Privacy: a world tour of March news

The announcement of an agreement in principle for the return of transatlantic data transfers takes place even as Google decides to upgrade its analytics tool.

In France, mobile developers are encouraged to strengthen their compliance.

What should we take away from the statements on an agreement in principle between the United States and Europe on transatlantic data transfers?

During his press conference with the President of the European Commission Ursula von der Leyen on March 25, US President Joe Biden Jr. announced the achievement of a “major breakthrough on transatlantic data flows” with a “new agreement [that will] strengthen the Privacy Shield framework, foster growth and innovation in Europe and the United States, and help businesses, large and small, to compete in the digital economy”, which “will enable the European Commission to re-authorize transatlantic data transfers”. Ursula von der Leyen for her part described the agreement as an “agreement in principle”, indicating that its details are not yet defined.

The previous version of the Privacy Shield was struck down by the Court of Justice of the European Union (CJEU) based on the finding that US surveillance laws are not sufficiently limited to what is strictly necessary and do not offer effective remedies to data subjects, as required by the EU Charter of Fundamental Rights.

Although the press conference did not clarify the impact this new agreement will have on US surveillance laws, it seems at this stage that this decision will indeed pave the way for EU companies to transfer personal data to the United States.

On the way to Google Analytics 4

Google has announced that it will start phasing out Universal Analytics, the previous generation of Analytics, next year to move businesses to Google Analytics 4. Google Analytics 4 will no longer store IP addresses. In its announcement, Google notes that “these solutions and controls are particularly needed in today’s international data privacy landscape, where users expect more privacy protection and control over their data.”

The announcement comes weeks after complaints from privacy advocate None of Your Business (NOYB) led to decisions by French and Austrian data protection authorities over the analytics tool. These authorities consider that the use of Google Analytics violates the GDPR by transferring a combination of unique identifiers (including the IP address) to Google in the United States without additional effective measures. Google’s announcement is likely, at least in part, a reaction to these decisions.

The CNIL, the French data protection authority, found in particular that the combination of unique identifiers with other elements (such as browser or device metadata and IP address) and the possibility of linking this information to a Google account make a person identifiable. In addition, according to the CNIL, Google’s response did not clearly indicate whether its IP anonymization function was effective in preventing potential access to the entire IP address before it was shortened.

Mobile developers encouraged to strengthen their compliance in France

In its strategic plan for 2022-2024, published recently, the National Commission for Information Technology and Liberties (CNIL) has chosen as one of its priorities regulatory actions targeted at subjects with high stakes for privacy. Among these, it cites the objective of making data flows visible in smartphone applications and of strengthening the compliance of mobile applications and their ecosystems in order to better protect the privacy of smartphone users.

Developers and other players in the mobile application ecosystem undoubtedly have every interest in drawing inspiration from these declarations from the French regulator and strengthening their compliance, particularly with regard to the transparency of data flows. This would allow them to anticipate and prepare for more in-depth checks in this area in the years to come.

On this subject, the CNIL published a GDPR guide for developers at the end of 2021 which provides step-by-step advice and examples of compliance. Consulting this document can be a good starting point for developers wishing to strengthen their compliance.

European Data Protection Supervisor warns of risks of targeted advertising

By indicating in a recent post that transparency is not enough to deal with the risks associated with targeted advertising, Wojciech Wiewiórowski, the European Data Protection Supervisor, suggests that the draft law adopted at the end of January by the European Parliament for the Digital Services Legislation does not go far enough in his view.

This draft, which will now be discussed at European Council level, gives users the possibility of refusing certain types of tracking directly from browser settings and allows users to learn which characteristics relevant to them are used by the industry to serve them targeted advertisements. These restrictions are actually much less stringent on digital advertising than some earlier proposals, which went so far as to suggest banning digital advertising altogether.

In his post, Wojciech Wiewiórowski suggests further restricting the categories of data that can be processed for this purpose, in particular to protect vulnerable populations, such as children. The European supervisor also said that regulatory incentives to favor less intrusive forms of advertising that do not require tracking of user interaction with content would be welcome.

Dark patterns on social networks: recommendations to avoid being trapped

The European Data Protection Board (EDPB) has published its recommendations for recognizing and avoiding dark patterns (“tricked interfaces” in French) on social media platforms. The document is open for comments until May 2, 2022.

These recommendations focus on many types of dark patterns involving risks for the protection of personal data. These include, for example, “dead end” dark patterns, when the user is offered an option related to data protection during the registration process that they cannot find later; misleading information, such as presenting users with a link to withdraw their consent to ad targeting that leads to a page with general explanations instead of allowing them to withdraw it directly; or “obstructing” dark patterns, such as not providing direct opt-out access when consent (opt-in) only requires a click.

Although these guidelines are specific to social media, they provide information that can be applied to other platforms and contexts.

In Saudi Arabia, new deadline for full application of data protection law

The Saudi Data and Artificial Intelligence Authority posted a tweet announcing the postponement until March 17, 2023 of the full application of the Saudi Personal Data Protection Law. The decision was made in response to stakeholder feedback.

Approved in September 2021, the law was due to come into effect on March 13, giving covered entities just six months to prepare. Designed to protect against the collection and processing of personal data without consent, the law extends the rights of users to see, access or restrict the processing of personal data and to know the purposes of its processing.
