Data Protection News Update 17 January 2023

United States

Google Agrees To $23M Settlement Over Data Leakage Claims

  • Google has agreed to pay $23 million to settle a lawsuit alleging that Google leaked customers’ personal information by transmitting their search queries to publishers.
  • Allegedly, these queries included names and other identifying information.
  • This settlement would allow 200 million U.S. web users who searched on Google to claim a portion of the settlement fund.
  • Google attempted to settle the lawsuit previously by agreeing to donate $5.3 million to six non-profits and schools, and more than $2.1 million to the attorneys who brought the lawsuit.
  • The lawyers did not think this was sufficient compensation and challenged up to the Supreme Court.
  • The Supreme Court returned the matter, whether, if true, these allegations would show that Google caused concrete harm to users by transmitting their search queries.

Biden says Republicans, Democrats should unite against Big Tech ‘abuses’ -WSJ

  • U.S. President Joe Biden has said that Democrats Republicans should come together to pass bipartisan legislation to hold major tech companies accountable.
  • Biden wants to see “serious federal protections for Americans’ privacy.”
  • This includes limits on how much data can be collected, and highlighted the risk to children citing youth’s struggle with violence, trauma and mental health.


EU leaders fire warning shots at TikTok over privacy

  • European Commission officials warned TikTok’s CEO to respect EU laws.
  • The Commission Vice President, Věra Jourová said, there could not be “any doubt that data of users in Europe are safe and not exposed to illegal access from third-country authorities.”
  • A series of Commission officials met with TikTok chief Shou Zi Chew after facing growing political pressure and the ban from the U.S.
  • Jourová also raised concerns with Chew about how the app was using the data of journalists to identify leaks in the company, according to a readout of the meeting. Chew admitted this was wrong.

CJEU asked to define scope of GDPR ‘legitimate interests’

  • The CJEU has been asked, by a district court, to rule on whether a purely commercial interest can be regarded as a ‘legitimate interest’ for the purposes of the GDPR and, if so, to outline the circumstances which will determine that.
  • The reference has been made by a district court in Amsterdam because of a dispute between the Dutch data protection authority and a sports association.
  • The DPA imposed a fine on the Royal Lawn Tennis Federation (KNLT) as they shared data of its members with sponsors in return for payment, and those sponsors used that data for promotional campaigns.
  • The Dutch DPA considered that the data had been shared unlawfully and in 2020 rejected an appeal from KNLT.
  • KNLT raised another appeal claiming that it had a lawful basis for sharing the data, legitimate interests. Arguing that a legitimate interest exists unless that interest is contrary to law.
  • The Dutch DPA considers that there must be a legitimate and therefore concrete interest pertaining to the law, constituting law, enshrined in a law, for it to constitute a legitimate interest for the purposes of the GDPR.
  • The Amsterdam court considered that it cannot answer if KNLT had a legitimate interest in processing the personal data in the way it did.

Facebook and Instagram decisions: “Important impact on use of personal data for behavioural advertising”

  • The EDPB decided that Meta IE inappropriately relied on contract as a legal basis to process personal data in the context of Facebook’s Terms of Service and Instagram’s Terms of Use for the purpose of behavioural advertising as this was not a core element of their services.
  • The EDPB found that Meta did not have a legal basis and therefore unlawfully processed this data. Thus, the EDPB instructed the IE DPA to amend its finding to include an order for Meta IE to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Art. 6(1) GDPR within three months.
  • The EDPB also decided that the IE DPA must also carry out a new investigation as the IE DPA did not assess for the processing of sensitive data, which was initially raised by the complainant.
  • The EDPB also instructed the IE DPA to impose an administrative fine for the lack of legal basis and for transparency infringements, with led to a significant increase in the fines to €210 million and €180 million in the final decisions respectively.


Roomba testers feel misled after intimate images ended up on Facebook

  • iRobot collects photos and videos from the homes of test users and employees and shares them with data annotation companies, which hire far-flung contractors to label the data that trains the company’s artificial-intelligence algorithms.
  • iRobot has shared users’ data in a global data supply chain where everything that was captured on the devices’ front facing camera could be seen by contractors outside the USA.
  • Almost a dozen people who participated in the data collection efforts of iRobot have shared concerns about how their data was handled and if these practices conformed with the company’s data protection promises.
  • iRobot notes that it is the controller of information, which comes with legal responsibilities under the EU’s GDPR to ensure that data is collected for legitimate purposes and securely stored and processed. The test users are looking for accountability from iRobot and are disappointed with the lack of action from iRobot.

Microsoft will add AI to Office applications – they help with writing texts

  • Microsoft plans to implement OpenAI artificial intelligence technologies in its Office applications.
  • Users will be able to add fragments of automatically generated text to documents based on a note, or create emails based on information the user wants to convey to the recipient.
  • A number of requirements must be met for the successful use of AI technologies especially concerning data protection. According to the source, Microsoft is working on privacy protection methods for OpenAI GPT-3 (Generative Pre-trained Transformer 3) and GPT-4 natural language processing algorithms.

United Kingdom

UK government launches consultation on greater data sharing across public sector

  • The Cabinet Office has opened consultation on proposals for new legislation to create a digital ID gateway to online public services.
  • These regulations would make online identity verification easier so that more people can access digital public services and give the government new powers and a stronger legal basis to share personal data for identity verification and identity reuse.
  • This proposed legislation will introduce a new identity verification system, GOV.UK One Login.
  • This will allow users to prove their identity and then reuse that verification to access all government services.
  • This will also save tax payers money by preventing duplicate identity checks being carried out across government and improve service delivery efficiency through joined-up working and protect against fraud.
  • Public bodies will only be allowed to access a minimum number of data items and any additional identifiers need to comply with data minimisation principles.
  • This initiative is part of the government’s Transforming for a Digital Future roadmap and the new regulations are proposed under the 2017 Digital Economy Act.


More Posts

Send Us A Message