#SypherPrivacyTalks - September 2023 - Week 37

by Sypher - September 15, 2023

Welcome to #SypherPrivacyTalks — Your news and article roundup. Bringing you the top privacy & compliance stories of the week.

French lawmaker challenges transatlantic data deal before EU court

politico.eu • 2 min read

📢 French MP Philippe Latombe isn't letting the transatlantic data deal slide! He's taken the fight to the EU's General Court, challenging the new EU-US Data Privacy Framework. 👇

🤔 Just two months after the EU and US reached an agreement, Latombe is raising concerns about the respect for private and family life due to bulk collection of personal data. He's filed not one, but two challenges: one to suspend the agreement immediately and another questioning its content. 

This legal battle, following the Privacy Shield debacle, could lead to some serious data flow turbulence across the Atlantic…

If you’ve got a new car, it’s a data privacy nightmare

gizmodo.com • 4 min read

🚗 According to Mozilla's "Privacy Not Included" project, every major car brand's new internet-connected models failed basic privacy tests. 👇

What are they collecting? Everything from race and weight to details about sexual activity! 😱 Volkswagen, for instance, knows if you're buckling up or slamming on the brakes.

Modern cars use microphones, cameras, and data from connected phones to harvest information. They even sell or share this data with third parties!

The worst offender? Nissan, with a privacy policy that suggests they collect incredibly personal information.

😠 The issue goes beyond data collection. Most car brands don't encrypt the data they collect, and some engage in "privacy washing," making vague promises that don't hold up…

CJEU landmark data protection ruling for online and behavioural advertising

lexology.com • 8 min read

🆚 In the case of Meta vs. Bundeskartellamt, the CJEU has clarified the legal basis for processing personal data in targeted advertising. 📚 Here's the scoop:

🔵 Contractual necessity is not always enough — The CJEU emphasises that processing personal data for behavioural advertising should be essential to the contract, with no viable alternatives.

🤝 Legitimate interest is a balancing act — The court highlights the importance of considering the user's expectations and the impact of data processing on them.

🔐 Consent matters — The CJEU underlines that consent must be freely given, and users shouldn't feel pressured to agree to data processing.

🕵️‍♂️ Competition authority's role — The ruling also grants National Competition Authorities the power to investigate GDPR breaches. 

Key takeaways for online platforms:
✅ Relying solely on "contractual necessity" may not cut it.
✅ Personalized content might not be crucial for social network services.
✅ "Product improvement" as a legitimate interest must respect user rights.
✅ Consent should be freely given, even for dominant operators…

EU-U.S. Data Privacy Framework vs. EU Standard Contractual Clauses for transatlantic transfers of personal data

jdsupra.com • 5 min read

🛡️ The European Commission has given the green light to the EU-US Data Privacy Framework (DPF). But what about those trusty Standard Contractual Clauses (SCCs)? 🤔 Let's break it down!

DPF — Designed exclusively for data transfers to the U.S.
SCCs — Versatile, usable for EU to any non-EU country, but with extra compliance steps.

🔑 Key point — SCCs might require a Transfer Impact Assessment (TIA) for each transfer. DPF skips this step!

💼 Compliance matters — Both come with compliance obligations. DPF relies on self-certification, while SCCs are contract-based.

🧐 Which to choose? It's not one-size-fits-all. Consider your business's needs, location, and compliance readiness.

📊 Bottom line — Weigh the pros and cons, and make the choice that suits your data transfer strategy best…

New X privacy policy promises no non-public personal data use in AI models, requires consent for biometric info

cpomagazine.com • 4 min read

😇 X is putting user privacy front and centre. They've promised not to train AI models on private data, so those late-night direct messages are safe and sound. 👇

But here's the twist! 🔄 Public posts are fair game for X's AI models. Elon Musk dropped this bombshell while unveiling their ambitions to compete with giants like OpenAI and Microsoft.

The new privacy policy kicks in on September 29, and it's not just about AI. X Premium subscribers can even get a verification badge by uploading a selfie and ID. 

While X's privacy policy is clear on some fronts, the total range of user data it will access remains a bit hazy…
