- Google Android Data Collection - A research paper by a Trinity College Dublin professor revealed questionable data collection practices from Android phones. Google has been able to collect extensive data on Android phone users by exporting data to its servers through the phone and text message apps. While data collection for the purposes of improving the service or personalisation of ads is something most Google users are aware of, the export of this particular data was carried out without informing users or obtaining appropriate, explicit consent. This practice may result in further action against Google, especially as regards the quality of consent, or lack thereof, given by users to process their data. According to the GDPR, consent should be a freely given, specific, informed and unambiguous indication of the data subject's wishes regarding the processing of their personal data. Read the full article here.
- Privacy Shield 2.0 - Taking centre stage on the privacy scene in March was definitely the announcement on the 25th of an agreement "in principle" regulating transatlantic data flows between the EU and the US. The details of what has been agreed are not yet known, and according to TechCrunch (read article here) "since the sustainability of the deal will hinge on exactly that fine detail, there is little that can be taken away from [the] announcement beyond the political gesture." However, even as a political gesture, the announcement of a Privacy Shield 2.0 does not sit well in the aftermath of the recent Fazaga vs FBI Supreme Court judgment. The FBI had allegedly unlawfully targeted Muslim community members for surveillance because of their religion; however, the decision did not affirm this, but rather makes it significantly harder for people to pursue similar surveillance cases in the future. It was thought that the above decision "undercuts the Biden administration’s efforts to show that the United States has sufficiently strong privacy protections to sustain a new Privacy Shield agreement" (read article from The Hill here), but yet here we are, just a few weeks later. Find Max Schrems' first reaction here.
- Irish DPC Lawsuit - The announcement of this news truly turned the tables around. Ireland's Data Protection Commission was sued by the Irish Council of Civil Liberties (ICCL) for years of inaction regarding several complaints back in 2018, when the GDPR initially came into force. The complaints concerned Google's adtech practice of "high-velocity trading of people’s data for real-time ad auctions (real-time bidding, or RTB)" and the lack of attention to security measures in this process. Now that the ICCL has finally got the High Court's attention, they plan to "force Ireland to investigate the security of RTB, an issue the regulator has so far seemed keen to avoid." Find out more here.
- Clearview AI, Italy - The Italian DPA, Garante per la protezione dei dati personali, published its decision to fine American facial recognition company Clearview AI an incredible € 20 million, making it one of the highest GDPR fines yet. The investigation was launched in 2021 following complaints and alerts from several organisations and individuals, and revealed a breach of several GDPR provisions, "such as transparency, purpose limitation, and storage limitation; it failed to provide the information set out by Article 13-14, to provide information on an action taken on a request under Article 15 within the due timeframe, and to designate a representative in the EU." This decision once again highlights the differences between US and EU privacy laws, as Clearview's legitimate interest is not enough to process personal data of EU citizens lawfully and it does not provide an appropriate legal basis to do so under the GDPR. Not only did the company collect personal data in the form of photographs of people's faces, it later converted images into biometric and geolocation data. On top of the substantial fine, the Italian Garante ordered the deletion of all obtained data and the assignment of an EU representative, and banned further data collection. Read more about the decision here.
- BREBAU Germany - BREBAU, a housing association in the German city of Bremen, was fined an imposing € 1.9 million by the local authority due to insufficient legal basis for processing of personal data and issues with transparency. The Bremen Commissioner found that the association had processed data sets of over 9000 potential tenants including sensitive data, for example "information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects" as well as personal information that was completely unnecessary for the purposes of performance of the association's service. Additionally, BREBAU purposefully made it difficult for data subjects to find out how their data is being processed. Despite this aggravating factor, the association cooperated with the authority closely and took steps to mitigate the situation, which in turn served to substantially lower their initial fine. You can read more on the decision here.