Privacy Roundup: Top 10 Stories of February 2023

From the European Commission to California’s Attorney General, regulators are looking at strengthening enforcement and keeping a closer eye on investigations. Meanwhile, Governments are looking into drafting new laws to navigate the privacy risk surrounding the burgeoning of AI. Take a look at all the top stories from last month.

The European Commission is set to propose a new law that aims to monitor how data protection authorities in EU Member States enforce GDPR and improve cooperation between member states. The initiative  “will harmonise some aspects of the administrative procedure the national data protection authorities apply in cross-border cases”, the Commission wrote on its website. The commission has also noted that it will require national data protection authorities to file a bi-monthly overview of large-scale cross-border investigations under the GDPR. Read more

Google is rolling out a beta version of its Privacy Sandbox for a small percentage of Android 13 devices. “The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don’t use identifiers that can track your activity across apps and websites,” noted Google. Devices selected for the Beta test can access Privacy Sandbox from Settings where they can control their participation and manage their top interests as determined by the Topics API to serve relevant ads. The sandbox is an initiative that attempts to protect user privacy by reducing cross-site and cross-app tracking and replacing third-party cookies. Read more

The California Privacy Protection Agency Board voted to finalise the proposed California Privacy Rights Act regulations, without any substantive changes. The CPRA regulations now begin the final rule-making process. By March 29, 2023, the California Office of Administrative Law (OAL) will review the proposed final draft of CPRA regulations. The final draft will be submitted to the California Secretary of State for filing if approved. 

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has recommended that the European Commission reject the proposed EU-US Data Privacy Framework. The Committee has stated that the proposed framework law does not offer adequate levels of protection for the personal data of EU users of US companies. The committee noted that it wants “meaningful reforms” in any EU-US data transfer agreement, particularly regarding intelligence gathering and national security purposes. The EU Parliament is expected to vote on the proposed framework in the first half of 2023. Read more

Months after issuing its first-ever CCPA fine of $1.2 million against Sephora, the California Attorney General announced an “investigative sweep”, sending letters to mobile apps that allegedly ignore consumer opt-out requests or sell users’ data, a requirement under CCPA. The action specifically focuses on apps in the retail, travel, and food service sectors as well as businesses that failed to process consumer requests submitted via an authorized agent. Read more

Privacy regulators in the EU are tightening their scrutiny of companies’ use of artificial intelligence. Data protection authorities in France, Spain and the Netherlands are opening units dedicated to investigating AI and potential violations of the GDPR.  Meanwhile, the highly-anticipated AI Act is expected to be up for voting by the European Parliament at the end of March, when the member states will begin negotiating the final terms of the legislation. Read more

Denmark’s data protection authority published guidance on the use of cookie walls in the wake of two relevant decisions and publishes a set of general guidelines for assessing the use of cookie walls. The criteria will be the starting point for the Danish Data Protection Authority’s assessment of whether the use of a cookie wall in specific cases is in accordance with the rules. The four criteria are – a reasonable alternative, a reasonable price, limited to what is necessary and processing of personal data when the visitors have paid. Read more

Google has announced the availability of client-side encryption (CSE) for Gmail and Calendar. Users can create meetings, and send and receive emails that are encrypted “before it reaches Google servers” to other members of their organizations or other third parties. According to Google, the data privacy restriction will allow “even more businesses to take charge of their data and the single party selecting who has access to it.” The solution, Google says, aims to reduce the compliance burden for enterprises and public sector organizations, ensuring that no third party, including Google, can access confidential data. Read more

Meta launched an updated version of the “Why am I seeing this ad?” tool that will include information on how they use machine learning to deliver advertisements based on user’s activity on and off its platforms such as Facebook and Instagram. According to Meta, they collaborated with privacy experts and stakeholders to gather feedback on increasing transparency in their ads system in order to help users feel more secure and increase their accountability. Read more

TikTok has been fined TL 1.75 million ($93,000) by Turkish authorities for processing children’s personal information without parental consent and unauthorized data collection. The Personal Data Protection Board (KVKK) determined that TikTok did not take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data. The data protection authority has directed TikTok to translate its Terms of Service into Turkish and update its privacy and cookies policy as per the country’s regulations. Read more