Italy’s Garante fines social audio app Clubhouse for GDPR violations

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Judge Rules Plaintiff Failed to Show Injury in Twitter Ad Targeting Case

A Northern District of California federal judge granted Twitter’s motion to dismiss a lawsuit against it regarding its use for ad targeting of phone numbers and email addresses allegedly collected for security purposes.

The judge held that the plaintiff failed to show injury-in-fact from Twitter’s actions, a required element to have standing to bring unfair competition and breach of contract claims.

Specifically, the judge found it insufficient to show the value Twitter gained by using the information; rather, the plaintiff must demonstrate the value of the information to the plaintiff to demonstrate loss or deprivation of property. 

Additionally, the judge noted that Twitter’s privacy policy, which was the basis of the plaintiff’s breach of contract claims, also disclosed that the address and phone number would be used to show more relevant advertising and extended users an opportunity to opt out of such use. 

NEXT STEPS

The judge gave the plaintiff leave to amend her complaint to more clearly demonstrate injury in fact, which is due at the end of December; if she is unable to meet the burden requested by the judge, the findings in this case will likely impact two other pending cases against Twitter in the Northern District of California on similar facts. 

 IndianA AG Files Deception Claims Against TIkTok re Data Risks

The Indiana Attorney General filed a lawsuit against TikTok, alleging that TikTok’s deception of consumers regarding the risk of the Chinese Government and Communist Party accessing and exploiting their data violates Indiana’s Deceptive Consumer Sales Act.

Specifically, the lawsuit claims that statements by TikTok that U.S. user data is not subject to Chinese Law are false, deceptive and misleading, because it paints a picture that there is little to no risk of the Chinese Government or Chinese Communist Party accessing and exploiting their data, even when Chinese Law has been interpreted by both to apply to any data in which China has a national intelligence or security interest, no matter where the data is located.

The lawsuit is seeking an injunctive, plus a civil penalty up to $5,000 per violation. 

NEXT STEPS

State attorneys general have increasingly been leaning on state consumer deception laws to make data protection and privacy claims.

Most recently, Google settled a multistate lawsuit with 40 state attorneys general based on allegations Google deceptively tracked user location in violation of various state consumer protection laws.

These cases raise the stakes for companies to ensure they are making fully transparent disclosures regarding their data use practices and that such disclosures are clear, so as not to deceive or paint a misleading picture of how a consumer’s data may be used or accessed. 

EUROPE

Garante Fines 2 Million Euros for Clubhouse GDPR Violations

The Italian Data Protection Authority (the Garante) announced a 2 Million Euro fine issued against Alpha Exploration, owner of social network Clubhouse.

The fine was based on several alleged GDPR violations, including lack of transparency on the use of its user data, ability to share and store audio without consent, and profiling and sharing of account information without identifying a correct legal basis.

In addition to the fine, the company has been prohibited from processing information for marketing and profiling without specific consent.

The Garante specified that Clubhouse will have to introduce a mechanism to disclose to users, before entering a conversation room, which legal basis applies to each purpose of processing, the retention times of personal data and audio files, and the necessary information regarding the company’s “appointed representative”, since Clubhouse is not established in any EU Member State. 

NEXT STEPS

This is an important action for US (or non-EU) companies to be aware of, as Alpha Exploration is a US company that is not established in any Member State of the European Union.

The Garante found Italian jurisdiction to exist because the Clubhouse offered its services to interested parties in the Union.

The Garante further found that, since there was a lack of an establishment in a specific territory in the European Union, each Supervisory Authority is competent to assess the company’s compliance with respect to its own territory, and therefore that the Garante is competent to assess the company’s compliance in Italy.     

EDPB Adopts Decisions on Key Legal-Basis-for-Processing Questions

The European Data Protection Board (EDPB) announced that it has adopted binding decisions addressing important legal issues impacting the Irish Supervisory Authority’s assessment of GDPR compliance by Facebook, Instagram and WhatsApp.

Specifically, the EDPB’s decision will settle the questions of whether the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp.

The decisions will be published on the EDPB’s website once the lead supervisory authority in the case has notified its national decisions to Meta. 

WHY IT MATTERS

Although these decisions will be specific to the facts and circumstances of Facebook, Instagram and WhatsApp, they will likely provide some clarification and common understanding across EU Member States of the requirements for identifying performance of a contract as a legal basis for processing.

According to the Wall Street Journal, leaked reports indicate the decision will deny the ability for Meta to rely on its terms of service as a legal basis for behavioral advertising. 

ICO Publishes All 2022 Reprimands

The UK Information Commissioner’s Office (ICO) announced that it will now publish all reprimands going forward (even where fines have not been awarded).

It has now published all reprimands issued back to January 2022 on its website.

Of note, the ICO reprimanded Grindr for failing to provide effective and transparent privacy information to data subjects. It specifically recommended that Grindr disclose, among other items, the fact that IP address and advertising ID may constitute personal data in certain circumstances (e.g., when combined with other data), as well as the methods Grindr uses to obtain user IP addresses and advertising IDs, the restriction of data flows by Grindr and its advertising partners, and the full list of third parties Grindr shares personal data with.

Separately, Virgin Media Limited received a reprimand for failing to respond to 14% of subject access requests it received within the required timeframe.

The ICO recommended that Virgin Media should take further steps (including having adequate staff resources) to ensure subject access requests are responded to within the statutory deadlines. In total, 28 reprimands were published by the ICO.

WHY IT MATTERS

This resource provides companies with additional insight into specific case-by-case direction issued by the ICO, which, although possibly tedious to thumb through, may be helpful to better understand the ICO’s application of its guidance in practice.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.