Welcome to the privacy monthly January 2023 edition. We will briefly cover some of the most important privacy news once a month.
So, what happened last month? Let’s find out!
- European Commission drafts adequacy decision
- EU signs declaration of digital rights
- More legal trouble for Meta
- Slovenia passes Personal Data Protection Act
- Office 365 not GDPR-compliant according to German watchdogs
- US Senate votes to ban TikTok on federal government devices
- Meta bans surveillance-for-hire companies
- Record settlements for Epic Games
- UK watchdog naming and shaming companies for data breaches
European Commission drafts adequacy decision
On December 13, the EU Commission published a draft adequacy decision for the US. The next step in the procedure will be a non-binding opinion from the European Data Protection Board. Finally, the draft will be voted on by Member States and formally adopted by the Commission.
Approval of the draft is virtually certain, given the lengthy negotiations between the EU and the US over the Trans-Atlantic Data Privacy Framework. However, the upcoming adequacy decision is also virtually certain to face legal scrutiny in the Court of Justice. The CJEU already invalidated two data transfer frameworks in the Schrems I and II cases, and it is hard to say how a “Schrems III” case will play out, but the European Data Protection Board may give us some indication in its upcoming opinion.
EU signs declaration of digital rights
On January 15 the declaration on European digital rights and principles was signed by the European Commission, the Council of Europe, and the President of the European Parliament. The declaration aims to promote a digital transition based on a human-centric vision.
The declaration is built upon six principles (people at the center, solidarity and inclusion, freedom of choice, participation, safety and security, sustainability) and is meant to complement the EU digital strategy. In practical terms, the declaration is not binding, but might serve as an inspiration and a point of reference for the interpretation of the GDPR and the EU data protection framework in general.
More legal trouble for Meta
On December 22 Meta Platforms agreed to a $725 million settlement for a class action over the Cambridge Analytica case. Facebook was already fined a staggering $5 billion by the US Federal Trade Commission over the scandal, on top of paying a £500,000 fine to the British privacy watchdog.
Additionally, on January 4 the Irish watchdog fined Meta Platforms Ireland a total of €390 million for unlawfully targeting Facebook and Instagram users with personalized advertising. The fine follows a decision from the European Data Protection Board under the GDPR’s dispute resolution mechanism. We covered the EDPB’s decision in more depth on our blog.
Finally, the EU Court of Justice rejected an action by Meta subsidiary WhatsApp Ireland against an EDPB decision. The procedure relates to a €225 fine imposed by the DPC in 2021. The action was rejected on procedural grounds, as the EDPB’s decision is only binding on the DPC and does not directly concern WhatsApp.
Slovenia passes Personal Data Protection Act
On December 15 the National Assembly of the Republic of Slovenia adopted the Personal Data Protection Act.
Slovenia has been subject to the GDPR since its entry into force, as EU regulations are directly applicable. However, the GDPR calls for national implementation of specific rules, and the lack of implementation made enforcement problematic. With the new law, Slovenia finally became the last EU Member State to implement the GDPR in its national legislation.
Office 365 not GDPR-compliant according to German watchdogs
The German Data Protection Conference highlighted in a recent report that the Office 365 suite from Microsoft is not compliant with certain key provisions of the GDPR.
The German Data Protection Conference (DSK) is a committee formed by the federal data protection authority of Germany and by the data protection authorities from individual German states. The report was published in late November and is the result of two years of consultations between a DSK working group and Microsoft itself. The report highlights several compliance issues, including insufficient safeguards for EU-US data transfers, lacking data retention policies, and an overall lack of clarity about Microsoft’s role as a controller or processor with regards to individual data processing operations.
Microsoft recently announced that it would roll out its EU Data Boundary Program in 2023 in order to reduce data transfers out of the EU. Microsoft’s move might be key for compliance with the GDPR. However, Microsoft’s new policies for European data will surely require scrutiny, as some data transfers to the US will likely still be necessary in certain scenarios.
The working group’s report is available on the DSK’s website (German only).
US Senate votes to ban TikTok on federal government devices
On December 14 the US Senate unanimously passed a bill to ban federal employees from downloading the TikTok app on their devices. In order to become law, the proposal still needs to be approved by Congress and signed by the US President.
US politicians from both parties are concerned that TikTok might be used by the Chinese government to collect intelligence information. Additionally, the app is undergoing security review before the Committee on Foreign Investment in the U.S. (CFIUS), after TikTok owner ByteDance bought the musical.ly app in 2019 and merged its user base with TikTok’s.
Meta bans surveillance-for-hire companies
On December 14 Meta announced it had banned seven surveillance-for-hire companies from Facebook, preventing them from promoting their services through the social network. The company also presented a policy paper urging governments to take action against the surveillance industry.
According to Meta, spyware and surveillance-for-hire businesses are a significant privacy and societal threat. Many such companies are present on Facebook, and some of them carry out their operations on the platform, using fake accounts and spyware links to spy on their targets. While Meta has been prioritizing anti-spyware action on its platform, it points out that action from policy-makers is needed in order to counter the threats posed by the surveillance-for-hire business.
Record settlements for Epic Games
Fortnite creator Epic Games reached two agreements with the Federal Trade Commission for a record $520M. The sum covers a $275M fine for violating the Children’s Online Privacy Protection Act through Fortnite’s default privacy settings, as well as a large refund for unintentional purchases driven by deceptive design. Epic will also be required to change Fortnite’s default privacy settings, requiring an opt-in for in-game text and voice chat for users under 13.
UK watchdog naming and shaming companies for data breaches
In a rather unusual move, the UK data protection authority (ICO) started publishing comprehensive lists of companies reprimanded for data breaches. Commissioner John Edwards explained the motives behind the decision in a recent speech, highlighting the need for transparency and certainty in rule enforcement, as well as the importance of accountability for companies.