GDPR turned 4 on May 25th this year. While it has improved the privacy rights of millions of people in the EU, major data challenges remain today. The EU continues to strengthen its data regime with new privacy proposals, while countries across the world have passed data privacy acts modeled on GDPR. Connecticut’s new privacy law is the latest to join the cohort of state-level privacy laws inspired by the GDPR. Here are the top stories from May that we don’t want you to miss.


Connecticut enacts the Data Privacy Act

Connecticut has joined California, Virginia, Colorado, and Utah in enacting comprehensive data privacy legislation. The Connecticut Data Privacy Act (CTDPA), which will go into effect July 1, 2023, is now the fifth and latest comprehensive state consumer privacy law. The CTDPA draws from other state-level data privacy laws with only a few departures of significance. One of the most significant differences is that CTDPA is the first state law to explicitly carve out payment transaction data from its applicability threshold, a provision that was added to minimize the concerns of restaurants, small convenience stores, and similar businesses that use personal data for the sole purpose of completing a transaction. Read story


Google Play launches privacy labels for apps

Google Play has launched its own version of privacy-related “nutrition labels” for apps providing details about what data apps collect, how it’s handled, and where the app might send the information. These labels will appear in a new Data Safety section for apps in the Google Play store, displaying details that developers will report about their apps’ privacy and security practices. The information displayed is very similar to Apple’s App Store privacy labels. According to Google, they may take “enforcement action” against developers for inaccuracies in the information they supply. July 20 will be the final deadline for app developers to disclose the required information. Read story


FTC charges Twitter with $150 million for selling user data

The Federal Trade Commission (FTC) has ordered Twitter to pay a $150 million fine for letting advertisers access personal data to target specific users without informing them. Twitter violated a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. According to a complaint filed by the Department of Justice on behalf of the FTC, from 2014 to 2019, more than 140 million Twitter users were asked to provide their phone numbers or email addresses for account security. But according to the FTC, Twitter “failed to mention that it also would be used for targeted advertising,” allowing advertisers to target users by matching the information with data obtained from third-party data brokers. Read story


Meta updates its Privacy Policy

Facing regulatory scrutiny across the world, Facebook’s parent company Meta is finally updating its privacy policy after four years. The updated privacy policy aims to be easier to understand and to reflect the latest products the company offers. “These Meta updates give us no new rights to people’s data. Our goal here is to be clearer and more transparent by adding more details and examples of our data practices,” according to the tech giant. The new policy will come into effect on July 26, 2022, and users don’t need to act on it to continue using their products. The redesigned policy covers Facebook, Instagram, Messenger, and other Meta products, but does not cover WhatsApp, Workplace, Free Basics, Messenger Kids, or Quest devices used without a Facebook account. Read privacy policy


Google faces lawsuit for using NHS data of 1.6 million UK residents

Google is facing a class-action lawsuit in the UK for allegedly using confidential health data belonging to 1.6 million people. The scandal first came to light in 2016 when it was found that Google’s AI division, DeepMind, allegedly passed data received from the Royal Free NHS Trust in London without the patients’ knowledge or consent. The misuse arose from a data-sharing agreement linked to the development of DeepMind’s mobile application called Streams, aimed at helping hospital staff monitor patient health. The agreement was subsequently found to be illegal by the UK’s ICO. Andrew Prismall, whose records were passed to DeepMind, has now filed a suit in the High Court of Justice of England & Wales. Read story


EU Council approves Data Governance Act

The EU Council has approved the Data Governance Act (DGA) which is set to provide a framework to increase a business’s ability to access public sector data. The European Parliament approved the Data Governance Act (DGA) on April 6, 2022, and the law was awaiting approval from the EU Council. The DGA will enable a new business model – data intermediation services – that will provide a secure environment in which companies or individuals can share data. The DGA creates “a mechanism to enable the safe reuse of certain categories of public-sector data that are subject to the rights of others. This includes, for example, trade secrets, personal data, and data protected by intellectual property rights.” Read story


Twitter launches web game for its privacy policy

Twitter announced today that it has rolled out a new browser-based web video game to make it easier for users to understand its privacy policy. The game, called Data Dash, seeks to help users learn how to “safely navigate the Twitterverse” and to educate people on the information that Twitter collects, how the information is used and what controls users have over it. In addition to this game, Twitter also announced it has rewritten its privacy policy to make it easier to understand. The game’s launch comes after Twitter’s new policy to crack down on “Copypasta and Duplicate Content.” Read story


ICO fines Clearview AI £7.5 million

The US-based facial recognition company Clearview AI has been fined £7,552,800 by the UK’s Information Commissioner’s Office (ICO) for breaching UK data protection laws. The ICO has ordered Clearview to delete data it has on UK residents and banned it from collecting any more. The UK’s Information Commissioner John Edwards noted that “The company not only enables identification of those people but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable”. This is not the first time that Clearview has faced regulatory heat for its data collection. Similar orders and fines were issued in Australia, France, and Italy. Read story


NOYB writes open letter on the new EU – US data deal

Privacy advocacy organization NOYB — founded by lawyer and activist Max Schrems — released an open letter stating its position on the new Trans-Atlantic Data Privacy Framework. The letter outlines several concerns that it believes raise questions over the stability of future European Commission adequacy agreements and warns that the announced framework risks “sharing the same fate” as its two predecessors, the Safe Harbor and Privacy Shield 1.0, “unless substantive (legislative) reforms are conducted in the United States.” The letter coincides with an EU delegation’s visit to Washington DC to discuss EU-US cooperation in the protection of personal data. Read letter


UK government confirms plans to reform GDPR

The UK government has confirmed its plans to reform the country’s data laws in the Queen’s Speech, which sets out its legislative program for the months ahead. The speech comes after the UK government published a “consultation” in September 2021 that said the GDPR rules were a “regulatory burden” on businesses. The proposed Data Protection Reform Bill is expected to introduce significant changes to the UK GDPR and the Data Protection Act 2018. Read story