Privacy Roundup: Top 10 Stories of March

March saw important privacy regulations being introduced that could fundamentally change how businesses deal with consumer data, including Utah’s new law, Digital Markets Act and the latest cross-border transfer agreement between the EU and US. While tech firms continue to face the heat with more files piling up for violations of data privacy laws. Take a quick glance at the top stories and we will be back with the top stories next month!

Utah will become the fourth US state to adopt comprehensive consumer privacy legislation, following California, Virginia, and Colorado, with the passage of the Utah Consumer Privacy Act (UCPA). On March 24 Governor Spencer Cox signed the Utah Consumer Privacy Act into law. The UCPA shares many similarities with other state laws such as the Virginia Consumer Data Privacy Act (CDPA) which grants consumers certain rights to their personal data. Businesses in Utah or those serving consumers in Utah are required to be compliant when the law goes into effect on December 31, 2023.  Read story.

Google’s Universal Analytics (UA) will be phased out by Google next year and replaced with Google Analytics 4 (GA4), the company announced. Google cited the need to understand multi-platform user journeys and privacy as the reasons for pulling the plug on UA. Google noted that UA’s measurement methodology is “quickly becoming obsolete” and that GA4 doesn’t require cookies and won’t store IP addresses in order to help brands comply with privacy laws. Read story.

The European Union (EU) members have reached an agreement on the landmark bill, the Digital Markets Act (DMA). On March 24, 2022, the EU  unveiled the final text of the Act that is set to introduce drastic changes to how tech giants do business.  The Act will affect “core platform services”, which have a value of more than €75 billion and at least 45 million monthly users. In a release, the EU noted, “The Digital Markets Act (DMA) will blacklist certain practices used by large platforms acting as gatekeepers and enable the commission to carry out market investigations and sanction non-compliant behaviour.” Read story.

The EU and US have reached an agreement “in principle” on a new framework for EU-US data transfers. The news was announced in a joint press conference held by European Commission President Ursula von der Leyen and US President Joe Biden, without divulging details on its workings. “This framework underscores our shared commitment to privacy, to data protection, and to the rule of law,” noted Joe Biden. Privacy Shield was invalidated in July 2020, after the EU’s top court ruled in favour of Max Schrems, an Austrian privacy activist who argued the existing framework did not protect EU data from US surveillance. Read story.

Italy’s Data Protection Authority, the Garante, fined American facial recognition company Clearview AI €20M for breach of GDPR including the provision for transparency, purpose limitation, and storage limitation. Clearview AI is reported to have a database of more than 10 billion images that is claimed to be taken from various social media platforms and other websites where the information is publicly available. The fine is the latest that the controversial company has faced from European data privacy regulators after France fined the company in December last year. Read story. 

Mozilla is rolling an  HTTPS-only mode feature to Firefox Focus on Android, its privacy-focussed mobile browser. When enabled, for every website you visit, the browser will automatically connect you to a secure and encrypted connection over HTTPS, even if you manually enter HTTP in the address bar or click on a legacy link. This comes after Mozilla introduced its Total Cookie Protection feature to Firefox Focus on Android, which is used to combat cross-site tracking, to Firefox Focus on Android. Read story.

Microsoft and Okta have both confirmed suffering data breaches after a hacking group, Lapsus$, claimed to target them. The group Lapsus$ had recently announced that it had gained access to the source code of Microsoft products such as Bing and Cortana. Okta, which provides online authentication services to several prominent companies, had initially denied a breach, but later released a statement saying that around 366 of its customers were likely impacted. Read story.

According to a new study, Google has been collecting its users’ call logs and text messages without consent. The research paper “What Data Do The Google Dialer and Messages Apps On Android Send to Google?”, published by Professor Douglas Leith, notes that Google Dialer and Google Messages sent messages and call information back to Google. Both the applications are the default apps on over a billion Android devices. Google also does not provide specific privacy policies for the two apps, even though Google requires that third-party developers do provide privacy policies. Read story.

The UK High Court of Justice has ruled that a class-action lawsuit against TikTok for children’s privacy violations can proceed. The privacy suite is seeking damages on behalf of millions of children for alleged abuse of their information, as per a report by TechCrunch. The social media app has been allegedly processing youngsters’ data without adequate security measures, transparency, the consent of guardians or legitimate interest. The claimant has support from Anne Longfield, the former Children’s Commissioner for England who argues TikTok has broken data protection laws in the EU and UK. Read story.

The Irish Data Protection Commission (DPC) has fined Meta (formerly Facebook) €17 million fine, following an inquiry into a series of 12 data breach complaints received by the DPC between June and December 2018. The DPC found that Meta failed to implement appropriate technical and organizational measures to protect EU users’ data. While regulators of Germany and Poland raided objections initially, a consensus was achieved and this decision marks the first time that an issue has been resolved under Article 60 of the GDPR, which focuses on cooperation between different regulators. Read story.