Masters of Privacy: Summer Newsroom 2023
Have you spent the entire summer isolated from the world? Here’s a summary of a few things that we would like to remember and revisit at the intersection of data, marketing, privacy, and technology. With small changes to the usual five sections, and also available as an audio version on Masters of Privacy.
In order:
ePrivacy and regulatory updates
Enforcement
Spotify received a 5m EUR fine for an insufficient Privacy Notice (which is directly connected with the GDPR’s transparency principle). According to the Swedish DPA, Spotify’s Privacy Policy "does not inform clearly enough about how this data is used by the company." The IMY added that Spotify should be more transparent "about how and for what purposes individuals' personal data is handled." This enforcement originated in NOYB’s complaint concerning Spotify’s failure to respect access rights (in its handling of data subject access requests), but the agency disagreed with the complaint on this particular issue.
Also in Sweden, Tele2 and others were pretty unlucky in terms of timing. The telco operator was fined 1m EUR, along with a few smaller companies, on July 3rd for using Google Analytics (i.e., sending data to the United States without enough additional safeguards to complement the Standard Contractual Clauses that the platform relied on after the Privacy Shield program was invalidated by Schrems II - a long-debated impossible mission). The EU Commission found adequacy for such transfers under the new EU-US Data Privacy Framework seven days later.
Meta and Criteo got a taste of the headaches to come across multiple jurisdictions concerning their behavioral targeting practices. On July 4th, Norway asked the Facebook owner to stop processing personal data in the country while relying on contractual necessity or legitimate interest for ad targeting, while the CNIL imposed a 40m EUR fine on the latter for: a) Failing to verify that valid consent had been obtained from the estimated 370m EU-based individuals whose data it had been processing; b) Using an incomplete privacy policy in which certain processing purposes were missing and others were “expressed in vaguely and broad terms”; c) Failing to add key provisions concerning the exercise of user rights in its joint controllership agreements with partners; d) Failing to respect the individual rights of access, erasure, and consent withdrawal (identifiers remained in place even after blocking personalized ads on demand).
In parallel, Meta made a few important decisions in connection with the enforcement actions that have kept us entertained for many months now: On July 17th WhatsApp adopted legitimate interest as a legal basis (for its processing of personal data), while Facebook and Instagram will revert to consent (from the contractual necessity basis they adopted in the months that preceded the arrival of the GDPR). Aside from this, Meta chose not to make Threads, its X-Twitter killer app, available in the EU, dodging what some called a privacy nightmare.
Legal updates and guidelines
In case GDPR-related enforcement actions were not enough, additional headwinds are expected across the entire Real-Time Bidding / programmatic advertising ecosystem worldwide in the face of: a) A string of State-specific privacy laws in the United States; b) The FTC’s specific agenda on this particular front; c) The EU Digital Services Act; d) The EU Digital Markets Act.
In particular:
The EU Commission gave the green light (i.e., found “adequacy”) to the EU-US Data Privacy Framework (“DPF”) on July 10th. As was clarified shortly after, this will not do away with the need for a Transfer Impact Assessment for Standard Contractual Clauses and Binding Corporate Rules (which can however benefit from the new safeguards provided by the US Government), but temporary peace of mind is assured for EU businesses dealing with US providers which have registered under the DPF (it is mostly speculated that a new sequel of the Schrems saga will take some two years to spoil the party, but a French activist is already trying to beat the Austrian at his own game).
The Council and EU Parliament reached an agreement on the new Data Act, which will enhance the free flow of data generated by IoT devices and other digital products, effectively expanding portability rights beyond the two legal bases required by the GDPR for such a right to be triggered when personal data is involved (contractual necessity and consent).
A new CJEU ruling confirmed that the right of access could in certain cases include the need to know the identity of specific employees of the data controller, as well as the time and instances in which such employees had been accessing a data subject’s individual records.
Spain’s DPA (AEPD) updated its cookie consent guidelines, at long last aligning them with the EDPB’s published criteria. A “Reject All” button should now be offered on the first layer (rather than hidden under “Configuration”), although the door is now open to “cookie walls” akin to those used by publishers in France or Germany (consent or pay). Companies have a January 2024 deadline to adapt.
Cybersecurity-related laws keep piling up. As per new SEC rules, public companies will have to disclose material cybersecurity incidents within four business days of determining that an incident is material. Also, an extended deadline expired at the end of June for financial services companies to comply with the FTC’s Safeguards Rule when it comes to holding customer records. For their part, EU-based financial institutions have until January 2025 to comply with DORA (importing the NIST Risk Management Framework for the detection, prevention, response to, and recovery from cybersecurity incidents).
Martech & AdTech
On September 7th the Privacy Sandbox reached general availability, after slowly finding its way into most instances of the Chrome browser. This was preceded by various updates on the manner in which the cookieless solution beats hashed email addresses or third-party cookies in terms of performance.
The IAB's TCF 2.2 consent standard keeps making progress on the back of Google’s own auditing of consent signals for conformity with the so-called “Additional Consent Mode Technical Specification” prior to the September 30th deadline (see our Spring Newsroom update for further details).
Amazon has expanded its product ads to third-party sites (Pinterest, Buzzfeed, Mashable, Life Hacker), happily walking the thin red line of cross-site tracking, but surely with a good plan in place.
The IAB released a first version of its Data Clean Room Guidelines for DCR interoperability (in terms of matching encrypted audiences, a still gray area when it comes to privacy compliance or the need for specific consent on both ends - check our Masters of Privacy interview with InfoSum’s Nicola Newitt for further analysis).
AI, Competition and Digital Markets
In early July the CJEU agreed with Germany’s Bundeskartellamt (Federal Court for matters of Unfair Competition) that privacy issues can be part of competition-related rulings. Specifically, the Bundeskartellamt had prohibited Meta from combining user data from several sources without specific consent from said users.
At the end of the same month, France’s competition regulator filed an action against Apple for applying different tracking standards to its own services after the App Tracking Transparency (“ATT”) policy change made it harder for third parties to rely on unique device identifiers (IDFA).
The aforementioned EU Digital Markets Act reached the “gatekeeper” designation date on September 6th. Amongst other things, Meta, Apple, Google, TikTok, Microsoft, and Amazon will have to introduce certain levels of interoperability (as well as share data with businesses operating on their platforms) by March 2024.
The hangover from OpenAI’s grand entrance in the public discourse continued to rip through existing regulatory initiatives: the last-minute addition of article 28b to the EU AI Act (through the EU Parliament’s amendment) introduced a long list of obligations for foundation models, pitting open source Generative AI frameworks (Hugging Face, EleutherAI, etc.) against the commercial giants (Google’s Bard, OpenAI, Anthropic) and showed important cracks in the proposal. A Stanford University team attempted to expose the manner in which tools on both sides of the aisle would perform across various types of requirements.
An avalanche of AI Governance and Responsible AI frameworks is making it harder to pick the most appropriate one for a company’s intended use of foundation models. Two Georgetown University researchers released a matrix to help with the selection.
Copyright took center stage in the same Generative AI debate. While many in the industry consider data scraping of public content a “fair use” (or “fair dealing”) exception to copyright protection under existing legal frameworks, with Google and others introducing changes to their Terms of Service to make it clear that they would rely on publicly available data for AI training purposes, Adobe made it clear that its Firefly image generator was only trained on stock images it owned, and a bunch of authors sued OpenAI for the use of their work in order to train ChatGPT. The company has since helped website owners to opt out of future training data sets (by listing the GPTBot in the good old “robots.txt” file), but the trend is most likely to entrench those who have already done the deed. Microsoft, for its part, offered legal protection to customers of its Office 365 or GitHub Copilot products who choose to create content or code with its own OpenAI-powered tools.
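The robots.txt opt-out mentioned above is a voluntary signal: it only has effect on crawlers that read the file and honour it. As an added example (not part of the original newsletter, nor code from OpenAI), the Python below shows how a compliant crawler evaluates such a rule using the standard library’s urllib.robotparser, and goes slightly beyond the text by checking one URL against several agents so a site owner can confirm that blocking GPTBot does not also lock out the crawlers they still want. The robots.txt content and the example.com URLs are constructed; only the “GPTBot” token comes from the text.

```python
"""
Added example: evaluate a robots.txt GPTBot opt-out the way a crawler that
honours robots.txt would, using Python's standard-library urllib.robotparser.
The sample file and example.com URLs below are constructed for illustration.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: block GPTBot site-wide, keep everyone else out of
# /private/ only. Blank lines separate the two groups.
SAMPLE_ROBOTS_TXT = """\
# Constructed sample file
User-agent: GPTBot
Disallow: /

User-agent: *
Disallow: /private/
"""


def is_allowed(robots_txt: str, user_agent: str, url: str) -> bool:
    """Return True if `user_agent` may fetch `url` under `robots_txt`.

    RobotFileParser.parse() takes the file as an iterable of lines, so no
    network fetch is needed for the check. Pass the crawler's product token
    (e.g. "GPTBot"), not a full browser-style UA string: RobotFileParser
    only compares the part before the first "/" against the User-agent
    groups, so "Mozilla/5.0 (...; GPTBot/1.0)" would fall through to "*".
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def audit_robots(robots_txt: str, url: str, agents: tuple) -> dict:
    """Evaluate one URL against several user agents at once.

    Useful for confirming that an AI-training opt-out does not accidentally
    block the crawlers you still depend on (search engines, monitors).
    """
    return {agent: is_allowed(robots_txt, agent, url) for agent in agents}


if __name__ == "__main__":
    verdicts = audit_robots(
        SAMPLE_ROBOTS_TXT,
        "https://example.com/blog/post-1",
        ("GPTBot", "Googlebot", "bingbot"),
    )
    for agent, allowed in verdicts.items():
        print(f"{agent:12s} {'allowed' if allowed else 'blocked'}")
    # GPTBot is blocked everywhere; the others only from /private/.
    print(is_allowed(SAMPLE_ROBOTS_TXT, "Googlebot", "https://example.com/private/x"))  # → False
```

Two caveats a defender would keep in mind: the file is advisory, so a crawler that ignores robots.txt is unaffected, and it says nothing about content that was already collected before the rule was added, which is exactly the entrenchment the paragraph points to.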
Beyond copyrighted works, the very real possibility of dragging publicly-available personal information, often in the context of semi-public social media, into training data sets provoked a joint statement by multiple data protection agencies demanding compliance with the data protection frameworks already in place.
An even more concerning possibility of employing non-public personal data for said training purposes resulted in a separate public outcry. Zoom became an initial target after introducing this possibility in its updated Terms of Service - before it reverted to requiring prior user consent.
The biggest antitrust case in some twenty years will kick off this week, when the US Department of Justice faces Google. A summary judgment ruling was made available a few weeks ago, narrowing the scope of the battle that follows.
PETs and Zero-Party Data
The UK’s ICO issued new guidelines encouraging businesses to embrace Privacy Enhancing Technologies. The use of PETs is something that the US government has also been pushing for since at least 2021, and in fact both countries have joined forces to award specific prizes to companies innovating in the space.
Google and Meta released separate AI assistants (Duet and AI Personas respectively), while LinkedIn founder Reid Hoffman helped launch Inflection AI’s Pi, a new AI-powered personal assistant. Whether any of them can fulfill the promise of real individual agency or Zero-Party Data remains to be seen.
Future of Media
Google reached agreements with over 1,500 publications across 15 countries under the EU Copyright Directive.
Meta decided to stop sending traffic to Canadian publishers after a recent legal change (akin to Australia’s recent initiative, but lacking similar teeth) made such links conditional on economic compensation. The social media platform felt it was not worth the effort, as publishers get more value from that traffic than Facebook or Instagram do from said news in a world of infinite user-generated content.
Enjoy :)
Comment (Partner at finReg. Data Protection Expert (CIPP/E). IP & IT Lawyer): What a great recap, Sergio!
Comment (Digital Marketing Innovator. DataSapien: Personal Data & AI tech to empower customers. Originated "Omnichannel". Also: MyData Global, CitizenMe, MiniMBA Marketing, CLMP™, CIM.): Awesome summary Sergio Maldonado - thank you!