CDP Institute

Ireland’s Data Protection Commission (DPC) just announced it is fining Meta €265 million (US $276 million) for GDPR non-compliance due to data scraping. This brings Meta’s 2022 total fines from the DPC to almost €700 million. The DPC oversees the company because it is headquartered in Ireland. And, reports are that more Meta fines may be announced there soon. This fine was for a 2021 breach that affected more than a half million records and resulted in personal data surfacing on a public forum and circulating widely on the web.

The MarkUp and The Verge allege that H&R Block, TaxAct, TaxSlayer, and Ramsey Solutions have shared sensitive personal and financial user data with Meta via Meta Pixel, a JavaScript code snippet embedded in websites. The exposed tax filer data includes income filing status, refund amounts, and college scholarship amounts, in addition to more basic identifying information. And, while the number of people affected hasn’t been confirmed, it is estimated in the tens of millions. Why? Apparently, the data is useful to feed Meta algorithms for ad targeting.

Citizen Labs’ new report adds to criticism of Canada’s pending (and long-titled) Bill C-27: An Act to enact the Consumer Privacy Protection Act (CCPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. Bill C-27 is an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force as federal law for two decades. Among the concerns raised is that the new CCPA law would be weaker than GDPR and that it includes problematic exemptions, including that organizations can decide when benefits of collecting of personal information outweighs risks - and that this could be done without having to notify people of collection or planned use.

A Twitter data breach last year, estimated to have exposed 5.4 million records, was thought to have been achieved and exploited by just one hacker. Now, evidence indicates multiple hackers accessed and then offered the data for sale on the dark web. The compromised data belonged to users from the UK, US and most of the EU countries. Twitter has not yet commented on the story, but as has been pointed out its communications team was just gutted following Elon Musk’s Twitter acquisition.

France has determined that free versions of Office 365 and Google Workspace potentially leave data at risk because they store data in the cloud in the US, so are not under obligation to comply with the EU’s GDPR and Schrems II, the 2020 ruling by the European Court of Justice on the cross-border sharing of data. As a result free versions are not allowed to be used in French schools.

Meta announced new users of Instagram and Facebook under 16, and users under 18 in certain countries will be put by default into more private settings when they join Facebook. This seems good, though those users already on the app will only be encouraged to change settings for more privacy, rather than having their settings changed by the company. At the same time, Meta is testing ways to protect teens from suspicious adults and is building a platform to help keep intimate images from being posted online.