Privacy Monthly February 2024

This sure was a busy month in privacy! After long negotiations, the EU is one step closer to the AI Act. In the meantime, regulators issued important decisions against Uber and Amazon, the EDPB is working on the hot issue of pay-or-ok, the Senate heard social media CEOs on children online safety, and more!

Michelin chose Simple AnalyticsJoin them

EU moves closer to AI Act as Data Act enters into force

EU Member States unanimously voted for the AI Act. Three more votes are still needed, including the crucial plenary vote from the European Parliament in April.

In the meantime, the Data Act of the EU entered into force. The Regulation aims to facilitate the use and exchange of data, especially industrial and IoT data, while striking a balance with cybersecurity and user control.

EDPB discusses pay-or-ok

The EDPB (that is, the institution that brings EU privacy regulators together) discussed the pay-or-ok approach to privacy in January and intends to publish guidelines on the issue. In other words, the EDPB intends to clarify whether, and to what extent, companies can treat personal data as a commodity.

Pay-or-ok is a hot topic right now, as Meta’s latest compliance strategy is centered around offering paid, ad-free subscriptions for Facebook and Instagram as an alternative to its free subscriptions. But the issue is bigger than that and has enormous consequences for EU privacy law as a whole.

If you are curious about the topic, our blog explores Meta’s compliance strategies and the implications of pay-or-ok for the GDPR.

Heated Senate hearing over children safety

In response to increasing public concerns over children’s safety on social media, a US Senate committee questioned the CEOs of major social platforms over children’s online safety.

CEOs from Meta, X, Snap, TikTok, and Discord were present. The questioning was rather tense, with Mark Zuckerberg (Meta) and Shou Zi Chew (TikTok) taking most of the heat. Evan Spiegel (Snap) and Linda Yaccarino (X) expressed support for the Kids Online Safety Act, while other CEOs voiced skeptical positions.

Two large fines from the French watchdog

The French privacy regulator (CNIL) fined Amazon France for €32M over its workplace surveillance practices, and fined Yahoo for €10M for using tracking cookies. illegally.

The regulator sent a very strong signal that Amazon’s notoriously invasive workplace surveillance will not be tolerated in France: €32M is about 3% of Amazon France’s turnover for 2021 and is close to the maximum cap of 4% under the GDPR.

Dutch regulator strikes at Uber

The Dutch regulator fined Uber for €10M for failing to inform drivers of its data retention policies and making it difficult for drivers to access their personal data.

Control over data is crucial to the power balance between companies and gig economy workers. The right to access data can sometimes help workers wrestle their data back, tipping the balance in their favor. This happened not long ago in a landmark case that Uber lost (Uber BV v Aslam).

Following an official investigation, the Federal Trade Commission ordered X to tighten its privacy policies for location data. X will not be allowed to collect location data without consent, and will not be able to share “sensitive” location data (such as medical facilities or religious institutions) with its partners.

The FTC also [banned data aggregator InMarket Media from sharing precise geolocation data.

GPDP still not happy with ChatGPT

The Italian privacy watchdog issued a (yet unpublished) notice of alleged privacy violations for Open AI relative to ChatGPT . Future developments are worth watching closely, as generative AIs raise important and yet unresolved privacy issues.

The regulator first addressed ChatGPT last year when the company was ordered to halt service for Italian users over privacy issues (we discussed the case here). The authority later lifted the restriction, but only temporarily: the case was left open and the investigation eventually led to the January 2024 notice.

EU and US working on an agreement on police access to data

According to Politico, European Justice Commissioner Didier Reynders that the EU and the USwill reach an agreement on police access to personal data within the year.

The EU and the US already have a mutual assistance treaty in place, but the existing procedures for accessing data are slow and cumbersome. The controversial Cloud Act of the US can speed things up for US law enforcement, but raises issues under the GDPR and has been widely criticized because of its unilateral nature. A new agreement could fix some issues with the Cloud Act while also allowing EU law enforcement faster access to US data.

Of course, the future agreement needs to balance effective law enforcement with the right to privacy- and the European Data Protection Supervisor will no doubt chime in on that front.

EU Commission confirms 11 adequacy decisions

The European Commission reviewed and upheld the existing adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. The decisions for Japan, South Korea, the U.K., and the U.S. have not been confirmed yet.

An adequacy decision is a unilateral decision that immensely simplifies data transfers by “greenlighting” a non-EU country as a safe destination for personal data. Adequacy decision are based on a complex assessment of the legal framework of the recipient country and need to be reviewed periodically.

Amazon now requires a warrant for Ring footage

Amazon announced that it now requires a warrant before sharing Ring footage with law enforcement. Hopefully Amazon will eventually address Ring’s other privacy issues, such as its severe cybersecurity vulnerabilities and Amazon’s irresponsibly lax data access policies for Ring employees.