A cookie banner task force? Yes, you heard that right. From EDPB’s task force to WhatsApp’s €225 million fine, a lot happened in the privacy world in the last month. While the UK is inching towards a new post-Brexit privacy regime, the US is still in talks for federal privacy law. 

Here are the important stories in this Privacy Roundup for September. We will be back with the top stories next month! 

01

EDPB has a cookie task force to address NOYB complaints

In September, the European Data Protection Board (EDPB) announced that it has established a task force to address the complaints raised by various data protection authorities (DPAs) and the privacy rights group Noyb. In May 2021, privacy activist Max Schrems’ organization Noyb filed over 500 complaints about unlawful cookie banners.

According to the EDPB website, the task force was established as per Art. 70 (1) GDPR and aims to promote cooperation and information sharing between the DPAs. It will:

  • exchange views on legal analysis and possible infringements;
  • provide support to activities on the national level;
  • streamline communication.

Read EDPB’s statement

02

WhatsApp gets a record €225 million GDPR fine

Ireland’s data regulator on Thursday fined WhatsApp €225 million (£193m) for violating Europe’s privacy rules. It is the second-highest GDPR fine after the record-setting €746 million fine on Amazon issued by the Luxembourg data protection authority. The fine relates to an investigation that began in 2018, for failure to meet the transparency requirements of Articles 12-14 of the EU GDPR. 

In the 266-page ruling, the Irish commissioner, Helen Dixon, said the company provided only 41% of prescribed information to users of its service. Due to the cross-border nature of WhatsApp’s data processing, the Irish DPC’s draft decision was reviewed by relevant supervisory authorities, as required by the cooperation and consistency mechanism of the GDPR. Read story

03

DPC investigates TikTok data transfers

The Irish Data Protection Commission (DPC), the lead regulator of TikTok in the EU, is investigating the short-video platform for two privacy-related issues. The first investigation is related “to the processing of personal data in the context of platform settings for users under age 18 and age verification measures for persons under 13,” the DPC noted.

The second investigation will focus on data transfers by TikTok to China and whether the company complies with EU rules on transfers to “third countries”. TikTok is owned by Chinese company ByteDance and has faced accusations that it shares data with Chinese companies. Read story

04

Italian DPA fines Deliveroo €2.5 million

After the big WhatsApp and Amazon fines, Deliveroo is the latest business to face a GDPR fine. The Italian Data Protection Authority (Garante) has fined Deliveroo Italy €2.5 million for the unlawful processing of the personal data of approximately 8,000 Deliveroo riders. As per Garante, Deliveroo breached the principles of storage limitation, data minimisation, transparency and lawfulness under Article 5 of the GDPR.

Garante established that Deliveroo had a centralised computer system with a scoring algorithm that used riders’ personal data to distribute work to them. The Italian DPA also raised concerns that personal data, such as the rider’s precise geo-location, was captured every 12 seconds and stored for up to six months. Read story

05

Zoom settles privacy lawsuit for $86 million

Zoom agreed to settle a lawsuit that alleged that the video communication platform violated privacy rights by sharing users’ personal data with Facebook, Google and LinkedIn. The lawsuit, filed in 2020 in California, alleged that Zoom failed to ensure the security of its platform, which led to hackers entering Zoom meetings and displaying inappropriate content, a practice called “Zoombombing”.

As per the settlement agreement, those who subscribed to the class action will be eligible for a 15 percent refund on their core subscription or $25, whichever is larger. Read story

06

Google to reset app permissions for Androids

In December, Google plans to reset app permissions on older versions of Android, from Android 6.0 and above, extending the privacy protection feature introduced in Android 11. The apps that haven’t been used for a while will automatically lose their permissions to access features like device storage, the camera or the microphone. 

In a blog post, Google software engineer Peter Visontay noted that “This feature helps protect user privacy by automatically resetting an app’s runtime permissions – which are permissions that display a prompt to the user when requested – if the app isn’t used for a few months.” This change is likely to affect about 2 billion devices that run on Android versions lower than 11.

Read story

07

UK Government has new proposals for data protection

In September, the UK Government’s Department for Digital, Culture, Media & Sport published its consultation paper (Data: A new direction) on proposals to reform the UK’s data protection laws. The consultation is intended to “create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”.

The consultation looks at several key areas, with a focus on innovation, reducing the burden on businesses, data transfers and reducing trade barriers, and reforming the Information Commissioner’s Office (ICO). It is the first post-Brexit review of the GDPR in the UK. The deadline for responding to the consultation is 19 November 2021. You can file your response here

08

US Senate to debate a federal privacy law

The US Senate Commerce Committee expressed the importance of a comprehensive federal data privacy law in the US during the year’s first Senate hearing on consumer data privacy on September 29. The hearing, titled “Protecting Consumer Privacy”, addressed the potential $1 billion earmarked to strengthen the Federal Trade Commission (FTC), the future of a national privacy and data protection law, and children’s privacy.

Updated versions of the Data Protection Act of 2020 and the SAFE DATA Act were reintroduced in the U.S. Senate in 2021. However, the Acts have failed to advance beyond committee assignment. Read story

09

Marketers file complaint against Privacy Sandbox

A coalition of digital marketing firms filed a formal complaint with the European Commission against Google’s Privacy Sandbox. The group “Movement for an Open Web” (MOW), in a press release, announced that they have provided the Commission with “evidence of Google’s technology changes, how they impact choice and competition”, and offered some “potential remedies”. 

Google’s Privacy Sandbox is a set of web technology proposals that were introduced to address covert tracking technologies and aims to phase out third-party cookies by 2022. The MOW noted that Google’s proposed changes will limit independent analytics and advertising and increase the value of data collected by Google. Read press release

10

Neiman Marcus sends data breach notices to 4.6m customers

US luxury retail giant Neiman Marcus has contacted 4.6 million digital customers regarding a data breach dating back to May 2020. As per the company, it learned of a May 2020 data breach only in September 2021 and has sent notifications to its 4.6 million online customers. 

In a press release, the company noted that the stolen data involves payment cards and virtual gift card information. According to the company, more than 85 percent of the data affected “were expired or invalid,” and no active store-brand credit cards were affected. Read press release