Personal Data Protections, Digital IDs, And Targeted Advertising: The EU Debates Your Online Future

The February 2020 Developers Alliance EU Policy Update.

EU Sets Out Its High Ambitions To Lead The Global Regulatory Frameworks Of Digital Markets And New Technologies.

On February 17, the EU presented its expectations for a renewed multilateral system. The EU promotes the modernisation of global institutions such as the WTO and WHO and the development of norms, standards, and cooperation frameworks at the international level. 

On digital services and new technologies, the Joint Communication of the Commission and the High Representative of the Union for Foreign and Security Policy stated: “Strong non-state actors, including digital platforms and multinationals, have become shapers of international norms outside established channels…” They concluded the statement with a declaration, “The EU will therefore continue to push for more ambitious global standards and regulatory approaches in the digital economy.” Additionally, the document mentions the EU as a leader in regulating digital services, making reference to the recently proposed Digital Services Act and Digital Markets Act. 

The EU To Give The UK The Personal Data Transfer Green Light

The European Commission has started the process for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom. The first, under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED). Afterward, the European Data Protection Board’s (EPDB) opinion must be taken into account and then the European Commission can request the green light from Member States’ representatives. The draft adequacy decisions concern the flow of data from the EU to the UK. The UK previously decided that the EU ensures an adequate level of protection. Therefore data can flow freely from the UK to the EU. Since January 1 2021, data flows from the UK to the EU fall under UK legislation, which is based on the GDPR and the LED. 

The e-Privacy Regulation Proposal Moves Forward

The representatives of the EU Member States agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. The ‘ePrivacy’ regulation was proposed by the European Commission in 2017, as an update of the current ePrivacy Directive (so-called “Cookie Law’). The new rules will regulate the way service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices. 

Here’s a short recap of the proposed rules:

• Any interference, including listening to, monitoring, and processing of electronic communications data by humans or machines will require end-users’ consent. 

• The rules also cover machine-to-machine data transmitted via a public network, such as public hotspots and WiFi. 

• The strict confidentiality rule of consent is also applied to metadata (e.g. location, time, date, duration).

• There are a few proposed exceptions from users’ consent:

• ensuring the integrity of communications services, 

• checking for the presence of malware or viruses, 

• or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security. 

• As for metadata, it may be processed for instance for billing, for detecting or stopping fraudulent use, or to protect users’ vital interests during natural and man-made disasters (for example in monitoring pandemics).

• Users must be given a ‘genuine choice’ to accept cookies or other similar identifiers. To avoid cookie consent fatigue, an end-user can give consent by whitelisting one or more providers in their browser settings.

• There are also rules for online identification, public directories, as well as both unsolicited and direct marketing.

• The regulation would apply to end-users who are in the EU, even if the processing of their data takes place outside the EU or the service provider is established or located outside the EU.

The final text will be the outcome of negotiations between the Council of the EU and the European Parliament. The latter adopted its position in autumn 2017 and has been waiting for negotiations to begin since then. 

The EU’s Data Protection Watchdog Calls For A Ban On Online Targeted Advertising

The European Data Protection Supervisor (EDPS) published “Opinions on the European Commission’s proposals for a Digital Services Act and a Digital Markets Act.” The EDPS welcomed the two legislative proposals. On the Digital Services Act, the EDPS recommends additional measures to better protect individuals with regards to content moderation, online targeted advertising, and the recommender systems used by online platforms, such as social media and marketplaces. It explicitly suggests a ban on online targeted advertising “based on pervasive tracking and restricts the categories of data that can be processed for such advertising methods.” 

On the Digital Markets Act, the EPDB supports increased interoperability to “help to address user lock-in and ultimately create opportunities for services to offer better data protection.” It also stated a desire for a clear legal basis and structure for closer cooperation between the relevant oversight authorities for data protection, consumer protection, and competition.

On the same note, the European Socialists Political Group (S&D) launched the petition #AdsZuck for a ban of targeted advertising. 

European Co
nsumer Associations Complain About Tiktok

The European Consumer Organisation (BEUC), together with consumer organisations in 15 countries, filed complaints against TikTok. The alleged multiple consumer law breaches are:

• unclear, ambiguous T&Cs, 

• misleading practices for the processing of users’ personal data, 

• and both unfair terms and misleading practices for the ‘Virtual Item Policy. 

• This manages the feature that allows users to collect coins which they use for virtual gifts for TikTok celebrities whose performance they like. 

• As well as a failure to protect children and teenagers from hidden advertising and potentially harmful content on its platform.

The Italian Data Protection Authority Pursues Strict Enforcement 

The Italian Data Protection Authority (AGCM) fined Facebook a total of €7 million for failing to implement the ‘remedies’ of the decision issued against them in November 2018. The Authority found that Facebook, despite having eliminated claims that the service was costless from its user registration, has not yet provided immediate and clear information on the collection and use of user data for commercial purposes. According to the Authority, consumers need this information in order to decide whether to join the platform, considering the economic value of the data which needs to be transferred to Facebook for the use of its services.

After investigating TikTok last month, the AGCM has now set its eyes on Clubhouse. According to wired.it, the authority sent a formal request to the app to find out how it protects subscriber information and how it adapted GDPR. 

Public Authorities Cannot Escape Data Protection Fines Either

The Swedish Authority for Privacy Protection has fined the Swedish Police Authority €250,000 fine for processing personal data in breach of the Swedish Criminal Data Act for using facial recognition tech developed by the controversial U.S. firm Clearview AI to identify individuals.

Epic Games’ Dispute With Apple Reaches The EU

Epic Games has filed a formal antitrust complaint against Apple to the European Commission, in addition to those already filed in the US, UK, and Australia. Epic’s EU grievances are the same as those filed elsewhere, they concern the App Store’s policies on payments and app distribution. These include the much-discussed 30% of sales taken by Apple from App Store purchases.

Cybersecurity Updates

Although the public and political interest in cybersecurity has never waned, a report released this month by AtlasVPN notes that cybercrime cost over US$1 trillion in 2020. This means that 1% of 2020’s global GDP was lost to cybercrime. AtlasVPN also found that “One in five organizations do not have any cyber incident prevention plan.”

France’s cybersecurity agency ANSSI published a report this month on an “intrusion campaign” that affected several French entities, including businesses and governmental authorities. The campaign was conducted by hackers allegedly linked to Russian military intelligence agency GRU. The campaign started in late 2017 and lasted until 2020, mostly affecting web hosting providers. It targeted the French software firm Centreon in order to install two pieces of malware into its clients’ networks. The ANSSI statement makes direct reference to the hacker group Sandworm who are commonly linked to GRU by cybersecurity authorities and experts. They were thought to be behind several severely damaging cyberattacks, such as the ransomware NotPetya in 2017 and the attacks on the Winter Olympics in South Korea. The intrusion campaign is also similar to the more recent cyberattack on SolarWinds in the US.

The European Union Agency for Cybersecurity (ENISA) published a report on pseudonymisation for personal data protection: “Data Pseudonymisation: Advanced Techniques and Use Cases – providing a technical analysis of cybersecurity measures in personal data protection and privacy.”

ENISA also released two reports on cryptography. One focuses on the progress of post-quantum cryptography standardisation, while the other explores the technologies under the hood of crypto-assets.

Finally, a recently published report shows that the UK’s growing cyber industry attracted record investment in 2020. Following the record £800 million of investment, the number of active cybersecurity firms in the UK grew 21 percent, increasing the sector’s worth to an estimated £8.9 billion.

The Future Of e-IDs

The UK government has officially presented its vision for governing the future use of digital identities. The proposed ‘trust framework’ lays out a set of rules for  organisations to follow: 

1. How organisations should handle and protect people’s data, 

2. what security and encryption standards should be followed, 

3. how user accounts should be managed,&nb
   sp;

4. and how to protect against fraud and misuse. 

Once finalised, the framework will be brought into law. The stakeholders are invited to comment, however, until March 11, 2021.

Meanwhile, the EU is preparing its own regulation for digital identities, the EU ID. In September, 27 Heads of State and Government asked the European Union to create an “EU-wide secure public electronic identification (e-ID) to provide people with control over their online identity and data as well as to enable access to cross-border digital services.” The EU’s answering legislative proposal is underway and is expected to be published by the European Commission in April 2021.

Risky Ranking For Online Platforms

On February 15, Google was fined €1.1 million in France for the misleading ranking of hotels in search results. Google noted that it uses its own criteria to determine a hotel’s star rating, instead of using Atout France’s official classification. 

Additionally, the Netherlands Authority for Consumers and Markets (ACM) published a study on paid ranking. ACM found that paid search ranking comes with chilling risks to competition and potential removal of consumer choice. They are currently conducting a follow-up study into the role of transparency with regard to paid ranking.