Amazon will be bound by several of the commitments for seven years, and by others for five years, to be monitored by an independent trustee. In case of non-compliance, the EC can, as one option, fine Amazon up to 10% of its total annual revenue without having to first find an infringement of EU antitrust rules. Amazon is pleased it has addressed the EC concerns and resolved the matters, a spokesperson emailed. "While we continue to disagree with several of the preliminary conclusions the European Commission made, we have engaged constructively to ensure that we can continue to serve customers across Europe and support the 225,000 European small and medium sized businesses selling through our stores." The European Consumer Group (BEUC) said the agreement should mean Amazon "will offer consumers greater choice on its online marketplace so that consumers can more easily shop around for the best deals." However, users will benefit only if the EC closely monitors compliance, BEUC added. Separately, the EC notified Meta Dec. 19 it tentatively concluded the company violated EU antitrust rules by distorting competition in the markets for online classified ads: "The Commission takes issue with Meta tying its online classified ads service, Facebook Marketplace, to its personal social network, Facebook." It's also concerned the company is "imposing unfair trading conditions on Facebook Marketplace's competitions for its own benefit." Meta can review the EC documents and request a hearing to present its side. The claims are "without foundation," Meta Head of EMEA Competition Tim Lamb emailed. Instead, Meta's product innovation is "pro-consumer and pro-competitive."

NTIA shouldn’t amend GoDaddy’s contractual obligations for domain name management in a way that caters to the EU’s general data protection regulation, Reps. Bob Latta, R-Ohio, and Jan Schakowsky, D-Ill., wrote the agency in a letter dated Dec. 14. The letter raised concerns about “ongoing efforts to modify the contractual obligations for WHOIS between” the U.S. and GoDaddy for “management” of the U.S.’s "country code top-level domain (ccTLD), .US WHOIS" (see 2112170062). Congress has been hard at work for more than a decade on privacy issues, they wrote NTIA Administrator Alan Davidson: “Until Congress passes a privacy bill that addresses these issues, it is not appropriate for the NTIA to pursue the European Union’s General Data Protection Regulation (GDPR) position over the United States’ existing position.” NTIA and GoDaddy didn’t comment.

Senate authors of the Open App Markets Act made the bill worse by removing a “digital safety” clause that allows platforms to handle content moderation violations, the Computer & Communications Industry Association said in a statement Friday (see 2207190043). “Protecting digital safety is a justification companies could use for denying an app for violations of existing content moderation terms of service regarding hate speech, safety, and misinformation,” said CCIA. President Matt Schruers called the change a “deliberate effort to limit content moderation efforts that companies use to eliminate hate speech and misinformation to keep devices safe.”

Europe intends to put people at the heart of the digital transformation, officials said Thursday. European Commission President Ursula von der Leyen, European Parliament President Roberta Metsola and Prime Minister Petr Fiala of the Czech Republic, which currently holds the Council presidency, signed the European Declaration on Digital Rights and Principles proposed by the EC in January. They said the six rights and principles will mean affordable, high-speed connectivity for everyone everywhere; well-equipped classrooms and digitally skilled teachers; seamless access to online public services; a safe digital environment for children; the right to disconnect after working hours; access to easy-to-understand information on the environmental impact of digital products; and ability to control how personal data is used and shared.

The U.S. now ensures an adequate level of personal data protection for trans-Atlantic data flows, the European Commission said Tuesday. It published a draft adequacy decision that it said would resolve the concerns of the European Court of Justice in Schrems II. The decision will now be vetted by the European Data Protection Board, EU governments and the European Parliament. It would require U.S. companies to commit to complying with a detailed set of privacy conditions, such as deleting personal data when it's no longer needed for the purpose for which it was collected, and ensuring that privacy protection continues when personal information is shared with third parties, the EC said. EU citizens would have several avenues for redress if their data is mishandled. U.S. laws provide limitations and safeguards on access to data by public authorities, such as for criminal law enforcement and national security purposes, including new rules introduced by an executive order that addressed issues raised in Schrems II. European companies would be able to rely on these safeguards for data transfers as well as when using other mechanisms such as standard contractual clauses and binding corporate rules. Once the proposed regime has been vetted, the EC will finalize an adequacy decision that will be subject to periodic review. The Computer and Communications Industry Association cheered the development, but warned "legal uncertainty will continue to persist for companies as long as today's draft decision has not been formally approved by EU Member States." It urged governments to "end the two-year impasse as soon as possible."

Facebook, Instagram and WhatsApp face more EU privacy fines. The European Data Protection Board issued binding dispute resolution decisions Tuesday in three cases involving the Meta companies. The decisions resolved differing opinions among various data protection authorities about whether the processing of personal data for the performance of a contract is a sound legal basis for behavioral advertising (Facebook and Instagram) or for service improvement (WhatsApp). It's now up to the Irish Data Protection Commission, which has lead jurisdiction, to adopt the EDPB decisions, after which they will be made public, the board said.

The FTC is seeking comments on a petition from some 20 groups advocating for a rule prohibiting internet services from using certain types of engagement-optimization practices on anyone under 18, the agency said Friday in a Federal Register notice. Comments are due Jan. 3 in FTC-2022-0073 docket. The groups include Center for Digital Democracy, Fairplay, Berkeley Media Studies Group, Center for Humane Technology, Children and Screens, Electronic Privacy Information Center and Public Citizen.

Meta violated EU privacy law by enabling automated "data scraping" of personal information, an Irish Data Protection Commission (DPC) investigation found. The inquiry launched in 2021 based on media reports of the discovery of a collated dataset of Facebook personal data on the internet. The DPC examined Facebook search, Facebook Messenger contact importer and Instagram contact importer tools about processing Meta carried out between May 2018 and September 2019. The main issues involved whether the company complied with the EU general data protection regulation's requirement for data protection by design and default, said a Monday news release. The decision, backed by all other EU data protection supervisory authorities, requires Meta to bring its personal data processing into compliance and to pay a $275 million (265 million euro) fine. A Meta spokesperson stressed the DPC didn't say the incident constituted a personal data breach, hack or security failing. Meta is cooperating fully and "made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers," he said: The company is "reviewing this decision carefully."