It was an eventful month for data privacy with heavy GDPR fines, court rulings and new proposals. While we celebrated Data Privacy Day on January 28, privacy concerns for users seem to be rising with governments increasingly tightening regulations for Big Tech. Read the biggest stories in this Privacy Roundup for January. We will be back with the top stories next month!


France fines Google, Facebook €210m for cookie violation

France’s National Commission for Information and Liberty (CNIL) has fined Google and Facebook Ireland a combined €210 million (£176m) in separate judgments for violating the French Data Protection Act (DPA). CNIL fined Google a record €150m and Facebook €60m for making it difficult for users to reject cookies on their sites. The privacy watchdog noted that the websites did not have a method to easily refuse cookies. Citing the example of Facebook, CNIL noted that “Several clicks are required to refuse all cookies, as opposed to a single one to accept them.” Read story.


Belgium reinforces cookie consent rules

The Belgian Data Protection Authority has issued a decision reinforcing the consent rules that apply to companies' use of cookies/trackers. This decision is in response to a complaint by an individual concerning the use of cookies on a website and its non-compliance with GDPR. The decision also provides useful insight into best practices for cookie compliance and the conditions under which companies are allowed to track online user behaviour. The Belgian privacy watchdog has also been in the news for its report on IAB Europe’s Transparency & Consent Framework (TCF), which noted that the framework fails to comply with the GDPR principles of transparency, fairness and accountability and the lawfulness of processing. Read report.


Facebook launches new Privacy Center

Meta (formerly Facebook) announced a new version of its Privacy Center, which will provide a comprehensive overview of data collection, sharing, security, data use and ads. Meta noted that Privacy Center will “educate people on their privacy options and make it easier to understand how we collect and use information”. Users can learn how apps like Facebook and Instagram collect and use data and figure out how to use the multitude of privacy and security controls available. The Privacy Center is currently available to a small number of Facebook desktop users in the US. Meta plans to roll it out to people in the coming months. People who have access can find the Privacy Center in the Settings > Privacy section. Read story.


Google pulls back on FLoC

Google is set to do away with the proposed Federated Learning of Cohorts (FLoC), replacing it with a new interest-based targeting proposal called Topics. Topics will work by identifying “a handful of topics, like ‘Fitness’ or ‘Travel,’ that represent your top interests for that week based on your browsing history”. Google noted that it will launch a developer trial for the new API in Q1 2022 but hasn’t announced a date. FLoC, an interest-based tracking mechanism, was intended to replace third-party cookies. But it was met with privacy concerns, and browsers like DuckDuckGo, Vivaldi, Brave, Edge and Mozilla had refused to use it. Watch video.


Google One VPN is now available for iPhone

Google’s VPN service that’s included with a Google One Premium subscription is finally available for iPhone and iPad users. The VPN is available to users in 18 countries, including the US, UK, France, Germany and Canada. The service, which has been available on Android since October 2020, is available for Google One members who have the 2TB Premium plan. Google also announced new VPN features for Android users such as a “safe disconnect” that shuts off internet access when a user is disconnected from the VPN. Google One VPN works by assigning users an IP address based on their current location and allows them to browse through websites without revealing the IP address. Read story.


Austrian DPA rules use of Google Analytics unlawful

Austria’s Data Protection Authority recently published its decision that the use of Google Analytics on the Austrian website NetDoktor breached the European Union’s General Data Protection Regulation (GDPR). The site’s use of Google Analytics involved a transfer of personal data to Google LLC in the US, which was in breach of Article 44 GDPR. According to the 2020 Schrems II ruling, sending personal data to a company in the US can happen only with EU-sanctioned legal contracts, i.e. Standard Contractual Clauses. The Norwegian Data Protection Authority also reached a similar conclusion this month, hinting at wider implications for Google Analytics. Read story.


US lawmakers introduce TLDR Act

US lawmakers have introduced legislation that aims to simplify terms-of-service agreements, which are often lengthy and complex legal documents that users must agree to before using websites and online services. The Terms-of-service Labeling, Design and Readability Act (TLDR Act) requires websites and mobile apps to create a “concise, easy to understand” summary of their terms of service that includes information on how personal information is collected and used. If passed, the TLDR Act will apply to large websites and apps and exempt small businesses. Read story.


Data breaches reached an all-time high last year

The overall number of data breaches (1,862) is up more than 68% compared to 2020 (1,108) according to the latest report published by the Identity Theft Resource Center (ITRC). A major concern outlined in the report is the increasing number of cyberattacks responsible for breaches. Over the past two years, ransomware-related data breaches have doubled while cyberattacks alone accounted for 1,600 compromises last year. Another concern that the report mentions is the lack of transparency in breach notifications. The companies that hold your data and then get hacked aren’t sharing as much as they did in the past. Read story.


WhatsApp asked to clarify privacy policy changes

The EU Commission has informed WhatsApp that it has until the end of February to explain changes to its privacy policy in 2021. WhatsApp made changes to its privacy policy such that users would have to share their data with Facebook. The European Consumer Organization (BEUC) and eight of its members took their grievances to the EU executive and the European network of consumer authorities noting that WhatsApp was unfairly pressuring users to accept its new privacy policy. The concerns also include whether the company provides enough information to users about its new terms of service. Read story.


The UK gets a new Information Commissioner

John Edwards has been appointed as the chief of the Information Commissioner’s Office (ICO). The former New Zealand privacy commissioner is taking charge at a critical point for the country’s data protection regime. Post-Brexit, the UK government has signalled that the country will begin to diverge from the European Union’s GDPR. Edwards will work with the government on the proposed reforms including facilitating data adequacy partnerships with non-EU countries and reforming data privacy laws to make them more business-friendly. He replaces outgoing ICO chief Elizabeth Denham, who was appointed to the role in 2016. Read story.