May was eventful. That one long-awaited decision on data transfers finally came along, wrapped in a ten-digit fine for Meta. LinkedIn is next in line for the big GDPR fines. The EU Parliament opposed the Trans-Atlantic Data Privacy Framework, and more.
And let’s not forget: There is a privacy and human rights mess going on in post-Dobbs v. Jackson America, and Big Tech is (unsurprisingly) on the wrong side.
- Facebook hit by data transfers ban and record fine
- EU Parliament against US data transfer framework
- Google promises to delete sensitive location data, fails to deliver
- LinkedIn to face large fine over targeted advertising
- Proposed chat control regulation likely illegal
- Two more US privacy laws
- Anu Talus voted EDPB chair
- Twitter cannot quit the DSA
Let’s dive in!
Facebook hit by data transfers ban and record fine
On May 22 the Irish Data Protection Commissioner ordered Meta Platforms Ireland to suspend data transfers for Facebook and issued a record €1.2 billion fine. Meta was also ordered to delete personal data already transferred to the US.
The decision results from a decade-long legal battle involving privacy advocate Max Schrems, the DPC, the Irish justice system, the EU Court of Justice, and the European Data Protection Board. The Board played a key role in the decision by pushing the DPC to impose a fine and to order the erasure of personal data.
Meta intends to challenge the decision and seek a stay of the DPC’s order. This buys the company some time until the Trans-Atlantic Data Privacy Framework is fully implemented, thereby avoiding an EU-wide Facebook blackout.
This is a landmark case for the enforcement of the GDPR’s data transfer rules, and we discussed it in depth on our blog.
EU Parliament against US data transfer framework
The EU Parliament’s LIBE Committee unanimously rejected the proposed Trans-Atlantic Data Privacy Framework in April. On May 11, the EU Parliament followed. Neither vote is legally binding on the European Commission.
The Parliament acknowledged that the framework is a step up from its predecessor (the Privacy Shield) but also voiced concerns over bulk intelligence collection and a lack of transparency in the redress mechanism, among others. The Parliament also questions whether the new framework will survive scrutiny from the EU Court of Justice.
The Parliament’s vote is unlikely to stop the Commission from fully implementing the framework. In all likelihood, the predictable legal challenge before the Court of Justice will be a baptism by fire for the new framework and the moment of truth for EU-US data transfers.
Google promises to delete sensitive location data, fails to deliver
A recent investigation by The Washington Post found that Google is not delivering on its promise to erase health clinics and other “sensitive” locations from location history.
The stakes are high: one year ago, the US Supreme Court overturned the landmark Roe vs. Wade ruling, a move that allowed States to ban abortion. Conservative States quickly passed anti-abortion laws, and now the police are prosecuting abortion seekers through data provided by Big Tech.
Privacy is a crucial issue for American women, and Big Tech is not helping, to put it mildly.
LinkedIn to face large fine over targeted advertising
According to Reuters, Microsoft expects a fine in the range of €400M from the Irish Data Protection Commission for targeted advertising on the LinkedIn social network. No other details about the decision are known.
Months ago, the DPC fined Meta Ireland a total of €390M over illegal targeted advertising across its Facebook and Instagram platforms. The expected fine against Microsoft would make LinkedIn the third social network to incur large fines over targeted advertising in a short time span.
Proposed chat control regulation likely illegal
As reported by The Guardian, leaked internal EU legal advice suggests that the Commission’s controversial proposal for a Regulation against child sexual abuse might be illegal.
According to the documents, the draft violates the electronic surveillance standards established in the Court of Justice case law. This means the Court will likely invalidate a future Regulation upon judicial review.
The proposed Regulation requires providers of communication services to scan videos and images to detect child pornography. But scanning systems cannot be implemented without compromising the end-to-end encryption implemented by popular messaging services such as WhatsApp, Telegram, and Signal.
Because of its impact on encryption, the proposal is at the center of a heated legal and political debate involving advocacy organizations, governments, and European institutions.
A similar debate surrounds the draft for the UK Online Safety Bill, which is opposed by many advocacy organizations and service providers alike. WhatsApp even threatened to leave the UK market should the draft become law.
Two more US privacy laws
On May 8, the State of Florida passed a new privacy bill. A data privacy bill was also adopted by the Texas legislature and is expected to become law on the weekend.
Both laws focus on businesses and data subject rights and contain exemptions for small businesses. Notably, this exemption is very broad under the Florida bill as opposed to the Texas draft.
The US does not have a general federal privacy law. The only federal data protection rules are found in sectorial legislation such as HIPAA and COPPA. Negotiations over a federal privacy law (the ADPPA) have slowed down to a crawl, and in the meantime, more and more States are adopting privacy bills of their own.
Anu Talus voted EDPB chair
On May 25, Anu Talus, head of the Finnish data protection authority, became the new Chair of the European Data Protection Board. Cypriot Irene Loizidou Nikolaidou will serve as Deputy Chair.
The EDPB has played a pivotal role in the enforcement and interpretation of the GDPR so far. Guidance documents by the Board have deeply impacted the interpretation of the GDPR and of other sources of EU data protection law. And recently, the Board itself has been directly involved in several high-profile decisions involving Meta Ireland.
The former and first EDPB Chair was Andrea Jelinek, head of the Austrian data protection authority.
Twitter cannot quit the DSA
In a rather confusing move, Twitter quit the EU Code of Practice on Disinformation on May 26, months before the content moderation obligations of the Digital Services Act enter into force.
The move prompted snarky remarks from European Commissioners Thierry Breton and Vera Jourova. Considering that the Commission itself enforces the DSA, this is probably not the best start.
Compliance with the DSA will not be easy for online platforms, and considering the unpredictable and capricious management style of its new ownership, we expect Twitter to struggle more than others.