Weekly Privacy News - Week #10
Published on 2023-3-7
EU-US Transfer Framework: EDPB ‘Welcomes Improvements’ But ‘Expresses Concern’
The European Data Protection Board (EDPB) has adopted an opinion on the European Commission’s draft US adequacy decision. The EDPB’s opinion is a formal part of the EU’s adequacy mechanism but does not have binding effect.
The EDPB recognises several improvements in the EU-US Data Privacy Framework (DPF) over its predecessor, Privacy Shield, but the board strongly criticises the framework’s principles and redress mechanism, among other issues.
Online Therapy Provider BetterHelp Fined Over Ads Violations
California-based therapy services provider BetterHelp has been sanctioned by the US Federal Trade Commission (FTC). The FTC states that BetterHelp made false promises about confidentiality and shared highly sensitive data with advertisers without notice or consent.
BetterHelp must pay $7.8 million (€7.3 million) in partial refunds to its customers, and the company is banned from sharing health data for advertising purposes, among other sanctions.
Privacy Campaigner Sues YouTube Over Children’s Data Allegations
Campaigner Duncan McCann has lodged a complaint with the UK Information Commissioner’s Office (ICO) over allegations that YouTube collects personal data in violation of the Children’s Code.
The Children’s Code is a code of practice designed to ensure online services comply with the GDPR when processing the personal data of children in the UK. McCann brought a class action lawsuit against YouTube in 2020 on similar grounds.
Norwegian Regulator: Google Analytics ‘Not in Line With Privacy’
The Norwegian data protection authority (DPA) has joined several other European regulators in declaring that the use of Google Analytics violates the GDPR’s international data transfer rules.
In a preliminary decision, the DPA states that Google Analytics is “not in line with privacy” and that Norwegian website operators should consider alternative providers. The DPA also warns that updates in Google Analytics 4 do not appear to resolve the platform’s compliance issues.
Domestic Searches Under FISA 702 Decline as Renewal Deadline Approaches
Warrantless searches against US individuals under the controversial surveillance law “FISA 702” have “dramatically decreased”, according to a Department of Justice report. FISA 702 was a key reason for the downfall of the EU-US Privacy Shield framework in July 2020.
Around 3.4 million warrantless searches against US people occurred in 2021, when the Supreme Court criticised the FBI for excessive use of the law. FISA 702 will expire by the end of this year unless Congress passes new legislation.
AI Recruitment Tool Workday Accused of Racist and Ageist Bias
A class action lawsuit lodged in California accuses HR software provider Workday of “discrimination” against people who are Black, disabled, or over 40. The case alleges that Workday’s recruitment-screening AI systems are biased.
Derek Mobley, the representative plaintiff, alleges that Workday’s AI systems have caused discrimination against him and other users. Mobley claims to have been rejected for up to 100 jobs advertised by employers that use Workday’s AI-based screening tools.
Enforcement Tracker
In addition to the cases referenced above, here’s a round-up of GDPR enforcement decisions published by EU DPAs this week.
Spain
Norconsulting Group was fined €15,000 for violations relating to the rights to access and erasure.
Europymes Servicios Integrales was fined €800 for failing to fulfill a request under the right to erasure.
Finland
The Finnish DPA issued a €400,000 penalty against a local subsidiary of Entento Group over issues with the accuracy of data kept on consumer credit files.
Italy
The Garante fined Edison Energy €4.9 million for direct marketing violations.