Belgian market court refers questions in IAB Europe case to CJEU

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

Belgian Market Court Refers Questions in IAB Europe Case to CJEU

In response to IAB Europe’s appeal of a February ruling finding IAB Europe’s TCF Framework in violation of the GDPR, the Belgian Market Court issued a judgment rejecting in part and accepting in part certain procedural grounds for appeal and referring two substantive questions to the European Court of Justice, specifically:

(1) whether the “TC String” processed as part of the TCF Framework constitutes “personal data” under the GDPR; and

(2) whether IAB Europe constitutes a controller of the TC String and a joint controller of subsequent processing of personal data by participants in the TCF Framework. Further proceedings and a final judgment on the appeal are suspended pending the reply to the questions referred for a preliminary ruling. 

TAKEAWAY

It is not clear at this stage what impact this preliminary ruling will have on the timeline of the appeal and, separately, the Belgian Data Protection Authority’s (APD’s) decision on IAB Europe’s action plan submitted in April, per the original order.

According to a statement issued by IAB Europe, a final decision on the appeal is unlikely until 2023 or 2024. However, this delay does not necessarily suspend the APD’s decision on the action plan, which was expected this month. 

We will update our blog post with more information as it becomes available.

Meta Receives 405 Million Euro Fine for GDPR Children’s Privacy Violations on Instagram

Ireland’s Data Protection Authority reportedly imposed one of the largest GDPR fines to date on Instagram’s parent company Meta based on allegations Instagram allowed teenage users to create business accounts, resulting in default settings making email addresses and phone numbers publicly available.

The ruling was based on an investigation in 2020, and the default settings at issue have reportedly since been changed.

Full details of the decision will reportedly be made available in the next week. Meta has also reportedly expressed an intent to appeal the decision.

ADDITIONAL CONTEXT

The Irish DPA recently released guidance for businesses on the fundamentals for a child-oriented approach to data processing and separate guidance for children on their data protection rights, along with a statement that “the protection of children’s personal data is an important priority for the DPC, and is one of the five strategic goals of our 2022-2027 Regulatory Strategy.”  

USA

Privacy Identified as a Key Area of Concern in White House Session on Tech Platforms

In a White House listening session with experts and practitioners on harms posed by tech platforms, six key areas of concern were identified: competition, privacy, youth mental health, misinformation and disinformation, illegal and abusive conduct, and algorithmic discrimination and lack of transparency.

According to a White House readout, on the topic of privacy, participants explained that mere self-help technological protections for privacy are insufficient and that better guardrails, particularly for children’s privacy, are needed.

In response to the event, the Biden-Harris Administration announced several core principles for reform, including that there should be limits on targeted advertising and strong protections for children and particularly sensitive data such as geolocation and health information. 

TAKEAWAY

These core principles, particularly with respect to children, are consistent with President Biden’s March 2022 State of the Union Address, in which he noted that “it’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.

GLOBAL

Indonesian Lawmakers Commit to Immediately Ratify Personal Data Protection Bill into Law

The House of Representatives of Indonesia Republic announced its agreement, with the Ministry of Communication and Information, to bring the Personal Data Protection Bill to a Plenary Meeting to be immediately ratified.

TAKEAWAY

Like the United States, Indonesia’s approach to personal data privacy has previously been largely sectoral, with a patchwork of laws addressing certain types of data protection.

If ratified, the Personal Data Protection Bill will bring Indonesia privacy protections more in line with international standards, such as GDPR, with a comprehensive approach to data privacy. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.