The #bigtech companies have masterfully muddled the definitions of advertisement and #tracking, making them indistinguishable for a typical person. I see the #Facebook #privacy tax being compared to the #Youtube Premium all the time, so let me explain the difference and why one of them is unlawful in the eyes of #GDPR.
UK Competition and Markets Authority asked Google to delay the phaseout of third-party cookies to early 2025, at the soonest. This new report also considers data protection! Finally!
Some ad industry market participants argue that Privacy Sandbox goes beyond what is needed by legal requirements when it comes to data protection. They would prefer weaker stuff. Would you believe that? #GDPR
Changes in the UK Data Protection and Digital Information Bill will exacerbate the existing power imbalances that migrants, refugees and asylum seekers have over their data.
The European Committee on Civil Liberties, Justice and Home Affairs has issued a new warning that the Data Protection and Digital Information Bill puts the UK's adequacy agreement with the EU in question.
A move that would take chunks out of the UK economy and our data rights.
"The concerns of the LIBE committee highlight how the data rights of people in the UK will be reduced compared to people living in Europe. This should not be acceptable to our parliamentarians."
Privacy Sandbox regulatory scrutiny is the biggest (ever!) case of a privacy-competition trade-off that we've ever seen. It's so fascinating particularly to me, having done a PhD in privacy systems (real-time bidding), and LL.M. in Information Technology Law, so viewing the industry for >10 years now, from many sides. #GDPR #ePrivacy #APRA
That #google uses my cpu and electricity to auction ads furthermore invades my privacy in a second way. I might not have choices because they are more powerful than me. So #gdpr is certainly involved. That is how I see it at first glance. I might be wrong of course (2/2)
Prof. David Erdos has shared his latest (excellent) research “showing i) little UK GDPR enforcement, ii) worrying gap with formal law expectations & iii) limited accountability for this.”
A less polite version would be: the 🇬🇧 government has demonstrated how a law on the books it dislikes (the General Data Protection Regulation) can be undermined by the appointment of supine or actively hostile Information Commissioners. (As prime minister, Margaret Thatcher was against its predecessor Data Protection Directive from the start; not much has changed.)
I hope the European Commission is not going down the same route with the Digital Markets Act’s Art. 7 (on NIICS interoperability), which it was hostile to from start (early 2020) to finish (enforcement). Legislators learned from the GDPR that it is too easy for national regulators to be deliberately undermined by governments looking to attract technology firm investment (see also: Ireland and Luxembourg). The Commission therefore has a central enforcement role. So I’m especially disappointed by the flimsiness of its finally-published decision not to designate iMessage as a DMA gatekeeper NIICS. It hardly justifies the “exceptional” non-designation decision (Art. 3(5)), or “manifestly call[s] into question” the quantitative tests it meets [1]. I wonder if Meta now feels slightly foolish to have obeyed that provision in (somewhat) good faith 🫠
I still remember the jaw-dropping moment the new 🇬🇧 Information Commissioner in 2009 told a law conference (just about his first public appearance) he didn’t think data protection law should apply to the private sector. (He previously ran the advertising “self-regulatory” Advertising Standards Authority.) It’s fortunate indeed for GDPR enforcement it contains rights of private action, so effectively taken up by Max Schrems. Meanwhile, the Commission’s lack of legal action to force some member states to properly implement the legislation, enchantment with mass surveillance/data retention, and some of its adequacy decisions, are much less impressive than the Court of Justice’s judgments on Schrems’ two cases.
I was reminded last week, talking to a BigTech competitor, that these much smaller firms have to be extremely cautious about upsetting a company they may rely on for key resources, and the Commission has spent most of its time preparing for DMA enforcement talking to those two groups. So perhaps Schrems’ None of Your Business, or something similar, will have to take up the rights of the individuals the legislation is ultimately supposed to help 🤷🏻‍♂️ Fortunately the DMA also contains rights of private action, as well as the ability of organisations to take representative actions (thanks to campaigning by consumer and digital rights groups in its final stages). As with the Schrems I and II cases, these apparently small issues can ultimately have enormous global impact [2].
[1] Where does the DMA talk about the relative intensity of use of one core platform service versus another? This provides two of three reasons for the decision! Who cares if iMessage for Business is lightly used, given it’s likely iMessage itself is used by many microbusinesses, very few of whom I imagine were part of the “corporate users of iPhone to whom the Commission reached out during the market investigation”? Really, the EC didn’t even bother with a large-scale survey, and/or demand data from Apple?
I also heard from an impeccable source Apple threatened to withdraw iMessage from the EU if it had been DMA-designated. The EC should not be rewarding such blackmail, even if it was highly likely to be a bluff.
[2] For now, we might have to rely on technology and philanthropy to improve messenger interoperability, such as this great project: a cross-platform, memory-safe OpenMLS library to enable interoperable, end-to-end encrypted messaging (E2EE) in multiple clients, combining “Matrix’s decentralized and federated infrastructure with Signal’s low metadata footprint.” 🎯
What’s happening with TikTok in the US is a strong reminder about the vulnerability of centralized platforms to censorship and surveillance. The Open Technology Fund notes Signal “provides a high level of metadata protection, but is centralized and thus easily censored. In addition, Signal cannot efficiently provide E2EE for large-group communications.” I hope Signal will move in this direction over time, as well as towards interoperability with other platforms implementing its own protocol (with metadata guarantees) as well as the IETF’s open Messaging Layer Security standard.
I'm making a deep jump in #GDPR vs #APRA (American Privacy Rights Act). It goes well beyond GDPR, and the technical implications would be substantial. Perhaps I should write down some of my observations (meanwhile, some of it becomes a non-public note).
@mihira @EU_Commission Yeah, it's currently really hidden, you have to click on "More share options".
At least all social media accounts that are self-hosted (by the #EU) and/or #GDPR compliant should always be visible if any social media button is displayed at all.
Only afterwards show the biggest or "More share options" button IMHO.
My quick lunch read of this is that EDPB just ruled Meta’s forced consent (“pay or ok”) is a valid tactic (page 20). Prepare to pay for your right to click “deny all”. What a gross undermining of GDPR’s intent…
#SocialMedia #Facebook #Meta #EU #GDPR #DataProtection #AdTech #Privacy: "Today, the EDPB has issued its first decision on "Pay or Okay" in relation to large online platforms such as Instagram and Facebook, as first reported by Politico. This decision prohibits Meta from using an unlawful consent request processing personal data. It seems that by now, Meta has run out of options to continue using people's data for advertising in the EU without a consent mechanism that actually complies with the law." https://noyb.eu/en/statement-edpb-pay-or-okay-opinion
In the latest #EDRigram, we draw your attention to:
🇬🇷 Record-high #GDPR fine for Greece's Migration Ministry
🇪🇺 @europarl_en vote in favour of discriminatory #MigrationPack
💰Meta's harmful push to charge for privacy
& more!