Welcome back to our privacy monthly! April has been an eventful month in privacy: the ChatGPT case sent waves across Europe, Meta are risking a Europe-wide Facebook blackout, the LIBE committee of the EU Parliament pushed against the EU-US data transfer framework, and more.
- A hot month for ChatGPT
- EU MEPs push against US adequacy decision
- EPPO investigates Pegasus use in Greece
- Is a Facebook blackout coming?
- EU Commission publishes first set of services affected by DSA
- Cambridge Analytica 2.0?
- France ratifies Convention 108+
- EDPB publishes task force report on Google Analytics complaints
- Meta changes its privacy policies after EDPB decision
- TikTok mishandled children data, again
- US residents can apply for Facebook settlement
A hot month for ChatGPT
OpenAI’s popular ChatGPT AI has been at the center of the privacy debate lately. On March 30 the Italian data protection authority provisionally blocked ChatGPT over privacy issues (as we explained in detail). OpenAI has since implemented some changes to ChatGPT’s data processing, which led the Italian authority to lift the ban on April 28. However, the authority is still carrying out an in-depth investigation and may take further action if needed.
The case set an EU-wide domino effect in motion. The European Data Protection Board (EDPB) created a task force to examine the legal issues posed by ChatGPT and coordinate the approach between authorities. In all likelihood, the impact of the task force’s work will extend beyond ChatGPT and impact regulation of generative AI. In the meantime, the French and German data protection authorities are both carrying out their own investigations on ChatGPT.
Last but not least, the European Parliament agreed upon a new draft of the AI Act proposal that classifies generative AIs such as ChatGPT as high risk, subjecting them to stricter risk management and data governance rules.
EU MEPs push against US adequacy decision
On April 13, the European Parliament Committee on Civil Liberties, Justice and Home Affairs unanimously voted against the European Commission’s upcoming adequacy decision for the US. The resolution is not binding for the Commission but is likely to influence the discussion over the new EU-US data transfer framework, especially considering the surprising unanimity behind the vote.
The resolution acknowledges that the Trans-Atlantic Data Privacy Framework is an improvement over the Privacy Shield, but highlights issues including the criteria for bulk data collection, the data retention rules, and the transparency of the redress mechanism.
The draft adequacy decision is still likely to pass in the Commission. In all likelihood, the predictable legal challenge before the Court of Justice will be the trial by fire for the new data transfer framework.
EPPO investigates Pegasus use in Greece
Upon request of members of the European Parliament, the European Public Prosecutor's Office launched an investigation into the use and sale of military-grade spyware in Greece.
The use of military-grade spyware (most notably Pegasus) by State actors is a hot topic at a European level and has been widely criticized by human rights organizations. Last year the PEGA Committee of the EU Parliament published a report that paints a worrisome picture of spyware use in the EU. Shortly thereafter, the European Data Protection Supervisor called for a ban of military-grade spyware in its Opinion on the European Media Freedom Act.
Greece is currently at the center of the spyware scandal. The Greek government allegedly used the Predator spyware to monitor politicians and journalists and sold Predator licenses to foreign countries (including Sudan, now embroiled in a civil war).
Is a Facebook blackout coming?
According to the IAPP, the Irish Data Protection Commissioner may soon suspend EU-US data transfers for Facebook, potentially leading to an EU-wide Facebook blackout.
The decision will be a further step in a long legal battle over the GDPR’s data transfer rules involving privacy NGO noyb and the European Data Protection Board. The Board already resolved the dispute on April 13 with a decision that has not yet been published. The Commissioner, who is legally bound by the Board’s decision, is expected to publish her own final decision on May 12. Should the data transfers be suspended, Meta will surely challenge the decision in the Irish courts.
Numerous US companies have their European subsidiaries in the Republic of Ireland, including tech giants such as Meta, Google, and Apple. Consequently, the Commissioner’s decision could have a major impact on EU-US data transfers.
EU Commission publishes first set of services affected by DSA
On April 25 the European Commission published a first set of online platforms and search engines designated as “very large” for the purposes of the Digital Services Act.
These services include Facebook, the Apple App Store, TikTok, and several Google services including Google Search and YouTube. Wikipedia is the only service on the list provided by a non-profit organization.
Under the Act, very large online platforms and search engines are subject to stricter rules regarding transparency, targeted advertising, content moderation, and minor protection.
Cambridge Analytica 2.0?
Privacy NGO noyb filed a set of complaints against major political parties in Germany, claiming that they illegally micro-targeted voters with political advertising via Facebook during the 2021 federal election.
In the words of noyb member Felix Mikolasch, “any data on a person's political views is protected particularly strictly by the GDPR. Such data is not only extremely sensitive, but also allows large-scale manipulation of voters, as Cambridge Analytica has shown”.
In a recent, high-profile case involving the NGO, the EDPB found that targeted advertising on Facebook was unlawful (as we explained on our blog). This precedent might give noyb the upper hand in the complaints.
Profiling based on sensitive data on social networks is an urgent privacy issue and one the Amsterdam District Court recently dealt with in a civil case (which we discussed in depth). Regardless of the outcome and merits of noyb’s legal action, it is reason for concern that Cambridge-Analytica style political microtargeting took place in Europe post-GDPR.
Coincidentally, the European Parliament and the European Data Protection Supervisor both called for a ban on political microtargeting in the proposed Regulation for the transparency and targeting of political advertising. Could they be onto something?
France ratifies Convention 108+
On March 30 France, already a party to Convention 108, ratified the modernised Convention 108 (best known as Convention 108+).
The original and modernised Conventions are Council of Europe treaties but are open to States outside the Council as well. To date, the conventions are the only legally binding agreements on data protection under international law. Convention 108 has been ratified by 55 States across the world (most of them European), but not all of them have signed and ratified Convention 108+.
EDPB publishes task force report on Google Analytics complaints
In 2021 the EDPB formed a task force to deal with 101 complaints from NGO noyb against Google’s data transfers related to Google Analytics. A report on the task force’s work was published on March 28, after a surprisingly long delay.
The report is somewhat prudent in its tone, but highlights that standard contractual clauses for transferring data to the US need to be complemented by supplementary measures, as stated by the Court of Justice in the Schrems II ruling. It also highlights that Google Analytics’ IP anonymization option and Google’s (non end-to-end) encryption of data are not enough to keep personal data confidential.
This is nothing new, as several DPAs already stated the same in their rulings (we examined the issue in depth in our blog). Ultimately, the future of EU-US data transfers still hinges upon the upcoming Schrems III ruling over the Trans-Atlantic Data Privacy Framework.
Meta changes its privacy policies after EDPB decision
On April 5 Meta changed the privacy policies for its Facebook and Instagram platforms. Under the new policies, Meta’s legal basis for providing targeted advertising is legitimate interest. Additionally, users in the EU now have the option to opt out of targeted advertising.
The move comes after the Irish privacy watchdog fined the company a total of €390M for unlawfully targeting users of both platforms with personalized advertising. The fines were the outcome of a controversial, high-profile case involving the EDPB (as we explained in our blog).
Noyb is skeptical about Meta’s new legal basis (rightly so, we believe) and announced their intention to further challenge Meta on the issue. They also offer an opt-out tool to help Facebook and Instagram users reject targeted advertising from the platforms.
TikTok mishandled children data, again
On April 4 the UK privacy watchdog (ICO) fined TikTok £12.7M for unlawfully processing children’s data. According to the ICO, the social platform did too little to verify the age of new users and to remove existing accounts of children under 13.
This is not the first time TikTok has got into trouble with data protection authorities over its insufficient age verification policies. In 2021 the Italian GPDP suspended TikTok’s activities three times with regard to underage users. One year later, the Irish DPC drafted a decision to fine the platform for similar violations and submitted it to her European counterparts. The procedure is still pending.
US residents can apply for Facebook settlement
Last December Meta agreed to pay $725M to settle a class action related to the Cambridge Analytica scandal. According to the allegations, Meta (then Facebook Inc.) disclosed personal data to Cambridge Analytica without user consent, enabling the now-defunct British company to target US voters in the 2016 presidential election.
Facebook users can now apply for a share of the settlement, provided that they were US residents at any time between 2007 and 2022.