Privacy Roundup: Top 10 Stories of July

July was a happening month in the world of data privacy. Europe adopted the Digital Services Act and Digital Markets Act while the US took a step closer to getting a federal privacy law with the American Data Privacy and Protection Act. In another news to internet publishers, Google has once again pushed back the timeline on phasing out third-party cookies in Chrome to 2024. Here are all the top stories that we don’t want you to miss.

The European Parliament adopted the Digital Services Package, consisting of the Digital Services Act (DSA) and the Digital Markets Act (DMA), with an overwhelming majority in the plenary vote.  The DMA will introduce new ‘ex ante’ competition rules for gatekeeping tech giants, with at least 45 million users to ensure fair competition. The DSA which applies to both large and small platforms will crack down on online misinformation and illegal content, including hate speech. The regulations are expected to be applicable from early next year after the formal adoption process is completed. Read story.

Google has announced that it will delay the plan to phase out third-party cookies on its Chrome browser until the “second half of 2024.”  Anthony Chavez, Google’s VP of Privacy Sandbox, noted that they received feedback from developers, publishers, marketers, and regulators for “more time to evaluate and test the new … technologies before deprecating third-party cookies in Chrome.” The company has been working on its plan to replace cookies through an initiative known as the Privacy Sandbox since 2019. Read story.

The United States Congress is debating the American Data Privacy and Protection Act (ADPPA), a bill that will regulate how organisations collect,  process, manage, and store personal information. The ADPPA would preempt most existing state laws, like the California Consumer Privacy Act and Colorado Privacy Act. The federal privacy bill provides data subject rights like access, delete or port data, allows consumers to opt-out of targeted advertisements, and includes provisions for protection for children and minors. ADPPA ​​is the first comprehensive national data privacy framework that has bipartisan support, more than any other federal privacy legislation introduced in the US in the past. Read story.

The European Commission (EC) is to face a lawsuit over allegations it is violating its own data protection rules when transferring personal data to the United States. The lawsuit filed by an unnamed German citizen, alleges that EC’s own website, Conference of the Future of Europe, is hosted by Amazon Web Services and hence when the visitors register on the site, personal data such as the IP address is transferred to servers based in the United States. International data transfers were ruled illegal by the EU Court of Justice two years ago in the landmark Schrems II ruling. Web Services Read story.

The American Data Privacy and Protection Act (ADPPA) has undergone further amendments in an effort to get the bill out of committee and ready for a vote. Some of the notable changes include changing the private right of action’s effective date from four years to two years and keeping the California Privacy Protection Agency (CPPA) around to enforce the ADPPA in California. CPPA has voiced its opposition to the proposed ADPPA as it would preempt California’s privacy laws – both the California Consumer Privacy Act and the California Privacy Rights Act. Read more.

Ireland’s Data Protection Commission (DPC), EU’s lead regulator for Meta may block its services over illegal data transfers. The DPC sent a draft decision to its EU counterparts and proposes to halt Meta from transferring personal data from the EU to the US. If approved by the other DPAs, Meta-owned services like Facebook and Instagram may be shuttered in the EU. Meta has warned a stoppage will likely leave it unable to offer significant services such as Facebook and Instagram in Europe without a new transatlantic data transfer framework. Read story.

TikTok has agreed to pause its privacy policy update in Europe, in which the platform would stop asking users for their consent for targeted advertising. Following scrutiny from the Irish Data Protection Commission (DPC), TikTok’s lead privacy regulator, the social media company has suspended changes to its privacy policy.  “While we engage on the questions from stakeholders about our proposed personalised advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update”, as per the company statement. Read more.

Denmark’s data protection authority, Datatilsynet, has banned the use of Google Workspace and Google Chromebooks in schools and municipalities amid concerns around international data transfers and GDPR non-compliance. The agency revealed that data processing involving students using Google’s cloud-based Workspace software suite — which includes Gmail, Google Docs, Calendar and Google Drive — “does not meet the requirements” of the GDPR. Datalisynet has further stated that parties who do not comply with the ban could be imprisoned. Read story.

Clearview AI has been hit with another fine for breaching GDPR, by the Hellenic Data Protection Authority (HDPA). In response to a complaint filed by several privacy organizations like Homo Digitalis, Privacy International, Hermes Center, and noyb,  the DPA issued a €20 million fine against Clearview AI for illegally collecting and processing facial recognition data. It must now delete all collected data on Greek subjects. The AI-based facial recognition company also faces a €20 million fine from the Italian regulator and a  £7.5 million fine issued by the UK regulator. Read story.

The European Data Protection Board (EDPB) adopted a  Statement on Personal Data Transfers to the Russian Federation, in which it confirmed that data transfers to Russia require a data transfer impact assessment (DTIA). The EDPB opines that Russia is “no longer a contracting party” to EU legal frameworks and protocols. As Russia does not benefit from an adequacy decision of the European Commission, transfers of personal data to Russia must be carried out using one of the other transfer instruments listed in Chapter V of the GDPR. Read statement.