Privacy Monthly: February 2023

The privacy monthly is back with juicy news: the European Data Protection Board has been up to some important stuff, Google faces yet another antitrust lawsuit in the US, and more. Oh, and the US no-fly list was stolen- yup, you read that right.

The UK Government chose Simple AnalyticsJoin them

Let’s dive in!

Crucial data transfer case goes to EDPB

In yet another chapter of the data transfer saga, the European Data Protection Board (the Board composed of all European data protection authorities as well as the European Data Protection Supervisor) will have the final word on the Irish data protection authority’s investigation of Meta Ireland’s data transfers. The authority already drafted a decision to shut down data transfers for Facebook last July, but other data protection authorities objected, so the EDPB will settle the matter with a binding decision.

This is a high-profile case with EDPB involvement, so the outcome will surely have a significant impact on the way DPAs will handle similar cases. The Board’s decision will make for an interesting read and give us some insight as to where individual DPAs stand on the controversial issue of data transfers.

The legal issues with data transfers are a long story by now. If you’re curious, we wrote about it here.

No Fly list stolen

The US Transportation Security Administration is currently investigating the leak of the 2019 version of the federal No Fly list. The hacking was claimed by a Swiss hacktivist who allegedly found the list on an unsecured server of US airline CommuteAir. The hacktivist did not publish the list but said she will make it available to selected journalists and researchers.

The No Fly list is a list of known or suspected terrorists who are not allowed to board flights. The list is highly controversial and has been widely criticized for its lack of transparency and bias against the Muslim religious minority. According to the hacktivist, the version in her possession contains names and birthplaces for more than one million individuals, both US nationals and foreigners.

Antitrust lawsuit against Google

The US Department of Justice and the Attorney Generals of eight States filed an antitrust lawsuit against Google’s parent company Alphabet Inc., seeking to break up the company and lessen its control of the digital advertising market.

Google is not new to antitrust litigation: a lawsuit over Google’s monopoly over the Internet search market was filed by the DOJ in 2020 and dismissed. Other big tech companies are under fire as well: Meta is involved in two lawsuits over its dominant position on the social network market, and the proposed acquisition of VR company Within. And recently the Federal Trade Commission brought Microsoft to court in an attempt to stop its acquisition of video game company Activision Blizzard.

Overall the DOJ seems to be taking a very proactive stance on antitrust issues under the Biden administration, which could lead to interesting developments in the future.

DPC fines Meta, announces legal action against EDPB

As covered in the January privacy monthly, the Irish DPA (DPC) fined Meta Ireland for €390M for unlawfully targeting Facebook and Instagram users with personalized advertising. The DPC’s early (and very lenient) decisions were reviewed by the EDPB under the dispute settlement mechanism and were mostly overturned, which led the authority to issue new decisions.

The story is not quite over yet. The EDPB later settled a third, almost identical dispute revolving around Whatsapp. This resulted in the DPC fining Meta-owned WhatsApp Ireland for another €5M on 12 January- a rather small amount, given the number of users affected. The DPC also announced legal action in the EU Court of Justice, as it seeks to annul the EDPB’s order to further investigate Meta’s data processing operations. According to the DPC, the order is a violation of its independence, as the EDPB lacks authority to direct a DPA’s investigation.

All decisions highlight radical disagreement between the DPC and other DPAs, with numerous authorities objecting to the DPC’s views and pushing for a far stricter interpretation of the GDPR. Legal action from the DPC is likely to further increase the friction with its European counterparts.

Yup, this was a busy month for the EDPB. Last year the Board established a cookie banner task force to coordinate response to numerous complaints filed by NGO noyb against deceptive cookie banners. On January 17 the task force published its report.

The document deals with common instances of deceptive design in cookie banners, such as forcing the user to go through extra steps to reject cookies or making the reject option scarcely visible. The task force largely agreed that such practices are illegal. The document is not legally binding on DPAs, but in practice, it might be a step towards a crackdown on deceptive banners on a European level.

If you want to know more, we covered the report on our blog.

After action from the Irish Council of Civil Liberties and an exchange with the EU Ombudsman, the European commission committed to regularly monitor the investigation of large-scale, cross-border GDPR cases throughout Europe. DPAs of each Member State will report their progress on such cases every two months. The Commission will publish a report of their own on the information they receive, offering the public some insight on the state of GDPR enforcement.

Many important privacy cases against big tech stem from cross-border complaints, and resolution often take ages. The DPC’s recent fines against Meta are a good example- the complaints were fined back in 2018! Hopefully the new reporting system will speed things up.

French watchdog on a fining spree

The French DPA (CNIL) has been quite active lately, and it has been bad news for big tech. Within one month both TikTok and Microsoft were fined over non-compliant use of cookies and deceptive cookie banners (for €8M and €60M respectively), and Apple were fined €8M for illegally tracking users of iOS 14.6 for advertising purposes.

The timing is very appropriate: the decisions against TikTok and Microsoft perfectly line up with the recently published report from the EDPB cookie banner task force. The CNIL is an influential DPA and its decisions will hopefully set an example for other authorities to handle cookie cases strictly.

EU may crack down on political advertising

The Internal Market and Consumer Protection Committee (IMCO) of the European Parliament agreed on a draft regulation to tighten the rules for political advertising. Members of the Parliament are also proposing to ban non-EU entities from funding political advertising in the EU.

Should the Union follow through on the IMCO’s draft, political ads will only be allowed based on personal data expressly provided for that specific purpose. This would effectively kill targeted political advertising on social networks- and in light of the Cambridge Analytica scandal, that’s probably for the best.

TikTok CEO to testify before Congress

TikTok CEO Shou Zi Chew agreed to testify before the House Energy and Commerce Committee of the US Congress in March. Mr. Chew will attempt to reassure the Congress and rebuke the claims that the app makes user data available to the Chinese Communist Party.

TikTok’s alleged security issues have been a controversial topic for years now. The Trump administration attempted to ban TikTok, but his executive order was challenged in court and later revoked by the Biden Administration. TikTok’s alleged security issues have been a hot topic ever since. TikTok is banned in 24 States and on some government devices, and the U.S. House Foreign Affairs Committee will hold a vote to ban TikTok this month.