#EU#CJEU#GDPR#DataProtection#BigTech#AdTech#TargetedAds#OnlineTracking: "In a landmark decision on 7 March 2023, the Court of Justice of the European Union (CJEU) issued a groundbreaking judgment against online targeted ads prohibited by the General Data Protection Regulation (GDPR). This ruling has far-reaching implications for major platforms, including giants like Google and TikTok, that rely on the online personalised advertising industry as part of their business model. The Court recognised that invasive tracking and profiling cannot be sanctioned through ‘consent’ pop-ups, responding to a complaint that focused on the mechanisms facilitating the covert profiling and monitoring of the private activities of a majority of individuals across the digital realm. The court’s decision emphasised the need for stricter controls on the online tracking and advertising industry." https://edri.org/our-work/europes-highest-court-delivers-landmark-judgment-against-iab-europe-in-gdpr-consent-spam-pop-ups-case/
The Data Protection and Digital Information Bill is back at Committee Stage in the UK House of Lords.
Welfare surveillance powers in the Bill are an injustice waiting to happen.
The Department for Work and Pensions (UK) will be able to access the financial information of any benefit claimant – from Universal Credit to Child Benefit and State Pensions.
The Netherlands benefits scandal saw thousands being unjustly accused of fraud and having their benefits incorrectly withdrawn after errors in data sharing and automated decision-making.
The Data Protection and Digital Information Bill (UK) weakens protections against solely automated decisions that have life-changing or significant impacts. This will increase the risk of harms.
Indeed the DWP is already being criticised for its use of AI, despite warnings of algorithmic bias.
While we can appeal automated decisions, it’s of little use without access or resources to scrutinise how AI systems work.
The #DPDIBill (UK) makes it easier for organisations to refuse to comply with Subject Access Requests. If you don’t know what data is being held about you, it’s harder to challenge decisions or correct mistakes.
And even if we can get access, the Bill lets organisations refuse requests to erase or correct data if they lack the resources.
As AI is trained on data, any inaccurate data means automated systems will continue to make mistakes and embed biases.
With the Department for Work and Pensions (UK) not being transparent over its automated systems while expanding its use, there are real concerns of harms.
Combined with weaker protections against faulty automated decision-making and curtailed data access rights, welfare surveillance powers in the #DPDIBill are an injustice waiting to happen.
First, today we are opening a case against Meta. We suspect that Meta is breaching the DMA rules on data combination [Article 5(2) DMA].
You all heard about Meta's “Subscription for No Ads” model. With this new model, users have to pay if they want to use Facebook and Instagram without targeted advertising. And this has forced millions of users across Europe into a binary choice: “pay or consent”. And if you consent, Meta can use your data, generated for example on Messenger, to target ads on Instagram.
But the DMA is very clear: gatekeepers must obtain users' consent to use their personal data across different services. And this consent must be free! We have serious doubts that this consent is really free when you are confronted with a binary choice. With the DMA, users who do not consent should be provided with a less personalised alternative of the service, for example financed thanks to contextual advertising. But they do not have to pay.
This is because with the DMA, we want to give back to our users the power to decide how their data is used: to pave the way for business models where citizens' rights are at the centre of operations.
Some of you may recall, we are already looking into this practice of Meta under the DSA: earlier this month, we sent Meta a request for information to verify how this “Subscription for No Ads” model complies with the DSA obligation to offer at least one option of their recommender systems not based on profiling, but also to assess the risks stemming from the personalisation of digital services.
(...)
Second, today we are also opening a second case against Alphabet. We suspect that Alphabet is breaching the DMA prohibition of self-preferencing [Article 6(5) DMA]." https://ec.europa.eu/commission/presscorner/detail/en/speech_24_1702
We need an independent regulator to ensure strong protections and get redress when things go wrong.
But the Data Protection and Digital Information Bill (UK) weakens the role of the Information Commissioner's Office. That’s why we've presented amendments.
The revolving door between business and the UK data protection regulator must stop to prioritise our rights.
✅ ORG's amendment protects the new Commission from regulatory capture by introducing a three-years stay period that prohibits its members to work for the industries they were regulating.
With the Data Protection and Digital Information Bill at Committee Stage in the UK House of Lords, here's a round-up of what's changing with data protection in the UK.
You’ll have weaker rights to challenge how data is used and shared with less ability to find that out in the first place.
The #DataGrabBill lets UK government Ministers approve international data transfers, even if the country lacks data protection rights or remedies for data subjects.
This will make the UK data laundering hub, putting the UK's adequacy agreement with the EU at risk.
#Cars#Surveillance#Privacy#Insurances#DataProtection#USA: "We've written previously about how insurance companies offer discounts for customers who opt into a usage-based insurance program. Every state except California currently allows the use of telematics data for insurance rating, but privacy protections for this data vary widely across states.
When you sign up directly through an insurer, these opt-in insurance programs have a pretty clear tradeoff and sign up processes, and they'll likely send you a physical device that you plug into your car's OBD port that then collects and transmits data back to the insurer.
But some cars have their own internal systems for sharing information with insurance companies that can piggy back off an app you may have installed, or the car’s own internet connection. Many of these programs operate behind dense legalese. You may have accidentally “agreed” to such sharing without realizing it, while buying a new car—likely in a state of exhaustion and excitement after finally completing a gauntlet of finance and legal forms.
#DataColonialism#Privacy#Surveillance#DataProtection: "When undertaking research for the book, Professors Couldry and Mejias found data was being extracted from every aspect of human life. “We realised the closest parallel was in the colonial land grab that happened around 1500 when Spain and Portugal suddenly realised there was a whole new world they could grab for themselves,” Professor Couldry says.
“It seemed to us this was a good analogy for the serious scale of what’s happening with data and that's when we started developing a framework for data colonialism. We weren't the first people to come up with this term, but we were the first people to see this as not just a metaphor but a new stage in the evolution of colonialism. What if colonialism could evolve? And that a new land grab could be happening right now, right in front of our eyes, through human life being captured in the form of data?”" https://www.lse.ac.uk/research/research-for-the-world/society/data-colonialism-privacy
EU’s use of Microsoft 365 found to breach data protection rules
An investigation into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software.
A capable colleague passed on a request from their client. They want to know if the VM disks are encrypted at rest, if the keys are rotated periodically, and if there's a key retention procedure in place. Ironically, the client's VPS runs on Ubuntu 18.04, which has been out of updates for a year, and despite numerous notifications to upgrade, they believe it can wait. 😄
It‘s on! I just filed a complaint against the Austrian subsidiary of a German data broker.
My first claim is that they have violated my right to information by, well, not providing any when they began scraping and selling my personal data, thereby effectively depriving me of my other data subject rights.
My second claim is that they have also violated my right to data protection by processing my personal data unlawfully and intransparently.
— #privacy#DataProtection#GDPR#DataBrokers#BigData
As the #DPDIBill returns to the UK Parliament, we're calling for amendments to strengthen the independence and effectiveness of the Information Commissioner's Office.
With the ICO's weak enforcement record, ORG has worked with Members of the House of Lords to table amendments to better defend our data rights and improve accountability.
Real-world harms result from data misuse and legal safeguards are only as good as their enforcement.
❌ #DPDIBill abolishes the Biometrics and Surveillance Camera Commissioner and the requirement for the government to publish a surveillance camera code of practice.
✅ Our amendment retains the Commissioner for proper oversight of this expanding and privacy-intrusive technology.