Under Section 702 of the Foreign Intelligence Surveillance Act (FISA) , the National Security Agency (NSA) is authorized to collect and analyze communications of non-U.S. persons located outside the United States for foreign intelligence purposes. Section 702 allows the NSA to compel U.S.-based service providers, such as AWS or Microsoft, to provide access to data without requiring a warrant from the Foreign Intelligence Surveillance Court (FISC) if certain criteria are met.

Key Aspects of Section 702:

Scope of Surveillance: Section 702 applies to non-U.S. persons located outside the United States . It cannot be used to target U.S. citizens or individuals located within the United States, even if they communicate with non-U.S. persons.

Provider Obligations: The NSA can compel U.S.-based service providers (e.g., AWS, Microsoft) to disclose information about communications involving foreign individuals if the data is relevant to foreign intelligence purposes.

Explanation of the Options:

A. Compel AWS to disclose Jane ' s email communications with a Taiwanese national residing in Taiwan: Incorrect. Jane is a U.S. citizen, and Section 702 cannot be used to directly target U.S. persons or their communications, even if the other party in the communication is a non-U.S. person.

B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU: Correct. Section 702 allows the NSA to target non-U.S. persons located outside the U.S. without a warrant, even if their communications are hosted by a U.S.-based service provider like AWS. This scenario falls directly under the scope of Section 702.

C. Compel Microsoft to disclose Patrick ' s Skype calls with a Brazilian national living in Peru: Incorrect. Patrick is a U.S. resident , even though he is a French citizen. Section 702 cannot be used to target individuals who are lawfully residing in the United States.

D. Compel Jane to disclose the PIN code for her corporate mobile phone: Incorrect. Section 702 applies to electronic communications data held by service providers, not to individuals. Compelling an individual to disclose a PIN code would require a different legal authority, such as a court-issued subpoena or warrant.

Legal Framework:

Section 702 of FISA: Provides the NSA with the authority to compel U.S.-based service providers to assist in collecting data on non-U.S. persons located outside the U.S. for foreign intelligence purposes.

Targeting Limitations: Section 702 cannot be used to intentionally target U.S. persons or anyone located within the United States.

Service Providers: Examples include U.S.-based companies such as Amazon AWS, Microsoft, and Google.

Practical Considerations for Jones Labs:

Jones Labs should be aware that:

Data stored with U.S.-based providers (even if located in the EU) may still be subject to Section 702 requests.

International data transfer compliance may require careful consideration of Standard Contractual Clauses (SCCs) or other safeguards to align with EU privacy regulations, such as the GDPR , in light of the extraterritorial nature of U.S. surveillance laws.

References from CIPP/US Materials:

FISA Section 702 (50 U.S.C. § 1881a): Outlines the legal authority for targeting non-U.S. persons located outside the United States.

IAPP CIPP/US Certification Textbook: Discusses Section 702 and its implications for U.S.-based service providers handling international data.

Schrems II Decision: Highlights conflicts between U.S. surveillance laws and EU privacy laws, particularly for data stored by U.S. companies overseas.

The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that was enacted in 2003. FACTA aims to enhance consumer protection against identity theft and fraud by requiring various measures, such as free annual credit reports, fraud alerts, and identity theft prevention programs. One of the consumer protections that FACTA requires is the truncation of account numbers on credit card receipts. This means that only the last four or five digits of the account number can be printed on the receipt, while the rest must be masked or deleted. This reduces the risk of unauthorized access or use of the account number by third parties who may obtain the receipt.  References:

IAPP CIPP/US Body of Knowledge, Section III, B, 1

[IAPP CIPP/US Study Guide, Chapter 3, Section 3.2]

[FACTA, Section 113]

Web scraping to collect personal data can pose significant legal and ethical risks, particularly when it involves professional networking sites or other platforms where terms of service (ToS) explicitly prohibit such activity. To limit liability, the software company must take proactive measures to comply with applicable laws (such as privacy laws) and contractual obligations (e.g., terms of use on the scraped websites).

Adding a notice to the company website ' s terms of use would be the least effective action , as it does not address the legal and ethical issues associated with scraping data from third-party websites. Simply adding a notice about the company ' s use of scraping does not mitigate liability for violating the ToS of professional networking websites or violating privacy rights under laws like the GDPR or CCPA .

Explanation of Options:

A. Following the terms of use posted on professional networking websites that are scraped: This is one of the most effective ways to limit legal liability. Violating ToS can result in lawsuits or legal penalties, so adhering to them is critical.

B. Adding a notice to the company website ' s terms of use disclosing the use of web scraping: This is the least effective action. Including this notice on the company ' s own website does not address potential violations of third-party website ToS or the privacy rights of affected individuals.

C. Limiting the amount of the personally identifiable information they collect: Minimizing the amount of data collected aligns with data protection principles, such as data minimization under the GDPR, and can reduce privacy risks.

D. Deidentifying the scraped data before selling it to any third parties: Deidentifying or anonymizing data is a critical step for reducing legal liability and complying with privacy laws. However, the company should also ensure that the deidentification is robust and irreversible.

References from CIPP/US Materials:

GDPR Article 5: Establishes principles such as data minimization and accountability for data processing.

IAPP CIPP/US Certification Textbook: Highlights the risks of web scraping and the importance of adhering to contractual obligations and privacy laws.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. FERPA generally requires that schools obtain written consent from students (or their parents if the student is a minor) before disclosing personally identifiable information from education records. However, FERPA allows specific exceptions where disclosures can be made without consent.

One of these exceptions is when a school discloses education records to another school where the student seeks or intends to enroll . This allows educational institutions to share information for legitimate educational purposes, such as transferring transcripts between schools when a student moves or applies for enrollment elsewhere.

Explanation of Options:

A. If the disclosure is not to be conducted through email to the third party: FERPA does not prohibit disclosures via email as long as the recipient is authorized and the disclosure meets FERPA requirements. The medium of disclosure is not a determining factor.

B. If the disclosure would not reveal a student ' s student identification number: FERPA restricts the disclosure of personally identifiable information but does not specifically regulate disclosures based on whether a student ID number is included unless the number itself compromises the student ' s privacy.

C. If the disclosure is made to practitioners who are involved in a student ' s health care: FERPA does not specifically provide an exception for health care practitioners unless the disclosure falls under the " health and safety emergency " exception, which does not apply to general health care.

D. If the disclosure is for the purpose of providing transcripts to a school where a student intends to enroll: This is correct and aligns with one of the exceptions outlined in FERPA. Schools are permitted to share student records with other educational institutions where a student seeks or intends to enroll without requiring consent.

References from CIPP/US Materials:

FERPA (20 U.S.C. § 1232g): Governs the disclosure of student education records and details specific exceptions to the consent requirement.

IAPP CIPP/US Certification Textbook: Explains FERPA’s consent requirements and exceptions, including disclosures for enrollment purposes.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public.  COPPA also gives parents the right to access, review, and delete their children’s personal information, and to limit further collection or use of such information. 1

One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a “safe harbor” program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA. Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions.  The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe. 2

By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA “Safe Harbor” requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents’ choices and requests regarding their children’s data, and ensuring the security and confidentiality of the data collected.  The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes. 3   References:   1 : Complying with COPPA: Frequently Asked Questions 4 , Section A 2 : COPPA Safe Harbor Program 3 : IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime.  The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion 1 2 3 .  References:

1 : IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2 : DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3 : Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as " a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call. " 1  The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services.  The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry. 2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services.  However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services. 3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.  References:   1 : eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule 3 , Section 310.2 2 : Telemarketing Sales Rule | Federal Trade Commission 1 , Rule Summary 3 : Complying with the Telemarketing Sales Rule - Federal Trade Commission 2 , Exemptions to the TSR.

Privacy by Design is a concept that the FTC endorsed in its 2012 report on protecting consumer privacy 1 .  It seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice 2 .  It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used 3 .  Privacy by Design requires companies to build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy 1 .  References:   1 : FTC Report of 2012, p.  22-23;  2 : Global Data Review 3 ;  3 : Termly 4 .

The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation.  References:  [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98;  IAPP Privacy Tech Vendor Report , Data Mapping and Inventory, p. 9-10.

The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers’ reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns.  References:

IAPP CIPP/US Body of Knowledge , Section I.A.1.a

IAPP CIPP/US Textbook , Chapter 1, pp. 9-12

FTC Privacy and Security Enforcement