Meta Threads Launch Delayed, US-EU Data Adequacy Decision, Massachusetts Location Data Ban and more

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter covers:

  • The EU’s US adequacy decision: A look at the implications for businesses relying on standard contractual clauses (SCCs) and organizations based in the UK and Switzerland.
  • Two privacy bills in Massachusetts that would ban the sale of location data (with or without consent).
  • Meta’s decision to postpone the EU launch of its new “Threads” platform following a barrage of legal issues—and why the app nonetheless launched on time in the UK.
  • What we’re reading: Recommendations for the best privacy-related words published this week

Third Time’s a Charm? EU Adopts US Data ‘Adequacy Decision’

The European Commission has adopted a long-awaited “adequacy decision” that will make it (much) easier to transfer personal data from the European Economic Area (EEA) to the US.

  • To regain its coveted “adequate” status, the US has developed a new voluntary data protection framework and implemented legal reforms to restrain its intelligence services and provide new legal rights for EU individuals.
  • US businesses can now certify with the EU-US Data Privacy Framework (EU-US DPF). EU-based organizations will be able to freely share personal data with EU-US DPF-certified businesses.
  • The Commission’s previous two US adequacy decisions have been overturned following legal cases brought by privacy campaigner Max Schrems—who has confirmed that he will also challenge the new framework.

Some further thoughts…

Since Edward Snowden revealed the full extent of the US National Security Agency (NSA)’s surveillance activities in 2013, transatlantic data transfers have provided countless hours of complex work for privacy professionals, NGOs, and tech firms’ legal teams.

After three years in limbo, the European Commission adopted a new US “adequacy decision” on Monday.

The decision means that US businesses will once again have a workable solution for importing personal data from the EEA—and European companies will be able to send personal data to the US without breaking the law.

The European Commission can bequeath an “adequacy decision” upon any jurisdiction whose data protection standards it deems “essentially equivalent” to those enjoyed in the EU.

The US lost its previous two adequacy decisions after the Court of Justice of the European Union (CJEU) found that the country offers no meaningful redress to individuals who believe their fundamental rights have been violated by the government (among other issues).

The Biden administration addressed these concerns via an executive order that reins in intelligence services and establishes a new Data Protection Review Court (DPRC).

On top of this reformed legal regime, the EU-US Data Privacy Framework (EU-US DPF) will require participating US businesses to adhere to data protection standards roughly similar to those imposed on EEA-based organizations under the GDPR.

But the development should make things easier even for EEA businesses relying on another transfer mechanism known as “standard contractual clauses” (SCCs).

According to the Commission, it is no longer necessary to assess whether SCCs are an appropriate way to facilitate a data transfer to the US, as has been necessary since July 2020.

SCCs are now good enough by default because the new-and-improved US legal environment is “essentially equivalent” to that of the EU.

That’s the Commission’s view, at least.

Privacy campaigner Max Schrems thinks otherwise. His legal challenges killed off both of the EU-US DPF’s predecessors—and he’s preparing for round three at the CJEU.

Schrems says the new scheme fails to solve America’s underlying privacy problems. Many others, including the European Parliament and, to a lesser extent, the European Data Protection Board (EDPB), agree.

But for now, at least, data transfers should take up considerably less time for privacy professionals on both sides of the North Atlantic.

And for UK and Swiss readers: US businesses can certify with the “extension” program for each country from July 17—but we’ll have to wait for those countries’ governments to recognize US adequacy before their businesses can take advantage of the framework.

Massachusetts Considering Total Ban on Location Data

A privacy bill in Massachusetts would impose a blanket ban on the sale of location data collected from mobile phones.

  • Two active Massachusetts privacy bills, H.357 and S.148, would prohibit the “selling, leasing, trading, or renting” of location data.
  • The bills would also require covered businesses to only process location data for a set of pre-determined “permissible purposes”, and only with the data subject’s opt-in consent.
  • Disclosing location data to law enforcement agencies would be permitted subject to a valid warrant, a legal obligation, or at the data subject’s request.

Some further thoughts…

It’s hard to overstate how much the US privacy landscape has changed since California passed the country’s first comprehensive state privacy law in 2018.

The Privacy Corner Newsletter has reeled off these stats before, but they bear repeating:

Over 20% of states now have comprehensive privacy laws—with six such laws having been passed this session—and several further states have powerful new sector or data-specific privacy laws.

There has never been a busier time for privacy professionals working with US companies.

Some of these laws are fairly strict and unexpectedly broad (see Washington’s My Health My Data Act). Some are relatively “business friendly” (the Utah Consumer Privacy Act). Some, frankly, are ambiguous and possibly counterproductive (e.g. Florida’s Digital Bill of Rights).

Massachusetts’ active bills, known collectively as the Location Shield Act, are narrowly focused on one type of data that has major privacy implications: location data collected from people’s phones.

Many other states, sometimes motivated by last year’s Supreme Court ruling on abortion, have included precise GPS location information as a category of “sensitive data”. But even under these laws, businesses can still sell location data—often without consent.

Many people could see a total prohibition on the sale of location data as a sensible move. The American Civil Liberties Union (ACLU) of Massachusetts certainly thinks so—and 92% of the state’s residents reportedly agree.

Meta Delays Threads App Rollout in the EU, But Not the UK…

Meta has delayed the EU launch of its new app, Threads—reportedly due to concerns over compliance with the EU GDPR and the Digital Markets Act (DMA).

  • Threads is a “micro-blogging” platform that aims to compete with Twitter.
  • The app launched on Thursday in the US, UK and several other markets—but not the EU, where Meta faces tighter regulation.
  • The UK’s version of the GDPR has not been substantially amended since Brexit. But UK businesses are not directly subject to CJEU case law or more recent EU legislation.

Some further thoughts…

It’s fair to say that Meta is having a particularly bad year under EU regulation.

In January, Meta was ordered to stop using its terms of service to justify targeting ads at Facebook and Instagram users.

Last month, the company received the largest GDPR fine of all time (€1.2 billion) for unlawfully transferring Facebook users’ personal data to its US parent company.

And in last week’s Privacy Corner Newsletter, we examined the dire implications of a CJEU antitrust ruling which could shut off even more of Meta’s European revenue streams.

So it might not be surprising that Meta seems to be taking a cautious approach to the EU launch of its new app, Threads.

Threads has many similarities to Twitter, including relatively short posts (500 characters compared to Twitter’s 280) and “retweet” and “quote tweet”-style functionality—but it lacks the option to view a chronological feed populated exclusively by accounts the user follows.

Despite this small difference, it’s fair to conclude that Meta CEO Mark Zuckerberg hopes to eat Twitter’s (already somewhat stale) lunch. Twitter’s lawyers wrote to Meta last week, accusing the company of stealing Twitter’s commercial secrets.

But along with the aforementioned series of unfavorable legal and regulatory decisions, the EU’s Digital Markets Act (DMA) is likely a bigger concern for Meta than Elon Musk’s legal posturing.

While Meta has not set out clear reasons for delaying Threads’ EU launch, the app’s emphasis on personalized feeds and its close ties to Instagram might not fully comply with the DMA’s rules on algorithmic transparency and combining user data from across different platforms.

But across the English Channel, UK users can sign up to Threads already—assuming they are not deterred by the app’s allegedly excessive data collection practices.

In the spring, Meta informed UK Facebook and Instagram users that their services would be provided by Meta’s US parent company, Meta Platforms, Inc., rather than its European arm, Meta Platforms Ireland.

The UK has no CJEU to repeatedly rule against Meta, no EDPB to push for harsher interpretations of the GDPR, no new laws like the DMA, and a relatively tame data protection regulator.

As such, it’s not hard to see why Meta feels more comfortable releasing data-hungry new products into the UK market.

What We’re Reading

Here are some recommendations for the best privacy-related reading published this week.

