Cyber Week in Review: December 18, 2015

Here is a quick round-up of this week’s technology headlines and related stories you may have missed. Given the upcoming holiday season, please note that this will be the last week in review post of the year.

1. The European Union agrees to a revamped data protection law. After nearly four years of negotiation, the European Parliament, the European Commission, and EU member states have agreed to a data protection legislative package. The package will provide EU residents with a right to know when their personal information held by a third party, such as a social network or data broker, has been compromised, a right to require the deletion of information collected about them, and a right to easily transfer data from one provider to another. Companies will be required to be more explicit in how they use customer data and seek customer consent every time the company wishes to use the data in a manner the customer has not explicitly authorized. Firms that run afoul of the new rules are liable to a fine of up to four percent of their global revenue. According to Ars Technica, if ever Google were found to have violated the law, it could face fines of about $2.5 billion. On the bright side, firms that collect personal data now only have to answer to one European-level regulator, not data protection authorities in each of the twenty-eight member states. Once the European Parliament provides final approval of the legislation in early 2016, EU member states will have two years to incorporate the changes into domestic law.

2. The UN General Assembly adopts WSIS+10 resolution. The review of the World Summit on Information Society (WSIS) goals concluded this week in New York, with UN member states adopting a resolution noting progress in improving access to information and telecommunications technologies (ICTs) but highlighting that more needs to be done. Launched in 2003 and 2005, the WSIS aims to bridge the digital divide and improve access to ICTs. (For a backgrounder on the WSIS, check out this Council on Foreign Relations interactive). As expected, cybersecurity, human rights and Internet governance were the main sticking points. Human rights groups, the United States and its allies were pleased that the resolution has strong references to the multistakeholder Internet governance model and reiterates that the same rights that people have offline apply online. According to the New York Times, China tried but failed to include language "that would have made authority for Internet-related public policy issues ’the sovereign right of states’" despite the fact that world leaders had agreed to identical language in 2005. However, China got a win when it obtained recognition that governments have the lead role "in cybersecurity matters relating to national security." Net Politics will have more analysis on the WSIS outcome next week. Stay tuned.

3. China hosts second World Internet Conference. The Chinese government held a conference promoting their view of the Internet this week in Wuzhen, China. The conference drew an even bigger crowd (and more foreign delegates) than last year, which China will likely use as evidence of the conference’s success. Chinese President Xi Jinping used parts of his remarks to rebutt the cyber norms promoted by the West and foreign delegates got swanky Xiaomi phones pre-loaded with credentials to bypass the Great Firewall. Last year, China tried to get conference attendees to sign onto a last-minute joint declaration that endorsed China’s views of "cyber sovereignty." So far, it seems like the organizers have learned their lesson as there haven’t been any last minute shenanigans this year. You can find my take on the Xi’s speech here.

4. The Cybersecurity Information Sharing Act (CISA) sneaks its way into an omnibus bill. CISA, the subject of much hand wringing over the past year despite being mostly a red herring, made its way into a must-pass budget bill that keeps the U.S. government running. Paul Rosenzweig at Lawfare has the essential details. In a nutshell, the Department of Homeland Security (DHS) becomes the hub for information sharing, meaning that companies looking to share cyber threat information with the U.S. government will have to go through them, not the NSA or the FBI. Information DHS receives could only be shared within government for cybersecurity purposes or preventing a specific threat of "death or serious bodily injury" or "serious economic harm." That last provision has some advocacy groups and some legislators up in arms. They would have preferred only allowing DHS to share information for cybersecurity purposes and requiring the private sector to implement more stringent requirements to strip out personally identifiable data from information being shared with government.

5. Facebook, Google and Twitter agree to a mechanism to remove hate speech in Germany. As a result of the deal, the U.S. companies will remove hate speech from their websites within twenty-four hours of being flagged, using the hate speech standard established by German law, not the companies’ terms of service. German authorities believe the deal will help stem the tide of hateful and xenophobic speech directed at the over 1 million refugees that have settled in Germany this year. The deal with German authorities comes at a time when some U.S. legislators want to create legal requirements for social media companies to report terrorist activities to the FBI.