- EU adopts Data Act
- Meta faces wave of litigation in the EU
- Dutch privacy watchdog investigates tax authority
- noyb challenges European Commission over political advertising
- The US is spying on itself
- Privacy advocate challenges YouTube’s crackdown on ad-blockers
- Is Brazil next in line for an adequacy decision?
- Irish Data Protection Commissioner to leave her position
EU adopts Data Act
On November 27 the Council of the European Union adopted the Data Act. The new Regulation is a key part of the EU’s data strategy, along with the Digital Services Act and the Digital Markets Act.
The Act aims to facilitate the sharing of data generated by interconnected products. The end goal is to foster economic growth by tapping into the EU’s vast amounts of unused industrial data.
It will be interesting to see how the data sharing obligations under the Data Act interact with the GDPR. In all likelihood, it will take a while for the legal community to iron out all the kinks.
Meta faces wave of litigation in the EU
In October meta started offering paid, ad-free subscriptions to EU users in alternative to its free, advertising-powered service model. The move is part of Meta’s new compliance strategy: the company is hoping to convince regulators that non-paying users are free to consent to the extensive profiling required for targeted advertising.
This new strategy was immediately challenged by privacy NGO noyb and by the European Consumer Organization. The two organizations are challenging Meta’s policies on different grounds, but both ultimately claim that users are not meaningfully free to consent to profiling and targeted advertising, with or without the option to pay for an ad-free subscription.
The same week 83 Spanish media outlets filed a class action, claiming €550M in damages. According to the media outlets, Meta gained an unfair competitive advantage by unlawfully processing personal data over a five year time span. Meta’s lawyers are going to be busy during the holidays.
The Dutch data protection authority (AP) is investigating the Tax and Customs Administrations for alleged privacy violations related to its past use of a risk analysis model for tax fraud.
The system was discontinued in 2018 and contained large amounts of information on Dutch taxpayers, including data collected by other PA systems and information scraped from social media. According to the AP, the system allowed for discriminatory searches based on taxpayer nationality and was not properly protected from insider attacks.
The tax authority’s track record with risk analysis systems is less than stellar: not long ago the childcare benefit scandal inflicted enormous damage on thousands of low income households, raised serious issues about racial biases in AI systems, and eventually led to the resignation of the Dutch government.
In a complaint filed before the European Data Protection Supervisor, noyb claims that the European Commission’s political advertising violated the GDPR.
According to noyb, the Commission used sensitive data to target users of the X platforms with political ads in favor of a controversial legislative proposal on chat control. This looks quite embarrassing for the Commission: by the looks of it, they engaged in the very Cambridge Analytica-style strategies that the EU is looking to ban with future legislation.
The complaint also raises concerns regarding X. In theory, the platform does not allow advertising based on sensitive data, but in practice, it may not do much to prevent it .
The US is spying on itself
Two projects- one from Duke University, the other from the Irish Council of Civil Liberties - independently researched the ad tech environment and found that personal information on US service members can be easily bought from data brokers. This further confirms what privacy advocates have been repeating for years now: in its current state, the ad tech industry is a severe thread to both individual privacy and national security.
In a nutshell, the US is spying on itself through online tracking and web analytics, and data brokers are more than happy to sell the intelligence to anyone willing to pay. This surveillance free-for-all can be easily capitalized upon by actors such as criminal groups or foreign intelligence agencies (and, in all likelihood, has already been).
While both studies focused on the US, we do not expect the EU to fare much better.
Privacy advocate challenges YouTube’s crackdown on ad-blockers
In November Youtube started blocking video playback for ad-blocker users. These users were required to either subscribe to the ad-free Youtube Premium plan, or disable ad blockers and view the platform’s ads.
YouTube has since been playing a game of cat and mouse against the Internet: ad-blockers and browsers keep finding ways to get around Youtube’s ad-blocking detection scripts, forcing the platform to catch up on a daily basis.
YouTube’s war on ad-blockers could also have legal consequences. Privacy activist Alexander Hanff filed a complaint against Youtube before the Irish Data Protection Commission. According to Hanff, the Java scripts that power YouTube’s ad-blocker detection measures fall within the scope of the ePrivacy Directive and cannot be deployed without the user’s consent- much like browser cookies.
Is Brazil next in line for an adequacy decision?
EU Commissioner for Justice Didier Reynders announced the Commission’s intention to organize a conference bringing together current and prospective partners for international data flows. According to Reynders, the Commission is also considering Brazil as a candidate for an adequacy decision (a legal act from the Commissions that immensely facilitates data flows between the EU/EEA and a non-EU Country).
Irish Data Protection Commissioner to leave her position
Helen Dixon announced that she will not be reappointed as the Data Protection Commissioner of Ireland after her mandate expires next February.
Dixon faced plenty of criticism through her ten year tenure at the Commission: many voices within the privacy community- especially privacy advocates- criticized her for treating Big Tech with kid’s gloves.
The Commission has long been stuck between a rock and a hard place. While the Commission’s mandate is to enforce the law, the Republic of Ireland has a thinly veiled interest in appeasing Meta, Google, and numerous other multinational corporations with European headquarters in Dublin.
Unsurprisingly, the Commission’s action against Big Tech has been timid and untimely. This hampered the resolution of important cross-bordered cases and essentially turned Ireland into an enforcement bottleneck for Europe.
Over time this situation drove a wedge between the Commissioner and her peers. As Dixon’s tenure comes to an end, the Commission is politically isolated within the European Data Protection Board and frequently sees high-stakes decisions overturned by the Board.
Healing the Commission’s relationship with the Board will not be easy, but should be a priority for the next Commissioner nonetheless.