Advocacy group pushes the FTC for elevated privacy reform

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Bedoya FTC Nomination On Delay

After a 14-14 vote down party lines in the Senate Commerce Committee, Alvaro Bedoya’s nomination for the fifth FTC Commissioner seat will need to follow extra interim procedures before a formal vote from the full Senate, which may mean a delay until 2022.

WHY IT MATTERS

The FTC currently consists of four Commissioners, often split 2-2 without means to break the tie. Consumer advocacy groups have been pressuring the Senate for a swift confirmation of Bedoya in hopes of expediting measures to address big tech and algorithmic bias, which measures Bedoya is expected to support.

Advocacy Group Pushes the FTC for Elevated Privacy Reform

The Electronic Privacy Information Center (EPIC) submitted comments in response to the FTC’s Draft Strategic Plan for FY 2022-2026, suggesting that the FTC’s long-term approach to consumer privacy should be broken out and detailed, with clear benchmarks to center the privacy harms suffered by marginalized communities. The comments noted that the FTC has a critical role to play in ending surveillance advertising and remedying historically disparate impacts of online services.

EUROPE

German Telecom Privacy Law in Effect

Germany’s Telecommunications and Telemedia Data Protection Act (TTDSG) came into force December 1. The law, among other things, implements Article 5(3) of the ePrivacy Directive, providing that cookies and comparable technologies may only be used if the user has consented, the cookie is facilitating transmission of a communication over a public telecommunications network, or the cookie is strictly necessary.

WHY IT MATTERS

This aspect of the law doesn’t go beyond the wording of the ePrivacy Directive, so it doesn’t introduce anything novel that isn’t also applicable in other jurisdictions that have implemented the ePrivacy Directive. The main changes for German organizations will be that they won’t be able to rely on legitimate interest as a legal basis for the use of certain non-strictly-necessary cookies, even if legitimate interest would have been an acceptable legal basis under GDPR, and they will have to obtain consent for use of cookies and other “storage of information of the terminal equipment of an end user” even if no personal information is processed within the meaning of GDPR.  

CJEU Advocate General Suggests GDPR Allows for National Representative GDPR Action

Advocate General Richard de la Tour issued an Opinion recommending that the EU Court of Justice (CJEU) interpret the GDPR to permit consumer protection associations to bring representative actions under Member State law designed to protect the collective interests of consumers “provided that an infringement of the provisions of that regulation which are intended to confer subjective rights on data subjects is alleged.”

The opinion arose in the context of a complaint against Facebook Ireland brought by the Federation of German Consumer Organisations in German court, alleging that Facebook failed to make proper disclosures, as required by GDPR, relating to the purposes of processing and recipient of personal data.

The German Federal Court of Justice referred the case to the CJEU to determine whether the Federation had standing to bring the case in German civil court (rather than through the appropriate supervisory authority). The Advocate General suggested that the action for an injunction brought by the Federation does, indeed, allege an infringement of provisions intended to confer subjective rights on data subjects and, therefore, that the Federation has standing.

The Advocate General’s opinion is not binding on the Court of Justice, which will issue a judgment in the case at a later date that may or may not adopt the Advocate General’s opinion.

WHY IT MATTERS

If the Advocate General’s opinion is adopted by the Court of Justice, it may spur an increase in representative actions brought at the national level by consumer advocacy groups under GDPR.  

Spain DPA Says Public Key Can Be Personal Data

Spain’s data protection agency published a blog post clarifying that a public key (used in public key cryptography) corresponding to a natural person can constitute personal data under GDPR where it is possible to associate additional information to the public key that allows the identification of the person. As examples, the blog post explains that public keys are often intimately linked to other types of identifiers, such as IP addresses, session identifiers, cookies, device signatures, and email addresses, which, when combined, allow for the association of activities performed from different addresses or devices, profiling of individuals, re-identification, and links to content and metadata. Accordingly, in such contexts, the public key (while pseudonymized) should be treated as personal data.

WHY IT MATTERS

DPAs are becoming increasingly vocal to remind companies that new solutions and evolving technology creating different ways to identify, profile and target individuals don’t necessarily avoid privacy obligations. Last month, the UK and French DPAs both published guidelines to set expectations for new online advertising initiatives, making clear that identifier-based solutions, regardless of whether traditional identifiers (or even any personal data) are used, must still meet expectations of transparency, control, consent and accountability. Spain’s DPA seems to be falling in line with this sentiment, at least in the context of public key cryptography. 

EU CoMMISSIONER EXPRESSES DISAPPOINTMENT WITH BIG TECH PRIVACY

Speaking at ForumEurope’s data protection and privacy conference, EU Commission VP Vera Jourová expressed a “problem with compliance culture among those companies that live off our personal data”, identifying Google, Facebook and WhatsApp as companies that they have penalties or decisions against. She expressed a desire for those companies to take protection of personal data seriously, with “full compliance, not legal tricks” and to tackle the challenges head on, rather than hiding behind small print. She also noted that it takes too long for supervisory authorities to address questions around processing of personal data for big tech and that any potential changes in GDPR enforcement will go towards more centralisation.

WHY IT MATTERS

These comments, combined with the Advocate General opinion mentioned above, as well as the pending Digital Services Act and Digital Markets Act, which would give the European Commission more control over supervision of large tech companies, reflect a general shift in thinking about European privacy enforcement, particularly with respect to big tech.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.