Privacy Monthly July 2024


Published on Jul 16, 2024 by Carlo Cilento

Hi there! The Privacy Monthly is back and the news is as juicy as ever. The EU Commission weighs in on the pay-or-ok saga, Meta delays AI features, Julian Assange is back home, the Clearview AI settlement sets a terrible precedent, and more.

  1. Meta delays AI features.
  2. Congress questions Microsoft over data breach
  3. Meta under fire over pay-or-ok and DMA compliance
  4. Unorthodox privacy settlement sets bad precedent
  5. Biden administration bans Kaspersky
  6. Bad news from US Courts
  7. Julian Assange freed after guilty plea
  8. France imposed TikTok black-out in New Caledonia
  9. Massive AT&T insider attack comes to light

Let’s dive in!

Meta delays AI features.

Meta delayed the implementation of AI-powered features on Facebook and Instagram at the request of the Irish privacy watchdog. The Irish request relates to a legal challenge from privacy NGO noyb over the allegedly illegal use of user data for AI training. Shortly thereafter, the Brazilian privacy watchdog stopped Meta from training its models on the personal data of Brazilian users over similar concerns.

AI is a hot topic in the privacy community, and not just because of the AI Act. Last May an EDPB report highlighted some crucial and as yet unsolved privacy issues with ChatGPT. Between the lines, the report hinted at a somewhat hard stance from privacy regulators. The next few months may be crucial to the commercial future of generative AI across the EU bloc, and EU privacy watchdogs will likely play a key role.

Congress questions Microsoft over data breach

On June 13 a House homeland security panel questioned Microsoft president Brad Smith over the 2023 hack of State Department officials. Smith came under fire during the hearing over “avoidable errors” that facilitated the alleged Chinese hack and took responsibility for the cybersecurity mistakes of the tech giant.

Despite being a key contractor for the US government and many other governments around the world, Microsoft’s track record for cybersecurity has been quite questionable lately. According to a recent investigation by ProPublica, the devastating SolarWinds attack of 2020 was enabled by an irresponsible corporate culture that prioritized the company’s positioning in the key cloud computing market over security, including the security of the US government.

Meta under fire over pay-or-ok and DMA compliance

The European Commission believes that Meta breaches the Digital Markets Act by forcing users to consent to the combination of their data across Instagram and Facebook. The findings of the investigation are still preliminary but could lead to a fine of up to 10% of Meta’s yearly global turnover.

Meta’s handling of user consent is also being challenged by civil society organizations. There are, however, some differences at play in that the Commission’s preliminary findings are grounded in the DMA and only concern the combination of user data across platforms.

Feel free to check out our blog on pay-or-ok if you are curious about the challenge to Meta’s business model and its (enormous) implications for privacy law.

Unorthodox privacy settlement sets bad precedent

Facial recognition company Clearview AI proposed an unprecedented agreement in a class action over the allegedly illegal scraping of pictures from the Internet. Under the terms of the agreement, the company will essentially pay the plaintiffs based on a share of the company's potential value.

I believe this settlement sends an incredibly dangerous message to a tech industry that is already... struggling with compliance, so to speak. Allowing companies to shoulder compliance risks by leveraging their (often inflated) projections for growth is a recipe for disaster if I’ve ever seen one.

Clearview AI is not new to privacy violations: the company has been forbidden from collecting personal data of Australian, Italian, French, and Greek citizens over non-compliance with privacy legislation. It probably ignores all of these orders, as it openly admitted that it [cannot sort data by nationality](https://www.crikey.com.au/2024/02/08/clearview-ai-australia-facial-recognition-data/).

Biden administration bans Kaspersky

The US Administration banned Russian company Kaspersky Lab from distributing its widely used antivirus software in the US. As a result, the company is shutting down its US operations.

The administration fears that Russia could leverage its influence over the company to endanger US cybersecurity. Much like every antivirus, Kaspersky needs privileged access to systems, which opens up countless avenues for attack for the antivirus’ developer.

Bad news from US Courts

In a case involving Google, the US Court of Appeals ruled that geofencing (that is, using device location data to identify all the people in a specific area) is not a search under US law and does not require a warrant.

In the meantime, HIPAA guidelines of the US Health and Human Services were declared illegal by a Texas court. As a result, health-related websites will have more leeway to track users with web analytics tools, even when doing so could expose health information. This is especially worrisome for women, as their health data have become insanely sensitive after the Dobbs v. Jackson ruling of the Supreme Court.

Julian Assange freed after guilty plea

Following a deal with the US Department of Justice, Julian Assange pleaded guilty to a charge of espionage and was sentenced to 62 months, a time he already served in UK prisons. The Australian-born journalist and WikiLeaks founder has since returned to his home country as a free man.

The deal with the DOJ marks the end of a long-running legal battle that started with the 2010 WikiLeaks scandal. Julian Assange has since spent seven years in the Ecuadorian embassy and five years imprisoned in the UK.

France imposed TikTok black-out in New Caledonia

The French government shut down TikTok for two weeks in the overseas territory of New Caledonia. The block was imposed during a state of emergency in order to counter the spread of rioting.

Partial or total Internet shutdowns are not uncommon around the world but are relatively infrequent for EU countries, although New Caledonia is not formally part of the EU.

Massive AT&T insider attack comes to light

US telecom giant AT&T said call logs for 109 million customers were breached in a 2022 insider attack. According to the company, the logs only contain communication metadata. The company declared that the FBI is on the case and that one person has been arrested so far.
