EU Judgments, Meta's Proposed Ban, Clearview AI Fine, Kochava Case

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter covers:

  • Three fresh GDPR judgments from the EU’s top court.
  • The FTC’s proposed order to stop Meta from profiting from children’s data.
  • France’s second multi-million fine against Clearview AI.
  • Kochava’s partial victory against the FTC’s privacy case.

---


EU’s Top Court Delivers Bounty of Data Protection Judgments

The Court of Justice of the European Union (CJEU) decided three GDPR-related cases in one day last week.

Here’s a key takeaway from each case, with links to each judgment:

  • Case C-487/21: If someone makes a valid request for a copy of their personal data under the right of access, you must provide an actual copy of the data. A summary of the data won’t suffice.
  • Case C-300/21: People can’t sue you for just any GDPR violation. There has to be “damage.” But the GDPR doesn’t require a minimum amount of non-material damage to have occurred.
  • Case C-60/22: People have the right to have personal data erased if it’s processed unlawfully. But this right doesn’t arise just because a controller has failed to comply with accountability requirements under Article 26 (joint controllers) or Article 30 (records of processing activities).

Some further thoughts…

These decisions help reinforce some GDPR fundamentals, but none is particularly surprising.

But the EU delivered some more interesting insights in previous weeks that are well worth checking out.

  • Case T-557/20: This April 26 judgment from the EU’s General Court suggests that when personal data is shared and has been pseudonymized by the sender, the data might be considered anonymous if the recipient (not the sender) cannot reidentify the data subject.
  • Advocate General Opinion on Case C-807/21: This non-binding opinion from April 27 states that the GDPR is not a “strict liability” law. Penalties for non-compliance require some degree of negligence or malice.

These decisions are less authoritative than the CJEU judgments above, but they’re still important—and worth reading in full.

FTC Threatens to Ban Meta From Monetizing Kids’ Data

The US Federal Trade Commission (FTC) has proposed an order to ban Meta from monetizing data about users under 18, among other measures.

  • The FTC claims Meta breached the Children’s Online Privacy Protection Act (COPPA) and a 2020 FTC privacy order by allegedly:
      • Misleading parents about who children could communicate with via Messenger Kids.
      • Misrepresenting how developers could access private data following the Cambridge Analytica scandal.
  • On top of preventing Meta from profiting from kids’ data, the FTC’s order proposes several other sanctions, including:
      • A pause on the launch of new products.
      • Strengthened privacy program requirements.
      • Limits on how Meta uses facial recognition.

Some further thoughts…

As anyone interested in the US privacy scene will know, the FTC is very active right now, and the regulator is laser-focused on two particular issues: health privacy and kids’ privacy.

This order is the start of a process that could end in some serious sanctions for Meta—a company that is far more concerned about regulators closing off revenue streams than issuing large fines.

Unsurprisingly, Meta disputes the FTC’s claims—but the company’s denials seem even more belligerent than usual, with Communications Director Andy Stone calling the order a “political stunt” and an “abuse of authority”.

While other recent FTC enforcement activity against health apps GoodRX and BetterHelp ended in settlements, Meta won’t go down without a fight.

France Hits Clearview AI With Another Multi-Million Euro Fine

The French data protection authority (known as the “CNIL”) has fined NY-based facial recognition firm Clearview AI €5.2 million ($5.7 million).

  • Clearview’s business model involves scraping facial images from the web, creating biometric information about individuals, and charging for access to its biometric database.
  • This is the second CNIL fine against Clearview, which has allegedly failed to meet the requirements imposed by the French regulator back in October 2022.
  • In that earlier decision, the CNIL ordered Clearview to pay a fine of €20 million ($22 million), stop collecting data about people in France, and delete the data it had already collected.

Some further thoughts…

Clearview has been fighting legal battles on all sides since 2020, including regulatory action in Australia, Austria, Canada, Germany, Greece, Italy, Sweden, and the UK—plus court cases in Illinois, New York, and Vermont.

Perhaps the most effective challenge to Clearview was an Illinois lawsuit by the American Civil Liberties Union (ACLU), following which Clearview agreed to significantly limit its activities in a May 2022 settlement.

While several European data protection authorities have imposed substantial fines against Clearview, the company maintains that it is not subject to European law.

Clearview is currently appealing a fine from the UK regulator issued last June. The case will test the UK courts’ interpretation of how the GDPR applies to foreign companies.

FTC Suffers Partial Defeat in Kochava Case

A US federal judge in Idaho has dismissed an FTC lawsuit against data broker Kochava—but is allowing the regulator to amend its case and try again.

  • The FTC brought a civil action against Kochava last October, accusing the company of violating the FTC Act.
  • Kochava was accused of selling sensitive location data and exposing people to risks of “stigma, stalking, discrimination, job loss, and even physical violence”.
  • The judge found that the FTC should have made a stronger case about the harm caused by Kochava’s activities.
  • But the judge also dismissed a parallel suit against the FTC by Kochava and allowed the regulator to amend its complaint within 30 days.

Some further thoughts…

The FTC’s Kochava case was an early example of the regulator’s reinvigoration following the appointment of Lina Khan as chair in June 2021.

Last July, the FTC accused Kochava of violating the FTC Act by selling data about people’s visits to sensitive locations such as abortion clinics, homeless shelters, and places of worship.

The regulator told Kochava it would seek a court order to stop the company from selling sensitive location data.

But shortly before the FTC filed its case, Kochava lodged a somewhat dubious preemptive suit against the FTC, arguing that the regulator lacked the authority to bring its complaint. This claim was dismissed.

In a separate judgment, the court said the FTC had not done enough to demonstrate its allegations about consumer harms and was relying on “speculative hypotheticals about how unidentified third parties could potentially misuse Kochava’s data.”

The amended case will be a test of the FTC’s approach to privacy regulation—and will need to show a clear link between Kochava’s activities and the injuries they allegedly cause to individuals.
