Kicking off 2024 with yet another Privacy Monthly, and this time around Google steals the spotlight. The Silicon Valley giant lost a major antitrust case over its Play Store, had to settle a privacy class action over Chrome’s Incognito mode, and must deal with a major (and still unpatched) vulnerability in its widely used OAuth authorization system. Google aside, the EU is close to finalizing the AI Act, Meta is (finally) encrypting Messenger chats, and more!
- Big trouble for Google
- AI Act nearly finalized
- Messenger now encrypted by default
- Congress temporarily extends FISA 702
- EDPB discusses pay-or-ok approach to privacy
- Landmark CJEU rulings on credit scoring
- X under DSA investigation
- Noyb challenges X over political advertising
- Morgan Stanley reaches settlement over embarrassing data breach
Big trouble for Google
In December Google settled a class action over Incognito mode tracking. The lawsuit claimed $5 billion in damages but the amount of the settlement is undisclosed. We wrote more about Google’s Incognito mode blunder here.
In the meantime, the Icelandic privacy authority fined several municipalities for using Google Workspace and other Google Cloud services in schools. While Google itself was not responsible for any violation, the decision suggests that some of its services might be too privacy-invasive for use in an educational setting.
In non-privacy-related news, Google lost a major antitrust lawsuit brought by Epic Games over the Google Play Store. If Google were to lose on appeal as well, the case might create a dangerous precedent for Google and weaken the Play Store’s lucrative monopoly over app distribution on the Android platform.
As if legal issues weren’t enough, a security researcher recently disclosed a major vulnerability in Google’s OAuth systems. An oversight in the email linking system for Google accounts allows former employees to retain access to their organizations’ service providers after their company Google account has been deactivated. This vulnerability could result in breaches of personal data as well as invaluable business information, including trade secrets.
The researcher informed Google in August and only went public with the details after Google failed to address the vulnerability. Major service providers such as Slack were informed of the vulnerability ahead of time, in order to limit the negative consequences of the disclosure. To date, Google has not mentioned this vulnerability on its blog or announced a fix.
AI Act nearly finalized
After a three-day negotiating marathon, EU legislators reached a provisional agreement on the AI Act.
The agreement was made possible by mutual concessions between the Parliament and the Council: for instance, the Parliament agreed to carve out narrow exceptions for the use of real-time biometric identification in law enforcement, in exchange for a ban on emotion recognition technology in workplaces and schools.
The Act will probably be finalized soon, as EU legislators intend to push for the finishing line before a new Parliament is elected.
Messenger now encrypted by default
Meta announced that it is rolling out end-to-end encryption for Messenger. Messenger’s end-to-end encryption uses the same Signal protocol that powers WhatsApp’s.
End-to-end encryption has been available as an opt-in setting since 2016, but it will now be on by default. Better late than never, I suppose.
Congress temporarily extends FISA 702
The US Congress extended FISA Section 702 by four months, postponing the proposed and hotly debated reform of the law. The proposed reforms aim to limit reverse targeting, a form of warrantless surveillance that bypasses some of the protections afforded to US citizens under the law.
FISA is quite relevant to EU privacy law. By allowing for extensive surveillance over European data, Section 702 creates a privacy risk for EU-US data transfers. A reform of Section 702 could have important consequences for data transfers and for the future of the new data privacy framework between the EU and the US.
EDPB discusses pay-or-ok approach to privacy
In December the European Data Protection Board (that is, the European body that brings all the EEA’s data protection authorities together) discussed the pay-or-ok approach to privacy and its compatibility with the GDPR. The Board has not yet published any documents on the topic.
While pay-or-ok is by no means a new issue, it became a hot topic after Meta started offering paid, ad-free subscriptions as part of its new (and controversial) compliance strategy for targeted advertising. It's a long story and we wrote about it here.
Landmark CJEU rulings on credit scoring
The EU Court of Justice issued two rulings on credit scoring practices. Given the increasingly widespread use of credit rating, these rulings could play an important role in the future.
The main takeaway is that individuals affected by credit scoring enjoy specific rights and safeguards under the GDPR (specifically, those provided for certain forms of automated decision-making under Article 22). The Court also held that a credit scoring agency cannot store information on insolvency for a longer time than public registers.
X under DSA investigation
On December 18 the European Commission started investigating X’s compliance with the Digital Services Act, a recent Regulation that imposes content moderation duties on major online platforms.
This is not surprising. X (then still named Twitter) abandoned the EU code of practice on disinformation in June 2023, right before the DSA entered into force. Effectively, the platform turned its back on voluntary commitments that would become legal obligations in a matter of months. This confusing move made the platform an obvious target for DSA enforcement and drew criticism from the EU Commission.
Long story short, the investigation was to be expected, and X is off to a bad start.
Noyb challenges X over political advertising
In more X-related news, NGO noyb filed a complaint over targeted political advertising carried out by X on behalf of the European Commission. This complaint is a follow-up to another recent complaint against the Commission itself.
Noyb claims that a Dutch citizen was shown ads based on politics-related keywords, including names of prominent right-wing politicians. The organization believes this targeting strategy is a violation of both the GDPR and the Digital Services Act (and we agree, for what it’s worth).
Bottom line, the **Commission engages in the very practices the EU is trying to ban**. This case is quite embarrassing for the Commission regardless of the outcome.
Morgan Stanley reaches settlement over embarrassing data breach
Finance giant Morgan Stanley reached a $6.5M settlement over a data breach. The lawsuit was initiated by a multi-state coalition after the company compromised personal data by failing to erase it from decommissioned devices.
Morgan Stanley outsourced the decommissioning to a moving company with no IT expertise. This resulted in company computers and servers being sold on the market with company data and personal data still stored on the devices, sometimes in unencrypted form.