Meta Threads Launch Delayed, US-EU Data Adequacy Decision, Massachusetts Location Data Ban and more
By Robert Bateman and Privado.ai
This week’s Privacy Corner Newsletter covers:
Third Time’s a Charm? EU Adopts US Data ‘Adequacy Decision’
The European Commission has adopted a long-awaited “adequacy decision” that will make it (much) easier to transfer personal data from the European Economic Area (EEA) to the US.
Some further thoughts…
Since Edward Snowden revealed the full extent of the US National Security Agency (NSA)’s surveillance activities in 2013, transatlantic data transfers have provided countless hours of complex work for privacy professionals, NGOs, and tech firms’ legal teams.
After three years in limbo, the European Commission adopted a new US “adequacy decision” on Monday.
The decision means that US businesses will once again have a workable solution for importing personal data from the EEA—and European companies will be able to send personal data to the US without breaking the law.
The European Commission can bequeath an “adequacy decision” upon any jurisdiction whose data protection standards it deems “essentially equivalent” to those enjoyed in the EU.
The US lost its previous two adequacy decisions after the Court of Justice of the European Union (CJEU) found that the country offers no meaningful redress to individuals who believe their fundamental rights have been violated by the government (among other issues).
The Biden administration addressed these concerns via an executive order that reins in intelligence services and establishes a new Data Protection Review Court (DPRC).
On top of this reformed legal regime, the EU-US Data Privacy Framework (EU-US DPF) will require participating US businesses to adhere to data protection standards roughly similar to those imposed on EEA-based organizations under the GDPR.
But the development should make things easier even for EEA businesses relying on another transfer mechanism known as “standard contractual clauses” (SCCs).
According to the Commission, it is no longer necessary to assess whether SCCs are an appropriate way to facilitate a data transfer to the US, as has been necessary since July 2020.
SCCs are now good enough by default because the new-and-improved US legal environment is “essentially equivalent” to that of the EU.
That’s the Commission’s view, at least.
Privacy campaigner Max Schrems thinks otherwise. His legal challenges killed off both of the EU-US DPF’s predecessors—and he’s preparing for round three at the CJEU.
Schrems says the new scheme fails to solve America’s underlying privacy problems. Many others, including the European Parliament and, to a lesser extent, the European Data Protection Board (EDPB), agree.
But for now, at least, data transfers should take up considerably less time for privacy professionals on both sides of the North Atlantic.
And for UK and Swiss readers: US businesses can certify with the “extension” program for each country from July 17—but we’ll have to wait for those countries’ governments to recognize US adequacy before their businesses can take advantage of the framework.
Massachusetts Considering Total Ban on Location Data
A privacy bill in Massachusetts would impose a blanket ban on the sale of location data collected from mobile phones.
Some further thoughts…
It’s hard to overstate how much the US privacy landscape has changed since California passed the country’s first comprehensive state privacy law in 2018.
The Privacy Corner Newsletter has reeled off these stats before, but they bear repeating:
Over 20% of states now have comprehensive privacy laws—with six such laws having been passed this session—and several further states have powerful new sector or data-specific privacy laws.
There has never been a busier time for privacy professionals working with US companies.
Some of these laws are fairly strict and unexpectedly broad (see Washington’s My Health My Data Act). Some are relatively “business friendly” (the Utah Consumer Privacy Act). Some, frankly, are ambiguous and possibly counterproductive (e.g. Florida’s Digital Bill of Rights).
Massachusetts’ active bills, known collectively as the Location Shield Act, are narrowly focused on one type of data that has major privacy implications: location data collected from people’s phones.
Many other states, sometimes motivated by last year’s Supreme Court ruling on abortion, have included precise GPS location information as a category of “sensitive data”. But even under these laws, businesses can still sell location data—often without consent.
Many people could see a total prohibition on the sale of location data as a sensible move. The American Civil Liberties Union (ACLU) of Massachusetts certainly thinks so—and 92% of the state’s residents reportedly agree.
Meta Delays Threads App Rollout in the EU, But Not the UK…
Meta has delayed the EU launch of its new app, Threads—reportedly due to concerns over compliance with the EU GDPR and the Digital Markets Act (DMA).
Some further thoughts…
It’s fair to say that Meta is having a particularly bad year under EU regulation.
In January, Meta was ordered to stop using its terms of service to justify targeting ads at Facebook and Instagram users.
Last month, the company received the largest GDPR fine of all time (€1.2 billion) for unlawfully transferring Facebook users’ personal data to its US parent company.
And in last week’s Privacy Corner Newsletter, we examined the dire implications of a CJEU antitrust ruling which could shut off even more of Meta’s European revenue streams.
So it might not be surprising that Meta seems to be taking a cautious approach to the EU launch of its new app, Threads.
Threads has many similarities to Twitter, including relatively short posts (500 characters compared to Twitter’s 280) and “retweet” and “quote tweet”-style functionality—but it lacks the option to view a chronological feed populated exclusively by accounts the user follows.
Despite this small difference, it’s fair to conclude that Meta CEO Mark Zuckerberg hopes to eat Twitter’s (already somewhat stale) lunch. Twitter’s lawyers wrote to Meta last week, accusing the company of stealing Twitter’s commercial secrets.
But along with the aforementioned series of unfavorable legal and regulatory decisions, the EU’s Digital Markets Act (DMA) is likely a bigger concern for Meta than Elon Musk’s legal posturing.
While Meta has not set out clear reasons for delaying Threads’ EU launch, the app’s emphasis on personalized feeds and its close ties to Instagram might not fully comply with the DMA’s rules on algorithmic transparency and combining user data from across different platforms.
But across the English Channel, UK users can sign up to Threads already—assuming they are not deterred by the app’s allegedly excessive data collection practices.
In the spring, Meta informed UK Facebook and Instagram users that their services would be provided by Meta’s US parent company, Meta Platforms, Inc., rather than its European arm, Meta Platforms Ireland.
The UK has no CJEU to repeatedly rule against Meta, no EDPB to push for harsher interpretations of the GDPR, no new laws like the DMA, and a relatively tame data protection regulator.
As such, it’s not hard to see why Meta feels more comfortable releasing data-hungry new products into the UK market.
What We’re Reading
Here are some recommendations for the best privacy-related reading published this week.