Our weekly take on some of the biggest stories in startup and tech policy. 

CISA Sneaks into Omnibus. As Congress scrambled to clear its legislative calendar before leaving DC for the year, it packed a bunch of unrelated bills together into a 2,000 page omnibus spending bill that will need to pass in order to adequately fund the government. This potpourri approach to legislation raises serious concerns about government transparency and access, as all but the most well-connected groups are effectively blocked from the closed-door dealmaking that resulted in the omnibus. This year’s omnibus produced one notably terrible outcome: the resurrection of the much-maligned Cyber Intelligence Sharing Act (CISA), which is meant to allow companies to share information on cyber attacks with government in order to help prevent future hacks. Critics argue that the bill creates more problems than it solves by jeopardizing user privacy, incentivizing companies to secretly monitor user activity, and allowing the government to obtain consumer data without a warrant. With the ECJ’s nullification of the EU/U.S. data transfer safe harbor so fresh in policymakers’ minds, it is a particularly inopportune time to pass a bill that many believe is effectively an expansion of government surveillance authority.

EU Sets New Data Privacy Rules. On Tuesday, the European Parliament and Council effectively agreed upon a negotiated version of the EU Data Protection Reform originally drafted in 2012. The measures will be formally adopted in early 2016 and go into effect in 2018. US businesses are concerned with several of the law’s provisions that make compliance challenging and also expensive. Among their concerns: Companies that violate the rules could face fines of up to 4 percent of global sales; the law also formalizes the “right to be forgotten” statute, allowing users to not only correct inaccurate personal data, but also the right to remove irrelevant or outdated information; the age of consent for data processing is set at 16 years; companies must alert authorities within three days of a reported data breach; and larger “data-processing” companies must designate a data protection officer.

An Uber Union? Seattle has become the first city in the nation to allow on-demand drivers for companies like Uber and Lyft to unionize. The legislation, passed by Seattle’s city council on Monday, is seen as a test case for the changing 21st century workforce and will likely be contested in court. While some have argued that the new policy conflicts with federal law and raises antitrust concerns, others insist that the local law has teeth. Regardless of its merits, the law further complicates the broader debate around worker classification in the emerging “gig economy” and whether policies can support both innovation and workers.

California’s New Self-Driving Car Laws. A month after a study by California’s Department of Motor Vehicles, the state released proposed rules for driverless cars. Some of the rules came as no surprise to driverless car manufacturers such as Google, Tesla, and Ford: consumers must receive special training certificates and the autonomous vehicles must meet certain cybersecurity standards. However, one proposal, if passed, could significantly impede innovations in this emerging industry. The California DMV wants a licensed driver present in the vehicle, preventing the kinds of functions—package-delivering vehicles or transportation for the blind—that could truly revolutionize transit. This rule also complicates the liability question by making the licensed driver legally on the hook for any accidents. Google, on the other hand, has thus far stated that it is willing to take responsibility for any accidents on the road. There’s still room for debate though; these rules open for public comment next month.

BingeOn? Maybe Not Says FCC. In its net neutrality rules from earlier this year, the FCC declined to enact a flat ban on “zero rating” programs whereby ISPs exempt certain data from user data caps. Instead the FCC decided to tackle such issues on a case-by-case basis. Since then, ISPs have begun to test the FCC’s willingness to regulate data exemption policies, such as T-Mobile’s Music Freedom and BingeOn plans. While T-Mobile’s programs do not implicate the most concerning net neutrality problems by allowing any music or video streaming company to take advantage of the data exemption without payment, some net neutrality advocates have taken aim at T-Mobile’s policy of throttling all video traffic regardless of whether it is a part of the BingeOn program. FCC Chairman Tom Wheeler has previously applauded T-Mobile’s programs as creative, pro-consumer innovations, but now, the FCC wants to take a closer look. With the Commission’s data cap inquiry and the DC Circuit’s pending decision on the validity of the FCC’s net neutrality, 2016 looks to be an important year for the future of the open Internet.

Drone Registration Goes Live. The Federal Aviation Administration unveiled new recreational drone requirements this week. Starting December 21, drone hobbyists must register their unmanned aircrafts and pay a $5 fee through a new FAA web page. The registration requirements represent a mostly uncontroversial attempt to maintain safety and accountability in national airspace as more and more drones populate the skies.

GOP Misses on Tech Issues. While many observers called this week’s Republican debate the most “substantive” yet, tech experts heard uninformed positions and misconstrued information on issues such as surveillance, the operation of the Internet, and encryption. For instance, Gov. Kasich inaccurately assumed that encryption prevented law enforcement from collecting information that could have foiled the San Bernardino shootings. Yet, whether encryption played any role in law enforcement’s access to important digital communications has not been confirmed. Meanwhile, Mr. Trump suggested that parts of the Internet should be “closed,” a preposterous suggestion that would not only hinder communication amongst bad guys, but also the good guys who drive ambulances, operate hospitals, and alert the world to vital information. Such superficial positions on high-impact tech policy are disconcerting - legislating these areas will require thoughtful (and, frankly, more complicated) solutions.

Prisoners Turned Coders. San Quentin State Prison just graduated 21 inmates from its tech incubator, which teaches inmates to code as well as the skills it takes to design and pitch a business to investors and peers. The program,  made possible by The Last Mile organization, has become so popular that inmates are requesting transfers to San Quentin. Next up: A new program from The Last Mile will provide inmates with paid coding jobs for businesses outside prison walls.