The Uncrumbling
"The Uncrumbling" / Alex Krylov via MS Creator


Lucid folks,

One day, the week of July 22, 2024 may be called the Great Dropping Out. Yes, for presidential reasons here in the States, but also for the nary-stunner from Google.

In this issue:

  • Here we go again on the cookie roundabout.
  • Was the CrowdStrike-fueled meltdown also the largest personal data breach?
  • The US Postal Service has pixel troubles too

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!


Third-Party Cookies Live to Crumble Another Way

Five years, hundreds of engineering hours and millions of dollars for naught? Perhaps not in the long run, but Google’s decision to not nix third-party cookies (3PCs) in Chrome offers new uncertainties.

New path, same pathfinder: There is a lot to unpack in the “new path for Privacy Sandbox on the web”, but the most immediate question here is: What exactly does Google mean by “informed choice”?

  • Anthony Chavez, VP, Privacy Sandbox: “We are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.”

Hello ‘GTT’? True to Google fashion the details are TBD, but we share others’ premonitions of an opt-in-to-opt-out framework like Apple’s App Tracking Transparency (ATT).

  • As Lucid’s Ben Isaacson discusses in his 2021 blog, ATT offered users a binary and context-free privacy experience that swung too far away from the “level of control that most website visitors may never utilize” when interacting with modern Consent Management Platforms (i.e. cookie banners).
  • In his blog, mobile ad industry analyst Eric Seufert calls Apple’s ATT consent prompt a “foreboding and intimidating” experience, and the UK Competition and Markets Authority (CMA) agrees it “may not maximise user comprehension and thus limit the extent to which ATT empowers users to make effective choices about their data.”

Selfless self-interest: While it is possible, likely even, that a ‘GTT’ alongside Privacy Sandbox will offer an opt-in choice, it doesn’t seem likely for Google to make the same architectural choices as Apple. It just wouldn’t be in Google’s economic interest.

  • Google has Consent Mode, its mechanism for passing a visitor’s consent status to Google tags, and supports certified third-party CMPs, which must support IAB Europe’s granular Transparency and Consent Framework (TCF). (Google also supports IAB’s Global Privacy Platform and US opt-out signals.) Their new choice prompt could align to TCF.
  • The Privacy Sandbox brought new advertising-privacy settings to Chrome. Google’s “updated approach” could see those and other privacy controls reorganized and brought closer to the surface (hello, newly pro-ad Firefox).
  • Yet a new competition issue is brewing here too. Even if the CMA and ICO are fine with the Sandbox’s current prompting (probably not), third-party CMPs will object to being disintermediated in the process.

Zooming out: Whatever Google does next, they are aiming to keep their Q2Y2025 timetable. And while much remains to be seen, two things are clear: (1) the Sandbox will now have to compete with 3PCs, alternative IDs, etc. on its own merits, and (2) the UK CMA and ICO, as well as the adtech industry, will have a chance to weigh in. Whether Chrome will remain the last bastion of 3PCs for the long haul is yet to be seen, but none of this should foreclose on innovation in privacy-protective advertising.

-AK


Which Breach? Global IT Outage Splits Privacy Community

As a large swathe of the online globe endured the CrowdStrike/Microsoft incident last week, the hot topic in the privacy community was whether the event represented a personal data breach under the GDPR.

Jon Baines posted a LinkedIn poll asking: “If a controller temporarily can’t access personal data on its systems …..is it a personal data breach?”

Surprisingly, the poll returned an exact 50/50 split of opinion, sparking an important debate within the privacy community.

What happened: Many Windows machines supporting the world’s critical infrastructure experienced the dreaded Blue Screen of Death (BSOD).

  • The cause? A faulty content update from CrowdStrike. Its Falcon sensor runs as a kernel-mode driver, so when the driver choked on the bad update the crash took down Windows itself rather than a single process.
  • The result? Something like a self-inflicted ransomware attack, making systems -- and the [personal] data processing activities that depend on them -- unavailable until each machine was remediated.

If you’d like deeper insight into why this happened, check out this breakdown by David Plummer, a former Microsoft developer.

Why it matters: Y2K24: it melted everything from productivity apps to air travel to emergency rooms. Disruptions ranged from temporary to still being remediated, from inconvenient to life-affecting.

The legal background: Article 4(12) GDPR defines a "personal data breach" (PDB) as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

  • The UK ICO and the European Data Protection Board (EDPB), among other authorities, have interpreted a PDB-level "loss" to potentially include temporary loss of availability, because it can significantly impact data subjects.
  • The CrowdStrike incident certainly disrupted people’s lives.

What they said: The debate can be viewed as between the Purists -- those who, on the letter of the GDPR, view temporary unavailability as a security breach only -- and the Expansionists -- those who, like the EDPB and DPAs, view the incident as a personal data breach too.

The Purists -

  • Peter Craddock : “Some seem to suggest that "unavailability of IT system = security incident = personal data breach". While #dataprotection authorities regularly suggest unavailability is a breach, the main EU law on data protection, the #GDPR, doesn't say so… For that to be the case, a breach of security would normally have to lead to... something other than unavailability.”
  • Alexander Hanff : “...we need to look at the growing body of case law here from the CJEU as well…There are many types of breaches in the GDPR and 'personal data breach' has a very specific definition - which doesn't match what happened today with CrowdStrike.”
  • Jon Baines : “EDPB want it to mean [it is a personal data breach], but they can't change by guidance what's plain on its face... I would say that from an English law perspective, an argument that temporary unavailability equates to [personal data] “loss” would fail to persuade any judge.”

The Expansionists -

  • Teresa Lopez Carro : “Art. 4(12) is concerned about nouns (for the types of breaches - destruction, loss..-) and adjectives (for the intentions -accidental/unlawful - behind the breach but not for the types of breaches). Therefore I could very well follow the argument that a "temporary" loss (adjective) is covered by the noun "loss" art. 14(2) ... why would the EDPB say temporary unavailability needs to be documented according to 32(5) if there is no chance it could be a personal data breach?”
  • Phillip Giede Bøving: “At what point do you believe that the data controller has to accept that something is truly lost - and for how long will you accept that the data controller claims it is simply unavailability, because they have a hope to rectify the issue? If we cannot provide a clear distinction, then it does not seem like a true distinction - only wishful thinking.”
  • Robin Nariman : “A loss does not have to be definitive. Even temporary loss of personal data can have profound impact on the protection of natural persons fundamental rights and freedoms and lead to damages.”

Zooming out: While the letter of the GDPR seems to favor the Purists, given the regulators’ inclinations and the breadth of disruption caused, affected organizations might still choose to treat the loss of availability (and arduous restoration) as a regulator-notifiable incident. Whether they do so under the EU’s cybersecurity Directive (NIS2) or the GDPR is up to counsel, but either way some regulatory goodwill may be in order.

PS: Here are updated takeaways from Peter (thank you).

PPS: In case you missed it, Microsoft blamed the European Commission, which also regulates competition at the EU level, for preventing MSFT from… preventing CrowdStrike’s mistake.

-RW, AK


Other Happenings

  1. UK GDPR Reforms Back on Track? The new Labour government in the UK unveiled its immediate legislative agenda in last week's King’s Speech. Although a lot of detail is missing, we were told that the plans reflect “a comprehensive approach to modernizing the UK's data protection framework, enhancing cyber resilience, and addressing AI development”. Key privacy and data protection developments will include the introduction of a Digital Information and Smart Data (DISD) Bill, which inherits elements from the defunct Tory Data Protection and Digital Information (DPDI) Bill, and the Cyber Security and Resilience (CSR) Bill. Watch this space.
  2. Privacy After All: Oracle Settles $115M Case After Shuttering Data Biz. Oracle has agreed to settle claims of unauthorized data collection and sales. This follows Oracle's decision to shut down its adtech business, now reduced from $2 billion to $300 million. Notably, Oracle agreed to delete customer data once its contractual obligations have been met, preventing any final data sales to cover the settlement. Accused of privacy violations under ECPA and CIPA, Oracle struggled to innovate, losing relevance as competitors adapted to privacy regulations. Despite hopes that Oracle would challenge these weak legal claims for precedential value, Lucid’s Ben Isaacson thinks the cost-benefit analysis just wasn't there.
  3. USPS Probes Postal Pixel Privacy Problems. The U.S. Postal Service (USPS) is in hot water after revelations that its website was inadvertently sharing customer addresses with Meta, LinkedIn, and Snap through tracking pixels. USPS’s privacy statements promise that it never provides personal information to outside parties; the pixels directly contradicted that promise. USPS says it was unaware of the issue and has ceased the practice, but questions remain about whether this was negligence, a configuration error, or a failure to vet third-party advertising tools before deploying them in the first place.
  4. Dutch Drugstore Website Fined for Consent Shortfall. Whilst this week's focus might be on Google's 3PC plans, here is a reminder that regulators remain vigilant about individual organizations' transparency and data use. Despite having a cookie banner and a privacy statement, Kruidvat.nl’s consent implementation was flawed: third-party tracking cookies were still placed before and after consent. As a drugstore site, much of kruidvat.nl’s user data could be classified as sensitive, since customers search for health issues.

-RGE, RW


Lucid Resources

Ian McPherson

Data Privacy and Governance nerd. | Data Quality and Observability enterprise sales leader.

4 months ago

"Third-Party Cookies Live to Crumble Another Way" is a beautiful headline. Kudos to the author for that one!
