January Newsletter

News

1. EU Commission prepares national authorities for the implementation of the Digital Services Act

The Digital Services Act (DSA), a recently passed EU law to control the online distribution of content, goods, and services, was presented by the European Commission on Tuesday (24 January) during a webinar with the relevant national enforcement agencies.

The DSA is a piece of horizontal legislation that outlines obligations for all parties engaged in the digital world. For very large online platforms that have more than 45 million users in the EU and are thought to constitute a systemic risk to society as a whole, stricter criteria have been added. By February 17, platforms like Facebook and Instagram must disclose the number of people who regularly use their services. They will be classified under the DSA as a very large online platform as a result. The Digital Services Coordinator can be appointed by member states for one additional year. An essential part of this compliance is to put in place a risk management system to identify and mitigate potential risks for society, like harmful content.

Find out more here.

2. European Commission has released study on the impact of recent developments in digital advertising on privacy, publishers and advertisers.

The European Commission published a research on the effects of changes in digital advertising, and it makes a compelling argument for reform since the current situation is untenable for consumers, publishers, and advertisers. According to the report, there is "a need to boost accountability and transparency, give people more control over how their personal information is used for digital advertising, and remove a number of barriers that make it challenging for marketers and publishers to "know their audience."

Download study here

3. Data Protection Day

Data Protection Day is held annually on January 28 by Council of Europe member countries and EU entities. Wojciech Wiewiórowski, the European Data Protection Supervisor published his op-ed on the occasion. He says data protection is part of the human rights too often suspended at the borders of the EU. As long as we continue treating migration as a "problem", fundamental rights will remain compromised. The EDPS remains ready to assist Frontex, and other EU agencies involved in this field, to ensure the protection of fundamental rights not only within the territories of our familiar soil. Migration is a phenomenon, which indeed needs to be contextually understood with reference to the countries from where the migration originates.

Read that here.

Decisions

1. Whatsapp with another fine of €5.5 millions?

The Data Protection Commission imposed fine on Whatsapp for breaches od GDPR. The investigation centered on a complaint made on May 25, 2018, against WhatsApp by a German data subject. WhatsApp Ireland updated its Terms of Service in advance of May 25, 2018, the day the GDPR went into effect. Users were notified that they would need to click "agree and continue" to confirm their agreement with the updated Terms of Service in order to continue using WhatsApp after the GDPR went into effect. If users chose not to, the services would not be available. Contrary to WhatsApp Ireland's declared position, the complainant argued that WhatsApp Ireland was actually trying to utilize permission as a legal justification for processing user data. They claimed that WhatsApp Ireland was in fact "forcing" users to consent to the processing of their personal data for service development and security by making the use of its services contingent upon acceptance of the amended Terms of Service. This, according to the complainant, violated the GDPR. The final decision, which the DPC adopted on January 12, 2023, includes findings that WhatsApp Ireland is not authorized to rely on the contract as a legal justification for providing service and security upgrades for the WhatsApp service, and that its processing of such data up to that point, purportedly in reliance on the contract as a legal justification, violates Article 6(1) of the GDPR.

Read more here.

2. €400 millions euro fine for Meta - owner of Facebook and Instagram

The DPC has reached its final decisions, and Meta Ireland has been fined €210 million (for violations of the GDPR relating to its Facebook business) and €180 million (for breaches in relation to its Instagram service). The inquiries centered on two complaints that both raised the same fundamental problems with Facebook and Instagram services. An Austrian data subject filed one complaint (in connection with Facebook), and a Belgian data subject filed the second (in relation to Instagram). The terms of service for Meta's Facebook and Instagram services have been modified in 2018. Following the implementation of the GDPR, current (and new) users were prompted to click "I accept" to signify their approval of the amended Terms of Service if they wanted to keep using the Facebook and Instagram services. If consumers choose not to, the services won't be available. The DPC's decisions include conclusions that Meta Ireland is not permitted to rely on the "contract" legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its purported processing of user data up to this point in reliance on the "contract" legal basis constitutes a violation of Article 6 of the GDPR.

Read more here.

3. Spyware company Intellexa fined €50,000?

The Israeli-owned spyware consortium Intellexa was fined €50,000 (about $54,000) by Greece's Data Protection Authority (DPA) for not cooperating with its inquiries into the usage of the contentious technology. The DPA's investigation was started in response to press allegations in Greece that alleged top public personalities, such as the head of the national defense command and the political opposition leadership, had been put under surveillance. When DPA personnel sought to conduct an audit at Intellexa's listed address in Athens, they discovered it was actually held by an accounting business utilized by Intellexa, according to an official document. The company's headquarters are located in Elliniko, a coastal town south of Athens. When the authorities went to conduct another examination there later, they discovered the three-story facility was "totally empty and without a functional network infrastructure or IT system." The examination had been announced to Intellexa in advance. The consortium then verbally agreed to cooperate with the inquiry and submit a number of required papers, but the DPA later said that it had penalized Intellexa for "unreasonable delays" in doing so and for failing to deliver the material that it is confident is in its possession.

Read more here.