Newsroom: Spring 2023
Masters of Privacy18 Juni 2023

Newsroom: Spring 2023

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

__

Notes:

A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording:

GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union.

LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018.

The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios).

TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024.

The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct.

Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario - in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available.

CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner.

FTC enforcement actions involving the use website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom.

The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions:

  • 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent

  • 39% are now rejecting all cookies, with 49% actively managing their consent preferences (analytics-related cookies are normally favored).

  • The share of sites serving more than 6 third-party cookies dropped to 12% from 24%, with 29% of all websites not serving any third-party cookies at all (vs. 20%)

The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023.

Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested).

Det här avsnittet är hämtat från ett öppet RSS-flöde och publiceras inte av Podme. Det kan innehålla reklam.

Avsnitt(124)

Erica Irvin (Lowe’s): the new boundaries of the discipline

Erica Irvin (Lowe’s): the new boundaries of the discipline

Are privacy compliance and AI governance poised to remain stand-alone practices within the large enterprise? What is their interplay with an all-encompassing compliance effort? How will we deal with c...

3 Aug 202525min

Christine Desrosiers (Boltive): Privacy Tech spotlight V - understanding Manipulative Design and rolling out comprehensive client-side monitoring

Christine Desrosiers (Boltive): Privacy Tech spotlight V - understanding Manipulative Design and rolling out comprehensive client-side monitoring

What is “manipulative design”? How does this concept differ from “dark patterns”? How could we expand website and mobile app monitoring to a company’s ad stack?  Boltive’s Christine Desrosiers has joi...

27 Juli 202532min

Ansuman Acharya (Airbnb): What is Privacy UX?

Ansuman Acharya (Airbnb): What is Privacy UX?

Could transparency and control requirements be seamlessly integrated within delightful customer journeys? How has a famously design-led company (Airbnb) mastered Privacy User Experience? Ansuman Achar...

19 Juli 202529min

Nathalie Barrera: NIS2 (EU) and the interplay between cybersecurity, privacy, AI, and IoT data laws

Nathalie Barrera: NIS2 (EU) and the interplay between cybersecurity, privacy, AI, and IoT data laws

Will EU cybersecurity laws result in new global standards? Should companies handle NIS2 compliance in concert with GDPR, AI Act, or Data Act requirements? Does it make sense to take data localization ...

13 Juli 202530min

Vaibhav Antil (Privado): Privacy Tech spotlight IV - from trust to evidence

Vaibhav Antil (Privado): Privacy Tech spotlight IV - from trust to evidence

How do we move from mere words to actual baked-in privacy? Can built-in alerts, code scanning tools, or server-side auditing make life much easier for DPOs and legal teams?  We are joined by Vaibhav A...

7 Juli 202528min

John Pavolotsky: How successful can US privacy laws be at regulating AI models and systems?

John Pavolotsky: How successful can US privacy laws be at regulating AI models and systems?

John Pavolotsky is a partner at Stoel Rives in San Francisco. He is co-chair of the firm's AI, Privacy & Cybersecurity group and focuses his practice on data privacy, information security, and complex...

30 Juni 202527min

Thomas Ghys: The privacy engineer as a translator, an auditor, and a programmer

Thomas Ghys: The privacy engineer as a translator, an auditor, and a programmer

Who can really claim to be a privacy engineer? Does this change in the digital marketing arena? What is the winning formula to integrate this role within the company’s privacy practice? Thomas Ghys ha...

21 Juni 202528min

Cillian Kieran (Ethyca): Privacy Tech spotlight III - compliance as an engineering challenge

Cillian Kieran (Ethyca): Privacy Tech spotlight III - compliance as an engineering challenge

Can we shift the focus from documentation to technical implementation? How can we bridge the cultural differences between legal teams and engineers? What do we mean with open-source data classificatio...

14 Juni 202527min

Populärt inom Business & ekonomi

badfluence
framgangspodden
varvet
dynastin
svd-tech-brief
uppgang-och-fall
rss-borsens-finest
avanzapodden
rss-inga-dumma-fragor-om-pengar
bathina-en-podcast
rss-dagen-med-di
tabberaset
fill-or-kill
market-makers
borslunch-2
rss-kort-lang-analyspodden-fran-di
lastbilspodden
rikatillsammans-om-privatekonomi-rikedom-i-livet
rss-dominoeffekten
rss-hos-psykologen