The heads of House Commerce panels want the big four wireless carriers and other CEOs to describe location sharing deals, which have drawn scrutiny in recent days as some operators end the practice. Commerce Committee ranking member Greg Walden, R-Ore.; Communications Subcommittee ranking member Bob Latta, R-Ohio; Consumer Protection Subcommittee ranking member Cathy McMorris Rodgers, R-Wash.; and Oversight Subcommittee ranking member Brett Guthrie, R-Ky., requested information from T-Mobile, AT&T, Sprint and Verizon and aggregators Zumigo and Microbilt. "This practice of selling and sharing of location information through multiple entities potentially impacts hundreds of millions of American customers," they wrote the companies Wednesday. "We are deeply troubled because it is not the first time we have received reports and information about the sharing of mobile users’ location information involving a number of parties who may have misused personally identifiable information." Legislators want answers to several questions by Jan. 30. Like AT&T and Verizon, Sprint will end location data-sharing agreements (see 1901110042) with third parties, including deals companies consider beneficial to customers like roadside assistance, a spokesperson emailed Wednesday. Sprint ended deals with data aggregators last year but maintained arrangements impacting things like roadside assistance and bank fraud, the spokesperson said: “We implemented new, more stringent safeguards to help protect customer location data, but as a result of recent events, we have decided to end our arrangements with data aggregators.” The FCC didn’t comment. AT&T cited a previous statement about ending such agreements, and the others didn't comment.
FCC Chairman Ajit Pai should enforce customer proprietary network information rules protecting privacy for VoIP data, Public Knowledge said Wednesday. PK, which also asked for FTC collaboration, demanded action after a report claiming Voipo allegedly “exposed millions of consumer call logs and text messages stored on an ‘improperly secured’ ElasticSearch database for several months” before it was found by a security researcher. Pai must “hold companies that fail to adequately protect call records accountable. Failure to do so will make it clear to carriers, Congress and consumers that the supposed ‘cop on the beat’ is asleep at the wheel,” said PK Senior Vice President Harold Feld. The FCC and FTC didn't comment during their partial shutdown. A Voipo spokesperson cited comments from CEO Timothy Dick that there's no reason to believe any customers were affected "based on log data and analysis," but any "potential exposure is unacceptable."
Companies that don't properly consider human rights risk "reputational harm, financial loss ... shareholder lawsuits, and dissatisfaction" from employees and customers, a group of nearly 50 investors said in endorsing New America's index (see 1804250022) from April. Investor Alliance for Human Rights members Boston Common Asset Management, Mercy Investment Services, NEI Investments and Robeco signed. The index recommends tech and telecom companies not wait for new laws to pass to improve data privacy policies. It suggests regular impact assessments to determine how products and services affect user expression and privacy, “effective grievance and remedy mechanisms” and comprehensive transparency reports on data collection.
The National Institute of Standards and Technology should offer best practices (see 1812170032) so companies can demonstrate compliance with various national privacy “obligations,” Information Technology Industry Council commented Monday. Develop a road map with the framework, providing accessible language for “identifying, assessing, managing and communicating privacy risks,” ITI asked. The U.S. is at a “critical” moment for evaluating consumer privacy protections, said BSA|The Software Alliance Policy Director Shaundra Watson, and hopefully NIST’s effort leads to “a useful tool that will help companies strengthen their privacy practices.”
Congress should replace a patchwork of state and federal privacy laws with one “common set of protections,” the Information Technology & Innovation Foundation said Monday. That single federal data privacy law should pre-empt state laws and replace laws like the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act, said Vice President Daniel Castro and Senior Policy Analyst Alan McQuinn. They said the law should promote business and innovation, saying economies with strict privacy laws like the EU are falling behind: “Of the top 200 digital firms, only 8 are European.”
Sen. Ron Wyden, D-Ore., is urging the FCC and the FTC to investigate whether AT&T, T-Mobile and Sprint sold customers' real-time location data to bounty hunters (see 1901080046), a Wyden aide said Wednesday. Wyden told reporters that companies will continue to abuse data unless they are faced with real penalties under a new privacy law, calling it “wash, rinse and repeat.” FCC Commissioner Jessica Rosenworcel also called for her agency to investigate. Motherboard reported Sens. Kamala Harris, D-Calif., and Mark Warner, D-Va., also urged investigations. Agencies and Congress "should continue to hold hearings to shine a light on these practices, and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold," Warner said through a spokesperson. Harris' office didn't comment immediately. Wyden previously called for a probe.
Telcos selling location data of Americans is “a nightmare for national security,” Sen. Ron Wyden, D-Ore., tweeted Tuesday. He responded to a report claiming AT&T, T-Mobile and Sprint sold customers' real-time location data, which ended up in bounty hunters’ possession. Wyden cited T-Mobile CEO John Legere for allegedly telling the lawmaker “his company would stop selling customer location data to shady third parties.” FCC Commissioner Jessica Rosenworcel urged an immediate investigation. “We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law,” an AT&T spokesperson said. “Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for Microbilt as we investigate these allegations.” T-Mobile and Sprint didn't comment.
Former AT&T Senior Executive Vice President Bob Quinn said he joined Wilkinson Barker (see the personals section of the Jan. 4 issue) with an eye on building its privacy practice. Chief privacy officer at AT&T for five years, Quinn left in May because of controversy over the company's hiring of Donald Trump personal lawyer Michael Cohen (see 1805110029). Now, Quinn said he wants to focus on privacy. “With all of the data breaches, companies have spent a lot of money in the area of cyber focused on data breach and trying to understand where their weaknesses are, because nobody wants to be the next headline,” Quinn told us Thursday. “In the area of privacy, I don’t think people have spent the money to understand what data they’re holding onto, what data they’re collecting, how they’re using it, what disclosures they’re making to consumers.” Lack of focus on the collection of data “left a bad taste in the mouth” of European regulators and that’s why they approved the EU general data protection regulation, he said. Similarly, that’s why California lawmakers approved a state privacy law last summer (see 1806280054), he said. “Ultimately, we’re going to have a federal law and right now is the time where people are really kind of screaming for more information on privacy, especially with this debate heating up in the next year on Capitol Hill,” Quinn said. “I think a privacy law is coming.” How GDPR unfolds will have an impact in the U.S., he said.
Facebook partnerships with other companies didn’t allow access to personal data without consent, nor did they violate a 2012 consent decree with the FTC, Director-Developer Platforms and Programs Konstantinos Papamiltiadis responded Tuesday. The New York Times reported, based on 2017 documents, Facebook gave access to personal data, sometimes allegedly without consent, to Microsoft, Apple, Netflix, Spotify, Amazon, Yahoo and Russia Kremlin-linked search company Yandex. The agreements let users integrate Facebook features on other apps, Papamiltiadis said, and it has since ceased many such partnerships. Agreements remain active with Amazon, Apple, Alibaba, Mozilla and Opera, he said. Authorization to the data is granted when a user logs into apps through Facebook, he said. The FTC should consider these new allegations in its current Facebook investigation, and Congress needs to move forward with legislation in 2019, Public Knowledge Policy Counsel Charlotte Slaiman said. Washington, D.C., Attorney General Karl Racine (D) Wednesday sued Facebook for mishandling user data in the Cambridge Analytica scandal and failing to report the breach. Racine seeks “monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District” for violating D.C.'s Consumer Protection Procedures Act. “We’re reviewing the complaint and look forward to continuing our discussions with attorneys general,” a Facebook spokesperson emailed. "If there's one complaint filed in court in the District of Columbia you consider reading today, make it this one: http://oag.dc.gov/sites/default/," tweeted FCC Commissioner Jessica Rosenworcel.
U.S. authorities "are living up to their commitments" and Privacy Shield works, but the European Commission may be forced to act if no permanent ombudsman is appointed by Feb. 28, European Justice, Consumers and Gender Equality Commissioner Vera Jourova told reporters Wednesday. Such actions could include limiting access by U.S. government bodies to Europeans' personal information or even suspending PS, she said. Despite the warning, the EC's second review of the trans-Atlantic personal data transfer system showed the U.S. has implemented most recommendations from last year's report, she said. Asked why it has taken so long to put an ombudsman in place, Jourova said that in March 2017, the U.S. administration asked her to be patient because so many posts needed Senate confirmation. Now, she said, "my patience is coming to an end." The report noted that as of now, "the Ombudsman mechanism had not yet received any requests," but a complaint to the acting ombudsman "had been submitted to the Croatian data protection authority and the relevant checks were ongoing." If the EC is "forced to take steps" over the appointment, it could amend PS in ways that could make compliance by U.S. companies more cumbersome or suspend the system altogether, Jourova said. The review found the Department of Commerce boosted its certification process and introduced new oversight procedures, including requiring first-time applicants to refrain from advertising their membership until their certification is complete. DOC also is "actively" using tools to catch companies that falsely claim membership and has referred more than 50 cases to the FTC, which took enforcement actions when needed, the EC said. The FTC has started issuing administrative subpoenas to seek information from some shield participants, it said. 
The review noted growing discussion in DOC and FTC on a federal approach to data privacy, and cheered the naming of a full quorum of Privacy and Civil Liberties Oversight Board members. The FTC "welcomes the European Commission’s conclusion that Privacy Shield continues to provide an adequate level of protection," a spokesperson emailed. The DOC and its NTIA and International Trade Administration had no comment. The Computer & Communications Industry Association commended the "thorough review."