WebProNews

Tag: gdpr

  • Norway On the Verge of Banning Google Analytics

    Norway may soon join the list of EU countries banning Google Analytics following an initial conclusion that it violates the GDPR.

    Google Analytics has increasingly come under fire by EU jurisdictions, accused of violating European data protection laws, specifically the GDPR. According to Simple Analytics, the Norwegian data protection authority (Datatilsynet) has issued a preliminary decision that “the use of Google Analytics was in violation of the GDPR’s transfer rules.”

    At the heart of the issue is a 2020 EU ruling that US cloud providers are not in compliance with the GDPR. There have long been concerns regarding the transmission of EU user data to US cloud providers, especially given US cloud providers’ obligation to assist US intelligence agencies.

    When Austria became one of the first jurisdictions to issue an adverse ruling against Google Analytics, Max Schrems, honorary chair of The European Center for Digital Rights (noyb), predicted it would simply be the first of many such rulings.

    “We expect similar decisions to now drop gradually in most EU member states,” Schrems said. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.

    “This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

    As Simple Analytics points out, it is possible — although unlikely — that Norway’s final conclusion will differ from its initial conclusion. If Norway’s final decision is in line with its preliminary one, it will join Austria, Denmark, Finland, France, and Italy, all of whom have ruled against Google.

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Google Will Be Required to Delete False Search Results About People

    EU citizens will have the ability to take back their online presence, thanks to a new ruling requiring Google to delete inaccurate results.

    According to Politico, the ruling came about in a case involving two investment managers that wanted Google to delete search results linking to articles about them, articles they said contained inaccurate claims. Google refused, saying it had no knowledge of the accuracy of the claims.

    The Court of Justice of the European Union has ruled in favor of the investment managers, allowing them to trigger the EU’s GDPR “right to be forgotten” clause.

    “The right to freedom of expression and information cannot be taken into account where, at the very least, a part – which is not of minor importance – of the information found in the referenced content proves to be inaccurate,” the court said in a press release.

    The court ruled that citizens would need “to provide only evidence that can reasonably be required of [them] to try to find,” to prove that search results contain inaccurate claims about them.

    “We welcome the decision, and we will now study the text of the CJEU’s decision,” a spokesperson for Google told Politico. “The links and thumbnails in question are not available via the web search and image search anymore; the content at issue has been offline for a long time.”

  • France the Latest Country to Crack Down on Google Analytics

    France is the latest country to crack down on Google Analytics, over concerns it violates the GDPR, the EU’s privacy legislation.

    In mid-January, the Austrian Data Protection Authority ruled that Google Analytics was illegal due to conflicts with the GDPR. Essentially, the GDPR prohibits countries from exporting EU citizen data to the US. Much of the concern stems from the fact that US intelligence agencies can force companies to give them access to such data, without the protections EU citizens are normally afforded.

    France has now joined Austria, according to Le Monde, via AppleInsider. The National Commission for Informatics and Liberties (CNIL) has ordered a company to stop using Google Analytics.

    “The CNIL notes that Internet users’ data [collected by Google Analytics] are transferred to the United States in violation of…GDPR,” reads the statement Le Monde gained access to. “It therefore requires the site manager to bring these processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics feature (under current conditions) or by using a tool that does not result in a transfer outside the EU.”

    The CNIL has given the site manager one month to stop using Google’s platform. This latest development does not bode well for Google. When Austria made its ruling, experts believed other countries would soon follow suit. Austria and France are likely just the first elements of what may become a wave of losses for the Google Analytics platform.

    The National Commission for Informatics and Liberties (CNIL) has issued a formal statement regarding the unnamed company. “The site manager has one month to comply,” says the statement (in translation), as seen by Le Monde.

    “The CNIL notes that Internet users’ data [collected by Google Analytics] are transferred to the United States in violation of…GDPR,” continues the statement. “It therefore requires the site manager to bring these processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics feature (under current conditions) or by using a tool that does not result in a transfer outside the EU.”

  • Meta Walks Back Comments About Leaving EU Market

    Meta is walking back comments about the possibility of leaving the EU market over data regulations, saying “we have absolutely no desire to withdraw from Europe.”

    Meta made headlines when it seemed to indicate it may pull out of the European market over limitations the GDPR imposes on the transfer of data between the EU and the US. Meta is now saying news reports, including from WPN, about threats to pull out of the EU market are “simply not true.”

    WPN, like most outlets, simply quoted Meta’s own words in its SEC filing, which are included below (italics ours):

    If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.

    Meta has chalked the statement up to the kind of “material risk” statement publicly traded companies are required to make.

    Nonetheless, it should be noted that Meta did not say in its filing that it may be forced to alter the services it offers, or make concessions to remain compliant with EU law. Instead, the company said it may be “unable to offer a number of our most significant products and services, including Facebook and Instagram.”

    However much Meta may be trying to walk back its SEC filing statements, that certainly sounds like a threat to leave the EU market.

  • Meta May Leave EU Market Over Privacy Regulations

    Meta is threatening to leave the EU market if it’s not allowed to share EU user data with its US-based data centers.

    The EU ruled in 2020 that using US cloud providers was a violation of the GDPR. Because they are often required to hand over data to intelligence agencies, US companies are not capable of being compliant with the privacy protections the GDPR provides EU citizens. While many companies, on both sides of the Atlantic, have ignored the ruling, the Austrian Data Protection Authority recently ruled that it is illegal for EU companies to use Google Analytics.

    It appears Meta is preparing for the worst, according to iTWire, warning in an SEC filing that it may pull Facebook and Instagram out of the EU market if a replacement for the Privacy Shield legislation is not enacted. Privacy Shield governed the transfer of data between the EU and the US, prior to the 2020 ruling.

    In August 2020, we received a preliminary draft decision from the Irish Data Protection Commission (IDPC) that preliminarily concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR) and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended. We believe a final decision in this inquiry may issue as early as the first half of 2022. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.

    It remains to be seen if Meta’s threat is genuine or idle, but its statement is another indication of the headwinds the company faces as privacy increasingly becomes a major issue.

  • Google Analytics Is Illegal in Austria, Violates the GDPR

    In what may be the first of many such rulings, Austria has ruled that Google Analytics violates the GDPR and is therefore illegal.

    Google Analytics is the premier tool available to website operators to gauge their traffic, and better understand how they’re engaging with visitors. Unfortunately for Google, Google Analytics seems to run afoul of the GDPR, the EU’s privacy legislation.

    The issue is the result of a 2020 EU ruling that using US cloud providers violates the GDPR. Because US cloud providers are legally compelled to help US intelligence agencies, they were deemed inherently incapable of being GDPR-compliant. As a result, data on EU citizens could no longer be sent to US companies as freely as it once was. Google Analytics runs afoul of this law because it transmits user IP addresses and other identifiable information to the US.

    Unfortunately for users’ privacy, many companies — both in the US and EU — are choosing to ignore the law and continue with business as usual. The European Center for Digital Rights (noyb) has filed 101 cases against such companies, and the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has ruled on one of them, concluding that Google Analytics is illegal.

    EU authorities have been cooperating on such cases, acting as a task force, making it likely that Austria’s ruling is just the first of many that will soon be handed down.

    “We expect similar decisions to now drop gradually in most EU member states,” said Max Schrems, honorary chair of noyb.eu. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.

    “This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

    Schrems also highlighted the need for the US to adopt its own data protection laws, something prominent US executives have also advocated for, lest platforms and services be splintered.

    “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems noted. “I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”

  • Ireland’s Data Protection Commission Fines WhatsApp $267 Million

    WhatsApp has been fined €225 million ($267 million) for violations of the EU’s GDPR.

    The GDPR is one of the most comprehensive pieces of privacy legislation in the world, and strictly regulates how companies may process and use customer data. WhatsApp ran afoul of the law as a result of how data is processed between WhatsApp and Facebook’s other companies.

    Ireland’s Data Protection Commission (DPC) made the announcement:

    On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp.

    Although this investigation began in December 2018, data-sharing between WhatsApp and Facebook’s other companies has been an ongoing issue. Most recently, Facebook ignited a firestorm of controversy when it announced it would expand WhatsApp’s data-sharing.

  • UK Looks to Revamp Privacy Policy Post-Brexit

    The United Kingdom is looking to revamp its privacy policy in the wake of Brexit, making a break from the EU’s GDPR.

    The EU’s General Data Protection Regulation (GDPR) is one of the most comprehensive pieces of privacy legislation ever to be passed into law. As long as the UK was part of the EU, it was subject to the GDPR, the same as any other European country. With Brexit, however, UK regulators are looking to chart their own path.

    Oliver Dowden, the Secretary of State for Digital, Culture, Media and Sport, spoke of the work John Edwards, New Zealand’s Privacy Commissioner and the likely next Information Commissioner, would undertake.

    “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” said Dowden, according to The Guardian.

    “It means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation. John Edwards’ vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals.”

    Edwards will have his work cut out for him, as any legislation will need to maintain the same level of protection as the GDPR. If it doesn’t, the EU would be forced to stop data-sharing with the UK, a move that would impact companies on both sides of the Channel.

  • Amazon Hit With Record-Breaking Fine by EU Over Data Privacy

    Amazon has been hit with a whopping $888 million fine from the EU over how it handled private data.

    The EU has been stepping up its attempts to regulate tech companies and enforcement of the General Data Protection Regulation (GDPR), its signature privacy regulation.

    The EU is accusing Amazon of not processing personal data in compliance with the law, according to The BBC, resulting in the $888 million fine. Amazon is disputing the charges, telling The BBC there was “no data breach.”

    “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter,” Amazon said.

    “There has been no data breach, and no customer data has been exposed to any third party,” an Amazon spokeswoman said. “These facts are undisputed.”

    “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” she added.

    Amazon’s case could set a precedent for the EU’s application of the GDPR and have far-reaching consequences for the entire tech industry.

  • Microsoft Will Keep EU Data in the EU

    Microsoft has upped its commitment to EU data privacy, promising to keep EU data within the bloc.

    Data privacy is a bigger concern than ever before, as individuals and lawmakers start holding companies accountable. As part of the shift toward more data responsibility, some jurisdictions have passed legislation requiring companies to take certain steps to protect user data.

    The EU’s GDPR is one of the strictest such laws, providing far more protection than US federal laws currently do. As a result, EU states and citizens have become increasingly concerned about their data being transferred to the US and coming under the scope of US surveillance efforts.

    Microsoft is working to address those concerns, promising it will go beyond existing agreements and keep EU data within the bloc. Brad Smith, President and Chief Legal Officer, announced the pledge on the company’s blog.

    Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s core cloud services – Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.

    The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.

    While individual states have passed privacy laws, there have been increasing calls for the US to address the issue on a federal level. Microsoft’s pledge, along with the increased challenges of doing business in the EU, will likely add increased pressure for measurable change.

  • FTC Demands Answers From Big Tech on Privacy

    The Federal Trade Commission (FTC) has issued orders to nine social media and video platforms, inquiring about their data practices.

    Big Tech is under more scrutiny than ever before, and privacy is a big focal point. Data breaches and mishandling of consumer data in recent years have resulted in individuals and officials being more privacy-conscious. As a result, there have been some instances of groundbreaking legislation, such as the EU’s GDPR and California’s CCPA/CPRA.

    It appears the FTC is increasing its own scrutiny of companies’ data practices, with an order to “Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC.”

    The FTC is specifically looking to understand how these platforms “collect, use, track, estimate, or derive personal and demographic information.” In addition, the FTC wants to know how these platforms determine which ads and content are shown to users, how they handle user engagement and how children and teens are impacted.

    Some companies, such as Apple, Microsoft and Mozilla, have taken strong stands on privacy. The platforms covered by the FTC’s order, however, have based much of their business on collecting user information. In many cases, there has been a lack of transparency about what data is collected and how it is used.

    Hopefully the FTC’s inquiry is the first step toward stronger data protections for consumers.

  • California Voters Pass Version 2.0 of the CCPA Privacy Legislation

    California voters passed Proposition 24, widely considered to be version 2.0 of the California Consumer Privacy Act (CCPA).

    The CCPA was a ground-breaking piece of legislation for the US, the first of its kind to so vigorously protect the privacy of consumers. In many ways, the CCPA was the American equivalent of the EU’s GDPR. Although the law was unique to California, some industry leaders vowed to apply its protections to all customers, even those outside of California.

    Proposition 24, officially known as the California Privacy Rights Act (CPRA), picks up where the CCPA left off, expanding the CCPA, closing loopholes and increasing protections even more.

    One of the biggest changes is the creation of a new agency that will oversee the enforcement of the regulation. Another change is that the CPRA makes companies collecting data responsible for what any companies they share that data with do with it.

    In addition, the CPRA differentiates between personally identifiable information and sensitive personally identifiable information, such as Social Security number, logins, precise location data and biometrics. This gives companies more options to fine-tune their marketing to use non-personal information, rather than lose access altogether.

    The legislation includes many other improvements, including more opt-in requirements, limits on how long companies may retain personal information, limits to how sensitive personal information may be used, reasonable expectations data will be kept secure, legal options if companies fail to do so and more.

    It’s a safe bet these increased measures and a dedicated enforcement agency will likely increase the CPRA’s reach even more than the CCPA’s. Since companies will be responsible for how third-party partners—including non-California partners—use data, many more companies will likely opt to apply CPRA protections to all of their customers in the interest of simplicity.

  • Sweden’s Largest Insurer Leaked Private Data to Tech Firms

    Sweden’s largest insurer, Folksam, has admitted to accidentally leaking the private data of one million of its customers to tech firms.

    According to U.S. News & World Report, Folksam insures every second home in Sweden, giving the company access to vast troves of personal and private data on its customers. Unfortunately, the company accidentally shared that data with Facebook, Google, LinkedIn and Microsoft.

    Unlike the US, the EU has strict data privacy laws in the form of the GDPR. As a result, data breaches such as this one can result in hefty fines and penalties if not handled correctly. Folksam has assured customers that it does not appear any of the data was used improperly by third-parties, and vowed to do better.

    “We take what has happened seriously. We have immediately stopped sharing this personal information and requested that it be deleted,” said Jens Wikstrom, Folksam’s head of marketing.

    This data breach is just the latest example demonstrating the risks that come with the current state of the tech industry, and specifically cross-industry interdependencies that have become commonplace.

  • Google Sued For $3 Billion in the UK Over YouTube Privacy

    Google is being sued for $3 billion in the UK over allegations that YouTube tracks children, violating the UK’s privacy laws.

    Google has been facing ongoing scrutiny over privacy and antitrust concerns, but this latest lawsuit could be one of its most expensive. The lawsuit was brought by Duncan McCann, a father of three. The lawsuit is supported by Foxglove, a tech advocacy group in the UK.

    The lawsuit alleges that YouTube and Google are ignoring UK privacy laws designed to protect children. Instead, according to the lawsuit, YouTube is harvesting data from children watching videos and using that data to target the children with ads specifically designed to influence young minds.

    “We think it’s unlawful because YouTube processes the data of every child who uses the service – including kids under 13,” writes Foxglove. “They profit from this data, as they are paid by advertisers to place targeted advertising on their YouTube website. They do all this without getting explicit consent from the children’s parents. Under the GDPR and UK law, corporations can’t process the data of kids under 13 *at all* without explicit parental consent. Parents haven’t agreed to the many ways YouTube takes kids’ data.”

    The lawsuit comes as Google is facing other lawsuits claiming it continues to track users even after they opt out. Should McCann win his case, the repercussions for Google and YouTube would be profound.

  • Court Kills EU-US Privacy Shield

    An EU court has struck down a privacy agreement that made it possible to share the data of EU citizens with the US.

    Under the EU-US Privacy Shield, companies could implement higher privacy standards to allow for the transfer of EU citizen data. This was necessary because of the EU’s stricter privacy legislation. In spite of the goals behind the Privacy Shield, privacy groups raised a number of concerns about its effectiveness.

    In particular, advocates were concerned about the privacy threat the US government poses. Thanks to the Edward Snowden leaks, the world is aware of the US government’s long history of digital spying, even on law-abiding citizens. Advocates were concerned that, even if a company met the necessary data sharing privacy requirements, there was no guarantee the US government wouldn’t snoop on any shared data.

    Max Schrems, an Austrian privacy advocate, initially filed the complaint that eventually made its way to the European Court of Justice (ECJ). After considering the case, the ECJ struck down the law.

    This will have major ramifications for many companies with customers in the EU. At the very least, companies will need to use Standard Contractual Clauses. This is a type of non-negotiable legal contract drawn up in the EU that governs data transfers. Specifically, they are used to make sure any data transfer abides by the GDPR privacy laws, especially when transferring the data to a country that does not have the same level of privacy protection.

    The ECJ’s decision is a big win for privacy advocates, and will no doubt put additional pressure on the US to adopt privacy regulation of its own.

  • California Begins Enforcing New Privacy Law

    Following a six-month grace period, California has begun enforcing its new privacy regulation, effective July 1.

    The California Consumer Protection Act (CCPA) was signed into law on January 1. Similar to the EU’s GDPR, the CCPA is a robust set of laws designed to protect individual privacy and give consumers more control over the data companies collect about them. Companies were given a six-month grace period before enforcement began, but that grace period ended on June 30.

    The CCPA likely impacts more companies than many realize. It directly applies to companies that do $25 million in annual revenue, companies that derive at least half of their revenue from selling their customers’ data or companies that collect data on at least 50,000 individuals.

    Potential penalties are high enough to ensure compliance. Non-intentional violations could cost as much as $2,500 per incident, while intentional violations could cost as much as $7,500.

    While many companies have struggled to be ready for the new law, privacy advocates have praised it for protecting the interests of consumers.

  • Google Accused of Tracking EU Users

    Austrian privacy advocate Max Schrems has levied a complaint against Google, accusing the search giant of tracking users and passing the info to advertisers.

    Google has been mired in privacy and antitrust issues in the EU, generally considered to be the most privacy- and consumer-focused part of the world. EU regulators have repeatedly hit Google with billions of dollars in fines, in 2017, ’18 and ’19.

    Now Bloomberg is reporting that Schrems’ campaign group Noyb has accused Google of using a unique ID to track Android users without the proper opt-in consent.

    “Google does not collect valid ‘opt-in’ consent before generating the tracking ID, but seems to generate these IDs without user consent,” according to the group.

    “Android does not allow deleting the tracking ID. It only allows users to generate a new tracking ID to replace the existing tracking ID. This neither deletes the data that was collected before, nor stops tracking going forward.”

    If the claim has merit, the EU’s GDPR laws allow for fines up to “4% of a company’s global annual sales.” If Google is found guilty, the result could be one of its biggest fines yet.

  • Newton Lives On As New Owners Take Over From Essential

    Popular email app Newton Mail has received another lease on life, thanks to new owners who are taking over for Andy Rubin’s failed startup Essential.

    Newton has had a tumultuous history in the email market, initially being released as CloudMagic in 2013 and rebranded as Newton Mail in 2016. The app, available for iOS, macOS, Windows, Android and Chrome OS, won rave reviews across the board. In spite of its success, the original developer announced the app would be shut down in September 2018.

    The app was ultimately acquired by Andy Rubin’s (of Google Android fame) Essential and subsequently resurrected, only to face the chopping block again as a result of Essential shutting down. In the original announcement, Newton Mail was scheduled to stop working after April 30, 2020.

    In a blog post, developer Maitrik Kataria outlines how he and business partner Justin Mitchell were able to work out terms with Essential to take over ownership of the app and continue developing it. The two were motivated by a deep love for the app and its innovative approach to email.

    Just as significant, the pair are acutely aware of Newton’s troubled past, and are determined to bring some much-needed stability to the app’s future. In outlining their goals moving forward, the first step in their model involves creating a contingency plan, complete with open-sourcing the app, to ensure Newton never again faces extinction—regardless of what happens to the individuals or company currently tasked with its development.

    Kataria and Mitchell are also committed to improving privacy and security, bringing Newton into compliance with the EU’s GDPR, as well as adding features like PGP integration. The company is also offering a number of promotions to existing users, as well as those who had previously cancelled their subscriptions.

    The announcement is good news for Newton users, as well as the email market in general. For email to grow and evolve, it’s important for third-party developers to continue to push the envelope, rather than relying solely on Apple, Microsoft or Google’s built-in clients.

  • Twitter Disables User Control of Advertising Data

    Twitter took a big step backward in its efforts to protect user privacy, eliminating user control over data used for advertising.

    In an announcement that started showing up when users logged on, Twitter said the goal of the change was to help it continue as a free service. The announcement read:

    An update to your data-sharing settings

    The control you have over what information Twitter shares with its business partners has changed. Specifically, your ability to control mobile app advertising measurements has been removed, but you can control whether to share some non-public data to improve Twitter’s marketing activities on other sites and apps. These changes, which help Twitter to continue operating as a free service, are reflected now in your settings.

    The move is disappointing for users who value their privacy, although users in the European Union are unaffected by the change. Thanks to the EU’s GDPR, companies are required by law to give users control over their own data and how it is used.

    After Twitter’s announcement, it won’t be surprising if there are renewed calls for GDPR-style legislation in the U.S.

  • Brexit Means No GDPR Protection: Google May Move UK User Data

    Brexit may have finally happened, but one side effect people may not have anticipated is losing GDPR protection as Google may be moving UK data out of the EU.

    The General Data Protection Regulation (GDPR) is one of the most sweeping, comprehensive data protection regulations in the world, aimed at giving people control of their own data and digital footprint. With Britain leaving the EU, sources have told Reuters that Google plans on moving its customers’ data to the U.S.

    British Google users’ data is currently housed in Ireland, which is staying in the EU. To date, Britain has not committed to following the GDPR or implementing its own solution. Google evidently has some concerns that leaving its British data in Ireland would make it harder for British authorities to access it if the UK does not continue abiding by the GDPR.

    As Reuters points out, the decision is likely encouraged by the fact that the U.S. has one of the weakest sets of privacy laws of any major economy. Google will likely welcome the opportunity to deal with less oversight.