Italy’s Garante fines social audio app Clubhouse for GDPR violations
December 12, 2022
Judge Rules Plaintiff Failed to Show Injury in Twitter Ad Targeting Case
A Northern District of California federal judge granted Twitter’s motion to dismiss a lawsuit over its use, for ad targeting, of phone numbers and email addresses allegedly collected for security purposes.
The judge held that the plaintiff failed to show injury-in-fact from Twitter’s actions, a required element to have standing to bring unfair competition and breach of contract claims.
Specifically, the judge found it insufficient to show the value Twitter gained by using the information; rather, the plaintiff must demonstrate the value of the information to the plaintiff to demonstrate loss or deprivation of property.
The judge gave the plaintiff leave to amend her complaint, due at the end of December, to more clearly demonstrate injury-in-fact; if she is unable to meet the burden requested by the judge, the findings in this case will likely impact two other pending cases against Twitter in the Northern District of California on similar facts.
Indiana AG Files Deception Claims Against TikTok re Data Risks
The Indiana Attorney General filed a lawsuit against TikTok, alleging that TikTok’s deception of consumers regarding the risk of the Chinese Government and Communist Party accessing and exploiting their data violates Indiana’s Deceptive Consumer Sales Act.
Specifically, the lawsuit claims that statements by TikTok that U.S. user data is not subject to Chinese Law are false, deceptive and misleading, because they paint a picture that there is little to no risk of the Chinese Government or Chinese Communist Party accessing and exploiting their data, even when Chinese Law has been interpreted by both to apply to any data in which China has a national intelligence or security interest, no matter where the data is located.
The lawsuit is seeking an injunction, plus a civil penalty of up to $5,000 per violation.
State attorneys general have increasingly been leaning on state consumer deception laws to make data protection and privacy claims.
Most recently, Google settled a multistate lawsuit with 40 state attorneys general based on allegations Google deceptively tracked user location in violation of various state consumer protection laws.
These cases raise the stakes for companies to ensure they are making fully transparent disclosures regarding their data use practices and that such disclosures are clear, so as not to deceive or paint a misleading picture of how a consumer’s data may be used or accessed.
Garante Fines 2 Million Euros for Clubhouse GDPR Violations
The Italian Data Protection Authority (the Garante) announced a 2 Million Euro fine issued against Alpha Exploration, owner of social network Clubhouse.
The fine was based on several alleged GDPR violations, including lack of transparency on the use of its user data, ability to share and store audio without consent, and profiling and sharing of account information without identifying a correct legal basis.
In addition to the fine, the company has been prohibited from processing information for marketing and profiling without specific consent.
The Garante specified that Clubhouse will have to introduce a mechanism to disclose to users, before entering a conversation room, which legal basis applies to each purpose of processing, the retention times of personal data and audio files, and the necessary information regarding the company’s “appointed representative”, since Clubhouse is not established in any EU Member State.
This is an important action for US (or non-EU) companies to be aware of, as Alpha Exploration is a US company that is not established in any Member State of the European Union.
The Garante found Italian jurisdiction to exist because Clubhouse offered its services to interested parties in the Union.
The Garante further found that, since there was a lack of an establishment in a specific territory in the European Union, each Supervisory Authority is competent to assess the company’s compliance with respect to its own territory, and therefore that the Garante is competent to assess the company’s compliance in Italy.
EDPB Adopts Decisions on Key Legal-Basis-for-Processing Questions
The European Data Protection Board (EDPB) announced that it has adopted binding decisions addressing important legal issues impacting the Irish Supervisory Authority’s assessment of GDPR compliance by Facebook, Instagram and WhatsApp.
Specifically, the EDPB’s decision will settle the questions of whether the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp.
The decisions will be published on the EDPB’s website once the lead supervisory authority in the case has notified its national decisions to Meta.
WHY IT MATTERS
Although these decisions will be specific to the facts and circumstances of Facebook, Instagram and WhatsApp, they will likely provide some clarification and common understanding across EU Member States of the requirements for identifying performance of a contract as a legal basis for processing.
According to the Wall Street Journal, leaked reports indicate the decision will deny the ability for Meta to rely on its terms of service as a legal basis for behavioral advertising.
ICO Publishes All 2022 Reprimands
The UK Information Commissioner’s Office (ICO) announced that it will now publish all reprimands going forward (even where fines have not been awarded).
It has now published all reprimands issued back to January 2022 on its website.
Of note, the ICO reprimanded Grindr for failing to provide effective and transparent privacy information to data subjects. It specifically recommended that Grindr disclose, among other items, the fact that IP address and advertising ID may constitute personal data in certain circumstances (e.g., when combined with other data), as well as the methods Grindr uses to obtain user IP addresses and advertising IDs, the restriction of data flows by Grindr and its advertising partners, and the full list of third parties Grindr shares personal data with.
Separately, Virgin Media Limited received a reprimand for failing to respond to 14% of subject access requests it received within the required timeframe.
The ICO recommended that Virgin Media should take further steps (including having adequate staff resources) to ensure subject access requests are responded to within the statutory deadlines. In total, 28 reprimands were published by the ICO.
WHY IT MATTERS
This resource provides companies with additional insight into specific case-by-case direction issued by the ICO, which, although possibly tedious to thumb through, may be helpful to better understand the ICO’s application of its guidance in practice.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.