Weekly Privacy News - Week #7
Published on 2023-2-14Biden Calls for Stronger Privacy Protections in State of the Union Address
US president Joe Biden has called for legislation that will “stop big tech from collecting data on kids and teenagers”, “ban targeted advertising to children”, and “impose stricter limits” on the amount of data that large tech companies collect on everyone in the US.
The president’s remarks, made in his State of the Union Address on 7 Feb, could suggest that he continues to support the American Data Privacy Protection Act (ADPPA), a comprehensive federal privacy law that failed to pass last year.
EU Greenlights Carrier-Level Single ID Platform for Ads Preferences
The European Commission has approved a joint project between telecoms providers Deutsche Telekom, Orange, Telefónica, and Vodafone Group to create a “platform to support brands and publishers' digital marketing and advertising activities” across France, Germany, Italy, Spain, and the UK.
The platform would transmit a user’s advertising consent preferences across websites. Following a merger investigation, the Commission said the project raised “no competition concerns” and that it had “consulted data protection authorities” about the scheme.
TikTok Faces Human Rights Questions About New ‘Focused View’ Feature
Human rights group Access Now has written to TikTok a new “pay-if-users-engage” feature that supposedly measures whether a user is “emotionally and tangibly engaged” with an ad.
Among other questions, the group has asked TikTok what personal data it processes for these purposes and whether the social media firm has carried out a data protection impact assessment (DPIA) to assess the human rights risks associated with the feature.
Meta and Law Firm Sanctioned By California Court Over ‘Delay, Misdirection, and Frivolous Arguments’
Meta and its legal team, Gibson Dunn, have been ordered to pay over $925,000 (€866,000) in costs due to their “unusually egregious and persistent… delay, misdirection, and frivolous arguments” in a consumer-led case over Cambridge Analytica.
According to the judge, Meta (then Facebook) and Gibson Dunn falsely stated that non-privileged information was confidential and repeatedly made “ridiculous” arguments, including that Facebook was not required to reveal to plaintiffs what information had been collected about them.
UK and Irish Regulators ‘Engaging’ With Twitter Over Right-to-Erasure Requests
Twitter is facing questions from the UK and Irish data protection authorities (DPAs) following complaints that it does not fulfil its users’ requests to delete their direct messages.
On receiving requests to delete direct messages, the social media firm reportedly advised users to deactivate their accounts. Complainants allege this violates Article 17 of the GDPR.
The UK Information Commissioner’s Office (ICO) has asked Twitter to respond further to UK academic Michael Veale, who complained after Twitter failed to fulfil his request that “no copies of any direct messages sent by (his) account should remain on Twitter’s or their data processors’ servers.”
Enforcement Tracker
Here are some of the data protection decisions published this week across the EU.
Court of Justice of the European Union (CJEU)
The CJEU gave its judgment in C-453/21 (X-FAB Dresden), a case about the duties of a data protection officer (DPO). The court found that:
- Member states can pass national laws providing additional employment protections for DPOs that go beyond those found in the GDPR. However, these provisions must not interfere with the protection of personal data.
- A DPO may complete other duties in addition to their data protection responsibilities as long as they do not present a conflict of interest. Duties present a conflict of interest if they involve determining the objectives and methods of data processing.
Belgium
- An unnamed controller was sanctioned for failing to respond to a data subject request. The email inbox set up to receive requests was not functional.
- The Belgian DPA dismissed a complaint by a person alleging that his employers had read his email, finding no violation of the GDPR.
Romania
- Medijobs Platform SRL received a €5,000 fine for failing to implement reasonable security measures in violation of Article 32 of the GDPR.