October was an eventful month, to say the least. Meta is in the regulator's crosshair once again as the EDPB bans personalized advertising on Facebook and Instagram; countries around the world keep pushing forward with AI regulation; California passes an innovative law on the right to delete, and more. Oh, and did we mention one of the worst data breaches in history?
- EDPB bans personalized advertising for Meta.
- Large-scale genetic data breach confirmed
- One hot month for AI regulation
- German competition authority rules against Facebook
- Amazon launches European cloud
- UK passes controversial Online Safety Law
- First legal action against data transfer framework rejected
- Congress considers temporary FISA reauthorization
- Developments in California privacy law
- Argentina moving towards new data protection law
EDPB bans personalized advertising for Meta.
On 27 October the European Data Protection Board issued an urgent and binding decision to be implemented by the Irish privacy watchdog. While the decision has not been published yet, it is clear from the Board’s press release that it practically amounts to an EU-wide ban of personalized advertising on Facebook and Instagram.
For almost a year now Meta has been struggling to justify its data-driven business model based on user profiling and targeted advertising. Two different versions of Meta’s privacy policy were struck down by EU regulators over issues related to personalized advertising on Facebook and Instagram, and the Norwegian privacy authority later issued a temporary ban against targeted advertising with regards to Norwegian users. At last, the EDPB’s urgent decision turned the Norwegian ban into a permanent, EU-wide ban to be issued by the Irish data protection authority in the near future.
On a side note, Meta recently announced that it will make paid, ad-free Facebook subscriptions available to European users as an alternative to its current free, ad-powered memberships. We suspect that this controversial move is largely motivated by the need to legitimize the current business model with regards to non-paying users- who will, in all likelihood, account for the vast majority of Facebook’s user-base in the future.
Large-scale genetic data breach confirmed
US based genetic testing company 23andMe suffered a large-scale data breach The full extent of the breach is not known, but early reports indicate that genetic data for at least 4 million users were leaked.
Earlier this month a hacker announced that they hacked and leaked the data on the Dark Web. 23andMe first announced that they were analyzing the leaked data to verify the claims. The company later sent warning emails to affected users, implicitly confirming that the leaked data are genuine.
Leaks of genetic data are particularly risky as they affect not only the people, to whom the leaked data belong, but their relatives as well- whether they use genetic testing services or not. In the case of large-scale data leaks from commercially available services, even distant relatives of users may be affected.
One hot month for AI regulation
October was an eventful month for AI regulation. The UN established a global AI advisory board; the G7 agreed on a code of conduct for AI development; the UK AI safety summit reached important results, including an AI testing agreement between 27 governments; and the US President signed off an executive order addressing the safety and privacy concerns of AI.
As for the EU, Euractiv reports that an agreement on the AI Act may be close at hand. The final draft of the Act is trying to secure a deal by finding a middle ground between the Parliament and the Commission: the Parliament might be willing to leave a little room for real-time biometric identification in the context of law enforcement, in exchange for a longer list of prohibited AI applications.
German competition authority rules against Facebook
Following an investigation from the German competition regulator (Bundeskartellamt), Google committed to giving users more control over the cross-use of data between distinct Google services, as well as the combination of data collected through third-party apps and services. In other words, consumers will now have the option to opt-out of the cross-use of data when it is not necessary.
The authority announced that similar investigations are pending against other Big Tech.
This decision is related to the recent Bundeskartellamt ruling of the EU Court of Justice- an important decision that we discussed extensively in this blog.
Amazon launches European cloud
Amazon recently announced the AWS European Sovereign Cloud, a new and EU-based cloud service. The service aims to help companies and public organizations comply with data privacy standards and data localization rules.
Amazon is not the only data-driven giant to bet on data localization: in January Microsoft rolled out the EU Data Boundary program for its Microsoft Cloud service. These services make Microsoft and Amazons attractive providers for governments, public organizations, and companies handling large amounts of sensitive data.
UK passes controversial Online Safety Law
The Online Safety Act of the UK became law on October 26. The Act includes content moderation obligations for platforms and will come into force gradually as the UK telecom authority rolls out new regulation.
The Act also requires the providers of messaging services to scan image files in order to identify and flag child sex abuse material. This forces some providers to build backdoors into end-to-end encryption, potentially undermining communication privacy and security. Privacy advocates harshly criticized the bill in the drafting phase, while Whatsapp and Signal threatened to leave the UK market if the law were to pass.
First legal action against data transfer framework rejected
The General Court of the European Union denied Philippe Latombe’s request to suspend the adequacy decision for the US over procedural issues. According to the International Association of Privacy Professionals, Mr. Latombe appealed the Court’s decision.
The EU Commission’s adequacy decision for the US is the last step in the US and EU’s joint effort to solve long-standing legal issues with data transfers. The EU Court of Justice invalidated two EU-US data transfer framework over the last decade. The current framework- to which the adequacy decision relates- will surely faces more legal challenges in the future.
Congress considers temporary FISA reauthorization
As negotiations around FISA reauthorization slow down in the US Congress, some congressmen are considering a temporary reauthorization as a way to avoid a stall.
The Foreign Information Surveillance Act (FISA) is a US law regulating the surveillance activities of US intelligence agencies over foreign citizens. The future of FISA could have an important impact on EU-US data transfers, as the broad surveillance powers conferred by the law were a crucial legal issue in the Schrems I and II rulings of the EU Court of Justice.
Developments in California privacy law
On October 11 the California governor signed the Delete Act into law. The Delete act strengthens the right to delete of California residents by designing a one-stop system for deletion requests addressing data brokers. So, California residents will be able to require all data brokers to delete their personal information by forwarding a single request.
The Delete Act is an ambitious and innovative law, and will likely have a significant impact on the digital advertising market as well as other markets driven by commercially available personal information. We discussed the Act in further detail in this blog.
The State also amended the California Consumer Privacy Act (CCPA) to ensure better protection for immigration status and reproductive health data.
Argentina moving towards new data protection law
The Argentinian government presented the Draft Law on the Protection of Personal Data. The new bill is based on a draft from the Argentinian privacy authority and should replace the Country’s current data protection law. The proposal provides for the extraterritorial reach of privacy rules, similar to regulations such as the GDPR, the Brazilian LGPD, and the California CCPA.
It is worth noting that Argentina is one of a handful Countries for which an adequacy decision is available under EU law. Therefore, personal data of people in the EU and the European Economic Area can be easily sent to the Country.