The EU and US took a major step by adopting the long-awaited Data Privacy Framework. While the decision has come as a relief for US businesses like Meta and Google, only time will tell whether the framework will survive legal challenges. Here’s what else happened in the month of July.

01

EU adopts EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) on July 10, 2023. Personal data can now be transferred from the EU to US companies which self-certify under the DPF. These companies do not have to rely on other data transfer mechanisms (like Standard Contractual Clauses or Binding Corporate Rules). The US Department of Commerce is responsible for administering and monitoring the program. Read more 

02

GA4 becomes legal in EU, thanks to new EU-US DPF

Google Analytics 4 (GA4) has been declared legal in Europe after the European Commission adopted the EU-US Data Privacy Framework. Under the new framework, Google is an approved business. Last year, many EU regulatory bodies like CNIL and the Austrian Data Protection Authority ruled Google Analytics illegal, citing concerns over surveillance risks posed by the export of European users’ personal data to the US. Read more

03

US state privacy laws: Oregon and Delaware join the list

Oregon and Delaware became the 11th and 12th states to enact comprehensive privacy legislation in the US. On July 18, 2023, the Oregon State Governor signed the Oregon Consumer Privacy Act (OCPA) into law. With this law, Oregon became the sixth state in 2023 to pass a privacy law, joining Iowa, Indiana, Montana, Tennessee, and Texas. The Delaware legislature also passed the Delaware Personal Data Privacy Law, which is expected to be signed into law soon. Read more

04

Google’s Privacy Sandbox is on its way

Google continues the rollout of its Privacy Sandbox APIs (namely Fenced Frames and the Topics API) with the launch of Chrome 115. Privacy Sandbox, first announced in August 2019, is Google’s initiative to replace third-party browser cookies. Currently, Privacy Sandbox will run in parallel with third-party cookies in the browser. By early 2024, Google will deprecate third-party cookies for 1% of Chrome users and will cover all users by the second half of 2024. Read more

05

UK’s controversial Online Safety Bill in final stages

The UK Parliament is currently reviewing the Online Safety Bill before passage in the House of Lords. Stakeholders like the Electronic Frontier Foundation (EFF) have raised concerns regarding the Bill’s potential risks to internet privacy, including challenges to preserving end-to-end encryption. Messaging services such as WhatsApp, Signal and Apple’s iMessage have warned they could pull their services from the UK if the bill passes in its current form. Read more

06

Google updates privacy policy to collect data for AI training

Google’s privacy policy update now allows the company to use public data to train AI models. Google changed the wording of its policy, switched the term “AI models” to “language models” and stated that it could use publicly available information to build full products like “Google Translate, Bard, and Cloud AI capabilities.” This move by Google raises legal concerns about data scraping and the potential misuse of data. Read more

07

Norway bans behavioral ads on Facebook and Instagram

Facebook and Instagram face a 3-month temporary ban from showing targeted advertisements for users in Norway unless consent is obtained. The Norwegian Data Protection Authority ordered Meta to stop all behavioural advertising in the wake of the CJEU’s ruling that Meta is unlawfully collecting personal data without explicit consent and based on legitimate interest. The ban starts on 4 August and will last for three months, or until Meta demonstrates compliance. Read press release

08

Meta’s Twitter rival Threads still not available in EU due to regulatory concerns

Meta’s new micro-blogging platform has still not been launched in the EU due to regulatory concerns about the service’s use of personal data. According to reports, the EU’s upcoming Digital Markets Act, which restricts the sharing of user data across different platforms, poses an impediment to Threads. In May 2023, Meta was fined a record €1.2 billion for a breach of GDPR and ordered to suspend the transfer of user data from the EU to the US. Read more

09

Apple tightens user privacy with API control

Apple is implementing a new policy that requires developers to explain their need for access to select data, aiming to reduce misuse of APIs. The policy aims to prevent developers from using APIs for device fingerprinting to collect user data, even if the user has given the app permission for tracking. Apple is set to enforce this requirement in fall 2023. Developers need to provide an approved reason for API use in their app’s privacy manifests before resubmitting apps. Read more

10

8 million people hit by data breach of US govt contractor

A data breach at Maximus, a US government services contractor, may have exposed the personal and protected health information of at least 8 million individuals. Maximus is one of the hundreds of companies that have been recently affected by the MOVEit ransomware attack by Clop, a Russia-linked data extortion group. Maximus contracts with US federal, state and local governments to manage and administer government-sponsored programs including Medicaid and Medicare healthcare reform. Read more