Big Tech Under Fire: EU Privacy Group Files Complaints Against Meta & Microsoft, Australia Shifts Probe Focus
Privacy Corner Newsletter: June 7, 2024
By Robert Bateman and Privado.ai
In this week’s Privacy Corner Newsletter:
Noyb hits Meta with eleven complaints about AI training policy
Privacy group noyb, headed by campaigner Max Schrems, has submitted complaints to 11 Data Protection Authorities (DPAs) about Meta’s use of personal data for AI-training purposes.
⇒ How is Meta justifying its decision?
Meta is relying on “legitimate interests” to use certain Facebook and Instagram content to develop its AI products. The company says it has implemented several mitigations, which noyb says derive from a “likely agreement with the Irish Data Protection Commission (DPC).”
“Meta delayed the launch following a number of enquiries from the DPC which have been addressed,” says a Meta press release quoted in noyb’s complaint to the Irish DPC.
The measures implemented by Meta include the following in respect of “EU users”:
⇒ So what’s noyb’s problem?
Noyb alleges many GDPR compliance issues based on Meta’s 127-page privacy notice.
Fundamentally, the campaign group alleges that Meta’s policy is non-transparent and vague. Meta uses terms such as “artificial intelligence technology” that could cover many different processing operations.
Likewise, noyb claims that Meta’s broad privacy statements mean that the company may use any personal data, collected on or off Meta platforms, besides private messages—without specifying the purposes for which different types of data will be used.
Meta also intends to use historic data and data from inactive accounts, which noyb claims is a violation of the “storage limitation” principle. The company also appears not to have identified a condition under Article 9 of the GDPR for processing special categories of personal data revealed in users’ posts.
⇒ But Meta is allowing users to opt out, right?
Meta’s “right to object” method requires users to:
Meta will then review the user’s submission and decide whether to honor the request.
Noyb describes this review process as “fake.” When testing the objection mechanism, noyb found that requests were generally approved within 50 seconds regardless of the contents of the form. As such, the group says that the process amounts to a “dark pattern” designed to deter users from opting out.
For these and many other reasons, noyb says that Meta fails the “balancing test” and cannot rely on “legitimate interests.”
Because GDPR complaints can take such a long time, the group is urging EU DPAs to act under the GDPR’s “urgency procedure” before Meta’s policy kicks in on June 26.
Controller or processor? Noyb (again) targets Microsoft’s edtech products with two Austrian complaints
Privacy campaign group noyb has submitted a complaint against Microsoft, alleging that the tech giant “violates children’s privacy.”
⇒ Aren’t schools “determining the purposes and means” of processing by using Microsoft’s products?
While Microsoft claims that schools are the controllers when using its Microsoft 365 Education software suite, noyb claims that the situation is more complicated.
Microsoft has allegedly “cornered the market” for education software services, and due to its “enormous market power” can “de facto dictate the contracts and GDPR compliance documents of (its) software products.”
The complainant in noyb’s first case submitted a subject access request to Microsoft on behalf of his daughter, whose school uses Microsoft 365 Education. Microsoft suggested that the complainant direct his request to the school, which is the data controller according to the data processing agreement.
The school’s headteacher was unable to adequately respond to the complainant’s request. Noyb says this demonstrates that Microsoft is effectively the controller in respect of this data, even though the company claims to be the processor in its contracts with schools.
⇒ What’s the second Microsoft complaint about?
In its second complaint, also submitted to the Austrian DPA, noyb criticizes Microsoft’s collection of “telemetry data” via Microsoft 365 Education.
The complainant, in this case a student, created a Word document using her Microsoft school account, resulting in several cookies being placed on her device and 20 requests being made to two Microsoft domains.
According to noyb’s reading of Microsoft’s privacy information, some of the relevant cookies are used for tracking, advertising, and analytics purposes and would thus require consent.
⇒ Is noyb likely to win these complaints?
Noyb’s usual approach when tackling tech giants like Google and Meta has been to target the users of the relevant products. For example, the campaign group submitted 101 complaints against websites that had implemented Google Analytics or the Meta Pixel following the Schrems II decision in 2020.
These Microsoft complaints target the software provider directly. This approach brings an additional challenge—establishing that Microsoft is indeed the controller of the relevant personal data.
The complaints highlight what is arguably a problem with the GDPR’s construction. Almost all liability falls on the controller—which can be a private individual, a one-person business, or a school—rather than the processor—which can be a multi-billion dollar corporation.
Australian privacy regulator declines TikTok investigation, picks up Medibank case
The Office of the Australian Information Commissioner (OAIC) decided not to pursue a case against TikTok’s use of pixels, a week before announcing proceedings against healthcare company Medibank.
⇒ Privacy Act… 1988?!
Yes, Australia’s privacy law is old. And while the Privacy Act 1988 has been subject to some piecemeal updates over the last three decades, the law still imposes fewer obligations—and applies much more narrowly—than data protection legislation in other comparable economies.
“Our legislation, written more than three decades ago, has struggled to keep pace with advances in technology and business practices,” wrote Commissioner Kind last week, explaining her decision not to pursue an investigation into TikTok’s use of pixels and other tracking technologies.
“The law permits organisations to determine what and how much personal data they need for their activities, and does not require them to consider the impact of collecting this data on individual privacy,” Kind said. “We urgently need reform of the Privacy Act.”
Such reform is underway, but it has been slow. The Privacy Act Review report recommended a substantial overhaul of Australian privacy law in 2022, and last month the government said it would expedite the implementation of some proposals.
⇒ What about the Medibank case?
The Medibank case is somewhat more straightforward, even under Australian privacy law.
The healthcare provider allegedly failed to secure personal data relating to nearly 10 million Australians, which was compromised in a data breach in October 2022.
If proven, the allegations could amount to a violation of the Privacy Act 1988’s data security provisions. However, for the violation alleged and the period in question, fines under the Act are capped at AUD 2.22 million (USD 1.47 million) per violation.
The courts will decide whether to issue a penalty and, if so, how high it should be.
If the Privacy Act’s “per violation” means “per individual whose data has been compromised,” even Australia’s relatively mild penalty regime could provide a highly effective sanction.
If “per violation” effectively means “per data breach,” the law’s relatively low fines might be another provision worthy of an update.
What We’re Reading