Privacy Monthly: August 2023


Published on Aug 24, 2023 and edited on Sep 13, 2023 by Carlo Cilento

  1. European Commission finalizes US data transfer framework
  2. European Commission looking to break up Google’s businesses
  3. Meta to change privacy policy again after CJEU ruling
  4. EU moving forward with digital legislation
  5. 24 US States call for damage control after Dobbs v. Jackson
  6. French watchdog fines major adtech player € 40M
  7. Landmark CJEU ruling on GDPR damages
  8. OpenAI faces class action over web scraping
  9. Meta delays EU Threads launch
  10. US intelligence bought consumer data

European Commission finalizes US data transfer framework

On July 10, the European Commission adopted an adequacy decision for the United States. This is the final step in implementing the long-anticipated Trans-Atlantic Data Privacy Framework, a bilateral framework between the EU and the US that allows for easier data flows between the US and EU/EEA countries.

The framework is the EU and US’s attempt to solve the legal uncertainty surrounding data transfers as a result of the Schrems I and II rulings of the EU Court of Justice. Not everyone is happy about it: the European Parliament opposed the framework by an overwhelming majority in a non-binding vote, and noyb, an NGO already involved in the legal drama surrounding data transfers, has announced that it will challenge the decision before the EU Court of Justice.

Only time will tell if the new framework will survive the Court’s scrutiny or meet the same fate as the Safe Harbor and Privacy Shield frameworks.

For more information about the framework, check out our blog.

European Commission looking to break up Google’s businesses

The European Commission informed Google owner Alphabet Inc. of its preliminary view that Google violates antitrust law and may be ordered to break up its businesses.

The communication results from an investigation of Google’s role in the online advertising market in which the Commission found that Google holds a dominant position in at least two distinct markets: publisher ad servers and online ad buying tools. The Commission holds that Google abuses its dominant position by favoring its own services in ad exchanges carried over its AdX platform.

In the Commission’s view, divesting some of Google’s services is the only way to stop the abuse. The investigation is still ongoing and is worth following closely.

Meta to change privacy policy again after CJEU ruling

In the recent Bundeskartellamt ruling, the EU Court of Justice held that Facebook’s tracking tools process sensitive data, and that Meta cannot track users for behavioral advertising without their consent.

The Court’s remarks on behavioral advertising in particular could mean the death of Meta’s new privacy policy. Meta recently announced its intention to collect user consent for targeted advertising. The announced change would mark the second update to the company's privacy policy within the year, after Meta already changed its legal bases in response to the Irish privacy watchdog's fines.

In the meantime, the Norwegian data protection authority temporarily banned targeted advertising on Facebook and Instagram because of the Court's ruling.

Bundeskartellamt is a very important decision, so we analyzed it in detail in two blogs (click here for part one).

EU moving forward with digital legislation

The European Parliament adopted a new version of the AI Act draft. The proposal now needs to be negotiated between the Parliament, the European Commission, and the European Council. The new draft currently includes stricter rules for generative AI and biometric surveillance in public spaces.

At the same time, the European Council and representatives of the Parliament reached an agreement over the Data Act draft. The proposal is now pending approval from the European Parliament and Commission. If finalized, the Data Act will enhance data portability rights across the EU and address contractual imbalances with regards to data sharing, in an attempt to move towards an internal data market.

24 US States call for damage control after Dobbs v. Jackson

24 US States, led by the Attorneys General of California and New York, called for Congress to strengthen the HIPAA (Health Insurance Portability and Accountability Act), mere months after the US Health and Human Services urged the legislator to do the same.

The push for stronger protection for health data is a response to the Dobbs v. Jackson ruling of the US Court of Justice, which opened the gate to a wave of anti-abortion legislation in conservative States. This led to a large-scale human rights and privacy crisis: women’s health data are often used to prosecute them and sit in the hands of companies who are often more than willing to sell them to the highest bidder.

French watchdog fines major adtech player € 40M

The French data protection authority (CNIL) fined online advertising company Criteo €40M for not being able to provide proof of consumer consent and for other issues including a lack of transparency.

The decision touches upon interesting legal issues. In the CNIL’s view, advertising intermediaries such as Criteo cannot take a hands-off approach to compliance and let their partners deal with consent entirely. Instead, they must require their partners to collect data lawfully and must be able to provide proof of user consent.

The CNIL is an influential authority in Europe. Should other authorities follow its lead, this approach could have a significant impact on the position of intermediaries on the online advertising market.

Landmark CJEU ruling on GDPR damages

The EU Court of Justice clarified some important aspects of the damage system under the GDPR in a ruling involving the Austrian postal service.

The decision is fairly technical and revolves around the compensation system provided for by Article 82 of the Regulation. The Court stated that there is no threshold for damages under the GDPR. The Court also clarified that damages cannot be awarded for a mere violation of the GDPR: the claimant must have suffered some form of damage, whether material or non-material, as a result of the violation.

OpenAI faces class action over web scraping

A class action was filed against OpenAI in the San Francisco federal court. The claimants complain that the ChatGPT and DALL-E engines scraped enormous amounts of personal information from the Internet without informing Internet users or asking for permission.

Data scraping is a hot legal issue on both sides of the ocean. The scraping of the data of millions of unaware Internet users was one of the concerns that led to the one-month ban of ChatGPT from Italy. In the wake of the Italian investigation, other European watchdogs are currently looking into ChatGPT’s privacy issues, and the European Data Protection Board created a task force to coordinate their efforts.

Meta delays EU Threads launch

A Meta spokesperson announced that the Threads social platform will not be available in the EU. News sources including the Irish Independent and Politico report that the decision might be due to the EU’s Digital Markets Act, which prohibits gatekeeper companies from combining data sets from different platforms.

Incidentally, Meta is already merging data from Facebook and Instagram users. It will be interesting to see whether Meta will take steps to address DMA compliance with regards to the merging of databases.

US intelligence bought consumer data

In news that will surprise no one, a declassified report from the Office of the Director of National Intelligence confirms that US intelligence agencies bought consumer data from data brokers at least until 2022.

It is an open secret that intelligence agencies across the world are increasingly relying on commercially available information. This is a diplomatic way of saying that they buy enormous amounts of personal data from companies and data brokers. Buying data on the market is easier than collecting it directly and sometimes allows agencies to circumvent limitations that would otherwise apply to their operations. This practice raises issues with regards to privacy and civil rights, as highlighted by the report itself.
