A 'reject all' button for cookies is in place across all Google sites in Europe. The tech giant first rolled out the changes in France after being ordered to by the French privacy regulator.
Breaking: In decisions just out, Meta is not only on the hook for privacy fines totaling nearly €400 million, but it must also — quickly — find a new legal basis for its sprawling targeted advertising empire. 🧵
This is significant, and awkward for Britain, which has said that its data protection overhaul will unleash tech investment.
Via my colleague @g_lanktree, how an e-vehicle firm pulled a U.K. project in part because of the reform proposals.
BREAKING: Europe facing Facebook blackout as Ireland orders halt to its EU-US data transfers.
FB has repeatedly said such an order could force it to shutter services in EU. Other EU regulators now have 1 month to weigh in before decision finalized.
Is Meta running out of ways to legally use our data to target ads? Today's opinion from an advocate general at the European Court of Justice certainly suggests that could be the case. 🧵
BREAKING: The EU has escalated legal action against Belgium over concerns its privacy regulator lacks independence. Belgium now has 2 months to take action or face a lawsuit at the European Court of Justice.
Scoop: Facebook should be fined for continuing to shuttle Europeans’ personal information to the US in violation of the landmark Schrems II EU court ruling, Norway’s data protection authority has told its peer regulators. 🧵
In today's POLITICO London Playbook: UK urged to review lobbying rules after ex-Information Commissioner Liz Denham's quick switch to firm that led Facebook's defence ... against enforcement by Liz Denham.
New: Instagram has been fined €405M for violating kids' privacy.
That's the second highest GDPR fine ever, and the Irish regulator's third for a Meta-owned company.
Docs unearthed by @NOYBeu show that the Irish data regulator lobbied to get EU guidelines to allow social networks to bypass GDPR consent requirements to use people's data to target advertising.🧵
Amazon just got handed the biggest GDPR fine ever issued: 746 million euros. And surprisingly, it was issued by Luxembourg’s data protection authority.
Before, the record was a 50 million fine for Google, from France's famously tough enforcer. 🧵
Girl, she CRUSHED that privacy explanation. Love it. No notes.
(I mean, some potential expansions because I’m an obnoxious privacy lawyer, but NO NOTES.)
I've just joined @POLITICOEurope's tech team in Brussels, where I'll be focusing primarily on data protection. Send tips to vmanancourt@politico.eu!
Privacy Shield News: The White House is expected to publish its long-awaited executive order on transatlantic data transfers as early as October 3, we've been told.
w/ @alfredwkng @markscott82 @ericgeller
Breaking: The Irish data regulator has triggered a dispute resolution mechanism for the Meta data transfers case after failing to resolve objections with other EU regulators.
Reminder: Meta has said it might have to shutter its services if the order is confirmed.
🚨SCOOP🚨: ‘Millions of people’s data is at risk’. That’s the warning of former high-level Amazon information security employees, who told me they were sidelined, dismissed or pushed out for raising red flags about privacy and compliance failures. 🧵
Scoop: Norway’s privacy watchdog has lashed out against an Irish ruling in a major Facebook case, saying it would render European data protection law “pointless,” according to a document obtained by POLITICO under FOI.
Some personal news, as they say: After 3+ years of leading POLITICO's data protection coverage from Brussels, I'm heading back across the Channel to head up our new, expanded coverage of tech in the U.K.
It's been a blast folks!
If you want to know the state of the surveillance-for-hire industry right now, look no further than the sponsor list for the ISS World Europe conference kicking off in Prague today. 1/3
Scoop (now free to view): Rishi Sunak’s AI Safety Institute is failing to test the safety of most leading AI models like GPT-5 before they’re released — despite heralding a “landmark” deal to check them for big security threats 👇
ICYMI: Potential landmark decision from the Austrian data protection authority this morning, which ruled that a website can’t use web analytics tools developed by Google because doing so involves illegal transfers of user data to the United States.
UK DATA ADEQUACY: 🇪🇺 EU expected to give flows of personal data to the 🇬🇧 UK the preliminary🟢 greenlight next week:
(Draft decision then needs EU data protection authorities' opinion + national capitals' sign off)
Scoop: Europe's top court says Washington plays fast and loose with European data. Facebook disagrees.
According to internal docs seen by POLITICO, Facebook's lawyers say the U.S. is safe for EU data, despite landmark EU rulings that say the opposite.🧵
I'm at @EUCourtPress following Facebook v Belgian DPA. At stake: the scope of the one-stop-shop (GDPR mechanism by which regulator where company has EU's base takes the lead on investigation). Stay tuned.
Scoop: Brexit deal to incl. interim solution to keep data flowing from 🇪🇺 to 🇬🇧 for 4 months (+2 month extension option) while the EU ratifies an adequacy decision. 🇬🇧 will be largely barred from changing its dp framework in the interim:
w/ @markscott82
President Biden's 🇺🇸-🇪🇺 transatlantic data flows executive order is OUT. It's an attempt to address EU concerns on US surveillance practices and Europeans' ability to legally challenge those practices. 🧵
Scoop: Amazon is facing a lawsuit in Germany over claims it has continued to transfer data to the United States using the invalidated Privacy Shield mechanism
Scoop: European Commission 🇪🇺 to launch infringement proceedings against Belgium 🇧🇪 following complaints that its data protection regulator does not meet the EU’s independence requirements:
NEW: British Deputy PM Oliver Dowden waded into the open vs closed source AI debate in remarks today, throwing his backing behind the "huge potential” of open source.
He also downplayed the risks of AI being misused by bad actors — at least for now. 👀
European Commission VP Věra Jourová: "Either we will all collectively show that GDPR enforcement is effective or it will have to change and ... any potential changes will go towards more centralization."
Regulator bust up imminent? Ireland’s interpretation of the GDPR would “entail the end of data protection as we know it,” according to an official at another EU data watchdog following Dublin's Facebook decision.
From today's POLITICO Pro Cyber Insights newsletter:
🗓️There's (another) hearing on the GDPR planned, this time on March 17 in the European Parliament. Speakers include Austrian activist Max Schrems as well as officials from data protection regulators across Europe.
After Facebook and LinkedIn, it seems new kid on the block Clubhouse wants to prove to the big boys that it can leak customer data like the best of them:
.@laurenscerulus and I were able to contact a European head of state and a top EU Commissioner *directly* using details in the Facebook leak. Imagine what sophisticated scammers could do.
Belgian privacy watchdog finds ad lobby IAB Europe's *Transparency & Consent framework* violates GDPR.
IAB Europe had previously insisted that the decision found that only they, and not the *framework*, violated the rules.
🇪🇺 Data Governance Act — what's been binned? (compared to leak)
🚮 explicit data localization rules
🚮 requirements for providers of "data sharing services" to be legally established in🇪🇺
🚮 requirements for providers of "data altruism activities" to be legally established in🇪🇺
Attention Brussels: The UK will present its data protection reform bill during the Queen's speech on May 10. The ex-EU member country has inherited the GDPR, but wants to make its framework more innovation friendly now that it's left the bloc.
Facebook, Instagram and WhatsApp to face finalized GDPR penalties by early January.
The penalties stem from complaints filed by Max Schrems in 2018 accusing the platforms of failing to have a proper legal basis to process Europeans’ data.
w/ @LauKaya
Just in: 🇪🇺 Parliament has adopted its GDPR resolution, rejecting Axel Voss's amendments that sought to reform the rulebook, which is just under 3 years old.
BREAKING: Ireland has fined WhatsApp €225 million for privacy violations. That's 4x higher than the amount it initially proposed to Europe's network of privacy regulators, who forced Dublin to go higher.
Scoop: The United States tried — and failed — to use a process at the OECD intergovernmental forum to get the European Union to commit to going easy on its data surveillance practices, docs seen by POLITICO reveal. 🧵
The EU's privacy regulator is planning a conference on Europe's privacy enforcement model, and plans to "explore alternative models of enforcement including a more centralized approach.”
w/ @LauKaya
New: EU "crazy" to consider carve out for foundation models in AI act, 'Godfather of AI' Yoshua Bengio told me. He warned bloc risks "law of the jungle" for most advanced forms of the tech.
Story for pros:
Two news nuggets for you this morning:
— Top EU privacy regulator calls for ban on Pegasus
— EU regulator taskforce to investigate public use of cloud services
Alerts to follow on POLITICO pro
The EU's toolbox on covid apps is out. It says such apps should:
— Be fully compliant with EU data protection and privacy rules
— Be voluntary
— Use the latest "privacy-enhancing" technology
— Use anonymized data
— Be interoperable across the EU
— Involve pub. health auth.
BREAKING: Facebook fined €17M for a series of data breaches it suffered in 2018.
N.B. First Irish fine to cross the finish line without the regulator having to trigger a dispute resolution mechanism to quell disagreements with other EU regulators.
NEW: Irish Data Protection Commissioner Helen Dixon told me a draft decision blocking Meta’s transfers of Europeans’ data to the U.S. could come "potentially next month."
How about €2 billion?
That's the size of the fine Meta could face within weeks for its 3 platforms — Facebook, WhatsApp and Instagram — in decisions that strike at the heart of the tech firm's business model.
Good news: the proposal by @RenewEurope for an @Europarl_EN inquiry committee into the #Pegasus scandal now has support from a majority! It must be set up asap and fully investigate claims of illegal spying on government critics. @rozathun @donath_anna
Scoop: A banker who donated over £20,000 to prominent Labour figures and worked for the party in the months leading up to the election has been given a top civil service job in Britain’s finance ministry.🧵
w/ @hannahcbrenton
Privacy Shield is dead. Long live data localization.
Tools used to shuttle digital information out of Europe are stuck in legal limbo. Now companies are considering the once-unthinkable: limiting the flow of data out of the bloc.
Following the Schrems II ruling, U.S. official told reporters this afternoon that changes to the U.S. surveillance regime are likely not "advisable or possible" at this stage
People in Europe can get Google to delete search results about them if they prove the information is "manifestly inaccurate," the EU's top court ruled Thursday.
As well as potentially putting a bomb under the internet giant's business model, the cases revealed deep fissures between Europe’s data protection authorities, with the Irish initially endorsing Meta's argument before being overruled by the EU data protection body the EDPB.
Reminder that the Irish DPC and Facebook will be facing off in court within the hour. At stake: Facebook's use of SCCs to transfer data from the EU to the US. (the company argues Dublin was too quick to conclude that it probably couldn't use the instrument in light of Schrems II)
🇪🇺 parliament's civil liberties committee tomorrow presents its Schrems II resolution.
In a nutshell: it's not happy with 🇮🇪's privacy regulator, and thinks even 🇺🇸 federal privacy law won't be enough to address concerns raised by the ruling:
Meet the world's biggest privacy regulators: Google and Apple.
By rolling out updates to their dominant mobile software, the two giants are doing more to change online tracking practices in a few weeks than years of regulation.
w/ @markscott82
Scoop 🇪🇺🇬🇧: MEPs today urged the European Commission to hold off finalizing a data flows deal with the U.K. following fresh indications that the Boris Johnson government intends to diverge from EU privacy standards:
Ireland’s data watchdog has now imposed more than €600 million in fines against Big Tech. Is it time to reassess the narrative that it doesn’t enforce the GDPR?
🚨EXCLUSIVE🚨 @amazon lobbyists boasted in internal company documents of having weakened support among Brussels lawmakers for proposals to bolster EU privacy protections:
European Data Protection Board wrote to the 🇪🇺Commission today re COVID-19 contact tracing and warning apps. Key takeaways:
— Most relevant legal basis is public interest, national law *NOT* consent
— Contact tracing ≠ location tracking (latter violates data min. principle)
🇪🇺 Parliament narrowly votes AGAINST the EPP/ECR resolution on the 🇬🇧 data flows deal. 335 for, to 350 against.
That means the plenary will now vote on the rival resolution passed by the civil liberties committee that is more critical of the deal.
New: EU regulator body the EDPB adopted the 3 decisions targeting Facebook, WhatsApp and Instagram Monday, three people close to the cases tell me. That gives Ireland a month to finalise the penalties. Details under wraps until then.
🗓️ Ruling in Facebook v Belgian data regulator due June 15. A reminder that the case will determine to what extent regulators can sue companies that aren't under their jurisdiction.
The decisions rebuke Meta’s claim that it could hoover up users’ data as part of a contract to provide them with personalized adverts, and leave the tech giant scratching around for another legal route to target people with advertising.
EU Data Protection Supervisor orders Europol to delete data on people with no link to crime.
Order comes after Europol warned by the watchdog in 2020 that it was likely flouting privacy rules.
Scoop: The United Kingdom is expected to announce a new agreement with the United States on opening up transatlantic data flows this week, according to three people with knowledge of the plans.
w/ @markscott82
Leak: The EU's proposal to force tech platforms to detect, report and remove child sexual abuse material online (for pros), ahead of the European Commission unveiling tomorrow.
🇧🇪 approves the first GDPR code of conduct spanning the entire cloud industry. But can a body backed by the likes of Google, IBM and Microsoft really monitor compliance with Europe's data protection code? 👇🏽 (brought to you via the POLITICO Pro Morning Tech newsletter)
It seems 🇬🇧 data protection standards have got the 👍🏽 (overall) from 🇪🇺 data regulators. "The UK data protection framework is largely based on the EU data protection framework. Therefore ... the EDPB identified many aspects to be essentially equivalent."
France's Google Analytics decision shows that Europe's privacy watchdogs are actually beginning to enforce the bloc's strict data transfer requirements.
That's giving companies the jitters.
Story w/ @LauKaya
Facebook facing up to 36 million euro fine in draft decision following complaint by Max Schrems & co. Decision not final, needs to be reviewed by other regulators.
New: Europe’s network of data watchdogs has urged the European Commission to harmonize procedural rules across the EU to help unleash GDPR enforcement against the likes of Meta and Google, according to a letter seen by POLITICO. 🧵
EU's top court confirms — yet again — that countries aren't allowed to force companies to hang on to data in bulk and allow access by the authorities to fight crime.
@EUCourtPress must have a template, fill-in-the-blanks ruling on this by now.
#ECJ: #EUlaw precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime #PersonalData 👉
🗓️ Irish High Court ruling on Facebook's judicial review of the Irish DPC's preliminary decision to halt its data transfers to the US due Friday at 3 PM.