Weekly Privacy News - Week #9
Published on 2023-2-28European Commission Proposes New Regulation to Improve GDPR Enforcement
The European Commission has announced a new regulation designed to “harmonise some aspects of the administrative procedure” in cross-border GDPR enforcement cases.
The proposal follows long-standing criticism of the GDPR’s “One-Stop Shop” mechanism, which aims to resolve disputes between regulators and ensure the consistent application of data protection enforcement.
Online Safety Bill: Signal Threatens to Pull Out of UK Over Encryption Proposals
The CEO of privacy-focused messaging app Signal has said that the company would “absolutely, 100% walk" from the UK market if plans to scan encrypted messages proceed.
As part of its Online Safety Bill, the UK government proposes forcing apps to scan messages for suspected illegal content. Signal CEO Meredith Whitaker told the BBC that the policy would “undermine the trust” of the app’s users.
Tesla Improves Camera Privacy Following Dutch DPA’s Investigation
Tesla has agreed to substantially limit how its cars record public places following an investigation by the Dutch data protection authority (DPA). The changes affect Tesla’s “Sentry Mode”, which activates a car’s cameras to record suspicious activity.
Among other changes, the car’s maximum recording time will reduce from one hour to ten minutes, the car’s owner will need to proactively enable Sentry Mode, and the car will alert passersby that they are being recorded.
European Commission Bans TikTok From Work Devices
European Commission staff have until 15 March to delete TikTok from corporate devices due to concerns over how the social media app processes data. The policy follows similar moves by US state and federal government bodies.
TikTok has previously confirmed that some user data was accessible to its Chinese parent company, ByteDance. However, a TikTok representative said the Commission’s policy was “misguided and based on fundamental misconceptions.”
Meta Faces Italian Tax Bill Over Data “Exchange”
The Italian tax authorities are pursuing Meta for €870 million in unpaid VAT, arguing that the company’s business model involves a taxable exchange of user data for services.
The investigation was triggered by the Luxembourg-based European Public Prosecutor's Office (EPPO). Authorities allege that Meta is liable for sales tax on revenues generated by businesses selling goods and services on Facebook and Instagram.
European Data Protection Board Publishes Three Sets of Finalised GDPR Guidance
Following a plenary session, the European Data Protection Board (EDPB) has released three sets of guidelines on various aspects of GDPR compliance.
The guidelines cover the GDPR’s extraterritorial effect, certification schemes for international data transfers, and deceptive design in social media platforms.
Enforcement Tracker
In addition to the decisions covered in the stories above, here are some other GDPR-related cases published by regulators and courts over the past week.
Denmark
In this decision concerning two website operators, the Danish DPA greenlights “cookie walls”.
Spain
The Spanish DPA published a series of decisions about CCTV-related violations on 21 Feb:
- A private person was fined €600
- Comandanica de Lleida was fined €300
- Super 24H Los Rosales was fined €180
- Planet Costa Dorada Sociedad was fined €300
Successful Appeals
A decision by the Spanish DPA against BBVA was overturned. The bank had been accused of violating Articles 6, 13, and 14 GDPR.
Experian was partly successful in its appeal against the UK DPA. The Information Rights Tribunal ruled that the company must provide notice to some data subjects under Article 14 GDPR, but dismissed other aspects of the regulator’s decision.
A Belgian court overturned a decision against a company director who processed the personal data of an ex-employee.