European Commission to draft U.S. adequacy decision
October 9, 2022
European Commission to Draft U.S. Adequacy Decision
In response to an executive order signed by U.S. President Biden, implementing new binding safeguards and redress mechanisms for Europeans, the European Commission released a Q&A revealing that they “will now prepare a draft adequacy decision, as well as launch its adoption procedure”.
(1) limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; and
(2) establish an independent and impartial redress mechanism to investigate and resolve complaints regarding access to data by US national security authorities.
The European Commission said in their Q&A that these are “significant improvements compared to the Privacy Shield” that “provide a durable and reliable legal basis for transatlantic data flows”.
Once the European Commission proposes a draft adequacy decision, it will need to be approved by a committee composed of representatives of the EU member states and overcome potential scrutiny from the European Parliament, which could take several months.
Once an adequacy decision is finalized though, EU companies will be able to freely send data to the US, relying on the adequacy decision as their legal basis of transfer.
In the meantime, the European Commission confirmed that other transfer mechanisms, such as model clauses, are available and that the safeguards that the Commission has agreed with the US Government in the area of national security will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.
Google Enters $85 Million Fraud Settlement with Arizona AG Over User Tracking
Arizona Attorney General Mark Brnovich announced a consumer-fraud settlement over allegations Google “deceptively obtained users’ location data” by tracking smartphones even when users disabled the “Location History” setting.
Even in states where comprehensive privacy laws, like the California Consumer Privacy Act, do not exist, State Attorneys General are increasingly finding ways, such as state laws prohibiting consumer fraud or unfair and deceptive acts and practices, to hold companies accountable for so-called “dark patterns”, when data collection and use practices are misleading or don’t line up with consumer understanding.
Papa Johns Hit With Class Action Lawsuit Alleging Unlawful Website Tracking
A proposed class action filed in California alleges that papajohns.com violated the federal Wiretap Act and California Invasion of Privacy Act by tracking website visitors’ IP address and information such as mouse movements and clicks, keystrokes, search items, inputted text, and pages and content viewed without their knowledge or consent.
Like State Attorneys General, class action law firms are increasingly utilizing long-existing state and federal consumer deception and privacy laws to address allegedly hidden or non-transparent data collection and use. In recent months, class action lawsuits have also been filed against or settled with TikTok, Plaid, NBA, Meta, and Twitter over allegedly unlawful or deceptive data use practices.
IAB Europe Reserves the Right to Take Action Should the Belgian APD Proceed on Decision Pending Appeal
In a press release, IAB Europe revealed that the Belgian Data Protection Authority (APD) has notified the association of intentions to pursue examination of IAB Europe’s action plan submitted in response to the APD’s February 2022 decision holding IAB Europe in violation of GDPR.
This is despite the recent preliminary decision from the Belgian Market Court referring two questions to the European Court of Justice (CJEU) regarding IAB Europe’s appeal of the APD decision.
In its press release, IAB Europe asserts its firm belief “that the APD decision cannot be enforced”, noting that “the questions that have been referred to the CJEU are foundational as they call into question whether an enforcement action should have been brought against IAB Europe in the first place”.
As a result, IAB Europe says that it “reserves the right to engage in any form of available legal action should the APD attempt to enforce its illegal decision and preempt responses from the CJEU on the central issues that have been referred to it.”
The two questions that have been referred to the CJEU are:
1) whether the Transparency and Consent (TC) String passed by participants using IAB Europe’s Transparency and Consent Framework (TCF) constitutes Personal Data under the GDPR; and
2) whether IAB Europe acts as a controller of the TC String and other data processed by participants of the TCF.
The APD’s February 2022 decision ordering IAB Europe to create an action plan, and IAB Europe’s resulting action plan submitted in April 2022, are both based on the APD’s finding that IAB Europe has certain obligations under the GDPR as a controller (or, in some cases, a joint controller) of the TC String (which it found to constitute personal data under the GDPR) and other data processed by participants of the TCF.
If the CJEU therefore answers one or both of the Market Court’s questions in the negative, reversing the APD’s findings regarding the TC String and IAB Europe’s status as a controller, IAB Europe is arguing that the foundation of the original enforcement action as a whole would be called into question, making the original decision and resulting action plan unenforceable.
ICO Issues £1.48 Million Fine for Using Medical Condition Inferences for Targeted Advertising
The UK Information Commissioner’s Office (ICO) fined Easylife £1.48 Million based on allegations the retailer was using personal information and purchase history of its customers to predict medical conditions and subsequently target those customers with health-related products.
As an example, the ICO cited in its press release that the company would infer from a purchase of a jar opener that a person may have arthritis and then market joint patches to that customer.
The ICO found this practice to be “against data protection law” because the practice was unknown to consumers and without consumer consent.
This case demonstrates that, when assessing privacy compliance obligations, companies should take into account not only the specific data that is collected, but also any inferences that the company draws from the data and how those inferences are used.
A recent decision by the European Court of Justice (CJEU) took this reasoning one step further, holding the listing of individual names with their spouses to constitute “special categories of personal data” because “it is possible to deduce from the information the sexual orientation of the listed individuals”.
This was without regard to whether the listing company or anyone else was actually making such inferences.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.