Week of August 9, 2021
August 16, 2021
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
The Austrian privacy watchdog group, Noyb, reported that it filed over 400 complaints this week in 10 countries based on alleged violations of the GDPR. The group, which is led by longtime privacy activist Max Schrems, put 516 companies on notice in May and reported Tuesday that 82% of those companies had not fully stopped violating the GDPR, resulting in this week’s complaints. Noyb reported on Friday that it filed an additional 7 complaints against major German and Austrian news websites based on allegations that the sites are not obtaining “freely given” consent.
Noyb’s allegations are largely based on interpretations of GDPR that have yet to be tested in European courts. It may be months or years before we know whether Noyb’s claims have merit; in the meantime, we may see a wide range of responses from publishers in the industry, depending on their risk tolerance and internal interpretation of GDPR.
The France DPA (CNIL) published a list of 8 recommendations to protect children in the digital world, calling on public authorities to take the recommendations into account. The recommendations include providing age-appropriate and accessible information about how data is used, and including specific protection measures by design on websites and apps children are likely to use.
With mounting pressure from parents and advocacy groups (particularly arising out of the Covid-19 pandemic), we are likely to see an increase in legislation and guidelines addressing children’s privacy. (For example, this week’s action from Google against ad targeting of children.)
A new draft of China’s Personal Information Protection Law (PIPL) will go through its third review by the Legislative Affairs Commission of the National People’s Congress August 17-20. A full copy of the latest draft has not been publicly released, but a spokesperson commented on Friday that the new draft makes targeted norms on the use of personal information for automated decision making. The law is expected to roll out later this year.
PIPL will be China’s first comprehensive data protection law, often referred to as “China’s GDPR”. Although the latest revisions have not been released, the previous drafts included risk assessment and transparency requirements, extended certain user rights, imposed restrictions on the use of publicly available personal information, and included an extraterritorial extension similar to that in GDPR.
A working group of the Mongolia Parliament met this week to discuss a draft law on the Protection of Personal Information. The purpose of the law would be to govern the collection, processing, use and security of personal data. The law would come into force November 1, if approved.
Like China’s PIPL, this will be Mongolia’s first comprehensive data protection law. Likely largely due to pressures from the EU, we are seeing an increase in comprehensive data protection legislation across the global, largely modeled after at least certain aspects of the GDPR.
Google announced, among the rollout of other controls and features aimed at protecting children, that the company will be blocking ad targeting based on the age, gender or interests of children under 18, to be rolled out in the coming months.
Google’s announcement follows a similar announcement from Facebook last month that it would restrict ad targeting based on interests and activity of users under 18. These changes are likely a response to increasing regulation directed at protecting children (e.g., the UK Age Appropriate Design Code that comes into force next month) in combination with mounting pressure from parents and advocacy groups.
Facebook announced plans for a multi-year effort to collaborate with academics, global organizations and developers on privacy-enhancing technologies (PETs) such as private computation, on-device learning and differential privacy to minimize data that’s processed for ad personalization and measurement solutions. As part of such efforts, Facebook has open-sourced a framework for private computation to allow developers to create privacy-centric measurement products using Facebook’s secure multi-party computation model.
We are seeing an increase in the introduction of privacy features by large tech platforms in parallel with increasing government and consumer pressure. This growing trend likely represents a fundamental shift, not necessarily away from ads personalization, but towards a form of ads personalization that is less reliant on the collection, storage and sharing of identifiable personal data.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy.
A Little Privacy weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The U.S. Department of Justice announced a $115,054 settlement...
The consultation, which ran for 10 weeks ending in...
Privacy for America, a coalition that includes several ad...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.