As China’s new privacy law comes into effect and with India tabling the privacy bill, the biggest internet economies are putting privacy on the centre stage. This month saw record fines and anti-trust cases that continue to plague big tech, all reflecting on data privacy becoming a non-negotiable right. 

Read the important stories in this Privacy Roundup for November. We will be back with the top stories next month!

01

IAB Europe found in breach of GDPR

The Belgian Data Protection Authority (DPA) has found the International Advertising Bureau (IAB) Europe in breach of the GDPR with its Transparency & Consent Framework (TCF), according to a statement by the Irish Council for Civil Liberties (ICCL). In a statement on their website, IICL noted that: “The online advertising industry and its trade body, IAB Europe, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.” The Belgian DPA found that the TCF didn’t comply with the GDPR’s transparency guidelines and processed sensitive data without explicit consent. Read more

02

China’s privacy law comes into effect

China’s new privacy law, Personal Information Privacy Law, came into effect on November 1. China enacted the law earlier in November, to become the second major nation-state after Europe to pass a sweeping data privacy regulation. The law laid down rules for how businesses can collect, use, process, share and transfer personal information. Similar to the GDPR, China’s law has broad extraterritorial reach and companies who violate the law could be subject to fines of up to 5% of annual revenue or 50 million yuan ($7.5 million). Read story

03

Meta plans to remove sensitive ad targeting

In a major move after rebranding as Meta, Facebooks parent company is now planning to eliminate ad targeting based on users’ interactions with content related to health, race and ethnicity, political affiliation, religion, sexual orientation and other topics. Meta announced that starting January 19, 2022, it will no longer allow advertisers to select terms for ad targeting that are related to “sensitive” topics on Meta’s applications such as Facebook, Instagram, Messenger and the company’s Audience Network, which places ads in third-party apps. Read story

04

Federal Trade Commission to target ‘dark patterns’

The Federal Trade Commission (FTC) recently issued a new enforcement policy statement warning companies against using dark patterns that trap consumers into subscription services or contracts. Dark patterns are design tactics used to encourage consumers into making choices that they didn’t necessarily want to do. The FTC warned companies of legal action if they employ harmful negative option marketing (such as automatic renewals, continuity plans, free-to-pay or fee-to-pay conversions). The FTC also sets out guidance and key requirements for companies. Read statement

05

Google updates privacy settings on Chrome and Android

Google has announced new Privacy and Security settings in its latest Chrome beta release. The reconfigurations will allow users to understand how sites store data on them and delete all data stored by an individual site with one click. Google also released the Android 12  with new privacy and security instalments including hibernating apps you haven’t used for a long time and making location data less precise. Android 12 also introduces a privacy dashboard (Settings>Privacy>Privacy Dashboard) to help increase permissions transparency. Read story

06

Facial recognition firm Clearview AI faces potential £17m fine

US facial recognition company Clearview AI is facing a potential £17m fine after the Information Commissioner’s Office (ICO) found it had committed “serious breaches” of data protection law. The firm has collected more than 3 billion images from websites such as Facebook, Twitter, Google, YouTube, Venmo and LinkedIn. Clearview was found to not have higher data protection standards required for biometric data under the GDPR and failed to inform individuals in the UK of how their data was being processed. The Australian Information Commissioner, who was part of this joint investigation by ICO, has ordered the company to stop collecting photos taken in Australia and remove ones already in its collection. Read story

07

WhatsApp rewrites privacy policy for Europe after record fines

WhatsApp has rewritten its privacy policy for European users after getting a record €225 million fine (the second-largest GDPR fine) by the Irish Data Protection Commission’s (DPC) earlier in 2021. The new privacy policy includes more detail about how WhatsApp works with its parent company Meta, how it collects and uses customer data, how it is stored and when it is deleted. While WhatsApp is appealing against the fine, it is amending the policy in Europe and the UK in response to the findings. Meta and WhatsApp are also required to remove the Legal Basis Notice and the Facebook FAQ from their platforms until they are compliant with all GDPR requirements. Read story

08

Google wins UK class-action suit, loses EU anti-trust case

Google won a £3.3 billion lawsuit filed on behalf of more than 4 million Apple iPhone users over Google’s alleged tracking of personal data. The lawsuit was filed by consumer rights campaigner, Richard Lloyd in 2017 alleging that Google overrose iPhone users’ privacy settings to track them on Apple’s Safari browser between 2011 and 2012. In November, Google lost a €2.42 billion antitrust case after the General Court of Luxembourg ruled that the company abused its dominant position to beat the competition in eCommerce. Read story

09

Indian Parliamentary Committee adopts report on Personal Data Protection Bil

The Joint Parliamentary Committee (JPC) adopted the final report on the Personal Data Protection Bill with stricter compliance requirements for companies and lighter obligations on government agencies. The Personal Data Protection Bill was introduced in Parliament in 2019 and stems from a 2017 judgment by the Supreme Court of India that recognised privacy as a fundamental right protected by the Constitution. The JPC’s report will be presented in the Winter Session of Parliament, and if passed will be the first comprehensive data privacy regulation for India, which has nearly 800 million internet users. Read story 

10

Italy fines Apple, Google over the use of consumer data

Italy’s competition and market authority (AGCM) has fined Apple and Google €10 million each for “aggressive practices” and not obtaining a user’s consent before using their data for commercial purposes. ​​The AGCM has accused Apple of failing to provide users with clear information when they create an Apple ID or access its digital stores, such as the App Store. Google is accused of not providing enough information to users on how personal data will be used when they are creating accounts or using its services. Both companies have also been accused of designing their account creation processes that makes sharing personal data as the default. Read story