Privacy Monthly April 2024

Published on 8 Apr 2024 by Carlo Cilento

So, the EU finally adopted its highly anticipated, widely discussed AI Act, the first regulation of its kind worldwide. In the meantime, the US is moving towards limiting data transfers to "countries of concern", and possibly even towards divesting TikTok from its Chinese ownership!

  1. EU passes AI Act
  2. Congress may force ByteDance to divest TikTok
  3. US cracking down on data transfers to adversary countries
  4. Mark Zuckerberg involved in project Ghostbusters
  5. GM cuts ties with data brokers
  6. Meta to lower fees for no-ad service
  7. Google to delete user data after Incognito lawsuit
  8. 17 Countries issue statement on controlling commercial spyware
  9. Zoom faces damages in Brazil
  10. FISA 702 expiring shortly, still pending reauthorization
  11. EDPS to suspend Office365 use by the Commission
  12. TC consent strings are personal data

Our Privacy Monthly discusses all of this and more. Let's dive in!

EU passes AI Act

With the final vote of the Parliament, the EU passed the highly anticipated AI Act. The Act will enter into force in 2026 but provides for different timelines for specific rules.

Under the AI Act, certain applications of AI, such as social scoring, are prohibited altogether, while high-risk AI applications and generative AI are subject to stringent rules. The Regulation also establishes an AI Office for enforcement.

Congress may force ByteDance to divest TikTok

The House of Representatives passed a bill that would force ByteDance to divest TikTok in order to make the social network available in the US market. The unprecedented and controversial proposal now needs the vote of the Senate to become law.

Supporters of the bill claim that ByteDance’s ties to the Chinese Communist Party would allow China to use TikTok to both collect fine-grained data on US citizens and influence political discourse.

US cracking down on data transfers to adversary countries

In closely related news, the US is becoming increasingly aware of the national security risk posed by the unrestricted trade of personal data. The US President issued an executive order limiting the transfer of personal data to “countries of concern”. Furthermore, a bill restricting data sales to certain countries (the Protecting Americans’ Data from Foreign Adversaries Act) was passed unanimously by the House and will likely be confirmed by the Senate.

Mark Zuckerberg involved in project Ghostbusters

Back in 2016, Meta (then Facebook) intercepted encrypted analytics for users of Snapchat and YouTube on a large scale through a Facebook-owned app, in an operation nicknamed “Project Ghostbusters” by Meta staff. Project Ghostbusters might well be one of Meta’s worst privacy blunders to date, on par with Cambridge Analytica.

While Project Ghostbusters itself is not news, recently unsealed documents prove the direct involvement of top-level Meta executives, including Mark Zuckerberg himself. According to internal emails, Zuckerberg found it unacceptable that Facebook lacked analytics about users of other services. Yup, you read that right.

GM cuts ties with data brokers

General Motors stopped sharing driver data with data brokers LexisNexis Risk Solutions and Verisk after the New York Times reported on the company’s invasive data sharing practices. The two data brokers used fine-grained personal data to build insurance risk profiles for drivers and sell them to insurance companies.

GM’s privacy blunder may not be an isolated case: months ago, a study by the Mozilla Foundation highlighted awful privacy practices across the entire automotive industry.

Meta to lower fees for no-ad service

According to Reuters, Meta offered EU regulators to lower the price of ad-free Facebook and Instagram subscriptions from €9.99 to €5.99, in an attempt to shield itself from ongoing legal challenges over its pay-or-ok approach to privacy.

noyb (one of the NGOs behind the legal challenges faced by Meta) was critical of the company’s decision and noted that lowering the prices doesn’t address any of the severe concerns raised by paid subscriptions. We don’t expect Meta’s other critics to be impressed with the price cut, either.

Meta’s paid subscriptions have been controversial in the privacy community since day one. If you are curious about this hot topic and its implications for privacy rights, feel free to check out our blog.

Google to delete user data after Incognito lawsuit

Following a class action in a federal court, Google pledged to delete user data about Incognito browsing on Google Chrome. According to the lawsuit, Google misrepresented data collection from Incognito mode.

Users will not receive damages as part of the class action, but may still take action individually against the company.

17 Countries issue statement on controlling commercial spyware

Governments from 17 countries (including the US, the UK, France, and Germany) issued a statement on the need to control the distribution and proliferation of commercial spyware. The statement acknowledges that commercial spyware poses a threat to democracy and that stricter regulation is needed to control its development and sale.

The statement did not come a moment too soon: in 2022, a special inquiry committee of the EU Parliament found evidence of spyware abuse by at least four EU governments. In more recent news, commercial spyware was found on the devices of two EU MEPs during routine checks in February, as reported by Politico.

Zoom faces damages in Brazil

The Court of Maranhão found that Zoom illegally shared user data with Meta by including a “log in with Facebook” option for its service. The company will pay BRL20M (about €3.5M) in collective damages, as well as BRL500M (about €90) to users involved in the breach.

Zoom stated that the sharing of user data was unintended and that the company had no data sharing partnership with Meta.

FISA 702 expiring shortly, still pending reauthorization

The authorization for government surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) is due to expire on April 19 and is still pending reauthorization. The controversial law authorizes broad government surveillance of foreign citizens but has frequently been abused to indirectly wiretap the communications of US citizens without a warrant.

As one of the most problematic US surveillance laws, FISA has been at the center of the Schrems ruling and the ensuing drama around EU-US data transfers.

EDPS to suspend Office365 use by the Commission

After a long investigation, the European Data Protection Supervisor ordered the Commission to suspend the use of Office365. The decision is highly technical in nature and revolves around the Commission’s failure to comply with the data transfer rules of Regulation 2018/1725 (a privacy law that applies to EU institutions in lieu of the GDPR).

TC consent strings are personal data

The Court of Justice found that the TC strings employed by the IAB Transparency and Consent Framework are personal data. The ruling may have an important impact on the ad tech market, as the IAB’s framework is one of the most widely employed by EU advertisers.

A summary of this highly technical decision can be found on GDPRhub.
