https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
373 Comments
Tomi Engdahl says:
Daphne Leprince-Ringuet / ZDNet:
EU member states approve unimpeded data flows between EU and UK, deciding UK’s regulations are as good as GDPR, avoiding complex legal paperwork for businesses
A major international data flow problem just got resolved. But another row is already brewing
https://www.zdnet.com/article/a-major-international-data-flow-problem-just-got-resolved-but-another-row-is-already-brewing/
The EU has just green-lighted the free flow of personal data with the UK. But if the country now changes its data laws, it could bring an end to the agreement.
Tomi Engdahl says:
Clothilde Goujard / Politico:
EU’s new law will let tech companies scan their platforms for child sexual abuse material for the next three years without fear of violating EU’s privacy laws — The European Parliament on Tuesday approved a controversial law that would allow digital companies to detect and report child sexual abuse …
EU Parliament lets companies look for child abuse on their platforms, with reservations
Privacy-conscious lawmakers say the rules are ‘legally flawed’ and endanger privacy.
https://www.politico.eu/article/european-parliament-platforms-child-sexual-abuse-reporting-law/
Tomi Engdahl says:
https://m.facebook.com/story.php?story_fbid=10158532445378590&id=152072273589
Traficom julkaisee loppukesästä uuden evästeohjeistuksen. Luonnos on nyt kommentoitavana 9.8.2021 saakka. Blogissa analyysia luonnoksen yksityiskohdista.
Lyhyesti: ehdotettu malli on erittäin tiukka malli, jossa käytännössä 99% Suomen sivustoista joutuisi kysymään lupaa evästeisiin.
On vaikea kannattaa mallia, joka on noin tiukka, koska tämän jälkeen viimeistään käyttäjät lakkaavat välittämästä heitä kiusaavista kyselyistä. Fiksumpaa olisi, jos ainakin analytiikka sallittaisiin välttämättömyytenä, jolloin ainakin julkishallinto voisi suurimmaksi osin olla kyselemättä lupia evästeisiin.
Ehdotus on silti paljon enemmän oikein kuin väärin, jos vertaa aiempaan tilaan. Ehdotus tuleekin muuttamaan Suomen evästebannerit aivan totaalisesti, jos toteutuu nykymuodossaan (olettaen, että valvontaakin on).
Nykymuotoinen ehdotus iskee esimerkiksi mediataloihin ja verkkokauppoihin erittäin kovaa, koska jatkossa käyttäjille on tarjottava yhtä helppo valinta hyväksyä vain välttämättömät kuin hyväksyä kaikki.
Tulee olemaan mielenkiintoista myös seurata, että kiinnostaako mediataloja ja verkkokauppoja muuttaa omia evästebannereitaan uuden tiukan ohjeistuksen mukaisiksi!
Kuuma evästekesä 2021 on selvästi käynnissä! Kannattaa kommentoida!
Traficom pyytää kommentteja uuden evästeohjeistuksen luonnoksesta
https://vierityspalkki.fi/2021/07/27/traficom-pyytaa-kommentteja-uuden-evasteohjeistuksen-luonnoksesta/?fbclid=IwAR1dFOblTnwfx0dchHn4vZUl1LM68v4rjJLgouMtJSVFXj6SvouS76IEy0A
Tomi Engdahl says:
EU hits Amazon with record-breaking $887M GDPR fine over data misuse
https://techcrunch.com/2021/07/30/eu-hits-amazon-with-record-breaking-887m-gdpr-fine-over-data-misuse/?tpcc=ECFB2021
Luxembourg’s National Commission for Data Protection (CNPD) has hit Amazon with a record-breaking €746 million ($887 million) GDPR fine over the way it uses customer data for targeted advertising purposes.
The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that claims to represent the interests of thousands of Europeans to ensure their data isn’t used by Big Tech companies to manipulate their behavior for political or commercial purposes. The complaint, which also targets Apple, Facebook Google and LinkedIn and was filed on behalf of more than 10,000 customers, alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.
La Quadrature du Net welcomed the fine issued by the CNPD, which “comes after three years of silence that made us fear the worst.”
“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” the group added in a blog post published on Friday.
https://www.laquadrature.net/2021/07/30/amende-de-746-millions-deuros-contre-amazon-suite-a-nos-plaintes-collectives/
Tomi Engdahl says:
When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
Tomi Engdahl says:
Amazon fined $887 million over EU privacy violations https://therecord.media/amazon-fined-887-million-over-eu-privacy-violations/
Luxembourgs data privacy regulator hit tech giant Amazon with a 746 million fine ($887 million) over claims that the companys processing of personal data did not comply with the European Unions General Data Protection Regulation. It is by far the largest-ever fine issued under the GDPR.. An Amazon spokesperson said the decision is without merit and plans to appeal
Tomi Engdahl says:
https://www.edita.fi/ajankohtaista/5-ajankohtaista-kysymysta-tietosuojasta/
Tomi Engdahl says:
https://www.rantalainen.fi/julkaisut/blogit-fi/henkilostotietojen-hallintaan-liittyy-riskeja-oletko-kartalla/?utm_source=facebook&utm_medium=targeted&utm_campaign=webinaarit&utm_content=HR-webinaari&hsa_acc=533269240711694&hsa_cam=23845508261830510&hsa_grp=23847593720390510&hsa_ad=23847593720490510&hsa_src=fb&hsa_net=facebook&hsa_ver=3&fbclid=IwAR0ZfbErdyRkjL083Hfelomh41MQ3Nufzd5pSz8F3bMjE4RHTSufudcbfUI
Tomi Engdahl says:
Madhumita Murgia / Financial Times:
UK ICO’s Age Appropriate Design Code, aimed at protecting data and limiting ads for kids, comes into effect next Thursday, with large fines for non-compliance
UK targets social media and gaming with new Children’s Code
Legislation aims to stop companies targeting children with ads and nudging them to stay online
https://www.ft.com/content/705e0468-bfcf-4f5d-b777-c25785d950cb
The UK will target social media companies, video streaming and gaming platforms as a sweeping set of new regulations to protect children’s data online comes into force on Thursday next week.
The rules proposed by the UK regulator, the Information Commissioner’s Office, seek to limit companies from tracking the location of children, personalising content or advertising for them, and serving up behavioural nudges, such as automatically playing videos.
“We have identified that currently, some of the biggest risks come from social-media platforms, video and music streaming sites and video gaming platforms,” said Stephen Bonner, the ICO’s executive director of regulatory futures. “This may include inappropriate adverts; unsolicited messages and friend requests; and privacy-eroding nudges urging children to stay online.”
Tomi Engdahl says:
Alex Hern / The Guardian:
UK government says it will move away from EU’s GDPR after Brexit, including possibly ending cookie consent popups, and names John Edwards as preferred ICO head
UK to overhaul privacy rules in post-Brexit departure from GDPR
https://www.theguardian.com/technology/2021/aug/26/uk-to-overhaul-privacy-rules-in-post-brexit-departure-from-gdpr
Culture secretary says move could lead to an end to irritating cookie popups and consent requests online
Tomi Engdahl says:
Viranomainen antaa evästeiden käytölle uudet ohjeet tarkoitettu suositusluonteiseksi dokumentiksi
https://www.tivi.fi/uutiset/tv/257a12d0-e6f1-45e8-8ed6-02a726639afa
Liikenne- ja viestintävirasto Traficom on valmistellut palveluntarjoajille ja loppukäyttäjille tarkoitettuja ohjeistuksia yhteistyössä tietosuojavaltuutetun toimiston kanssa. Hankkiakseen lisäviisautta se pyysi kesän mittaan julkisia kommentteja valmisteilla oleviin ohjeisiin. Ohjeistuksen piti alun alkaen valmistua kesän aikana, mutta vielä ei ole aivan valmista. Kommenttien alkuperäinen määräaika oli elokuun 9. päivä. Osa toimijoista pyysi kesälomien takia lisäaikaa lausunnon toimittamiseen.
Tomi Engdahl says:
Sam Schechner / Wall Street Journal:
Ireland’s Data Protection Commission, on behalf of the EU, fines WhatsApp €225M for privacy violations, the second-largest fine under GDPR; WhatsApp will appeal — Regulators say chat-service unit failed to disclose fully how it collected and shared data about its users
Facebook’s WhatsApp Fined Around $270 Million for EU Privacy Violations
https://www.wsj.com/articles/facebooks-whatsapp-fined-around-270-million-for-eu-privacy-violations-11630576800?mod=djemalertNEWS
Regulators say chat-service unit failed to disclose fully how it collected and shared data about its users
Tomi Engdahl says:
Käytätkö pilvipalveluja USA:sta – lue miksi viranomainen on sinusta nyt kiinnostunut
https://www.opsec.fi/fi/2021/08/25/kaytatko-pilvipalveluja-usasta-lue-miksi-viranomainen-on-sinusta-nyt-kiinnostunut/
EU:n yleisen tietosuoja-asetuksen (GDPR) mukaan henkilötietoja ei saa “siirtää” ETA-maiden ulkopuolelle tai kansainvälisille järjestöille, ellei henkilötiedoille voida taata yhtä hyvää suojaa, kuin mitä ne saavat EU:ssa.
Aihe tuli erityisen ajankohtaiseksi kesällä 2020, kun EU:n tuomioistuin kumosi EU:n ja Yhdysvaltojen välisen Privacy Shield -sopimuksen, jonka avulla yritykset saivat aikaisemmin siirtää henkilötietoja Yhdysvaltoihin. Nyt järjestely on kumottu ja Euroopan tietosuojaneuvosto on julkaissut uudet ohjeet, miten muuttuneessa tilanteessa on jatkossa toimittava.
Henkilötietojen “siirtämistä” ovat kaikki tilanteet, joissa henkilötietoja tallennetaan tai niitä voidaan tarkastella ETA-maiden ulkopuolelta. Siirtoja koskevat säännöt vaikuttavat käytännössä kaikkiin suomalaisiin yrityksiin: jos yritys käyttää mitään ostettuja ohjelmistoja, on todennäköistä, että yritys tekee siirtoja ETA-maiden ulkopuolelle. Jos henkilötietoja siirretään ETA-maiden ulkopuolelle ilman tietosuojaneuvoston ohjeiden noudattamista, voi tietosuojaviranomainen määrätä tästä hallinnollisen sakon tai määrätä siirron keskeytettäväksi ja kieltää yrityksen liiketoiminnalle kriittisen ohjelmiston käyttämisen. Nyt tietosuojavaltuutettu on ilmoittanut aloittavansa näiden sääntöjen tehokkaan valvonnan. Tämä tarkoittaa sitä, että yritysten tulisi viimeistään nyt tunnistaa omat siirtonsa ETA-maiden ulkopuolelle ja varmistaa niiden lainmukaisuus.
Mitä yrityksen pitää käytännössä tehdä?
Yrityksen täytyy seurata Euroopan tietosuojaneuvoston kansainvälisiä siirtoja koskevia ohjeita. Ohjeissa esitellään step-by-step -vaiheet, joiden avulla yritys voi määrittää, onko siirto ETA-maiden ulkopuolelle riittävän turvallinen ja sitä kautta lainmukainen. Vaiheiden läpikäynti on monimutkainen harjoitus, mutta tukea löytyy – esimerkiksi tietosuojavaltuutettu on julkaissut ohjeistusta ja aina voi kääntyä myös asiantuntijan puoleen.
Tomi Engdahl says:
https://scemosystems.fi/gdpr-tools
Tomi Engdahl says:
https://law.stackexchange.com/questions/28776/is-the-gdpr-applicable-to-data-stored-in-human-memory
The GDPR only applies to “processing” of personal data. What happens inside the human mind is not “processing” as defined by the GDPR – so there is no right to access and no right to erasure, etc.
Tomi Engdahl says:
Has Facebook Sidestepped GDPR’s User Consent Requirements?
https://www.securityweek.com/has-facebook-sidestepped-gdprs-user-consent-requirements
The Irish data protection commissioner (DPC) has produced a draft decision stating Facebook need not rely on user consent to process EU user data. Consent is a cornerstone of GDPR, but Facebook has effectively sidestepped the need for GDPR-relevant user consent.
This is achieved by simply adding data processing specifications into its general terms and conditions and effectively changing acceptance into a contract. The argument is that since there is now a contract between Facebook and the user, the usual understanding of consent is neither required from, nor can be revoked by, the user.
At the very moment that GDPR came into force at midnight on May 25, 2018, Facebook changed its terms and conditions statement into a ‘Terms of Service’ statement. By continuing to use Facebook, the user agreed to those terms as a contract. Included within the Terms is the statement:
For all people who have legal capacity to enter into an enforceable contract, we process data as necessary to perform our contracts with you (the Facebook Terms and Instagram Terms, together, ‘the Terms’). We describe the contractual services for which this data processing is necessary in the “Our Services” section of the Terms, and in the additional informational resources accessible from the Terms. The core data uses necessary to provide our contractual services are…”
Then follows a bullet-point list of what the contract allows, including, “To transfer, transmit, store, or process your data outside the EEA, including to within the United States and other countries.”
In short, the Irish data protection authority is confirming that Facebook is bound by neither GDPR’s definition of user consent, nor ‒ potentially ‒ the European Court’s Schrems II ruling. Schrems II effectively makes the transfer of European PII to the U.S. illegal under the Privacy Shield, and also raises questions on the validity of standard contractual clauses.
Schrems II is named after Max Schrems, an Austrian-born privacy activist in the EU, and founder of NOYB (none of your business). It was his activity that led the European Court to declare the earlier Safe Harbor agreement (allowing personal data transfer between the EU and U.S.) to be unconstitutional and therefore null and void. The Safe Harbor agreement was replaced by a new agreement called Privacy Shield – but Schrems again challenged this as not safeguarding the requirements of GDPR. The European Court agreed, and its consequent ruling, known as Schrems II, rules against the validity of Privacy Shield.
The new draft decision from the Irish DPC effectively means that Facebook can ignore the GDPR’s user consent requirements, while it weakens the Schrems II ruling. Schrems II is clear, but it is not yet enforced in the EU.
Facebook uses ‘standard contractual clauses approved by the European Commission’ to legalize its data transfers. Schrems II says contractual clauses may be legal, but raises concerns ‒ and these clauses will be challenged in court. While the delay in enforcing Schrems II is partly down to the various national authorities waiting on the outcome of current court cases, there is little doubt that international politics is also at play.
If Facebook’s contract can bypass user consent requirements, there is an implication that it might also bypass data transfer requirements. The EU national governments need a way to allow data transfer between the EU and U.S., and government lawyers will be examining the DPC draft decision to see if this is, or is at least partly, something that could indicate a solution.
Tomi Engdahl says:
Surveillance firm pays $1 million fine after ‘spy van’ scandal
https://www.bleepingcomputer.com/news/security/surveillance-firm-pays-1-million-fine-after-spy-van-scandal/
The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca.
While this is just an administrative fine under the European Union’s General Data Protection Regulation (GDPR), it is related to a scandal two years ago widely publicized as the “spy van” case.
In 2019, a Chevrolet van packed with at least $3.5 million worth of equipment that could hack Android smartphones and steal data including WhatsApp and Signal messages, was stationed near the Larnaca airport.
Tomi Engdahl says:
WhatsApp-viestittely rikkoi gdpr:ää – suomalaisyritys sai huomautuksen
Antti Kailio8.12.202113:09|päivitetty8.12.202113:09PIKAVIESTIMETGDPRTIETOSUOJATIETOSUOJA-ASETUSDIGITALOUS
WhatsAppin käyttö on todennäköisesti johtanut asiakkaiden henkilötietojen siirtoon EU:n ulkopuolelle.
https://www.tivi.fi/uutiset/tv/79b9b028-c481-4f68-95a9-d24308b118aa?utm_medium=Social&utm_source=Facebook#Echobox=1638968234
Tomi Engdahl says:
https://www.innoclub.fi/b2b-markkinointi/gdpr-b2b-maailmassa/
Tomi Engdahl says:
https://techcrunch.com/2022/01/06/daily-crunch-frances-data-watchdog-bites-google-and-facebook-over-cookie-consent-violations/
Tomi Engdahl says:
European parliament found to have broken EU rules on data transfers and cookie consents
https://techcrunch.com/2022/01/10/edps-decision-european-parliament-covid-19-test-website/?tpcc=tcplusfacebook&guccounter=1&guce_referrer=aHR0cHM6Ly9sbS5mYWNlYm9vay5jb20v&guce_referrer_sig=AQAAAMotY38W2tl5EPWa80vdJQzRS9o0VFoyymtEx5oxRfXBoYbbrUaUM0GrmXkNV4SoXQtlgo40yLjn6vwQpcg8Tm_Vn4Ff87QYhVyu5ghl-7IeaRgyqtU3HMpjBSmryyL-WN-whXr8Sv7mSBtAob88KSUpRjrwnakXkH_pZ3dD-ZZF
The European Union’s chief data protection supervisor has sanctioned the European Parliament for a series of breaches of the bloc’s data protection rules.
The decision sounds a loud warning to sites and services in the region about the need for due diligence of personal data flows and transfers — including proper scrutiny of any third-party providers, plug-ins or other bits of embedded code — to avoid the risk of costly legal sanction. Although the parliament has avoided a financial penalty this time.
The European Data Protection Supervisor’s (EDPS) intervention relates to a COVID-19 test booking website which the European Parliament launched in September 2020 — using a third-party provider, called Ecolog.
Tomi Engdahl says:
https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/
Tomi Engdahl says:
Austrian Regulator Says Google Analytics Contravenes GDPR
https://www.securityweek.com/austrian-regulator-says-google-analytics-contravenes-gdpr
A new ruling from the Austrian Data Protection Authority (DPA) traps EU/U.S. data transfers between a rock and hard place. The rock is GDPR. The hard place is FISA. And the two are fundamentally incompatible.
The purpose of GDPR is to protect the personal information of European citizens and residents. The purpose of FISA Section 702 (supported by EO 12333) is to ensure that U.S. intelligence agencies can collect data on foreign citizens for national security and cybersecurity purposes. GDPR is a consequence of the latter – a response to Edward Snowden’s revelations on the NSA’s global surveillance programs. Neither side will easily abandon its current position.
The Schrems II ruling in 2020 annulled the Privacy Shield agreement between the US government and the EC. This had been used to ‘legalize’ data transfers between the two trade blocs. The primary reason for the annulment was FISA 702, a statute that authorizes the collection of communications content stored by U.S. service providers such as Google, Facebook and Microsoft. U.S. telecom providers can be compelled to assist.
The Schrems II ruling effectively declares that so long as FISA 702 exists, EU personal data cannot be sent to the U.S. It does not rule out the use of standard contractual clauses to protect and legalize transfers, but insists that those clauses must solve the 702 issue. This is not possible.
Facebook has been relying on a version of SCCs for its data transfers, and has had some support from the Irish Data Processing Controller (DPC) – but it is thought the Irish ruling will not survive complaints from other European regulators. The result of this is still awaited.
Tomi Engdahl says:
Stephanie Bodoni / Bloomberg:
The EU levied €1.1B in GDPR fines during 2021, up from €158.5M in 2020, led by the €746M fine on Amazon and €225M fine on WhatsApp
https://www.bloomberg.com/news/articles/2022-01-18/eu-s-tough-data-privacy-rules-rake-in-biggest-annual-fines
Tomi Engdahl says:
Joka päivä tehdään 356 ilmoitusta GDPR-rikkomuksista
https://etn.fi/index.php/13-news/13050-joka-paeivae-tehdaeaen-356-ilmoitusta-gdpr-rikkomuksista
Tietosuoja-asetus GDPR on ollut voimassa toukokuusta 2018 lähtien. Viimeisen vuoden aikana tietoturvaloukkauksia koskevia ilmoituksia tehtiin yli 130 000. Tämä tarkoittaa 356 ilmoitusta joka päivä.
Euroopan yleisen tietosuoja-asetuksen (EU General Data Protection Regulation, GDPR) rikkomuksista on langetettu yhteensä lähes 1,1 miljardin euron edestä sakkoja. Kansainvälisen asianajotoimiston DLA Piperin mukaan viimeisen aikana määrättiin tietosuojarikkomuksista sakkoja 7-kertainen määrä edelliseen vuoteen verrattuna.
28.1.2021 alkaneella vuoden seurantajaksolla suurimmat yksittäiset sakot määrättiin Luxemburgissa (746 MEUR), Irlannissa (225 MEUR) ja Ranskassa (50 MEUR). Luxemburgissa ja Irlannissa langetettiin edellisestä vuodesta poiketen ennätyssuuret sakot, jotka veivät maat tämän tilaston kärkeen.
Tomi Engdahl says:
Google Analytics declared illegal in the EU https://tutanota.com/blog/posts/google-analytics/
When the Privacy Shield legislation was invalidated in 2020, this had far-reaching consequences for US online services operating in Europe:
They were no longer allowed to transfer data of European citizens to the US as this would make data of European citizens vulnerable to American mass surveillance – a clear violation of the European GDPR.
However, the Silicon Valley tech industry largely ignored the ruling.
Tomi Engdahl says:
EU institutions bolster Europols mandate for data-crunching activities https://www.euractiv.com/section/data-protection/news/eu-institutions-bolster-europols-mandate-for-data-crunching-activities/
The recast mandate adopted on Tuesday (1 February) gives the law enforcement agency a legal basis for storing and processing vast amounts of personal data, practices already in place that were at the centre of an inquiry of the European Data Protection Supervisor (EDPS).
Europes most used consent system deemed incompatible with EU privacy rules https://www.euractiv.com/section/digital/news/europes-most-used-consent-system-deemed-incompatible-with-eu-privacy-rules/
The Belgian authority found that IAB Europe did not have a legal basis for processing personal data, and the legal grounds for sharing that data with vendors was inadequate. The DPA has made explicit what many observers have been saying for some time: that legitimate interests is not a valid legal basis for processing personal data obtained via non-essential cookies, Robert . Bateman, research director at the GRC World Forums, told EURACTIV.
Tomi Engdahl says:
GDPR penalty for passing on of IP address to Google by using Google Fonts
https://news.ycombinator.com/item?id=30135264
Tomi Engdahl says:
https://google-webfonts-helper.herokuapp.com/fonts/
Tomi Engdahl says:
Michiel Willems / City A.M.:
In its annual SEC report, Meta repeats its warning that it may be forced to shut down “significant” services in Europe if the EU adopts new data transfer rules — If Meta is not given the option to transfer, store and process data from its European users on US-based servers …
Mark Zuckerberg and team consider shutting down Facebook and Instagram in Europe if Meta can not process Europeans’ data on US servers
https://www.cityam.com/mark-zuckerberg-and-team-consider-shutting-down-facebook-and-instagram-in-europe-if-meta-can-not-process-europeans-data-on-us-servers/
If Meta is not given the option to transfer, store and process data from its European users on US-based servers, Facebook and Instagram may be shut down across Europe, the social media giants’ owner reportedly warned in its annual report.
The key issue for Meta is transatlantic data transfers, regulated via the so-called Privacy Shield and other model agreements that Meta uses or used to store data from European users on American servers. The current agreements to enable data transfers are currently under heavy scrutiny in the EU.
In its annual report to the U.S. Securities and Exchange Commission, Meta warns that if a new framework is not adopted and the company is no longer allowed to use the current model agreements “or alternatives,” the company will “probably” no longer be able to offer many of its “most significant products and services,” including Facebook and Instagram, in the EU, according to various media reports, including in iTWire, The Guardian newspaper and Side Line Magazine.
Tomi Engdahl says:
Shoshana Wodinsky / Gizmodo:
Adtech experts explain how GDPR has proven ineffective thanks to the ingenuity of adtech firms, which have managed to effectively skirt its consent requirement
The Hidden Failure of the World’s Biggest Privacy Law
The EU’s landmark privacy law, GDPR, was supposed to change the world of tech privacy forever.
What the hell happened?
https://gizmodo.com/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604?scrolla=5eb6d68b7fedc32c19ef33b4
This week, European authorities struck a massive blow to the digital data-mining industrial complex with a new ruling stating that, quite simply, most of those annoying cookie alert banners that sites were forced to onboard en masse after GDPR was passed haven’t… actually been compliant with GDPR. Sorry.
The ruling, announced on Wednesday by Belgium’s Data Protection Authority, comes at the tail-end of a years-long investigation into one of the biggest advertising trade groups in EU, Interactive Advertising Bureau Europe (or IAB Europe, for short). In 2019, about a year after GDPR rolled out, the Data Protection Authority reports it started getting a stream of complaints against the IAB for “breaching various provisions of the GDPR” and countless people’s privacy with the technical standards it created to govern those consent pop-ups.
Now, three years later, it looks like those tips were right; the Authority fined IAB Europe $280,000, ordered the group to appoint a data protection officer, and gave a two-month deadline to get its tech into compliance. Any data that the group collected from this illicit tech also needs to be deleted.
The ruling is great news for privacy buffs that have been calling out those ugly, oftentimes downright manipulative cookie pop-ups from the get-go, but it’s also not necessarily a surprise. In an apparent attempt to get ahead of the bad press, IAB Europe issued a statement last November that the upcoming ruling would “apparently identify infringements of the GDPR by IAB Europe,” but that those infringements would be fixable, and those cookie consent banners would keep on chugging within months of the Belgium ruling.
But that statement came in 2021. For those who work on the so-called “sell-side” of the digital ad industry—tech operators who work hand-in-hand with digital media outlets and other sites across the web—this decision was inevitable. I
While the ruling showed that GDPR is very much still in effect, it doesn’t do a lot to explain how blatant some of these infringements were, or how loudly critics inside the industry had been raising red flags. Simply put, when the GDPR asked the adtech industry to get consent from users before tracking them, the IAB responded with a set of guidelines with loopholes large enough that data could still get through, anyway, without consent. And now that these practices are out in the public, nobody seems sure how to make them stop.
But to really explain how IAB Europe fell afoul of GDPR is complicated, even by adtech’s already impossibly confusing standards. So instead, I’m going to explain it using an analogy that pretty much everyone can understand: a bad date.
I know it sounds wild to compare a sweeping piece of European tech legislation to someone’s nightmare Tinder experience, but both are centered around the same thing: consent. That’s why regulatory types will often champion GDPR as the gold standard of privacy laws—while laws like CPRA in the U.S. allow people to claw back their data from the companies after they’ve mined it, the California law doesn’t change the fact that this mining happened in the first place, regardless of whether users wanted it to happen or not. GDPR, on the other hand, mandates that sites obtain users’ consent to track them before that tracking happens, the same way a decent date would (hopefully) ask to make out before slobbering all over you at the bar.
On paper, consent is just an agreement between two people (or a person and a website). But your Tinder date might have different thoughts about what “an agreement” means than you do.
even if you can’t articulate what consent looks like in the moment, you probably know in your gut what it feels like: Consent is a “yes” that’s unambiguous and freely given.
That’s exactly how GDPR defines the term, too. In order for a site to track you, Article 4 of the regulation notes that it needs to obtain a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” And no pre-ticking consent boxes, either, buster.
But that little tick is, quite literally, just a tiny pile of snow at the top of a massive iceberg. On every page you’re visiting, there could be a few, or dozens, or even hundreds of tiny tech companies working together to take whatever data gets exposed through the webpage you’re visiting into some kind of targeted ad. By the time that annoying ad for some ugly t-shirt pops up on a blog you’re reading, there have already been countless algorithmic bidding wars on that ad space—the spot on the page where an ad appears—that are each their own Olympic feats of Big Tech gymnastics. If this all wasn’t so invasive and upsetting, it would almost be kind of impressive.
In other words, the way web tracking works isn’t really like a single guy being a sleaze at the bar; it’s more like a conga line of sleazes. And in order to get your consent, this Tinder guy (let’s call him ‘Devin’) that you just met is being legally required to go with you down the row and, one by one, consent to smooching up on each of these other guys before a single smooch could ever happen.
You might be thinking, “Geez, if I was the Devin in this scenario, I’d just give up on getting consent for all my weird friends, and just try to be sleazy on someone with lower standards.” And you’re not alone! In the leadup to GDPR going into effect, countless recipe blogs, news outlets, and just regular-old personal blogs looked at this seemingly impossible standard EU regulators were now mandating from them and just… panicked. Who could blame them?
“The thing that almost every publisher was worried about was that they were going to do all this work and get hit by regulators anyway,”
Rather than try to parse a law that was, as he put it, “both not specific enough and too specific,” to actually be effective, some publishers just left. In GDPR’s immediate aftermath, more than 1,000 news sites were suddenly unavailable trying to visit from the EU, with the bulk being smaller, local outlets, according to a list that one researcher compiled at the time. That’s not a coincidence; while the New York Timeses and Washington Posts could afford a legal team and tech setup to stay put without being threatened with GDPR’s massive fines, local outlets were already struggling.
But this still left countless websites active in the EU that needed consent from their visitors once GDPR came into force.
So, naturally, IAB Europe was responsible for coming up with the standards for websites that wanted to obtain user consent without effectively breaking their site in the process. And then, according to the industry experts I spoke with, they kept waiting. In April 2018—literally a month before GDPR was set to come into effect—IAB Europe debuted its new standards: the so-called “GDPR Transparency and Consent Framework” (or TCF) that websites were told would collect consent in a comprehensive, standardized way, while also funneling that consent back to the third-party partners each site works with.
This framework, to be blunt, looked like a hot mess.
As one person in charge of advertising revenue at a major publication put it, IAB’s standards seemed bent on adhering to the letter of the law while ignoring the spirit of the law. Another industry expert thought the TCF standards seemed purposefully complicated to allow publishers to skirt regulation.
But without other options, publishers—begrudgingly or otherwise—decided to follow the TCF standards anyway. As one expert explained, the implicit understanding was that if anyone would take the fall for shoddy privacy compliance, it would be the IAB, and not them. . And so far, at least, that’s exactly what’s happened. While the Data Protection Authority fined IAB Europe, it hasn’t gone after publishers themselves, even though they’re also breaking GDPR by using the TCF standards.
To follow the framework, publishers were required to onboard another third-party piece of ad software called a “consent management platform,” or CMP, that would be responsible for collecting consent from users and beaming it where it needed to go. Those CMPs—and there are dozens of different ones—need to be registered with the IAB for “compliance” purposes, which also means forking over a roughly $1,700 fee upfront, and again each year they’re on the list.
These CMPs are the ones responsible for plopping the dreaded cookie banner on the site. Behind the scenes, when you press “yes” or “no” on a site’s request to track you, that choice gets stored in the form of a “consent string” on your browser. Unless you clear your browser cache (which, let’s be honest, you should probably do), that webpage will load up that string every time you visit and pass it on to any third parties involved with serving an ad on the site—you know, that aforementioned chain of sleazy dudes.
Pretty quickly, though, it became clear that the rules laid out by TCF weren’t going to cut it, and the cookie banners created in its wake were blatantly violating some of GDPR’s core rules in all sorts of shady ways.
What eventually brought Google onboard was the IAB’s new and improved TCF 2.0, which debuted about a year and a half after GDPR rolled out. We won’t go into every change (you can read about those here), but in a nutshell: This new framework promised more power to publishers, more privacy to end-users, and less of a legal shitshow overall. But when digital advertising is a field that’s flush with hundreds of billions of dollars per year and not nearly enough legal oversight, bad actors are going to be bad.
In some absolutely cursed scenarios, CMPs began forging consent signals from end-users—literally turning their requests not to be tracked into a “yes, please track me”—with nobody, even the IAB, checking in initially. Even after the trade group started auditing the vendors it worked with last fall, researchers outside the adtech sphere found that consent fraud was still very much happening, with seemingly no easy way to get bad actors to stop.
As one adtech executive speaking about the issue to Digiday put it, “not many businesses are incentivized to completely clamp down on it because everyone’s motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. It’s a frustration for any exchange that’s following the rules because it puts them at a massive commercial disadvantage. We’re sticking to the IAB’s rules, but it is hurting us to do so.”
You could say their dilemma is a microcosm of regulators’ attempts—in the EU and abroad—to get the digital data industrial complex under control. When regulators set standards that are too tough for anyone to practically follow, talking heads within the industry create their own response that ticks every legal box while also enabling anyone creative enough to continue with business as usual anyway. And when publishers are literally stuck between “too easy to cheat,” and “impossible to adhere to,” which one do you think they’ll choose?
The full ruling against IAB Europe doesn’t address the bad behavior of these downstream parties. Instead, it’s going after IAB Europe’s awful standards, and its consent strings, specifically.
For starters, the ruling alleges that IAB Europe “failed to establish any sort of legal basis for the processing of these consent strings under GDPR,” and failed to keep that data “confidential,” by GDPR standards, once it was collected. On top of that, the new ruling agrees with the same complaints a lot of us have had about those cookie pop-ups for years: They’re too vague, too hard to opt-out of, and just clearly don’t do what they’re promised to do.
“The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF,” the Authority wrote, noting how “difficult” this makes it for any user to actually have the control over their data that GDPR warrants,
So what comes next? Well right now, nobody seems to know. IAB Europe put out a terse statement on the ruling that noted how the group “[looks] forward to working with [the Belgian Data Privacy Authority] on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.”
“As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct,” the group wrote.
Tomi Engdahl says:
Charlie Taylor / The Irish Times:
EU ombudsman opens an inquiry into how GDPR is applied in Ireland, after claims that 98% of privacy infringement complaints to the Irish DPC remain unsolved
https://www.irishtimes.com/business/technology/emily-o-reilly-opens-inquiry-into-european-commission-policing-of-gdpr-in-ireland-1.4798907
Tomi Engdahl says:
Stephanie Bodoni / Bloomberg:
France’s CNIL data regulator says Google Analytics fails to sufficiently protect EU citizens’ data from potentially illegal US surveillance and could be banned
https://www.bloomberg.com/news/articles/2022-02-10/google-analytics-risks-french-ban-over-u-s-data-spying-fears
Tomi Engdahl says:
Jälleen uusi kolaus Google Analyticsin käytölle verkkosivustolle annettiin kuukausi aikaa lopettaa palvelun käyttö https://www.tivi.fi/uutiset/tv/6f27534b-8a23-4698-9112-ff340cea4abe
Ranskan tietosuojaviranomainen CNIL on linjannut, että Google Analytics -palvelun käyttö voi rikkoa EU:n tietosuoja-asetusta eli gdpr:ää. Tammikuussa Google Analyticsin käytön linjattiin rikkovan gdpr:ää Itävallassa. Tämän seurauksena Itävallan tietosuojaviranomainen kielsi Google Analyticsin jatkuvan käytön.
Google Analytics on erittäin laajalti käytetty verkkosivustojen analytiikkapalvelu, jolla seurataan sivustojen kävijämääriä ja liikennettä.
Tomi Engdahl says:
EU to probe use of cloud services across EU bodies, overseas data transfers https://therecord.media/eu-to-probe-use-of-cloud-services-across-eu-bodies-overseas-data-transfers/
The European Data Protection Board (EDPB) has announced plans to probe the use of cloud-based services across EU public bodies as part of an effort to investigate GDPR compliance and detect possible data transfers of EU data overseas.
Tomi Engdahl says:
Clearview AI fined 20M for collecting Italians’ biometric data https://www.bleepingcomputer.com/news/legal/clearview-ai-fined-20m-for-collecting-italians-biometric-data/
The Italian privacy guarantor (GPDP) has imposed a fine of 20, 000,
000 on Clearview AI for implementing a biometric monitoring network in Italy without acquiring people’s consent. This decision resulted from a proceeding that launched in February 2021, following relevant complaints about GDPR violations that stemmed directly from Clearview’s operations. More specifically, the investigation revealed that the American facial recognition software company maintains a database of 10 billion images of people’s faces, including Italians, who had their faces extracted from public website profiles and online videos.
Tomi Engdahl says:
Irish Regulator Fines Facebook for Privacy Law Violations
https://www.securityweek.com/irish-regulator-fines-facebook-privacy-law-violations
Ireland’s privacy watchdog has fined Facebook’s parent company, Meta, 17 million euros, or about $19 million, for violating Europe’s privacy law.
Tomi Engdahl says:
US, EU Sign Data Transfer Deal to Ease Privacy Concerns
https://www.securityweek.com/us-eu-sign-data-transfer-deal-ease-privacy-concerns
The European Union and United States made a breakthrough in their yearslong battle over the privacy of data that flows across the Atlantic with a preliminary agreement Friday that paves the way for Europeans’ personal information to be stored in the U.S.
President Joe Biden and European Commission President Ursula von der Leyen announced the deal during Biden’s stop in Brussels while on a European tour amid Russia’s war in Ukraine.
Business groups hailed the announcement, saying it will provide relief to thousands of companies, including tech giants like Google and Facebook, that faced uncertainty over their ability to send data between the U.S. and Europe, which has much stricter regulations on data privacy.
The agreement came hours after EU officials agreed on sweeping new digital rules to rein in the power of big tech companies such as Facebook and Google.
“Today we’ve agreed to unprecedented protections for data privacy and security for our citizens,” Biden said. “This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies — both small and large — compete in the digital economy.”
Von der Leyen said the agreement “will enable predictable and trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Report: the real-time bidding industry exposes a person’s online activity and location 747 times per day on average in the US and 376 times per day in Europe — New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today …
Report spotlights vast scale of adtech’s ‘biggest data breach’
https://techcrunch.com/2022/05/16/iccl-rtb-report-google-gdpr/
New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.
“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across U.S. states and European countries which suggests that web users in Colorado and the U.K. are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.
Tomi Engdahl says:
When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
One unique technical feature of almost all existing blockchain systems is that, once a piece of data is stored on chain, it will remain there permanently. This feature is particularly important for public blockchains due to the lack of a centralised trusted party. It cannot be easily fixed by tweaking a blockchain system’s design and implementation details. This immediately leads to a direct conflict with the right to be forgotten defined in the GDPR, and users would have to give up this right forever if they want to use a blockchain system. In addition, blockchain systems, especially public ones, also have other tricky GDPR compliance issues to address, such as how to define the data controllers and data processors (who are responsible for data protection), how to obtain explicit consents and support withdrawal of consents, etc. It deserves noting that, due to the distributed and (pseudo)anonymous nature of most public blockchain systems, and according to the territorial scope of the GDPR (see the 2019 dedicated guidelines from the European Data Protection Board), the GDPR should apply because data subjects and/or data controllers/processors can be from the EU or EEA.
The tension between blockchains and the GDPR has been noticed by the blockchain community.
Tomi Engdahl says:
How GDPR Is Failing
https://www.wired.com/story/gdpr-2022/
The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.
ONE THOUSAND FOUR hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit.
The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.
Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding.
While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.
Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement.
“To say that GDPR is well enforced, I think it’s a mistake. It’s not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,”
Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line.
The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions).
DESPITE CLEAR ENFORCEMENT problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data.
Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor
Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,”
“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,”
The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved.
The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this.
IN THE LAST year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act.
The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.
Tomi Engdahl says:
Four Takeaways as the European Union’s General Data Protection Regulation (GDPR) Turns 4 https://www.crowdstrike.com/blog/four-takeaways-as-gdpr-turns-4/
May 25, 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles-based approach to cybersecurity in many jurisdictions worldwide. In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.
Tomi Engdahl says:
Puhelinmyyntiyritys sai 8300 euron gdpr-sakot viisveisasi tietosuojavaltuutetun määräyksestä https://www.tivi.fi/uutiset/tv/dc1bfc05-8b8d-4b36-833d-9fe5fe48fcfa
Suomalainen telemarkkinointiyritys on saanut 8300 euron suuruisen hallinnollisen seuraamusmaksun tietosuojavaltuutetun määräyksen noudattamatta jättämisestä. Kyseessä on ensimmäinen tietosuojavaltuutetun toimiston päätös, jossa rekisterinpitäjälle annetaan seuraamusmaksu sen vuoksi, että se ei ole noudattanut annettua määräystä.
Tomi Engdahl says:
https://pentestmag.com/when-the-gdpr-meets-public-blockchains-looking-through-the-lens-of-public-communications-to-users/
Tomi Engdahl says:
Clearview AI fined $20 million, banned from processing biometric data in Greece after GDPR violations https://therecord.media/clearview-ai-fined-20-million-banned-from-processing-biometric-data-in-greece-after-gdpr-violations/
Greece’s privacy authority has fined facial recognition company Clearview AI 20 million for violating parts of Europe’s General Data Protection Regulation (GDPR). The Hellenic Data Protection Authority
(HDPA) released a 22-page decision demanding Clearview AI stop processing biometric data on individuals in Greece and said the company must delete all the data it has already amassed. The decision stems from a complaint filed by a number of privacy organizations including Homo Digitalis, Privacy International, Hermes Center, and noyb in May 2021 with authorities in Greece, the U.K., Italy, Austria and France. The complaint questioned Clearview AI’s practice of scrapping selfies and photos from public social media accounts and including it in its facial recognition database of some 10 billion facial images. The company sells its facial recognition tools to law enforcement agencies around the world and says it wants to reach 100 billion images in the coming years.
Tomi Engdahl says:
https://techcrunch.com/2022/09/07/iab-europe-tcf-gdpr-breach-appeal/?tpcc=tcplusfacebook
Tomi Engdahl says:
Instagram receives record fine of $400M for abuse of children’s data https://www.malwarebytes.com/blog/news/2022/09/instagram-receives-record-fine-of-400m-for-abuse-of-childrens-data
Ireland’s Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of 405Mroughly equivalent to $402Mfollowing an investigation on how the company handled children’s data.
Tomi Engdahl says:
Biden Signs Executive Order on US-EU Personal Data Privacy
https://www.securityweek.com/biden-signs-executive-order-us-eu-personal-data-privacy
Executive order requires that US signals intelligence activities be conducted “only in pursuit of defined national security objectives”
US President Joe Biden signed an executive order on Friday designed to protect the privacy of personal data transfers between the EU and the United States and address European concerns about US intelligence collection activities.
The executive order provides a new legal framework for trans-Atlantic data flows that are critical to the digital economy, the White House said.
It will be subject to review and ratification by the European Commission, a process expected to take several months.
“This is a culmination of our joint efforts to restore trust and stability to trans-Atlantic data flows,” Commerce Secretary Gina Raimondo told reporters.
“It will enable a continued flow of data that underpins more than a trillion dollars in cross-border trade and investment every year.”
US tech giants have faced a barrage of lawsuits from EU privacy activists concerned about the ability of US intelligence services to access the personal data of Europeans.
Europe’s top court has invalidated previous arrangements after hearing complaints that US laws violate the fundamental rights of EU citizens.
The White House said the executive order addresses concerns raised by the Court of Justice of the European Union when it ruled that the previous framework known as Privacy Shield did not provide adequate protection.
Privacy Shield, struck down in July 2020, was the successor to another EU-US deal, Safe Harbor, which was itself torpedoed by a court ruling in 2015.
Businesses have since resorted to legally uncertain workarounds to keep the data flow moving, with hope that the two sides could come up with something stronger in the long term.
US officials acknowledged that the new pact will almost certainly face intense legal scrutiny that began after revelations by Edward Snowden of mass digital spying by US agencies.
Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities
https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
Tomi Engdahl says:
https://www.karhuhelsinki.fi/blogi/privacy-shield-uudistuu-tuoko-se-helpotuksen-it-jattien-gdpr-ongelmiin/
Tomi Engdahl says:
Mitä Privacy Shieldille tapahtuu seuraavaksi?
Uuden Privacy Shieldin odotetaan siirtyvän EU-komission käsittelyyn, jonka on arvioitu kestävän noin puoli vuotta. Mikäli kaikki etenee sujuvasti, uusi järjestelmä voisi olla käytössä maaliskuussa 2023.
Toivomme, että uusi Privacy Shield parantaa verkkosivustojen ja muiden digipalveluiden käyttäjien ja omistajien asemaa Suomessa ja että järjestelmä saadaan pikaisesti käyttöön.
https://www.karhuhelsinki.fi/blogi/privacy-shield-uudistuu-tuoko-se-helpotuksen-it-jattien-gdpr-ongelmiin/