Privacy Monthly March 2024

Published on Mar 5, 2024 by Carlo Cilento

There was a lot of privacy news over the last month! The city of New York filed a lawsuit against social platforms over children's safety and mental health, spyware was found on MEPs' devices, and a new ruling may halt attempts to undermine encryption in the EU. Let's dive in!

  1. NYC sues social media giants over children's mental health
  2. Pegasus spyware found on MEPs' devices
  3. Pay-or-ok saga drags on
  4. ECtHR defends end-to-end encryption
  5. CMA halts Google Privacy Sandbox over competition concerns
  6. China to relax Shanghai data transfer rules
  7. EU legislation moving forward
  8. Apple to implement PQ3
  9. Data broker bankruptcy raises privacy concerns
  10. Bavaria DPA launches large-scale cookie investigation

NYC sues social media giants over children's mental health

The city of New York took legal action against Facebook, Instagram, TikTok, Snapchat, and YouTube. The NYC mayor claims that these platforms are fuelling a youth mental health crisis by exposing children and teens to harmful content.

Children's safety on online platforms is currently at the center of a nationwide debate in the US: last month, a tense congressional hearing with Big Tech representatives led to unsatisfying responses.

Pegasus spyware found on MEPs' devices

The Pegasus spyware was found on the devices of two Members of the European Parliament during routine IT checks, as reported by Politico and Le Point.

This is not the first time European politicians have been targeted with spyware. In 2022, researchers found that numerous Catalan politicians were targeted by spyware, and a special inquiry committee of the European Parliament uncovered illegal surveillance by at least four EU governments (https://www.politico.eu/article/eu-spyware-probe-slams-government-leaders-as-perpetrators-of-abuse/).

Pay-or-ok saga drags on

Following a request from MEPs, the European Commission issued a formal request for information about Meta’s new subscription-based business model. In the meantime, consumer groups from the Bureau of European consumers filed privacy complaints against Meta’s subscriptions, in addition to the BEUC’s older complaint grounded in consumer law.

As our blog explains, pay-or-ok is a crucial issue in the EU privacy space and a battlefield for radically incompatible views of privacy. Meta’s paid, ad-free subscriptions are fiercely opposed by privacy advocates, including the 28 organizations that urged the European Data Protection Board to take a stance against pay-or-ok in its guidance, which is expected soon.

ECtHR defends end-to-end encryption

In its Telegram v. Russia ruling, the European Court of Human Rights defended end-to-end encryption against Russian laws that would weaken it. The Court held that mandating communication companies to implement backdoors around encryption would compromise user privacy to an unjustifiable degree.

This could be a major privacy win. All EU Member States are part of the Council of Europe and bound by the ECtHR's decisions, so the ruling will likely halt legislative proposals seeking to weaken end-to-end encryption in the EU. The ruling will probably not impact Russian policy, as the country is no longer a member of the Council.

CMA halts Google Privacy Sandbox over competition concerns

The UK competition authority halted the roll-out of Google’s Privacy Sandbox over monopoly concerns. This could further delay the long-announced phasing out of third-party cookies from Google Chrome.

The authority is (understandably) worried that the deprecation of third-party cookies will hugely benefit Google’s ad tech properties at the expense of its competitors and kill off competition in an already monopolized market.

China to relax Shanghai data transfer rules

According to Reuters, the Chinese government is looking to relax data transfer rules for the city of Shanghai. The city of 24 million is a free trade zone under Chinese law and a major center for economic relationships with Western companies.

EU legislation moving forward

The EU’s transparency rules for political advertising were voted through by the Parliament and are now pending Council approval. The proposal includes stricter consent rules, a ban on ads targeted on the basis of sensitive data, and a ban on non-EU ads before elections.

As for the long-anticipated AI Act, the final vote is scheduled for March 13.

Apple to implement PQ3

Apple announced the implementation of PQ3 for its iMessage service. PQ3 is a post-quantum cryptographic protocol and a significant improvement over traditional encryption protocols.

Data broker bankruptcy raises privacy concerns

US Senator Ron Wyden urged the FTC to take action to prevent sensitive location data of US citizens from being sold by Near during its bankruptcy proceedings. Near is a major India-based data broker that allegedly controls personal data from 1.6 billion people worldwide.

Then again, any sensitive data held by the company were likely sold already. The company sold sensitive data of pregnant women to US anti-abortion groups. We suspect that Near was not terribly careful with the rest of their dataset, either. Bottom line, the cat is out of the bag and the FTC can only do so much in terms of damage control.

Bavaria DPA launches large-scale cookie investigation

The Bavaria privacy authority launched a large-scale investigation into non-compliant cookie use on Bavarian websites. The authority’s press conference highlighted the use of automated tools for investigations and explained the importance of properly designed cookie banners for GDPR compliance.

If you want to know more about the investigation, head over to our blog.
