Privacy Monthly: March 2023

Published on Mar 30, 2023 and edited on Aug 15, 2023 by Carlo Cilento

It's a new season, and just in time for a new Privacy Monthly! It hasn’t been the greatest month for big tech. Meta may be forced to shut down Facebook for Europe in two months and might lose a lot of money in a class action. Google Analytics came under fire from more DPAs, and the Czech government is getting rid of it on its websites. In the meantime, TikTok is being banned from government devices left and right. Read on to find out!

  1. Europe may face Meta blackout
  2. More bad news for Meta
  3. Bad news for Google, too
  4. EDPB issues a lukewarm opinion on the new data transfer framework
  5. More trouble for TikTok
  6. Encryption controversy continues
  7. EDPS might dismiss Microsoft Office

Europe may face Meta blackout

The Irish DPA drafted a decision to shut down Meta Ireland’s data transfers to the US last year and later submitted it to the EDPB under the GDPR’s dispute resolution mechanism. Politico reported that the European Data Protection Board expects to settle the case on Meta’s data transfers by April 14. The Irish DPA will then have one month to implement the EDPB’s observations in its final decision.

All eyes are on this case. This is a high-profile case with EDPB involvement and will surely set an important precedent. Depending on the outcome, it may also bring a Facebook and Instagram blackout for Europe, as the Irish DPA may shut down Meta’s data transfers before the European Commission’s adequacy decision for the US is finalized.

More bad news for Meta

On March 15, Facebook lost a class action before the Amsterdam District Court. The ruling found that Facebook Ireland lacked a legal basis for serving personalized advertisements, in line with the recent decisions from the European Data Protection Board. The Court also found other infringements, including the unlawful processing of sensitive data and violations of the Unfair Commercial Practices Directive and its national implementations in Dutch law.

Damages will be awarded by another ruling and might be substantial since the class action involves around 190,000 users. Meta intends to appeal the decision.

Bad news for Google, too

The Finnish DPA found Google Analytics to be incompatible with the GDPR’s data transfer rules in a recent decision. The ruling is about the use of Google Analytics by an individual website but sets a precedent that practically amounts to a nationwide ban. The Norwegian DPA reached the same preliminary conclusion as its Finnish counterpart in a pending case.

The Finnish Data Protection Ombudsman is the fifth European authority to rule against using Google Analytics. The Austrian, French, and Italian authorities issued similar rulings following a coordinated set of complaints from privacy NGO noyb. The Danish authority also embraced the same stance in a press release.

At the same time, the Czech government is removing Google Analytics from many of its websites over privacy concerns. Czech privacy NGO IuRe played an important role in convincing the government that Google Analytics cannot ensure visitors' privacy.

EDPB issues a lukewarm opinion on the new data transfer framework

In late February, the EDPB issued its Opinion about the adequacy decision draft from the European Commission. The draft is pending Member State approval and is meant to implement the new EU-US data transfer framework (the Trans-Atlantic Data Privacy Framework).

The EDPB notes that the new framework is an improvement from the Privacy Shield (its predecessor) but also highlights some possible issues. These include the criteria for bulk collection of data, the scope of certain exemptions, the onward transfers of data, and specific aspects of the redress mechanism. Overall, the Opinion feels somewhat cautious and tepid.

Approval of the draft decision from Member States is virtually certain, but the decision is equally certain to be challenged in the Court of Justice. The real question is whether the new framework will survive a “Schrems III” ruling.

More trouble for TikTok

On February 23, the European Commission banned TikTok from corporate devices over security concerns. A few days later, Canada did the same and banned TikTok from government devices.

Canada and the European Commission are not the first to scrutinize TikTok and take a strong stance. Last December, the US Congress banned TikTok on all federal government devices, and many US States have laws to the same effect. A bill to ban TikTok from the US entirely was also introduced in Congress, and Senator Michael Bennet urged Apple and Google to remove the app from their stores.

TikTok CEO Shou Chew will be heard by the US Congress next Thursday, and given the recent developments, the atmosphere will likely be tense.

Encryption controversy continues

WhatsApp and Signal announced that they might stop providing their services in the UK if the Online Safety Bill were to pass. In its current draft, the pending bill requires messaging service providers to scan messages for illegal and harmful content. Opponents of the bill consider the systematic scanning of content an unacceptable infringement of privacy. Scanning the content would also require implementing backdoors into end-to-end encrypted systems, which raises security concerns.

A similar debate has been going on for a while in the EU as well. A controversial EU Regulation against child sexual abuse was proposed last year. While substantially different from the UK draft bill, the proposed Regulation still mandates measures that undermine end-to-end encryption to counter the diffusion of child pornography.

The European Data Protection Board and the European Data Protection Supervisor both opposed the proposal. Last year, a joint opinion from the two institutions highlighted several issues with the draft and pointed out that undermining end-to-end encryption severely weakens the protection of privacy.

EDPS might dismiss Microsoft Office

The European Data Protection Supervisor intends to ditch Microsoft Office over privacy concerns related to the transfer of personal data to the U.S. In February, the Supervisor started implementing Nextcloud and Collabora Online, two open-source software products based on LibreOffice code.
