Privacy Monthly: October
Published on Oct 20, 2022 by Carlo Cilento
Welcome to our new monthly blog. We will briefly cover some of the most important privacy news once a month.
So what happened last month? Let’s find out!
- Biden signs executive order on surveillance
- EU Council approved Digital Services Act
- EDPS takes legal action against Europol
- CJEU cracks down on German surveillance law
- Irish DPC submits draft decision on Facebook data breach
- Record fine for Meta over Instagram children accounts
- U.S. Congress debates ADPPA preemption
1. Biden signs executive order on surveillance
On 7 October, US President Joe Biden signed a long-awaited executive order to curtail surveillance practices concerning European data.
The order results from lengthy negotiations between the White House and the European Commission and the first step toward a Trans-Atlantic Data Transfer Framework. The European Commission will almost certainly issue an adequacy decision based on the executive order. Ideally, European companies who are now relying on standard contractual clauses for US data transfers (see our blog on data transfers for more information) will be able to rely on the adequacy decision instead, greatly simplifying data flows.
The decision will likely be challenged in the EU Court of Justice as in the landmark Schrems I and II rulings. The new framework may be problematic in some respects, and it is hard to predict how Schrems III will play out.
2. EU Council approved Digital Services Act
On October 4, the European Commission approved the final version of the Digital Services Act. The Regulation applies to online platforms and intermediary services. It lays out rules for transparency and accountability, especially concerning content moderation, targeted advertising, and the provision of illegal goods and services. Special obligations apply to very large online platforms and search engines designated by the Commission.
The DSA is a new piece of the EU’s digital strategy. The strategy includes other regulations on data governance, such as the GDPR, the Digital Markets Act, and the proposed AI Act and ePrivacy Regulation. The DSA and the DMA sometimes overlap with the GDPR, so companies and privacy professionals will need to figure out the privacy implications of the new regulations.
3. EDPS takes legal action against Europol
On September 16, the European Data Protection Supervisor requested the Court of Justice to invalidate two articles of the recently amended Europol regulation.
Earlier this year, the EDPS ordered Europol to erase personal data for citizens not connected with criminal activity. The European legislator later amended Europol’s regulation to allow for broader processing of personal data. The EDPS claims the amendment amounts to retroactive legalization of Europol’s activities which violates the Rule of Law and threatens the independence of the EDPS. This will be a controversial and politically loaded case.
4. CJEU cracks down on German surveillance law
In a recent ruling, the Court of Justice clarified that “EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security”.
The case was referred to the CJEU after Internet providers Telekom Deutschland and SpaceNet challenged a German law prescribing bulk data retention for telecom providers. The ruling is coherent with the Court’s own case law and consolidates the CJEU’s harder stance on data retention than the European Court of Human Rights.
5. Irish DPC submits draft decision on Facebook data breach
On October 3rd, the Irish DPC announced that it drafted a decision on a large Facebook data breach and submitted it to the EDPB. The draft decision follows an own volition investigation sparked by media reports of the breach.
This is not the only “pending” draft decision about Meta. In July, the DPC announced it drafted and submitted a decision to shut down Meta Platforms Ireland’s data transfers to the US.
6. Record fine for Meta over Instagram children accounts
The Irish DPC fined Meta Platform Irelands Ltd. € 405 million.
The authority found that Instagram violated the GDPR concerning processing personal data from children’s accounts. The platform violated the privacy by default principle by making profiles public by default and processing contact information for business accounts with no legal basis. The fine follows an own volition investigation from the Irish supervisor and consultation with the EDPB.
This is the second-highest fine ever issued under the GDPR. The highest so far is a € 746 million fine against Amazon issued by the Luxembourgish DPA last year.
7. U.S. Congress debates ADPPA preemption
Negotiations over the American Data Protection and Privacy Act continue in US Congress, and preemption is a hotly debated topic.
Interaction between the ADPPA and existing State legislation is a delicate issue. The ADPPA will be the first federal privacy law and set a protection standard for all U.S. citizens if approved. However, several States have already passed privacy bills of their own, which creates a legislative puzzle for Congress. On the one hand, the coexistence between State and federal privacy legislation will fragment the legal landscape across the US. On the other hand, if the ADPPA were to pre-empt state bills, States with their own privacy legislation would not be happy.
Who are we?