#SypherPrivacyTalks - January 2023 - Week 2

by Sypher - January 11, 2023

€390M fine strikes blow to Meta’s ad-fueled business model

politico.eu • 4 min read

Meta took a massive €390 million blow after EU regulators found it has been illegally forcing users to accept personalised ads. 👇

The ruling, one of the most significant issued under the GDPR, might require Meta to make costly changes to its ad-based business in the EU — one of its largest markets. The case hinges on Meta's terms-of-service agreement, which effectively requires users to either allow their data to be used for personalised ads or stop using the company's social media services altogether.

The EU's data privacy board (EDPB) determined that this clearly violated the GDPR. Meta has three months to outline how it will comply with the ruling, which could result in the company allowing users to choose whether they want their data used for targeted promotions. This could put 5-7% of Meta's overall advertising revenue at risk.

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

ic3.gov • 2 min read

Here's a curious one: the FBI recommends the use of ad blockers to avoid cybercrime tactics involving search engine ads. 👇

The criminals create ad links to web pages that look identical to official brand webpages. They often impersonate financial websites, particularly cryptocurrency exchanges, and prompt users to enter login credentials and financial information.

What's curious is that, along with two other elementary precautions, the FBI recommends the use of ad blockers, which has been a hot topic of debate in both online marketing AND data protection.

The Slow Death of Surveillance Capitalism Has Begun

wired.com • 3 min read

As privacy becomes a top priority for consumers, it will be interesting to see how companies adapt to this new reality. 👇

The recent €390m ruling against Meta is a huge blow to Big Tech as a whole, and a sign that the GDPR has teeth. This ruling is part of a wider move away from the unregulated model of online advertising that existed for years. 

While Apple's changes take a chunk out of Meta, Google is trying to remake or even move away from advertising cookies, but it's a plan that's proven controversial, and in July Google delayed the phaseout. This ruling really asks the whole advertising industry, how do they move forward? And how do they move forward in a way that stops these litigations that require them to change constantly? 

We must dismantle the barriers that GDPR creates for global science

ft.com • 3 min read

The GDPR has unintentionally created data-sharing silos in the biomedical research community. 👇

The GDPR is meant to give individuals greater control over their personal data, but, as the article argues, it is not taking into consideration how research-related uses of personal data differ from other types of uses. The regulation is making it difficult for scientists to find a legal basis for sharing data and for US federal agencies such as the National Institutes of Health (NIH) to receive pseudonymised data collected by research partners in the EU. 

Longstanding research collaborations are being halted, and GDPR is having direct effects on patient care in a research setting. To solve this problem, the US and EU must dismantle these data-sharing silos in medicine and public health and find remedies such as an international agreement, amendments to the GDPR, or expanded guidelines on GDPR transfer mechanisms. 

The urgency is real, as genomics and other tools create opportunities to advance curative treatments, and resolving these barriers will enable scientists to power clinical trials and make precision or personalised medicine a reality.

Polish DPA fines telecom operator for failure to notify personal-data breach

edpb.europa.eu • 2 min read

In a recent decision, the Polish supervisory authority has imposed a fine of ~€53K on telecom company P4 for failing to notify a personal data breach to the supervisory authority and to the affected data subject. 

The case began when the Polish DPA received an email from a person indicating that they were an unauthorised recipient of a set of documents relating to the conclusion of a telecommunications contract. After investigating, the DPA found that the company had obtained information about the personal data breach twice — first from the customer themselves and then from the DPA — but had only taken action to notify and communicate the breach after the DPA had initiated administrative proceedings. 

This decision serves as a reminder to companies of the importance of timely and thorough reporting of personal data breaches in accordance with the GDPR.
