Data Protection News Update: 09 January 2023

United States

Facebook parent Meta agrees to pay $725 million to settle privacy lawsuit

  • Meta has agreed to pay $725 million to settle a class action lawsuit that claimed the social media giant gave third parties access to user data without their consent.
  • It is the largest recovery ever achieved in a data privacy class action and the most Facebook has ever paid to resolve a private class action.
  • The class action was prompted in 2018 after Facebook disclosed that 87 million users’ information was improperly shared with Cambridge Analytica.
  • The case was broadened to look at Facebook’s overall data sharing practices.

For Sale on eBay: A Military Database of Fingerprints and Iris Scans

  • A German researcher, Mr. Marx, bought a machine designed to capture fingerprints and perform iris scans for $68.
  • The memory card had the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.
  • Most people in the database were from Afghanistan and Iraq; some were terrorists and wanted individuals, but some were people who worked with the U.S. government.
  • The data on the machine included detailed descriptions of individuals with their photograph and biometric data.
  • The data on this machine was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb.
  • Mr. Marx has bought five other biometric capture devices on eBay in the past year.
  • He has planned to present his findings at an event for hackers and, after the biometric devices have been analysed, he will delete the personally identifiable data.


Meta’s Ad Practices Ruled Illegal Under E.U. Law

  • European Union regulators found that Meta had illegally forced users to effectively accept personalized ads.
  • The decision includes a fine of 390 million euros.
  • The case hinges on how Meta receives legal permission from users to collect their data for personalized advertising in their terms-of-service agreement.
  • The language effectively meant that users had to agree to allow their data to be used for personalised ads or stop using Meta’s social media platforms altogether.
  • Ireland’s DPC determined that having the legal consent in the terms of service forced users to accept personalised ads, which violates the GDPR.
  • Meta has three months to outline how it will comply with the ruling.
  • The judgement puts 5 to 7% of Meta’s overall advertising revenue at risk.

Apple fined €8M in French privacy case

  • CNIL found that the U.S. tech giant did not “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals.”
  • The CNIL’s restricted committee, a group of six people who decide on privacy penalties, decided to go further than the recommendations of the regulator’s rapporteur, who argued for a €6 million fine.
  • Apple says it will appeal the decision.


Twitter hacked, 200 million user email addresses leaked, researcher says

  • Hackers stole the email addresses of more than 200 million Twitter users and posted them on an online hacking forum.
  • Twitter has not commented on the report, nor responded to inquiries about the breach since that date.
  • There were no clues to the identity or location of the hacker or hackers behind the breach. It may have taken place as early as 2021, which was before Elon Musk took over ownership of the company last year.

Concern over moves to tighten NZ’s data privacy regulations

  • The New Zealand government is moving to change the Privacy Act to be more in line with regulations in the EU. There is a warning that children might be put in danger by the changes, as they may discourage children from speaking openly.
  • This would mean that there would be an obligation to tell someone if their personal data was accessed by a third party.
  • Spy agencies SIS and GCSB are asking to be exempt.
  • The Ministry of Education – like many others – warned people would get “notification fatigue” if lawmakers were not careful.
  • Currently, a lot of personal information gets shared online with third parties, for government data-matching or for purposes such as marketing. In many cases this occurs after a person has provided a general waiver.
  • The biggest opposition towards a stricter European approach came from the real estate sector, which collects unconditional sales data, including address and sale price, that is used for market appraisals.

United Kingdom

UK government code of practice for app store operators and developers

  • On 9 December 2022, the Department for Digital, Culture, Media and Sport (DCMS) published a new voluntary code of practice for app store operators and app developers.
  • The Code sets out minimum security and privacy requirements in the form of eight principles. These include keeping apps updated, providing security and privacy guidance to developers, and ensuring apps adhere to baseline security and privacy requirements.
  • There will be a nine-month period for app store operators and app developers to adhere to the Code.

UK South Korea Adequacy Regulation now in effect

  • The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 are now in force. 
  • They provide for frictionless transfers of personal data between the UK and South Korea without the need for a transfer impact assessment or the use of an additional transfer mechanism. 
  • The Regulations also cover data transfers including personal data relating to credit information – data which is not covered by the EU’s South Korea adequacy decision.

