In the ever-evolving landscape of privacy, the recent case of SCHUFA’s GDPR violations in Germany has brought to light the critical importance of understanding and exercising our data protection rights. As individuals navigate the complexities of personal data misuse, it’s become more crucial than ever to know how to effectively report such infringements. This guide is tailored to provide you with the essential information and direct links to make reporting GDPR violations in Germany not just possible, but straightforward and effective.

Understanding the Need for Regional Reporting

Germany’s federal structure means that each state has its own Data Protection Authority (DPA). These bodies are responsible for ensuring GDPR compliance and handling privacy complaints within their jurisdiction. This decentralized approach ensures that privacy concerns are addressed with a nuanced understanding of regional specifics. However, it can be challenging for individuals to navigate the different websites and forms needed to report a violation.

Common GDPR Violations: From Cookie Banners to SCHUFA

A frequent issue faced by web users in Germany is encountering non-functional cookie banners. These banners, which are supposed to offer a choice regarding data tracking, often do not work as intended, leading to unauthorized data collection. Another significant concern revolves around SCHUFA, Germany’s credit agency, where individuals face issues related to incorrect data storage or usage. Both scenarios represent potential GDPR violations, emphasizing the need for an accessible reporting mechanism.

Streamlining the Reporting Process

To make reporting simpler and more accessible, we’ve compiled a list of the data protection supervisory authorities for each federal state in Germany. If you believe your privacy rights under the GDPR have been violated, refer to the relevant authority based on your location or the location of the entity you are reporting.

List of Official Links for Authorities in Each Federal State:

• Baden-Württemberg: The state commissioner for data protection and freedom of information for Baden-Württemberg

• Bavaria (Public Sector): The Bavarian State Commissioner for Data Protection

• Bavaria (Private Area): Bavarian State Office for Data Protection Supervision

• Berlin: Berlin Commissioner for Data Protection and Freedom of Information

• Brandenburg: The state commissioner for data protection and the right to inspect files in Brandenburg

• Bremen: The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen

• Hamburg: The Hamburg Commissioner for Data Protection and Freedom of Information

• Hesse: The Hessian data protection officer

• Mecklenburg-Western Pomerania: The State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania

• Lower Saxony: The State Commissioner for Data Protection for Lower Saxony

• North Rhine-Westphalia: State Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia

• Rhineland-Palatinate: The state representative for data protection and freedom of information for Rhineland-Palatinate

• Saarland: Independent Data Protection Center Saarland – State Commissioner for Data Protection and Freedom of Information

• Saxony: Saxon data protection officer

• Saxony-Anhalt: State Commissioner for Data Protection for Saxony-Anhalt

• Schleswig-Holstein: Independent State Center for Data Protection Schleswig-Holstein

• Thuringia: Thuringia State Commissioner for Data Protection and Freedom of Information

Remember, protecting your data privacy is a right, not a privilege. By understanding the channels available for reporting GDPR violations, you empower yourself to take action against privacy breaches.

The post How to Report a Privacy or GDPR Violation in Germany: Useful Links and Guide appeared first on Ubiscore.

The demand for online privacy is rising. Let’s look at recent example from last year: In the April 2021 iOS 14.5 update, iPhone users were given the option whether to be tracked across apps. A whopping 96% of people chose NOT to be tracked, indicating how important privacy is to people. 

Not that this craving for privacy is new, however. Even very early on in the Internet revolution, consumers took free products at face value, and didn’t yet realize that “if you’re not paying for the product, you are the product”.   

But with the movement of all communications online during the COVID-19 pandemic, people are starting to expect much more out of the companies they share their data with. With so many leery of sharing their personal info online, having independent proof of how much you care about consumer privacy is a huge business advantage. 

In this article, we’ll look 5 ways our Ubiscore badge can help you gain confidence from your customers and partners. This badge is something we award for organizations that have achieved a privacy score exceeding 650 using Ubiscore, because the fact that they’re using Ubiscore proves they’re working on and committed to safeguarding customer privacy. 

Having our Ubiscore badge creates a competitive advantage because it positions Privacy as a Trust metric:

1) It improves your ROI: According to a 2023 Cisco report, for every dollar companies invest in privacy, they experiencing a strong 1.8 times ROI. Privacy ROI is real, and with the ongoing threat of data breaches and misuse by both authorized/unauthorized users, people don’t want to take chances anymore. They only want to work with companies they can trust. Plus, the more sales you get, the bigger you grow, meaning more social proof and brand trust for your company. 

2) It reduces Customer Churn: Since our badge shows that you prioritize data privacy, it’s one of the fastest ways to drive customer loyalty and retention. Treating a customer’s data with respect for their privacy will lead to happy, satisfied customers that keep coming back for more. 

3) It’s evidence you’re compliant: Organizations that fail to comply with data protection regulations can be subject to fines, lawsuits, and potential director liabilities. Whereas when you use Ubiscore and achieve the Ubiscore badge, it means you’re implementing the best practices for data protection, and risks associated with data breaches are dramatically reduced, keeping you in a much better position than competitors who don’t use Ubiscore.  

4) It helps you operate better: Once you get an Ubiscore badge and know the mitigation strategies needed to improve your privacy score, you’ll receive significant benefits beyond compliance, including better agility, optimized data, and improved attractiveness to investors. 

5) It establishes you as a consumer-focused thought leader: When you educate others on their rights to privacy, you can build an authoritative voice in your industry. Be one of the first to get a privacy badge in your industry, and you’ll stand out as a thought leader devoted to protecting privacy. Being a thought-leader in this area can open doors for your business that never existed before, including new opportunities to which you would otherwise not be privy. 

Our Ubiscore badge is there to add some sense of security, credibility, and call attention to your brand’s dedication to privacy. It’s a small but significant visual reminder that will convince customers your business is reliable and trustworthy, and that you keep customer info safe. 

Most consumers will not want to deal with a company known to lack adequate data protection, and since data breaches are at an all-time high these days, providing data protections is not just a nice thing to do–it’s a crucial thing to do. Taking a privacy-first approach with your prospects and clients pays off, and if you don’t take privacy seriously, customers will look elsewhere.  

To get your very own privacy badge today and start showing (not just telling) customers how much you care about their privacy, just sign up for our platform today!  

Here’s to building a trustworthy brand that will last for years to come! 

The post How the Ubiscore Privacy Badge Can Help Your Business appeared first on Ubiscore.

In early June, Microsoft shared details of an incoming GDPR fine from the Irish Data Protection Commission (DPC) for which the company has put aside $425 million (around €390 million).

Microsoft is the largest software company in the world, with its products used on practically every desktop computer and nearly a billion users of its business-focused social network, LinkedIn.

This draft fine would be Microsoft’s first under the GDPR. But the company has dealt with data protection and privacy enforcement before—and so have several organisations that used Microsoft products.

The Draft LinkedIn Fine

Data protection observers were taken by surprise when Microsoft quietly announced a fine of nearly half a billion dollars on the “investor relations” page of its website on 1 June.

The tech giant’s message to investors was the first hint of an investigation that has apparently been underway for over five years. But the statement revealed little about the fine—except that it relates to ad-targeting on LinkedIn and is at the “preliminary draft” phase.

Microsoft acquired LinkedIn in 2016. The social network’s privacy notice appears not to fully disclose how it justifies processing data for ad-targeting purposes.

Yet advertising makes up a significant portion of LinkedIn’s revenues, declared as $13.8 billion (around €12.64 billion) in 2022.

The Irish DPC’s draft fine would constitute around 3% of that figure—a high proportion, given the GDPR’s 4% fine ceiling for the most serious violations.

But LinkedIn’s parent company has a far higher turnover. If—as is likely—the $425 million fine was calculated as a proportion of Microsoft’s revenues, it would amount to 1.1% of the company’s $116.8 billion (around €106.5 billion) 2022 global revenues.

Microsoft denies any wrongdoing and claims that the Irish DPC’s allegations are wrong both on the law and on the facts. But even if the DPC proceeds with the decision, the process of recovering any penalty could take several more years.

The Luck of the Irish (Subsidiaries)

Like practically every “big tech” corporation, Microsoft has chosen Ireland as its “main establishment” in the EU.

This means the Irish DPC is responsible for regulating Microsoft’s GDPR compliance—along with Apple, Google, Meta, TikTok, Twitter, and other data-hungry enterprises.

(Amazon is the notable exception—the company runs its European operations from a subsidiary based in Luxembourg, whose data protection regulator handed the company a €746 million GDPR fine in 2021).

As such, it’s perhaps unsurprising that Microsoft has yet to feel the brunt of GDPR enforcement. The Irish DPC has faced criticism from many quarters for its alleged lack of action on data protection.

The Irish Council of Civil Liberties (ICCL) recently accused the DPC of creating a GDPR “crisis”—and even the head of Germany’s federal data protection authority once criticised the DPC’s “extremely slow case handling”.

Ireland has issued many of the largest GDPR fines of all time—including its recent €1.2 billion penalty against Meta. 

But in almost every major case, the DPC has been initially reluctant to impose harsh sanctions, and fellow members of the European Data Protection Board (EDPB) have forced the Irish regulator’s hand.

(And despite consistently denying any tension between Ireland and other EDPB members, the DPC is taking the EU body to court after the EDPB ordered the DPC to carry out a “problematic” investigation into Meta’s data processing activities earlier this year).

Xbox COPPA Concerns

Microsoft’s privacy practices have also recently come under scrutiny across the Atlantic.

The US Federal Trade Commission (FTC) announced a proposed privacy order against Microsoft in early June—just a few days after the company told investors about its incoming GDPR fine.

The FTC’s order relates to Microsoft allegedly violating the federal Children’s Online Privacy Protection Act (COPPA) via its Xbox Live gaming product.

COPPA was enacted in 1998 and requires certain companies to notify and request consent from parents before collecting personal information from children under 13. The law was updated in 2011 with new data retention and erasure rules. 

When people sign up for Xbox Live, Microsoft asks them for certain personal information, including their age. If the user says they’re under 13, Microsoft will suspend the account creation process while the child asks a parent or guardian to provide consent.

But the FTC alleged that between 2015 and 2020, Microsoft had been retaining children’s data—”sometimes for years”—even after no parent had consented.

The FTC found that this violated COPPA’s requirement to store children’s data for no longer than necessary for a specific purpose. Microsoft also allegedly failed to notify parents of all the types of personal information it collects, such as children’s profile pictures.

The US regulator’s order against Microsoft comes with a small penalty ($20 million, or around €18.2 million)—and requires the company to adopt new data deletion processes, notify video game companies if a user is under 13, and obtain parental consent for existing child users.

Bing’s Cookie Compliance

While the Irish DPC’s draft LinkedIn fine would be the first that Microsoft has received under the GDPR, the company did get a €60 million privacy-related penalty in late 2022 from the French data protection authority, known as the “CNIL”.

The CNIL is arguably the EU’s most active regulator when it comes to cookie and online advertising violations. In mid-June, the CNIL imposed the largest GDPR fine ever issued against a non-US company—€40 million against adtech firm Criteo.

Microsoft’s alleged violations related to its search engine, Bing, and were pursued by the CNIL under France’s implementation of another EU law, the ePrivacy Directive.

The CNIL took issue with how Microsoft was tracking people via Bing. The website reportedly set two “non-essential” cookies—used for purposes including advertising and fraud prevention—without obtaining people’s consent.

The ePrivacy Directive comes with smaller fines than the GDPR. But because France empowered the CNIL to issue GDPR-level penalties for ePrivacy violations, so French cookie fines often reach tens of millions of euros.

And unlike the GDPR, which requires regulators to forward some data protection complaints to a company’s “lead supervisory authority” (Ireland, in Microsoft’s case), any EU data protection authority can enforce the ePrivacy Directive.

As such, many of Europe’s largest internet-related fines—including against Ireland-based companies like Google, Meta, and Apple—have been imposed by the CNIL under its implementation of the ePrivacy Directive rather than the GDPR.

Microsoft as a Service Provider

We’ve looked at three data protection and privacy cases pursued directly against Microsoft. This is a relatively small number, given the omnipresence of Microsoft’s properties and the quantity of data the company processes.

But despite this somewhat spotty enforcement against Microsoft itself, the company’s name frequently arises during GDPR investigations concerning other organisations.

In 2019, for example, a regulator in Germany banned the use of Microsoft’s Office 365 product by schools over concerns about students’ data being accessible to the US government.

And this May, the Finnish data protection authority sanctioned a school district for using Office 365, finding that the product exposed students’ personal data to an excessive number of people by default.

Microsoft is also mentioned repeatedly throughout investigations by the European Data Protection Supervisor (EDPS) and the EDPB into the use of cloud services by EU institutions and public sector bodies.

The message from such cases is clear. 

Companies using Microsoft’s products may be liable any data protection infringements that occur when this software shares data with Microsoft.

Microsoft collects large amounts of personal data—sometimes for its own purposes—and often stores that data in the US. 

So despite the tech giant’s ubiquity, European companies should think carefully before using Microsoft as a service provider.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post Microsoft and Privacy Enforcement: Has the Tech Giant Got Off Light? appeared first on Ubiscore.

Ten years ago, Edward Snowden leaked thousands of classified documents and revealed the extent of surveillance by US intelligence services.  

Among many other serious consequences, the Snowden revelations triggered a series of European court cases that invalidated two international agreements—and seriously undermined the ability of US tech firms to operate in the EU. 

The Snowden Story 

Snowden worked for the CIA between 2006 and 2009, including in a post maintaining network security under diplomatic cover in Geneva. In 2009, he took on a job as an NSA contractor with Dell at the NSA’s offices in a Japanese US airbase. 

Dell relocated Snowden to Hawaii in 2012, where he worked in the recently-opened Hawaii Cryptologic Center. 

Source: https://web.archive.org/web/20150918033924/https://www.nsa.gov/public_info/press_room/2012/a4_hawaii_final.shtml 

Snowden has described his growing disillusionment with US foreign policy while working for the intelligence services, where he learned of practices such as blackmail, assassination, and—most notably—mass surveillance. 

In one of many examples, Snowden learned that the NSA was tracking the pornography-viewing habits of suspected jihadists—with the intention to publicise the information and cause the “degradation or loss of (their) authority.” 

Source: https://www.huffingtonpost.co.uk/entry/nsa-porn-muslims_n_4346128#slide=3074349 

Snowden also observed how the NSA routinely shared private data with authorities in Israel and other states. 

Such information allegedly included transcripts of phone calls between Palestinian Americans and their relatives in Palestine, which could later be used by the Israeli military to target suspected insurgents.  

Snowden claimed that despite a legal obligation to minimise any intrusion on US residents’ privacy, the NSA made little or no effort to disguise people’s identities when sharing data with foreign governments. 

2013 Snowden Leaks 

Snowden claimed he “had access to everything” while working in Hawaii. He also felt that the NSA had not anticipated that a rogue agent could blow the whistle on the agency’s practices. 

After taking a job with another NSA contractor, digital consultancy Booz Allen, Snowden’s access levels—and disillusionment—increased further still. 

At Booz Allen, Snowden learned of an NSA project known as “MonsterMind” that would detect malware targeting US infrastructure—and which, he believed, could automatically retaliate against the sender. 

For Snowden, the automated nature of this process represented a considerable risk, as cyberattacks are often routed through innocent third countries. 

After learning of MonsterMind and other NSA projects, Snowden felt the world needed to know the extent of US surveillance practices. He downloaded thousands of classified documents onto portable storage devices and flew to Hong Kong to leak them to journalists. 

What Did Snowden Reveal? 

The Snowden leaks revealed secret surveillance programmes operated by intelligence services such as the NSA and its UK counterpart, Government Communications Headquarters (GCHQ). 

Snowden also showed how US national security laws were being applied in practice. From the European perspective, the main relevant US laws include the following: 

• Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”): The primary law covering how intelligence services gather foreign intelligence data on US soil. 
• Executive Order 12333 (“EO 12333”), which strengthened the surveillance powers of intelligence services—including with regard to foreign surveillance. The order has been amended several times by various US presidents. 

 For non-Americans, Snowden’s two most important disclosures related to the NSA’s “PRISM” and “Upstream”, surveillance programmes. 

PRISM 

The PRISM programme involves the collection of data stored by private companies, including:  

• Google 
• Meta (then “Facebook) 
• Microsoft 
• Yahoo 
• Apple 
• AOL 

The PRISM revelations also shed light on how US intelligence services interpreted their legal powers. The evidence suggested that safeguards against excessive surveillance were weak, underused, and sometimes ignored. 

Upstream 

The Upstream programme involves the direct collection of data “in transit” with the cooperation of telecommunications companies. 

Data collected via Upstream is intercepted as it passes through fiber optic cables. In one of Snowden’s leaked slides, the NSA referred to a “unique aspect” of Upstream as being “access to a massive amount of data.” 

Snowden and the Schrems Cases 

In 2013, after learning of the intrusive nature of US surveillance activities, Austrian privacy activist Max Schrems launched a legal challenge against Facebook (and, initially, Apple). 

Schrems argued that, by transferring his personal data from its Irish subsidiary to its US parent company, Facebook was putting him at risk of surveillance via the PRISM programme. 

Schrems’ case was rejected by the Irish Data Protection Commission (DPC).  

“There is an agreement at European level that there’s free movement of personal data between the EU and the US,” said then-Commissioner Billy Hawkes in response to Schrems’ complaint. 

Hawkes referred to the EU-US “Safe Harbor Privacy Principles”, a certification scheme adopted as an “adequacy decision” by the European Commission in 2000.  

EU data protection law normally requires organisations to implement controls before transferring personal data outside of the European Economic Area (EEA). But such transfers are considered lawful by default if covered by an adequacy decision such as Safe Harbor. 

US businesses self-certifying under Safe Harbor were contractually obliged to protect imported EU personal data to a high standard. But Schrems argued that a contractual agreement did not prevent the US intelligence services from accessing his personal data. 

However, the Irish DPC felt it could not address the Safe Harbor decision and rejected Schrems’ arguments. 

“I am bound by that decision and that is why there is nothing to investigate by me in this case,” Commissioner Hawkes said. 

Snowden and the Irish High Court 

Schrems appealed the Irish DPC’s decision to the Irish High Court. The opening paragraphs of the High Court’s 2013 judgment described the Snowden revelations as the “backdrop” of the case. 

“While it is true that the Snowden disclosures caused—and are still causing—a sensation, only the naïve or the credulous could really have been greatly surprised,” the judge stated. 

But while the Snowden leaks might not have revealed much about the nature of US surveillance, the Irish High Court found that Snowden had shed light on the extent of such practices. 

“…the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes… 

“I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data.” 

As such, the Irish court found that the Court of Justice of the European Union (CJEU) should review the Safe Harbor decision to ensure that it did not violate the fundamental rights of people in the EU. 

Snowden and the CJEU 

In the decision now known as “Schrems I”, the CJEU also referenced the Snowden revelations. 

The court cited Snowden as one of Schrems’ motivations for bringing the case and referenced the Irish High Court’s position that Snowden had revealed the “significant overreach” of the NSA. 

The CJEU made two main findings in Schrems I. 

First, it addressed the Irish DPC’s assertion that national data protection authorities (DPAs) have no power to assess adequacy decisions adopted by the European Commission (in this case, “Safe Harbor”). 

The CJEU disagreed, stating that DPAs were entitled to address any complaint by an individual who felt their rights had been violated by an adequacy decision. 

Second, the CJEU took on the task of assessing Safe Harbor itself. The court agreed with Schrems that the decision did not effectively protect the personal data imported from the EU by US companies. 

As such, the CJEU tore up a 16-year-old international agreement between the EU and the US that had been used to facilitate billions of data transfers.  

The decision caused thousands of companies to turn to other legal mechanisms in order to continue their transatlantic business operations. 

Schrems II 

Following the Schrems I judgment, Brussels and Washington negotiated a successor to Safe Harbor known as “Privacy Shield.” Schrems challenged Privacy Shield on similar grounds to Safe Harbor.  

In the landmark “Schrems II” case that followed, the CJEU found Privacy Shield inadequate for many of the same reasons as its predecessor. 

The court held that the framework enabled US intelligence services to indiscriminately surveil people in the EU. And if a European’s data was accessed by the NSA, America’s weak legal protections left the individual with no meaningful way to challenge any violation of their rights. 

Furthermore, the CJEU found similar issues with other legal mechanisms designed to facilitate international data transfers, such as the “standard contractual clauses” (SCCs) that can be inserted into agreements between EU data exporters and non-EU importers. 

The court noted that laws such as FISA 702 and EO 12333 grant US intelligence services broad powers to conduct surveillance on non-Americans—and a US company’s contractual obligation to keep EU data secure does not affect these powers. 

The Post-Schrems II Data Protection Landscape 

With Privacy Shield invalidated and SCCs inadequate for most transfers, US companies have struggled to find lawful ways to continue operations in the EU. 

But perhaps unsurprisingly, data transfers to the US have largely continued—even where they are likely illegal. 

Recommendations from the European Data Protection Board (EDPB) suggest that most data transfers from the EU to the US are unlawful following Schrems II—even where it is highly unlikely that intelligence services would attempt to access exported data. 

But besides this non-binding guidance, DPAs have taken a piecemeal enforcement approach, addressing data transfers across scores of individual investigations into the use of tools like Google Analytics and the Meta Pixel—but not banning such products outright. 

However, the Schrems II decision finally hit Meta in May 2023, when the Irish DPC reluctantly imposed a €1.2 billion fine on the company—and ordered Meta to stop transferring EEA Facebook users’ data to the US within five months. 

The DPC also directed Meta to stop unlawfully storing Facebook data in the US—an order that, if followed, could result in the permanent deletion of every EEA-based Facebook user’s posts, photos, messages, and account data before the end of the year. 

Ten Years On from the Snowden Leaks 

After blowing the whistle on the NSA in 2013, Snowden fled to Russia, where he was granted citizenship in 2022.  

Snowden’s decision to seek sanctuary in Moscow has been controversial. Some otherwise sympathetic commentators have criticised Snowden’s alleged lack of vocal opposition to Putin’s policies, including regarding the invasion of Ukraine. 

In a Guardian interview in early June, Snowden said he had “no regrets” about his whistleblowing but that technical advancements in the past decade made 2013 surveillance methods look like “child’s play.” 

After Snowden revealed US tech firms’ cosy relationship with the intelligence services, many companies rushed to adopt new privacy measures such as end-to-end encryption. 

But these technical measures have not prevented big tech from being caught in the middle of the ensuing decade-long privacy dispute between the EU and the US. 

Following the invalidation of Safe Harbor and Privacy Shield, a new data transfer scheme, the “EU-US Data Privacy Framework” (EU-US DPF), should soon be in place—and could save Meta from the Irish DPC’s orders to stop its US data transfers. 

But the draft EU-US DPF decision has been criticised by the EDPB and the European Parliament, with both bodies expressing continued concern that the framework will violate EU data protection and privacy rights. 

The EU’s digital market remains saturated with US tech firms. European public bodies, businesses, and individuals in the EU use US digital products every day—largely oblivious to the fact that using such products likely violates EU law.  

Nowadays, Edward Snowden is seldom mentioned in the context of EU-US data transfers. But his revelations led to a decade of uncertainty around how US companies can continue operating in the EU. 

Max Schrems has made clear his intention to challenge the EU-US DPF on similar grounds as its predecessors, Safe Harbor and Privacy Shield.  

As such, Snowden’s leaks might continue to disrupt transatlantic data transfers for many years to come. 

If you’re curious about how your organization stacks up against industry benchmarks for privacy, test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post How the Snowden Leaks Triggered a Decade-Long EU-US ‘Data Protection Diplomacy’ Crisis appeared first on Ubiscore.

Meta has received the largest GDPR fine to date: €1.2 billion. But the company is also subject to two orders: To stop unlawfully transferring personal data from the EU to the US and to stop unlawfully storing EU personal data in the US. 

 The 216-page Meta decision comes from the Irish Data Protection Commission (DPC)—but only after fellow regulators at the European Data Protection Board (EDPB) forced Ireland to impose harsher sanctions than planned. 

 This article will unpack this complicated and long-running decision and consider whether Meta can meet the terms of the order without pulling out of the EU altogether. 

The Background 

 This decision comes with a lot of baggage. 

A good place to start is in 2013 when Edward Snowden revealed the full extent of US intelligence services’ surveillance operations. 

This prompted privacy campaigner Max Schrems to complain to the Irish DPC about how Facebook transferred his personal data from the EU to the US. 

Schrems I and II 

Schrems’ complaint ended up as a 2015 court case known as “Schrems I”.  

In this case, the Court of Justice of the European Union (CJEU) assessed a certification framework called “Safe Harbor”, which many companies used to transfer personal data from the EU to the US. 

Safe Harbor was implemented via an “adequacy decision”—an EU legal instrument that greenlights data transfers to a given country. It’s possible to make a data transfer to a “non-adequate” country, but you must normally have another safeguard in place. 

The CJEU found that Safe Harbor was illegal as it did not protect personal data from US intelligence services.  

So the EU and the US negotiated a new framework to replace Safe Harbor, called “Privacy Shield”. 

Schrems took Facebook to court again. In the resulting July 2020 case known as “Schrems II”, the CJEU examined Privacy Shield. Again, the court found that the framework was illegal as it did not protect personal data from US intelligence services. 

The EU and the US are working on a third framework, known as the “EU-US Data Privacy Framework” (EU-US DPF). We’ll return to this later. 

But it turns out Facebook was not exclusively relying on Privacy Shield. The company used another transfer safeguard known as “standard contractual clauses” (SCCs). 

The CJEU did not say the SCCs were illegal. But the court did say that SCCs were not always enough to protect personal data from US intelligence services.  

As such, following Schrems II, any company using SCCs must ensure they are effective. If not, the company must put other “supplementary measures” in place to make sure governments cannot access the personal data being transferred. 

If this isn’t possible, the transfer can’t proceed. 

The Decision 

After Schrems II, the CJEU returned Schrems’ case to the Irish courts, which asked the Irish DPC to implement the decision against Meta. 

After several years of debate with the EDPB, the Irish DPC has finally adopted one of the most important (if predictable) GDPR decisions yet. 

The Finding 

Despite the CJEU’s judgment in Schrems II, Facebook (now Meta) continued using SCCs to transfer personal data from the EU to the US. 

And according to the Irish DPC, Meta did not implement any “supplementary measures” to prevent the US government from accessing EU personal data. 

This means all the personal data Meta transferred to the US since July 2020 was transferred illegally. 

As such, the DPC found that Meta had violated Article 46(1) of the GDPR, which states that: 

 “…a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” 

The Orders 

Having found that Meta violated the GDPR, the Irish DPC issued three “corrective measures”. Meta must: 

1. Stop illegally transferring personal data to the US within five months. 

1. Stop illegally processing the personal data it transferred to the US since July 2020, within six months. 

1. Pay a €1.2 billion fine. 

 Let’s look at how Meta might deal with each of these three orders. 

The Transfer ‘Suspension Order’ 

Meta has to stop unlawfully transferring EU Facebook users’ data to the US within six months. How will it do this? 

While it seems clear that Meta didn’t comply with the international data transfer rules, it’s not obvious how the company could have done so while still maintaining EU-based users. 

There are ways to keep transferred personal data secure from government access. For example, if Meta had encrypted the personal data and did not have access to the key required to decrypt the data, the data would be considered safe, and the transfer would be legal. 

But there’s not much Meta can do with encrypted data. A platform like Facebook requires the operator to have access to unencrypted data. 

So what’s next? Meta has data centres in the EU and can afford to buy more if required. Can the company simply keep EU users’ personal data exclusively in European data centres? 

There are two main reasons this might not work. 

Legal Issues 

US national security law gives the country’s intelligence services very broad powers to access personal data held by US companies. 

In a 2015 case known as Microsoft v United States, the US government had requested that Microsoft hand over data stored in Ireland by Microsoft’s Irish subsidiary. 

Microsoft refused, arguing that the law did not require the company to provide access to data stored outside the US. The case ended up at the US Supreme Court. 

But before the Supreme Court decided the case, the US government changed the law by passing the CLOUD Act. The CLOUD Act clarifies that US companies still need to hand over data stored overseas. 

In the end, the government issued a new order under Microsoft under the CLOUD Act, and Microsoft dropped the case. 

This suggests Meta’s problems might not be solved solely by housing EU users’ data in Europe. Every time the US government requested access to users’ data (which happens a lot), Meta might need to violate EU law to comply with US law. 

Technical Issues 

It’s possible to run an EU-only social network that does not transfer personal data out of Europe. But Facebook is a global operation, and many EU users enjoy interacting with people in the US and elsewhere. 

Would it be possible for an EU user to join a Facebook group with US users or buy a product from a US-based Facebook vendor without a “data transfer” occurring? 

A data transfer requires at least two organisations. One transfers the data to another. A business—even a business based in the US—that collects personal data directly from an individual is not engaged in a “data transfer”. 

The transfers at issue in this case were from Meta Platforms Ireland to Meta Platforms Inc. (the company’s US entity). 

If Meta Platforms Ireland administered all data about EU Facebook users, including interactions with non-EU users, it might be technically feasible to run Facebook without transferring any EU users’ data. 

But there’s a complication here, too. 

In another CJEU case known as “Fashion ID”, the court found that businesses running Facebook pages are “controllers” under the GDPR and are jointly responsible for GDPR compliance with Facebook. 

As such, a “transfer” could occur any time an EU user interacts with a non-EU company’s Facebook page—even if the user’s personal data is stored in Europe and managed by Meta Platforms Ireland. 

The ‘Stop Processing’ Order 

In addition to stopping its data transfers, Meta must stop processing the personal data it has illegally transferred since July 2020. 

The order specifies that “processing” includes “storing”. There is some discussion in the EDPB’s binding decision about the implications of this order. 

Meta has not indicated how much data was subject to illegal transfers. However, it is established that the case involved the “bulk, repetitive and ongoing” transfer of millions of users’ data. 

There are only two clear options for Meta to stop storing personal data in the US: “return” the data or delete it. 

It’s not entirely clear what “returning” the personal data would look like, but the obvious interpretation would be to ensure all EU users’ personal data is stored in EU-based data centres by Meta Platforms Ireland. We looked at some potential issues with this solution above. 

Meta’s allegedly chaotic approach to data governance might prevent the company from properly distinguishing EU users’ data. Furthermore, a strict delineation between EU and non-EU user data might be altogether impossible, given the GDPR’s broad definition of “personal data”. 

That would leave Meta with one option: Delete all EU Facebook data transferred since July 2020. 

If this is possible, it might require the erasure of all EU users’ posts, messages, photos, account details—any sign that an EU user had used the platform after July 2020 would need to be scrubbed. 

The Fine 

The Irish DPC initially proposed that no fine should be issued against Meta. After the EDPB dispute resolution process, the company was handed by far the largest penalty in GDPR history—€1.2 billion. 

While this large penalty has made headlines, and Meta intends to appeal it, the fine is less consequential than the “transfer suspension” and “stop processing” orders explored above. 

€1.2 billion is just over 1% of Meta’s €116.6 billion turnover for the relevant period—even combined with the other roughly €1.3 billion in GDPR fines that the company has received over the past two years. 

Meta’s poor track record with GDPR compliance has cost the company a lot, but the savings and earnings achieved by flouting the law likely outstrip the fines—for now. 

What Happens Next? 

As noted, Meta is no stranger to privacy and data protection issues. But it’s important to note that Meta is far from the only business implicated by the DPC’s decision. 

US-based service providers dominate the internet. Each is subject to the same laws as Meta, and each faces the same technical challenges in safeguarding personal data from the US authorities. 

But it’s the EU companies using such services that are normally liable under the GDPR, as we know from the multiple cases against European websites running Google Analytics. 

A solution might be around the corner if the EU adopts the EU-US Data Privacy Framework (EU-US DPF). This scheme would replace the earlier “Safe Harbor” and “Privacy Shield” frameworks and could be relied upon by Meta (and others) to make its data transfers lawful. 

But the EU-US DPF might only provide temporary relief. Some EU bodies have indicated that they are not happy with the framework. And Max Schrems has indicated that he intends to challenge the new framework at CJEU.  

Based on Schrems’ past performance in defeating transatlantic data transfer frameworks, his case against the EU-US DPF is likely to win. This would leave Meta back where it started—together with all other US businesses and their EU clients. 

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post Can Meta Survive Its €1.2 Billion GDPR Fine? appeared first on Ubiscore.

The European Data Protection Board (EDPB) has published a report on the work of its 101 Task Force. The report provides insights into how European data protection authorities (DPAs) are approaching complaints about one of the GDPR’s toughest problems: international data transfers.

This article will explain the background of the EDPB’s 101 Task Force and draw out four key lessons from the report—to help you understand why using certain US-based software products could be illegal under the GDPR.

What Is the 101 Task Force?

The EDPB’s 101 Task Force was established to deal with 101 complaints submitted in several EU countries by the privacy campaign group noyb (“None of Your Business”).

The complaints came shortly after noyb’s founder, Austrian activist Max Schrems, won a Court of Justice of the European Union (CJEU) case against Facebook (now Meta).

The case, now known as “Schrems II”, concerned the GDPR’s rules on international data transfers—sharing personal data with organisations based outside of the European Economic Area (EEA).

Under the GDPR, international data transfers must be covered by a “transfer safeguard”. In Schrems II, the CJEU overturned an international data transfer scheme called Privacy Shield, used by thousands of US-based businesses to safeguard data transfers from the EEA.

Standard Contractual Clauses (SCCs)

As well as invalidating Privacy Shield, the CJEU questioned the validity of another commonly-used transfer mechanism known as “standard contractual clauses” (SCCs). 

SCCs are provisions that can be entered into an agreement between a “data importer” (based in a “third country”, such as the US) and a “data exporter” (based in the EEA), binding the data importer to uphold a strong standard of data protection.

The CJEU noted that SCCs alone do not prevent foreign intelligence services—specifically those in the US—from accessing personal data. 

The court found that EEA-based data exporters must also implement technical measures to effectively eliminate the risk of unauthorised access to personal data.

Google and Meta

Noyb’s 101 complaints each concerned EEA-based companies using two popular online tracking tools: Google Analytics and the Meta Pixel (previously the “Facebook Pixel”).

The group alleged that companies using these tools were breaking the law because they had not implemented safeguards that would prevent access to personal data by US intelligence services.

However, note that Google Analytics and the Meta Pixel are not unique in the way that they transfer personal data to US-based companies. The lessons from the 101 Task Force’s report could apply to many other software tools.

Four Lessons from the 101 Task Force Report

By now, you should understand the background and the meaning of important terms such as “SCCs” and “international data transfer”. So let’s look at four lessons on data transfers from the 101 Task Force report.

1. Data transfers aren’t the only consideration when using Google and Meta’s tools

From the outset, the EDPB notes that data transfers are just one consideration for EEA-based companies wishing to use Google Analytics or the Meta Pixel.

“…if a certain tool is being used for collection of personal data on a website without a legal basis within the meaning of Article 6(1) GDPR, the data processing is unlawful, even if there were no issues with the requirements of Chapter V GDPR.”

Article 6(1) of the GDPR requires that all processing of personal data is “lawful, fair, and transparent”. Chapter V of the GDPR covers the rules on international data transfers.

While the 101 Task Force focuses exclusively on data transfers, it’s important to remember that there might be other legal issues with using products such as Google Analytics and the Meta Pixel.

For example, processing personal data under the GDPR requires a “legal basis”. Organisations running analytics and advertising tools that employ cookies should normally get consent, which means configuring tools so they do not activate without a website visitor’s permission.

Noyb’s 101 complaints focused on data transfers—but this is just one piece of the GDPR compliance puzzle. Google and Meta products collect a lot of personal data, and there could be broader GDPR compliance issues to consider before using these tools.

2. Encryption doesn’t always protect personal data

The 101 Task Force agreed that Google and Meta’s tools transfer personal data to the US, and don’t employ the sorts of technical safeguards that meet the GDPR’s data transfer requirements.

As noted above, SCCs can be a valid data transfer tool. But in the Schrems II decision, the CJEU found that companies using SCCs might also need to supplement the protection provided by SCCs via additional technical safeguards.

Encryption can be one such technical safeguard. But the 101 Task Force notes that encryption is not always enough. 

EEA-based companies can lawfully transfer personal data to US-based companies if the following three conditions are met:

1. SCCs are in place, and
2. The personal data is encrypted, and
3. The US-based company does not have the decryption keys.

Google Analytics and the Meta Pixel meet the first two conditions—but not the third.

Google Analytics and the Meta Pixel are used in part to analyse individuals’ behaviour on users. As such, Google and Meta need to “see” the personal data that their tools collect.

Google and Meta both state that they encrypt personal data “in transit” to the US, which should prevent any unauthorised third party from intercepting personal data. 

However, Google and Meta control the encryption keys, allowing the companies to decrypt and analyse the personal data and share the results of this analysis with website operators. The personal data is thus accessible to these companies in unencrypted form.

Due to the nature of US national security law, US intelligence services can order US companies to hand over both encrypted personal data and the encryption keys required to decrypt it. This creates an unacceptable risk of unauthorised access and renders the transfer unlawful.

3. European organisations are liable for unlawful data transfers

European companies—not Google and Meta—are accountable for any GDPR violations caused by using tools such as Google Analytics and the Meta Pixel.

Although Noyb’s 101 complaints focused on these two products, Google and Meta were not the respondents. Noyb’s complaints were directed at EEA-based websites acting as “data controllers” by implementing Google Analytics or the Meta Pixel on their websites.

Under the GDPR, a data controller “determines the purposes and means” of the processing of personal data. 

The starting point in assessing each of the 101 complaints was that a website operator using Google Analytics or the Meta Pixel is a data controller, because it:

• Decides (determines) to install the tool on its website.
• Has a reason (purpose) for using the tool (e.g. to drive sales through behavioural advertising).
• Chooses the method (means) of processing personal data (e.g. using the Meta Pixel to collect personal data about its users and display relevant ads).

Website operators using Google Analytics and Meta Pixel transfer personal data about their website visitors to US-based servers owned by Google and Meta (respectively). These website operators are responsible for implementing data transfer safeguards—not Google or Meta.

4. European regulators are taking a consistent approach

In early 2022, EU DPAs began concluding some of the 101 complaints. For example, DPAs in several countries, including Finland, Austria, France, Italy, and Denmark, have all decided complaints about companies that use Google Analytics.

In each case, the DPAs came to the same conclusion: Google Analytics, when implemented in any of the standard configurations provided by Google, cannot be used without violating the GDPR.

Each DPA made the same decision: the website operator must remove Google Analytics.

There’s a reason for this consistent approach. EEA regulators have mechanisms to help them resolve any disagreements and ensure they are applying the law consistently.

This means that all of the outstanding 101 complaints are likely to be decided in the same way—together with any further complaints that arise regarding Google Analytics, the Meta Pixel, or any other tools that transfer personal data to the US without sufficient safeguards.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post Four GDPR Data Transfer Lessons from the EDPB’s 101 Task Force Report appeared first on Ubiscore.

The EU has a suite of upcoming regulations that will impact companies operating in the digital sphere that could have an even bigger impact than the GDPR.

This article provides an overview of three important pieces of proposed EU legislation: the AI Act, the ePrivacy Regulation, and the Data Act, explaining what they are, how they compare to the GDPR, and when we can expect them to take effect.

AI Act

The AI Act (sometimes called the AI Regulation) is the EU’s approach to regulating artificial intelligence.

The AI Act has not yet been finalised, but the proposed law would:

• Define “AI” broadly in an attempt to cover all models and use cases.
• Take a risk-based approach to regulating AI according to its potential to cause harm.
• Provide new transparency obligations for most types of AI systems.
• Provide a self-certification process for developers of certain AI systems to demonstrate that their products are safe and compliant.
• Ban the use of AI in certain unacceptably risky contexts.

How Does the AI Act Compare to the GDPR?

The AI Act and the GDPR interact and diverge in some important ways.

Both the GDPR and the AI Act arise out of Article 16 of the Treaty on the Functioning of the European Union (TFEU), which allows EU institutions to make rules about protecting personal data.

The GDPR already has a significant impact on the use and development of AI systems. This is because AI systems typically use a lot of personal data—both for model-training and decision-making purposes. 

The GDPR’s rules and principles will generally continue to apply to AI systems when personal data is involved. However, unlike the GDPR, the scope of the AI Act is not limited to personal data.

The GDPR governs “automated decision-making”—but only insofar as the decision-making does not involve any human intervention and has “legal or similarly significant effects” (e.g. AI-driven loan decisions). The AI Act’s rules on decision-making are likely to be broader.

The AI Act will also likely allow new uses of “special category data” (data about, for example, people’s ethnicity, sex life, or health) for certain purposes within AI systems, such as detecting and correcting bias.

When Will the AI Act Take Effect?

Before an EU act passes, the three main EU institutions (the Commission, the Council and the Parliament) must each produce a “common position” that sets out their preferred version of the legislation.

The European Commission goes first by publishing the text of its proposed legislation. The Commission published its proposed AI Act in April 2021.

The European Council adopted its position in December 2022.

On 27 April 2023, the various political groups within the European Parliament settled on a common position, which will likely go to a final vote in May.

According to Commissioner Margrethe Vestager, this progress means that the AI Act could pass later in 2023.

ePrivacy Regulation

The ePrivacy Regulation is a long-awaited update of the ePrivacy Directive, which passed in 2002. Among other things, the law will:

• Regulate cookies, electronic marketing, and privacy in communications.
• Explicitly cover “over-the-top (OTT)” communications services like WhatsApp, Facebook Messenger and Skype.
• Clarify and amend the rules on cookie consent, including on mechanisms such as “cookie walls” and first-party analytics.
• Clarify the scope of the EU’s privacy rules so that they are in line with the data protection rules under the GDPR (i.e., the ePrivacy Regulation will explicitly apply to organisations outside the EU under certain conditions).

How Does the ePrivacy Regulation Compare to the GDPR?

Like the current ePrivacy Directive, the ePrivacy Regulation will act as “lex specialis” to the GDPR, meaning that it takes precedence over the GDPR in certain areas.

For example, as under the present rules, the ePrivacy Regulation will specify which cookies require consent, while the standard of consent will come from the GDPR.

The ePrivacy Regulation will be broader than the GDPR in some respects. 

The GDPR only applies to communication involving personal data, whereas the ePrivacy Regulation will regulate privacy across all forms of electronic communication, regardless of whether personal data is involved.

When Will the ePrivacy Regulation Take Effect?

The long wait for progress on the ePrivacy Regulation has become something of a running joke among those observing the development of EU privacy legislation.

Commission first proposed its version of the ePrivacy Regulation in 2017. The Council and Parliament have both adopted positions on the final text.

The legislation has been repeatedly delayed as EU member states debate the rules on data retention and national security. 

The Rapporteur for the ePrivacy Regulation, MEP Birgit Sippel, recently called on the Swedish Council Presidency to return to the negotiating table and help the legislation progress.

Data Act

The Data Act concerns the EU’s rules on how organisations share and use both personal and non-personal data. Among other things, the Data Act will:

• Require providers of connected devices to allow consumers to access the data produced by those devices.
• Place rules on data-sharing contracts that attempt to rebalance power towards small to medium-sized enterprises (SMEs).
• Enable public sector bodies to access data held by private sector organisations under certain conditions.
• Create a framework enabling consumers to switch between data-processing service providers.

How Does the Data Act Compare to the GDPR?

There’s a lot of overlap between the Data Act and the GDPR. 

The Data Act refers to the GDPR in several areas that concern personal data. In some of those areas, the GDPR explicitly takes precedence over the Data Act. In others, the Data Act extends GDPR-like rules to cover non-personal data.

Much like the GDPR, the Data Act imposes restrictions on the international transfer of data—except that in the case of the Data Act, the restrictions apply to non-personal data.

The Data Act also incorporates some other GDPR-style concepts, including standard contractual clauses and the principles of fairness and data minimisation.

When Will the Data Act Take Effect?

The Commission proposed its version of the Data Act last February, with the Council following this February and the Parliament in March.

There will now be a period of negotiation between the Council and the Parliament, which could take anything from a few months to several years.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post How Do the EU’s AI Act, ePrivacy Regulation, and Data Act Compare to the GDPR? appeared first on Ubiscore.

19 April, Berlin, Germany – Ubiscore, the world’s first independent privacy score platform, has announced the launch of its public Privacy database where individuals can now learn how companies protect their data.  

Ubiscore began the rollout of its Privacy database with over 5,000 German startups, and soon the platform will be available for companies in the DACH region, Italy, and other GDPR area countries. This platform introduces a new way of reviewing businesses and enables users to check how they or their competitors are handling data protection. 

The platform provides completely independent ratings for companies with high scores and low scores. This allows individuals to make informed decisions when sharing their data with businesses. 

“We’re thrilled to launch our Privacy database and provide individuals with a tool to evaluate the privacy practices of companies,” said Frank Trautwein, Founder and CEO of Ubiscore. “Our platform is designed to promote transparency and accountability in data protection, and we believe that this will encourage companies to prioritize privacy in their operations.” 

Ubiscore’s platform utilizes a unique scoring system that evaluates a company’s privacy practices based on four categories: domains, vendors, privacy, and security. This comprehensive approach ensures that companies are evaluated on their overall commitment to privacy. 

“We are proud to be the first platform to provide independent privacy scores for companies,” said Alex Di Mango, Founder and CTO at Ubiscore. “We hope that our platform will encourage businesses to adopt best practices in data protection and provide individuals with greater confidence in sharing their data.” 

Take a look at our Data base here: Explore page

About Ubiscore:  

Ubiscore was born in a world of increasing data breaches and missing transparency on how data is handled. Our platform focuses on enabling organizations worldwide make better decisions when it comes to handling their user data, while also helping them comply with privacy laws. Ubiscore is a leading provider of privacy ratings and privacy analytics for businesses. The company’s mission is to help organizations of all sizes achieve their full potential by providing them with the tools and insights they need to understand and improve their privacy practices. 

Contact us at press@ubiscore.com or visit our company website at ubiscore.com 

The post Ubiscore launches public privacy database appeared first on Ubiscore.

On 5 April 2023, Meta implemented a new process designed to let some Facebook and Instagram users opt out of receiving targeted ads. 

Meta’s opt-out process is the latest stage in a legal battle that began in 2018—on the day before the General Data Protection Regulation (GDPR) came into effect. 

But does the opt-out process comply with the GDPR’s principles of lawfulness, fairness, and transparency? Or is Meta’s opt-out form deliberately designed to dissuade people from exercising their rights? 

Meta’s ‘Legal Basis’ Battle: The Story So Far 

EU data protection law requires companies to establish one of six “legal bases” for processing personal data. The relevant legal bases for this article are known as “legitimate interests”, “contract”, and “consent”. 

Meta (which was then simply “Facebook”) previously relied on “consent” for targeting ads. Facebook and Instagram users were deemed to have consented to this activity when they signed up to use either service. 

But the GDPR tightened up the EU’s concept of “consent”, and Meta was concerned that its consent mechanism did not meet the new definition. So, on the day the GDPR took effect, Meta switched its legal basis to “contract”. 

Contract vs Consent 

Under the GDPR, data controllers such as Meta can process a person’s personal data when doing so is “necessary” for performing obligations under a contract. 

Meta argued that its terms of service constituted a contract between the company and its users—and that delivering behavioural advertising was an obligation under that contract.  

Under this interpretation, Facebook and Instagram users were not providing consent to ad-targeting—they signed up to receive targeted ads, and Meta was required to deliver them. 

But after a drawn-out legal battle with privacy campaigners and regulators, Meta was forced to reconsider. 

European data protection authorities found that using people’s personal data for ad-targeting was not “necessary” for providing Facebook and Instagram services, and so Meta had to find a new legal basis. 

Contract vs Legitimate Interests 

On 5 April, Meta changed its EU terms of service. The company now said it was relying on a different legal basis for targeting ads: “legitimate interests”. The change does not apply to UK users. 

The GDPR’s legal basis of “legitimate interests” is flexible, and can apply in many different situations. To rely on “legitimate interests”, a data controller has to show that: 

• It is pursuing a legitimate purpose (something legal, fair, and beneficial to the company or a third party). 
• Processing personal data is necessary to meet that purpose. 
• The company’s interests outweigh the interests and rights of data subjects (the people whose personal data it is processing). 

This is sometimes called the “balancing test”. The idea is that a controller can use personal data in its own interests, as long as the risks to people’s “rights and freedoms” (such as the right to privacy) are not unduly affected. 

But there’s an important difference between “contract” and “legitimate interests”: It provides people with the “right to object”. 

The Right to Object 

People have several rights under the GDPR regarding how organisations process their personal data. 

One of these rights is known as the “right to object”. Under the right to object, people can ask controllers to stop processing their personal data in a particular way. 

But, with one exception (direct marketing), the right to object is not absolute. Even if a person exercises their right to object, a company can sometimes continue to process their personal data.  

To refuse someone’s objection, a controller must show that it has a compelling legitimate grounds to continue processing the person’s data that outweigh any risks to the person’s rights. 

Nonetheless, if you’re relying on your legitimate interests to process someone’s personal data, you must give that person the opportunity to object to your processing. 

(NB: Whether Meta’s targeted ads should require an absolute right to object is currently being debated in the UK courts). 

Meta’s Opt-Out Form 

To meet its obligation under the “right to object”, Meta has implemented an opt-out form on Facebook and Instagram. 

The GDPR’s principle of “lawfulness, fairness, and transparency” requires organisations to be reasonable and clear in how they communicate with people. 

Controllers must also provide information about people’s rights in a “concise, transparent, intelligible, and easily accessible form”, using “clear and plain language”. 

Adjusting other privacy controls on Meta’s platforms is relatively easy. Users can opt out of certain third-party advertising activities simply by toggling a button in their account settings. 

Opting out of Meta’s core advertising services is much more complicated. 

Step 1: Choose the Right Option 

After a few preliminary questions about the user’s country of residence and the relevant platform (Facebook or Instagram), the form asks the user to choose one of 12 options.  

These options are all privacy-related to some extent, and include “Manage my ad preferences”, and “Edit my profile”. Selecting most of these options takes the user back to Facebook’s “Help Centre” (the start of the process). 

To opt out of ad-targeting, the user must select “I want to object to the use of my information”, which sits at the bottom of the list.  

Step 2: Read the Legalese 

Once the user has selected “I want to object to the use of my information”, Meta presents some information about the right to object. 

Using dense legal language could be seen as non-transparent and might deter people from exercising their rights. 

Because the user wants to object to Meta’s ad-targeting, the correct option is the first one:  

“You want Meta to stop conducting a specific processing activity with your information and this processing activity relies on Meta’s legitimate interests (or that of a third party) or a task carried out in the public interest…” 

The Meta also lists five other purposes for which the user cannot use the form. This arguably adds further friction to the opt-out process. 

Step 3: Provide Information Meta Already Has 

The next part of Meta’s opt-out form requests the user’s full name, email address, country of residence, and the platform to which their request relates. 

Meta requested some of this information (country of residence, platform) moments earlier in the opt-out process. Meta already holds the other information (name, email address), and arguably does need to ask for it as the user is already logged into their Facebook account. 

When a person submits a request under the GDPR, it’s important to verify their identity. However, the fact that a user is logged into a password-protected account should normally be enough to prove who they are. 

Step 4. Explain the Objection 

The next step in Meta’s opt-out process requires the user to explain why they are opting out. 

Meta asks the user to explain “how the product or service is using (the user’s) personal information” and “why (they) want to object”. 

For the average person, these are not simple questions.  

Meta processes personal data in complex, technical ways that involve drawing inferences about people’s behaviour and communications, segmenting audiences according to their perceived interests, and selling the opportunity to target them with ads. 

It’s not always obvious how such activity affects an individual user. Arguably, though, there are wider impacts to society when communications between over a billion people are commoditised in this way. 

The tests set out in Meta’s opt-out form might deter some users from proceeding with their objection request. 

Step 5. Submit the Form 

After providing the relevant information, the user can provide any additional relevant information and submit their request. 

Transparency and Fairness 

Meta was highly reluctant to change its legal basis from “contract” and is appealing the order that required the company to do so. 

Providing users with the right to object might disrupt the company’s ability to effectively target ads. The company’s complex opt-out form might help mitigate this impact. 

However, there are arguably issues with Meta’s process in relation to two key principles of data protection: transparency and fairness. 

To grow sustainably, build trusting customer relationships, and avoid long legal battles with their users, businesses can make it easy for people to exercise control over the use of their personal data. 

Simple and unintrusive cookie banners, accessible privacy notices, and easy-to-use data subject rights portals help people understand how businesses use their data and how to exercise their rights. 

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post Is Meta’s New ‘Opt-Out’ Process Lawful, Fair, and Transparent? appeared first on Ubiscore.

OpenAI began as a non-profit that trained open-source AI models on unpublished books. Eight years later, fueled by billion dollars of investment from Microsoft, the company faces allegations of violating European data protection law—and compliance demands that might be impossible to meet. 

‘A Good Outcome for All’ 

OpenAI started in 2015, funded by donations from entrepreneurs including Sam Altman (now the company’s CEO), Elon Musk, and Peter Thiel—plus corporations such as Amazon Web Services (AWS), Infosys, and Microsoft. 

OpenAI’s stated goal was to “advance digital intelligence in the way that is most likely to benefit humanity as a whole, unconstrained by a need to generate financial return.” 

It’s hard to predict when human-level AI might come within reach,” an early OpenAI press release states. “When it does, it’ll be important to have a leading research institution which can prioritise a good outcome for all over its own self-interest”. 

Semi-Supervised Learning 

OpenAI’s most significant work is its GPT series (short for “Generative Pre-trained Transformer”) of AI models. 

GPT was the first “transformer”-type AI to receive “semi-supervised” training. Whereas earlier transformers required a lot of costly and time-consuming human intervention, GPT could learn from large amounts of raw, unlabelled data. 

The first GPT model was trained on literature—7,000 unpublished books comprising 4.5 GB of text. 

With GTP’s successor, GPT-2, OpenAI began integrating text scraped from the open web. The model’s training set included “all outbound links from Reddit… which received at least three karma”. As a result, GPT-2 produced more convincing, “human-like” outputs. 

After some initial reluctance to publicly release the model—supposedly due to concern over its potential to produce disinformation—OpenAI eventually published GPT-2’s source code in February 2019.  

Common Crawl 

Shortly before releasing GPT-2, OpenAI announced that was switching from a non-profit to a “capped” private company whose profits would never exceed an amount 100 times higher than its original investment. 

The following year, OpenAI announced GPT-3—a version of which would later power OpenAI’s leading commercial product, ChatGPT. 

GPT-3 was trained on a much larger corpus of data than previous GPT models. Around 60% of GPT-3’s training set came from Common Crawl, a non-profit that “scrapes” the web each month and provides free access to the resulting dataset. 

Common Crawl, a non-profit, has been largely left alone by US authorities and rightsholders. The organisation has defended the legality of its operations against allegations of copyright abuse. 

Under US law, web scraping is protected by the first amendment. The legal situation is different in Europe, where a “legal basis” is required for most activities involving personal data (which will inevitably appear in a large enough set of web-scraped data). 

The Closing of OpenAI 

Although OpenAI allowed limited third-party access to the GPT-3 API, enabling others to integrate GPT-3 into their products, the company declined to release the model’s source code. 

“In addition to being a revenue source to help us cover costs in pursuit of our mission, the API has pushed us to sharpen our focus on general-purpose AI technology.” OpenAI said in a June 2020 blog post. 

In January, the company received a $10 billion funding injection from Microsoft, which subsequently announced it would integrate OpenAI’s model into the Bing search engine. 

On releasing its most recent GPT model, GPT-4, this March, OpenAI did not publish any information about the model’s size, architecture, or training data, citing the “competitive landscape” and “safety implications”. 

‘Plausible-Sounding But Incorrect’ 

ChatGPT, the chatbot released by OpenAI last October, runs on GPT-3.5—a fine-tuned version of GPT-3 whose training data includes information published as recently as June 2021. 

ChatGPT’s user-friendly design helped it reportedly become history’s fastest-growing app, attracting over 100 million users within a few months of its launch. 

Despite the program’s impressively human-like outputs, OpenAI admitted that ChatGPT would sometimes “respond to harmful instructions”, “exhibit biased behaviour”, and produce “plausible-sounding but incorrect or nonsensical answers”. 

OpenAI’s GDPR compliance efforts have been relatively slow. The company published its data processing agreement, a mandatory contract for companies using “data processors” under the GDPR, on 14 March—some five months after ChatGPT’s launch. 

The following week, OpenAI notified users of a security breach that exposed some users’ private chat topics, names, email addresses, billing addresses, and limited payment information. It was this relatively minor incident that led to OpenAI’s first reckoning under the GDPR. 

OpenAI’s GDPR Reckoning 

Italy’s data protection authority (DPA), the Garante, was the first regulator to directly challenge OpenAI, announcing action against the company on 31 March. 

While the Garante’s intervention was triggered by ChatGPT’s security incident, the regulator issued an emergency order addressing a much broader set of issues. The Garante alleged that OpenAI: 

• Was not sufficiently transparent about how ChatGPT used personal data. 
• Had no legal basis for collecting personal data to train its algorithms.
• Processed inaccurate personal data about people via ChatGPT. 
• Had no age verification system in place to stop children from using ChatGPT. 

The regulator cited violations of Articles 5, 6, 8, 13, and 25 of the GDPR—provisions relating to the GDPR’s principles, its legal bases, the rules on delivering online services to children, transparency obligations, and the concept of “data protection by design”. 

The Garante’s order against OpenAI required the “temporary limitation of the processing of personal data of data subjects established in the Italian territory”. The company had 20 days to explain how it would address the compliance issues alleged by the regulator. 

In response, OpenAI “ceased offering ChatGPT in Italy”. 

Not a Block or a Ban 

Italy’s action against OpenAI provoked headlines such as “Italy blocks ChatGPT over privacy concerns” and “ChatGPT banned in Italy”.  

But rather than having been “blocked” or “banned” by Italy, OpenAI chose to restrict Italian users’ access as a means to comply with the regulator’s order.  

In an interview following OpenAI’s decision, a Garante representative said the company could, in theory, have continued offering ChatGPT—if it could do so without processing any personal data about people in Italy. 

On a technical level, it would be impossible to offer ChatGPT in Italy without processing personal data about Italians. In fact, it’s unclear how OpenAI could have limited all processing of such data—regardless of whether the company blocked ChatGPT. 

 Processing” is defined broadly in the GDPR, covering “any operation” performed on personal data. 

As such, whatever OpenAI did in response to the Garante would have constituted “processing”—including deleting personal data in its training set, continuing to store that data, or providing refunds to Italian customers. 

And despite the geo-restriction of ChatGPT, the chatbot would continue to generate inaccurate personal data about people in Italy (which was one of the Garante’s key concerns). There is no clear solution to the “accuracy” problem short of closing down the app altogether. 

Further Investigations 

On 12 April, a week before OpenAI’s original deadline, the Garante announced that OpenAI had a further 18 days to bring its operations into compliance with the GDPR. 

By the end of April, OpenAI must: 

• Create a new privacy notice describing the “logic involved” in ChatGPT, plus information about the rights of users and non-users. 
• Adopt a new “legal basis” for processing personal data, based either on consent or the company’s “legitimate interests”. 
• Implement a system enabling people to request the correction or erasure of inaccurate personal data, and to object to the use of their personal data in training sets. 
• Prohibit children from using ChatGPT, and, by the end of September, filter out children under 13 and children aged 13-18 whose parents have not provided consent. 
• Conduct an awareness-raising campaign across TV, radio, and print media, informing people about the use of personal data in training algorithms. 

The following day, at the request of the Spanish regulator, the European Data Protection Board (EDPB) announced a new “dedicated task force” to “foster cooperation” and “exchange information on possible enforcement actions” against OpenAI. 

The next OpenAI enforcement action could come from France, where the country’s regulator is apparently investigating complaints about the company. 

The End of the Beginning 

Even if OpenAI manages to satisfy Italy’s demands, the company’s compliance issues are unlikely to go away. 

Data protection experts have been highlighting conflicts between the GDPR’s requirements and the large-scale processing of data that powers large language models like GPT. 

In a 2018 paper titled “Algorithms that remember”, academics Michael Veale, Lilian Edwards, and Reuben Binns argued that AI models themselves—not only the datasets used to train the models—constitute “personal data” under the GDPR. 

This would mean that AI models are personal data “all the way down”—they are trained on personal data, process personal data as inputs, produce personal data as outputs, and, according to the above interpretation, are themselves personal data. 

A recent Oxford University paper argues that European regulators are “ill-prepared for the emergence of this new generation of AI models”—and will remain so even after the passing of the EU’s upcoming AI Act. 

The GDPR’s principles of fairness, transparency, data minimisation, data accuracy, and its rules on automated decision-making all apply to the training and operation of AI models.  

But full GDPR compliance could seriously undermine OpenAI’s data-hungry operations, and it might be easier for the company to leave Europe altogether. 

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!

The post Are the GDPR Walls Closing in on OpenAI? (NO, Italy did not ban ChatGPT!) appeared first on Ubiscore.