- French MP challenges EU-US data transfer framework
- Google to pay $93M over location data settlement
- TikTok fined €345M for mishandling children’s data
- UK foreign surveillance violates the ECHR
- Google and X to face Dutch class actions
- Google Privacy Sandbox now widely available
- EDPB to deal with Meta advertising case
- Surveillance advertising ban proposed in US Congress
- European Data Governance Act now applicable
- UK Online Safety Bill to become law
- PCLOB weighs in on FISA
- Finnish DPA greenlights data transfers for Russian company
On September 6 French MP and CNIL member Philippe Latombe lodged a request to annul the EU-US Data Privacy Framework before the EU Court of Justice, as first reported by Politico.
Given the troubled legal history of EU-US data transfers, legal action against the new Trans-Atlantic Data Protection framework was largely expected. It is, however, unclear whether the Court will examine the merits of the case, as the procedural requirements for direct action are rather strict.
We discussed this news in greater detail on our blog.
Google reached a $93M settlement with the California Department of Justice over allegations of illegal collection of location data from users. The company was also ordered to prove more transparency about its handling of location data.
Google allegedly tracked and stored location data for profiling and advertising purposes without user consent. According to Advocate General Rob Bonta, the company also ignored the preferences of users who turned off the “location history” setting of their devices and opted out of targeted advertising based on location.
On September 1 the Irish data protection authority (DPC) fined TikTok for €345M over its handling of data from minor users. The European Data Protection Board was directly involved, as is often the case when the DPC is dealing with Big Tech.
According to the DPC, TikTok failed to consider the privacy impact of its default settings for child accounts. Additionally, the platform’s Family Pairing feature created serious risks for minor users as it was implemented without a verification process.
On September 12 the European Court of Human Rights (ECHR) condemned the UK for carrying out surveillance over foreign nationals without allowing for judicial redress.
In the case at hand, the UK targeted two foreign journalists with digital surveillance. The two brought the case to the Investigatory Powers Tribunal of the UK, but were not heard because they were not UK residents. In its ruling the ECHR held that the UK violated the European Convention of Human Rights by denying action to the journalists.
The lack of an effective redress system is a problematic aspect of EU-US transfers of personal data, and one of the main reasons the EU Court of Justice invalidated two data transfer frameworks with the US in the past. Could this lack of redress become an issue for EU-UK data transfers as well?
Google and X to face Dutch class actions
Google is facing a class action in the the Netherlands for alleged privacy violations. The case was brought by Dutch consumers’ association Consumentenbond and privacy advocacy group Privacy Protection foundation.
As stated in a joint press release, the complaints include the illegal transfer of personal data outside the EU, the illegal collection of location data, and the deliberate use of dark patterns to manipulate users into consenting to highly invasive data collection practices.
X Corp (formerly known as Twitter) is also facing a class action over illegal data collection, led by Dutch non-profid SDBN.
According to SDBN, the Twittter (now X) app and the MoPub mobile app platform (currently owned by a different company) collected personal data without collecting informed consent. It is worth noting that MoPub trackers are embedded in an enormous number of free apps, including widespread services such as Shazam, Duolingo, and Grindr.
In September the API for Google’s Privacy Sandbox became generally available to developers. The API’s release is an important step in Google’s announced strategy to phase out third-party cookies from its own environment.
The Google Privacy Sandbox uses browsing information to classify users into groups based on location, demographic, and interests. The core idea behind the Sandbox is that sharing data about these groups, and nothing else, allows for effective targeted advertising with a smaller impact on user privacy compared to traditional, cookie-based tracking strategies.
The Privacy Sandbox is a privacy-preserving system has been met with some degree of criticism.Let's see whether the Sandbox will actually deliver on its promises, or turn out to be a mere paint job for Google’s highly invasive business model.
On September 28 Norwegian data protection authority asked the European Data Protection Board for a binding decision on targeting advertising on Facebook and Instagram. The authority is seeking confirmation for a temporary ban on Meta’s personalized ads imposed months ago through an urgent procedure. Shortly before the ban, the EU Court of Justice found Meta’s advertising model to be illegal.
At its core, the case is about the lack of user consent to profiling and targeted advertising. The case is worth watching closely, as it may result in bans in other European countries, and may broadly impact the pay-with-your-data business model that powers many online platforms.
For more information, feel free to check out our blog on the Bundeskartellamt ruling of the Court of Justice.
Democrat Representatives introduced the Banning Surveillance Advertising Act in the US Congress on September 18.
The bill seeks to ban advertising based on information bought from data brokers as well as protected information such as race and religion. In the words of Representative Anna Eshoo, surveillance-based advertising is “a toxic business model that causes irreparable harm to consumers, businesses, and US democracy”.
The privacy situation in the US is far from rosy. Congress tried to push a federal privacy regulation (the ADPPA) but negotiations around the proposal have slowed down to a crawl. The Banning Surveillance Advertising Act could play a crucial role in protecting privacy rights until the ADPPA (hopefully) comes along.
The Data Governance Act (DGA) of the EU became applicable in September after a 15-month grace period.
The Act aims to foster the EU data space by allowing businesses and public organizations to share both personal and non-personal data with trusted intermediaries, who will then make the data available to other entities under certain conditions. For instance, manufacturers could entrust
However, the DGA creates no obligation to share data for organizations. In all likelihood, the success of the Digital Data Space will depend upon the Commission’s ability to convince large companies to share their data.
The controversial Online Safety Bill of the UK was voted by the Parliament on September 19 and will soon become law. The Bill includes content moderation obligations for online platforms and measures against the diffusion of child pornography (referred to as child sex abuse material or CSAM) through personal messaging platforms.
The controversy surrounding the Bill revolves around the obligation of personal messaging platforms to identify and take down illegal content, including CSAM. This obligation could force companies to break end-to-end encryption by implementing client-side scanning for their services, which raises privacy and security conscerns. Privacy advocacy groups and several messaging platforms have strongly opposed the bill, with Whatsapp and Signal going as far as to announce they would leave the UK market if the bill were to pass.
In related news, the U.S. Privacy and Civil Liberties Oversight Board reviewed the foreign surveillance activities carried out by the NSA under FISA section 702- one of the laws authorizing surveillance over foreign citizens. The Board’s report highlights that certain forms of data collection operations- specifically “US person queries” and “batch queries”- are potentially very intrusive and could be limited without severely impacting the efficacy of foreign surveillance.
Reauthorization for FISA is shortly due in Congress and the Board’s report may impact the negotiations process. The situation is worth monitoring, as operations carried out under FISA are at the center of decade-old legal issues with data transfers between the EU and the US.
On September 27 the Finnish data protection authority suspended a temporary data transfer ban issued in August for Yango- a Russian app-hailing app.
The original decision revolved around a new Russian law that allows surveillance agencies to request personal data from certain companies. Upon further examination, the Finnish authority held that the Russian law did not apply to ride-hailing services.