Welcome to our new monthly blog. We will briefly cover some of the most important privacy news once a month.
So what happened last month? Let’s find out!
- EU Parliament investigates State spyware, EDPS chimes in
- Get yourself a burner phone for the World Cup
- Google pays record settlement over location data
- Apple faces privacy lawsuit
- Indian government proposes new privacy bill
- Sunsetting of Google Analytics 360 delayed
- Class action against GitHub Copilot project
- Hungarian DPA rules against the use of Google Analytics
- Former Uber CSO convicted for obstruction of justice
- CJEU to rule on compensation for GDPR infringements
On November 8, a Committee of inquiry of the European Parliament published a report on the use of spyware by European Governments.
According to the findings, several EU Member States employed Pegasus and other surveillance software to monitor political opponents, journalists, activists, and high-profile figures in entrepreneurship and finance, both legally and illegally, typically under the justification of national security. The inquiry paints a drab picture and calls for urgent action, including a moratorium on the use and diffusion of spyware in the Union and the creation of a common legal framework for the use of spyware.
Shortly after the report was published, the European Data Protection Supervisor called for a general ban on military-grade spyware in its Opinion on the European Media Freedom Act proposal.
Between the inhumane treatment of the migrant workforce and allegations of corruption against FIFA officials, there is no lack of controversy around the Qatar World Cup. State spyware is the cherry on the cake.
The Kingdom of Qatar requires foreigners to install two apps on their phones to attend the World Cup. Several European data protection authorities recently found that these apps are highly invasive and cautioned against their use. According to the German DPA, the app processes much more data than its privacy notices suggest, to the point that the user's calls can be monitored. In other words, the apps are essentially State spyware. The Norwegian and French DPAs echoed these concerns and went as far as to recommend the use of burner phones to attend the World Cup.
On November 14, Google agreed to pay 391 million dollars for deceptively tracking user location, in a settlement involving Advocates-General from 40 US States.
The investigation started in 2018 after an Associated Press article inquired about Google's processing of user location data. According to the Advocates-General, Google employed a deceptively designed interface that included separate and poorly explained opt-out mechanisms for location tracking, effectively tricking users into believing their location was not being tracked.
In addition to the record payout, Google undertook to employ a clearer interface and provide users with more information as part of the settlement.
On November 10, a lawsuit was filed against Apple in a California district court. The company allegedly monitors activity on Apple apps, regardless of user preference. Two security researchers and Mysk employees using a jailbroken iPhone noticed a suspicious collection of device data on the App Store. According to news outlet Gizmodo, the tracking involves several other apps, including Apple Music, Apple TV, and Stocks.
This will surely be an interesting case. First-party data has been a strategic priority for Apple for a while now. Is Apple processing this data lawfully, and will it live up to its carefully constructed reputation as a privacy-minded company when its data processing undergoes legal scrutiny?
Last week the Indian government published the Digital Personal Data Protection draft, a highly anticipated proposal for a federal privacy law.
Another bill was introduced to the Parliament earlier this year and later withdrawn by the government. The new draft incorporates some of the numerous amendments the Parliament proposed for the scrapped bill. The bill will surely draw the attention of privacy professionals worldwide, as India is an important node for international data transfers.
On October 27, Google announced it would push back the sunsetting of Universal Analytics 360 properties to July 2024. Universal Analytics properties will still be deprecated in 2023 as planned.
This is the second time Google has delayed the deprecation of UA, which was initially scheduled for 2022. Earlier this year, the company also extended support for third-party cookies in Google Chrome. UA uses third-party cookies, so the delay for Universal Analytics has probably been on Google's mind for a while now.
This month a class action was filed in a California federal court against GitHub's Copilot project over copyright concerns.
GitHub is a software development hosting service that Microsoft acquired four years ago. Copilot is a generative AI project that writes code based on natural language instructions, allowing for faster code compilation. Copilot's AI is trained on the open source code hosted by the GitHub database and can reproduce lines of code hosted by GitHub. Proponents of the class action protest that the reproduction of code amounts to a violation of open-source license terms because Copilot fails to attribute the work to the original developer.
In an as yet unpublished decision, the Hungarian data protection authority (NAIH) ruled against the use of Google Analytics over data transfer concerns, following the example set by the Austrian, French and Italian DPAs.
From what we know right now, the decision appears to be similar to the other European precedents. It revolves around the lack of effective safeguards against US surveillance over foreign data. The decision suggests that the trend towards strict enforcement of data transfer rules may continue despite the recent executive order from US President Joe Biden. We wrote more about the topic here.
Please note that GDPRhub is the sole source of this news at the moment. GDPRhub is a project from noyb, a privacy NGO directly involved in the case. We consider the information to be reliable, but a warning is still due.
On October 3, former Uber Chief Security Officer Joe Sullivan was convicted of obstruction of justice.
In 2016 the Federal Trade Commission was investigating a massive breach of Uber drivers' and customers' data. A federal jury found that Mr. Sullivan covered up the data breach and failed to disclose information to the Federal Trade Commission. As highlighted by the IAPP, this is the first time in US case law that a CSO has been held criminally liable in relation to a data breach. The case may therefore set an important precedent.
Three years ago, the Austrian postal service was involved in a scandal for profiling citizens and selling the data to third parties for advertising and political propaganda. A citizen claimed compensation in an Austrian court after being labeled as a right-wing supporter by the postal service. The Austrian Supreme Court referred three questions to the Court of Justice.
The Court will clarify whether harm is a requirement for compensation for GDPR violations and whether mere upset over a violation amounts to harm. The Court will also deal with issues related to the harmonization of Member States' private law. The ruling may have far-reaching implications for GDPR enforcement in courts.
Advocate-General Campos Sánchez-Bordona issued his opinion on the case last month.