CDP Institute

Ireland’s Data Protection Commission (DPC) just announced it is fining Meta €265 million (US $276 million) for GDPR non-compliance due to data scraping. This brings Meta’s 2022 total fines from the DPC to almost €700 million. The DPC oversees the company because it is headquartered in Ireland. And, reports are that more Meta fines may be announced there soon. This fine was for a 2021 breach that affected more than a half million records and resulted in personal data surfacing on a public forum and circulating widely on the web.

The MarkUp and The Verge allege that H&R Block, TaxAct, TaxSlayer, and Ramsey Solutions have shared sensitive personal and financial user data with Meta via Meta Pixel, a JavaScript code snippet embedded in websites. The exposed tax filer data includes income filing status, refund amounts, and college scholarship amounts, in addition to more basic identifying information. And, while the number of people affected hasn’t been confirmed, it is estimated in the tens of millions. Why? Apparently, the data is useful to feed Meta algorithms for ad targeting.

Citizen Labs’ new report adds to criticism of Canada’s pending (and long-titled) Bill C-27: An Act to enact the Consumer Privacy Protection Act (CCPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. Bill C-27 is an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force as federal law for two decades. Among the concerns raised is that the new CCPA law would be weaker than GDPR and that it includes problematic exemptions, including that organizations can decide when benefits of collecting of personal information outweighs risks - and that this could be done without having to notify people of collection or planned use.

A Twitter data breach last year, estimated to have exposed 5.4 million records, was thought to have been achieved and exploited by just one hacker. Now, evidence indicates multiple hackers accessed and then offered the data for sale on the dark web. The compromised data belonged to users from the UK, US and most of the EU countries. Twitter has not yet commented on the story, but as has been pointed out its communications team was just gutted following Elon Musk’s Twitter acquisition.

France has determined that free versions of Office 365 and Google Workspace potentially leave data at risk because they store data in the cloud in the US, so are not under obligation to comply with the EU’s GDPR and Schrems II, the 2020 ruling by the European Court of Justice on the cross-border sharing of data. As a result free versions are not allowed to be used in French schools.

Meta announced new users of Instagram and Facebook under 16, and users under 18 in certain countries will be put by default into more private settings when they join Facebook. This seems good, though those users already on the app will only be encouraged to change settings for more privacy, rather than having their settings changed by the company. At the same time, Meta is testing ways to protect teens from suspicious adults and is building a platform to help keep intimate images from being posted online.

That is to capture license plate numbers of customer cars and print them on meal bags, so those found littering after their McMeal can be identified. The Welsh government proposed this to other fast-food companies too, though it acknowledges whichever one goes first might find customers switching to others for privacy.

This is part of a planned package of additional laws to criminalize and punish abusive online behavior particularly toward women and girls.

A ruling by Italy’s Data Protection Agency (DPA) that prohibits use of facial recognition technology (FRT) is receiving mixed reviews from privacy advocates, including concern it may set a broader EU precedent. This is due to a caveat in the ruling that FRT can still be used for crime fighting and judicial investigations. The rule is a stop gap measure pending new privacy legislation from Italy’s DPA and at a time when the EU is evolving its comprehensive AI Act, which is intended to be the first comprehensive legal framework... Read More >

Discord, Inc., a voice over IP and instant messaging company, was fined €800,000 by France’s data authority CNIL for failing to define and honor a data retention period in accordance with GDPR. The amount of the fine took into consideration the number people impacted, which was close to 3 million, and also the fact that the company worked throughout the investigation to reach compliance.

India, which this summer shelved plans to pass a Personal Data Protection Bill, has introduced a new draft proposal for a privacy bill that eases the burden on overseas data transfers, but advocates high penalty amounts of up to ₹500 crore ($61 million) for non-compliance and ₹250 crore for breaches. Decisions yet to be made are about which countries would be white listed for data transfers and to what degree state agencies could be exempted from provisions in the bill.

Favorite brands have secret ways to get you to gift them your data for the holidays. This is made easy via fun products, including from Meta with their Quest Pro ocular-reading headset; Amazon, which is hungry for more data to feed Alexa and has several new product offerings; and Google, Verizon, Nintendo and others. The majority of products on this Top 10 gift list are, however, a bit unclear on how you can delete data after you provide it – but no worries! The companies are happy to keep it.