EU adequacy mechanism Archives - TechGDPR
https://techgdpr.com/blog/tag/eu-adequacy-mechanism/

EU-US Data Privacy Framework Adopted
https://techgdpr.com/blog/eu-us-data-privacy-framework-adopted/
Mon, 10 Jul 2023 15:47:32 +0000

The post EU-US Data Privacy Framework Adopted appeared first on TechGDPR.

This afternoon, the European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework. This decision finds that the United States provides an equivalent level of data protection to that of the European Union, enabling the safe and unrestricted flow of personal data from the EU to U.S. companies under the new framework.

EU Companies using US vendors for their data

For companies operating within the EU, this adequacy decision eliminates the need for additional data protection measures when transferring personal data to U.S. vendors participating in the EU-U.S. Data Privacy Framework. It streamlines data transfers, allowing businesses to focus on their core operations without being burdened by complex compliance requirements.

If your company relies on U.S. vendors for services or data processing, this decision brings positive implications. The EU-US Data Privacy Framework introduces comprehensive binding safeguards to address concerns raised by the European Court of Justice. These safeguards ensure that access to EU data by U.S. intelligence services is limited to what is necessary and proportionate for national security purposes.

Moreover, the framework establishes a redress mechanism for EU individuals whose data is mishandled by U.S. companies. This includes independent dispute resolution mechanisms and an arbitration panel, providing added assurance to EU consumers and reinforcing trust in transatlantic data flows.

Serving EU Customers from the US

For U.S. vendors seeking to serve EU customers, participation in the EU-US Data Privacy Framework is crucial. By committing to comply with a detailed set of privacy obligations, U.S. companies can demonstrate their adherence to the high data protection standards required by the EU. This includes obligations such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties.

The framework will be administered by the U.S. Department of Commerce, ensuring proper oversight and monitoring of participating companies’ compliance. The U.S. Federal Trade Commission will enforce these obligations, safeguarding the interests of EU individuals and promoting accountability among U.S. vendors.

It is important to note that the safeguards implemented by the U.S. government to protect data privacy will also benefit companies using other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. This provides flexibility and reassurance for companies engaged in transatlantic data transfers, regardless of the specific mechanism they choose.

Cross-border enforcement

We encourage companies to familiarize themselves with the details of the adequacy decision and the obligations set forth in the EU-US Data Privacy Framework as this will affect many data setups.

Criticism of the EU-US Data Privacy Framework

Critics argue that the new Trans-Atlantic Data Privacy Framework closely resembles its predecessors, particularly the failed “Privacy Shield” agreement. The fundamental concerns regarding U.S. surveillance laws and the unequal treatment of non-U.S. persons in terms of constitutional rights remain largely unaddressed. The framework’s reliance on the U.S. Executive Order 14086, which includes the term “proportionate” but interprets it differently than the European Court of Justice (CJEU), has raised concerns about the adequacy of protections.

Furthermore, the redress mechanism established under the new framework has been questioned. While some improvements have been made compared to the previous “Ombudsperson” mechanism, the individual’s direct interaction with the newly formed Civil Liberties Protection Officer (CLPO) and the “Court” is limited. Critics argue that this mechanism does not provide true judicial redress, as the response is already known before a case is brought, potentially undermining the effectiveness of individuals’ rights to seek redress.

It is expected that the privacy advocacy group noyb (None of Your Business) will challenge the adequacy decision in court. They contend that the new framework lacks substantial changes and does not address the necessary reforms to U.S. surveillance laws. Previous attempts, such as the “Safe Harbor” and “Privacy Shield,” have been declared invalid by the CJEU.

The potential legal challenge could result in further scrutiny of the Trans-Atlantic Data Privacy Framework. If the case reaches the CJEU, the court may suspend the framework during the review process, leading to a final decision in 2024 or 2025. This uncertainty raises concerns about the legal validity of data transfers conducted under the new framework.

Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent
https://techgdpr.com/blog/weekly-digest-16052022-uk-data-protection-reform-and-dark-patterns-invalidating-consent/
Mon, 16 May 2022 07:40:08 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform

Last week in the Queen’s Speech it was announced that the UK’s data protection regime will be reformed through the introduction of the Data Reform Bill, dataprotectionlawhub.com reports. The Bill’s purpose is to “create a trusted UK data protection framework that reduces burdens on businesses and boosts the economy.” Reportedly, the main elements of the Bill include:

  • a more flexible, outcomes-focused approach to data protection focused on privacy outcomes that will replace the “box tick exercises” required under current data protection law; 
  • public bodies will be able to share data to improve the delivery of services, with data protection, ensuring that the personal data of UK citizens is protected to a ‘gold standard’. 

Additionally, the introduction of the Brexit Freedoms Bill in the future will end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law which is currently enshrined under UK data protection law. Taken all together this could undermine the EU’s adequacy decision for data flows with the UK. Read the full governmental proposal here

Official guidance: UK AI toolkit, China cross-border processing, CNIL and EDPB’s annual wrap-ups

The UK’s ICO has presented its AI toolkit, designed to provide further practical support to organisations in reducing the risks to individuals’ rights and freedoms caused by their own AI systems. It contains a) advice on how to interpret relevant law as it applies to AI, b) recommendations on good practice for organisations, c) technical measures to mitigate the risks to individuals that AI may cause or exacerbate, and d) an AI glossary. This guidance is not a statutory code. There is no penalty if you fail to adopt good practice recommendations, as long as you find another way to comply with the law, the ICO says.

The guidance covers both the AI and data-protection-specific risks, and the implications of those risks for governance and accountability. Regardless of whether you are using AI, you should have accountability measures in place. However, adopting AI applications may require you to re-assess your existing governance and risk management practices. AI applications can exacerbate existing risks, introduce new ones, or generally make risks more difficult to assess or manage.

Meanwhile, China issued new specifications for cross-border processing of personal information by multinational corporations, as stipulated in the Personal Information Protection Law (PIPL). In particular, such companies must meet one of the following criteria in order to transfer personal information above a certain scale overseas:

  • Undergo a security review organized by the Cyberspace Administration of China, except where exempted by relevant laws and regulations. 
  • Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC. 
  • Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC, etc.

Personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements:

  • Biometric data, (fingerprints, iris recognition, facial recognition, and DNA);
  • Data pertaining to religious beliefs or specific identities;
  • Medical history;
  • Financial accounts;
  • Location and whereabouts;
  • Any personal information of minors under the age of 14. 

However, it does not include data that has been anonymised or abstract data that doesn’t contain any specific personal information on individuals, such as aggregated information. Read the full analysis in the original publication

The French regulator CNIL published its 2021 activity report (in French). One of its objectives was to provide legal certainty to all professionals with regard to the GDPR. To support them, it published new sector guides and resources on its website in 2021, in particular for the voluntary associations’ sector, insurance, health and adtech. In 2021 the CNIL received 14,143 complaints and closed 12,522. It carried out 384 checks, and the shortcomings noted during some of the investigations led to the issuing of 135 formal notices and 18 penalties, entailing fines exceeding 214 million euros. 89 of the 135 formal notices concerned cookies, one of the priority themes set by the CNIL for this year.

The CNIL also carried out 30 new control missions with medical analysis laboratories, hospitals, service providers and data brokers in health, in particular on treatments related to the COVID-19 epidemic. Some of these procedures are still under review. Finally, it paid particular attention to the cybersecurity of the French web by controlling 22 organisations, 15 of which are public. During its investigations, the CNIL noted obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient resources with regard to current security issues.

At the same time the EDPB presented its annual report 2021 with a detailed overview of its work over the last year. In 2021, the EDPB adopted its final version of the recommendations on:

  • Supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. 
  • Opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive, as well as its opinion on the draft adequacy decision for the Republic of Korea. 
  • Guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses, issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA. 
  • Guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, and much more.

In the US, the Network Advertising Initiative, (NAI is the leading self-regulatory association comprised exclusively of third-party digital advertising companies – ed.), issued Best Practices for User Choice and Transparency. The term “dark pattern” was coined in 2010 to refer to “tricks used in websites and apps that make you do things you didn’t mean to do, like buying or signing up for something.” They are also sometimes referred to as “deceptive patterns” or “manipulative designs.” These practices can be dynamic and multifaceted, including a series of tactics and specific design choices in apps and on websites. The guide is intended to help member companies better understand the practice of dark patterns and to implement the highlighted best practices to avoid them, namely:

  • to examine the current legal environment at the state and federal levels, (FTC ACT, CCPA and CPRA, Colorado privacy Act, and the GDPR); and 
  • to identify best practices and guide companies in maximizing effective and efficient notice and choice mechanisms with respect to collecting consumer data, (Notice and Choice, Exercising Consumer Requests, User Interface considerations).

Pursuant to the GDPR, the NAI quotes the French CNIL, which asserts that “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent.” Furthermore, in March 2022, the EDPB released a series of its own guidelines on the use of dark patterns in social media platforms, open for public comment.

Investigations and enforcement actions: IAB Europe case, IKEA Canada internal threat, whistleblowing, community owners

The IAB Europe, (the European-level association for the digital marketing and advertising ecosystem – ed.), withdrew its request for suspension of the execution of the decision issued by the Belgian Data Protection Authority, (APD), on the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with confirmation that the APD will not take a decision on validation of the action plan submitted by IAB Europe to rectify alleged EU GDPR violations connected with TCF before Sept. 1, the date by which the Market Court is expected to have issued a ruling on the appeal.

IKEA Canada reportedly confirmed a data breach involving the personal information of approximately 95,000 customers. The furniture retailer notified Canada’s privacy regulator, saying that some of its customers’ personal information appeared in the results of a “generic search” made by an employee at IKEA Canada between March 1 and March 3 using IKEA’s customer database, but that no financial or banking information was involved in the breach. In a letter sent to impacted customers, IKEA Canada said that the data that may have been compromised included customer names, email addresses, phone numbers and postal codes. The IKEA Family loyalty program number belonging to customers may have also been visible. The company has already made changes to reinforce its internal policies, and no action was needed by customers.

The Italian privacy regulator ‘Garante’ fined ISWEB and Perugia Hospital 40,000 euros each for GDPR violations in relation to the whistleblowing system, following an ex officio investigation, Data Guidance reports. ISWEB is an IT company that provides and manages the whistleblowing application used by numerous clients, including Perugia Hospital. The ‘Garante’ found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, and for the processing carried out in its capacity as a data processor on behalf of its clients, including the Hospital. The ‘Garante’ noted that the aggravating factors for the administrative fine were: a) the nature, subject, and purpose of the processing; b) the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; c) the fact that no whistleblowing reports were available in the system at the time of the investigation; d) ISWEB had not regulated in any way the relationship with the hosting service provider.

At the same time, the Spanish data protection authority imposed a fine of 500 euros on community owners. In particular, the decision states that the Presidency of the Community of Owners had placed a list of debtors on three community bulletin boards, including the claimant. Moreover, the decision noted that the location of the respective bulletin boards is inside the portals and that all the boards are locked, but exposed to viewing by third parties outside of the community. 

Data security: cybersecurity for regulated industries

EU countries and lawmakers agreed last week to tougher cybersecurity rules for regulated industries such as energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players, under the scope of the NIS 2 Directive proposed by the Commission in December 2020. Medium and large companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance. EU countries and the EU cybersecurity agency ENISA can also assess the risks of critical supply chains under the rules.

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to transpose the Directive into national law.

Big Tech: Twitter’s ‘Data Dash’ game, Clearview AI settlement and future fine, EU biometrics, Zoom’s user emotion detection 

Twitter has rolled out a new web video game to make it easier for users to understand its privacy policy, TechCrunch reports. The goal of the game, which is called Data Dash, is to educate people on the information that Twitter collects, how the information is used and what controls users have over it: “Once you start the game, you’ll be asked to pick the language in which you would like to play. After that, you’ll have the option to select a character. The game is played by helping a dog, named Data, safely navigate “PrivaCity” by dodging ads, steering clear of spammy DMs and avoiding Twitter trolls.”

According to Reuters, France’s data privacy regulator is about to trigger the process of fining US-based Clearview AI, a facial recognition company the regulator had ordered to stop amassing data from people based in the country. The start of a formal penalty process would indicate that CNIL suspected Clearview of failing to comply with its order within the two-month deadline it had set. 

Meanwhile, under a settlement filed in an Illinois state court in Chicago, Clearview AI will stop granting paid or free access to its database to most local private businesses and individuals, as well as police. However, Clearview AI, based in New York, can still work with federal government agencies, including immigration authorities, as well as state government agencies outside Illinois. The case was brought by the American Civil Liberties Union in 2020. Clearview AI repeatedly violated the Illinois Biometric Information Privacy Act by scraping photos taken from the internet, including from social media platforms, Reuters reports.

The European Digital Rights group and 52 other organisations called for banning remote biometric identification systems in public locations, Biometric Update and IAPP News report. They called the technology, like facial recognition, one of the greatest threats to fundamental rights and democracy that destroys the possibility of anonymity in public. They have called for amendments to Article 5(1)(d) of the AI Act to extend the scope of the prohibition to cover all private as well as public actors. 

And nearly 30 civil society groups wrote a letter to Zoom’s CEO calling on the company to cease use of software that detects users’ emotions, The Hill and IAPP News report. The letter came in response to reports of Zoom beginning to roll out post-meeting sentiment analysis for hosts: “Facial expressions are incredibly variable from culture to culture and nation to nation, making creating an algorithm that can judge them equally difficult.” The groups also launched an online petition demanding that Zoom drop the technology.

Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords
https://techgdpr.com/blog/weekly-digest-27122021-facebook-data-transfer-ttdsg-contactless-payments-tech-buzzwords/
Mon, 27 Dec 2021 12:13:55 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: Facebook data transfer hustle, Amazon fine halted, adequacy for South Korea

Despite the CJEU twice declaring that the US does not offer sufficient protection for Europeans’ data from American national security agencies, Facebook (Meta)’s lawyers continue to disagree, according to internal documents seen by the POLITICO EU newspaper. In July 2020, the CJEU struck down a US-EU data transfer framework, the Privacy Shield, but upheld the legality of another safeguard instrument used to export data out of the EU – Standard Contractual Clauses (SCCs).

Facebook’s lawyers argue that the EU court ruling relates only to the Privacy Shield data pact (Art. 45 of the GDPR), and not the SCCs (Art. 46 of the GDPR), the instrument Facebook uses to transfer data to the US. The company also says that changes to US law and practices since the 2020 ruling should be taken into account, namely the US Federal Trade Commission “carrying out its role as a data protection agency with unprecedented force and vigour.” Finally, the platform’s lawyers note that the 234,998 data requests it received from US authorities in 2020 represent a “tiny fraction” of the total number of users, which Facebook estimates at around 3.3 bln.

At the same time, Austrian activist and lawyer Maximilian Schrems, who in 2013 started the legal battle against Facebook, states that since the 2020 CJEU judgment the platform has not taken any steps to limit its data transfers. “Instead, it produced an 86 page “Transfer Impact Assessment” under the newly introduced SCCs, coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are”. Reportedly, Facebook’s self-assessment document concluded that relevant US law and practice provided protection of personal data that was essentially equivalent to the level of protection required by EU law.

Also last week:

Luxembourg’s legal judgment halts Amazon’s enormous daily GDPR fine. The Administrative Court suspended a 746,000 euro fine the US retailer had to pay each day over suspected data privacy breaches. The court ruled that the data protection regulator’s instructions on how to correct the breaches were too vague. In July the Luxembourg data protection commissioner, where Amazon’s European headquarters is based, hit the company with a record fine after deciding that its processing of customers’ personal data for targeted advertising purposes did not comply with the GDPR. Amazon argued the ruling lacked merit and would be appealed. As of today, hearings between the two parties are still ongoing.

The European Commission has adopted South Korea’s GDPR-governed adequacy ruling. The agreement allows for the free flow of personal data between the EU and the Republic of Korea, without further authorization or additional transfer tools. The decision also covers transfers of personal data between public authorities. The agreement stands on the adequate protections afforded to individuals in the EU under Korean law when their data is transferred to the Republic of Korea, including additional transparency and onward data transfer requirements agreed by both parties. These rules are now binding and enforceable by the South Korean data protection authority, PIPC, and the court system, Hunton Andrews Kurth LLP reports. Read the full South Korea adequacy decision here, as well as the latest Q&As on the EU adequacy mechanism.

Official guidance: TTDSG, card-based payments, COVID status checks

The German Data Protection Conference published its guidance (in German) on the Telecommunications and Telemedia Act (TTDSG), which entered into force on 1 December. The document (open for public consultation) offers operators of websites, apps, and smart home applications assistance in the implementation of the new provisions. The same guide also informs citizens of the key changes in the legal framework, and further clarifies the interplay between the TTDSG, the GDPR and the ePrivacy Directive, namely:

  • TTDSG goes beyond the scope of the GDPR and establishes the consent requirement for storing/accessing information on or from users’ terminal equipment, regardless of whether the information relates to a person. 
  • cookie (and similar technologies) user consent can be bundled with the consent for subsequent data processing/transfers, if sufficiently transparent. 
  • TTDSG establishes strict requirements for valid consent with a “reject all” option (with some possible exceptions under anti-fraud/IT security requirements).
  • The aforementioned requirements are applicable only for data processing within the EEA. There must therefore always be additional examinations where the processing involves the transfer to third countries, especially such as the US, where there is no adequate agreement with the EU. 

The guide also explains the rationale behind the “absolutely necessary” cookies, main services, services provided at the user’s demand and the additional functions/services. In the context of websites, users do not have to accept every access to their terminal equipment, in particular the setting of cookies, just because a website or an app has been actively called up. They must first become aware that there are additional services and functions that require access to the terminal device in order to provide them (measurement or analysis of visitor numbers, A/B testing, etc.). Also, cookies for any additional functions, such as for storing products in the shopping cart or making a payment, can regularly only be regarded as absolutely necessary in terms of the time dimension once a corresponding user interaction has taken place (when items are actually placed in the cart, or the payment process has been initiated).

The EDPS’s latest TechDispatch section investigates card-based payments, which nowadays go beyond debit cards or credit cards. Contactless payments using Near Field Communication or Quick Response technologies and cardless payments via smartphone apps are just a few examples of new card-based payment methods. The key takeaways include analysis on:

  • payment gateways and processors;
  • balancing interests between anonymity and traceability of personal data;
  • necessity and proportionality of customer identification;
  • processing of special categories of data;
  • GDPR-covered roles and responsibilities; 
  • data retention and surveillance, automated decision making and profiling;
  • data security standards, etc.

In the UK, the Information Commissioner’s Office advised organisations about how to look after customers’ personal data when completing COVID status checks. The provisions require data collectors to be clear, open and honest with people about what they are doing with the personal information:

  • display your privacy notice on your website, social media or email it alongside any event information, put up posters around your venue’s entrance;
  • follow the government guidance to determine whether you should carry out purely visual checks, or a digital scan;
  • use only official governmental apps to scan QR codes;
  • don’t create any of your own lists or records with your customers’ status;
  • make sure staff can answer questions about how data will be used and stored;
  • ensure that your staff treat the information that they are checking confidentially;
  • keep up-to-date with the latest advice from the government and the ICO.

Investigations and enforcement actions: gamers’ videos, children’s learning data, ex-employee email box

Gaming giant Ubisoft has confirmed an intrusion into its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” However, Ubisoft did not comment about how many people were affected by the incident: “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles.” Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team also urged players to enable two-factor authentication and to reset passwords.

The Icelandic data protection authority has found the City of Reykjavík guilty of multiple violations of the GDPR, following its failure to comply with data protection obligations in processing children’s personal data, DataGuidance reports. The investigation started over one of the City of Reykjavík’s primary schools’ use of the Seesaw Learning app. The regulator found that the City of Reykjavík failed to process personal data in a fair and transparent manner, noting that:

  • The processing of personal information was not based on a valid consent. 
  • It was possible to identify registered students for longer than necessary. 
  • The system processed the personal data of parents and guardians of students in order to direct them to marketing. 
  • The personal information of students was transferred to the US and processed there, without sufficient safeguards. 
  • The municipality failed to clarify which of the parties was responsible for the processing, to demonstrate any existing data processing agreements, or to complete a DPIA. 

The City of Reykjavík was requested to close the schoolchildren’s Seesaw accounts and ensure that all their personal data is deleted from the system, but only after a copy of the data has been handed over to the children or, where appropriate, retained by the schools. 

The Belgian Data Protection Authority (DPA) issued a reprimand to a company for violations of Articles 5, 6 and 13 of the GDPR, DataGuidance reports. After the complainant’s employment agreement had ended, the organisation had kept the complainant’s email address and mailbox active, making it possible for a third party to read incoming emails and reply in the complainant’s name. The email address was still in the company’s system in January 2020, even though the employment agreement had ended in 2019. Furthermore, the complainant had not been informed about any further use of their mailbox and email address, beyond being told that they would no longer have access to it. The Belgian DPA did not impose a monetary penalty in this case, considering that publication of the reprimand would be a sufficient warning.

Opinion: ICO’s regulatory powers

The UK Information Commissioner’s Office (ICO) has launched a consultation to gather the views of data controllers, their representatives and the public on how it regulates the laws it monitors and enforces. Respondents have 14 weeks to comment on three documents:

  • The Regulatory Action Policy, which reinforces the ICO’s proportionate and risk-based approach to enforcement and explains the factors it considers before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
  • Statutory Guidance that sets out the ICO’s legal obligation to publish guidance helping organisations navigate the law.
  • Statutory Guidance on the Privacy and Electronic Communications Regulations (PECR), which explains how the ICO enforces the data protection rules on electronic communications such as nuisance calls, emails and texts. The guidance focuses on the ICO’s power to issue monetary penalty notices to a person, or an officer of a body, for failures under the PECR, a power that has recently been incorporated into law. 

The forms for written responses are available here.

Big Tech: Google and Meta fines in Russia, Meta/Giphy deal, Alibaba Cloud, tech buzzwords 2021

A Moscow court said on Friday that it was fining Alphabet’s Google about 90 mln euros for what it called a repeated failure to delete content Russia deems illegal, the first revenue-based fine of its kind in Russia. The court also fined Meta more than 20 mln euros on the same grounds. Russia’s communications watchdog Roskomnadzor said that Facebook and Instagram had failed to remove two thousand pieces of content that violate Russian law, while Google still hosts 2,600 pieces of banned content. Moscow has also demanded that 13 foreign, mostly US, technology companies, including Google and Meta, be officially represented on Russian soil by January 1 or face possible restrictions or outright bans.

Facebook owner Meta has appealed against the UK ruling that it must sell its animated images platform Giphy. The company disputes the finding that its 2020 purchase of Giphy threatens its rivals or could harm competition in display advertising. It is the first time the British competition regulator, the CMA, has blocked a major digital acquisition. Half of the traffic to Giphy’s huge library of looping videos comes from Facebook, Instagram and WhatsApp; its GIFs are also popular with users of TikTok, Twitter and Snapchat. The CMA was concerned that Meta could limit rivals’ access or force them to hand over more user data. Meta argued that it would not change the terms of access for competitors, nor collect additional data from the use of GIFs, which carry no online tracking mechanisms such as pixels or cookies. Meta also pointed out that Giphy has no presence, employees, offices or revenues in Britain. The CMA noted that UK users search for 1 billion GIFs a month on Giphy, and that 73% of the time they spend on social media is spent on Meta’s Facebook, Instagram and WhatsApp.

Chinese regulators have suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, accusing it of failing to promptly report and address a cybersecurity vulnerability. Alibaba Cloud reportedly notified the US-based Apache Software Foundation of the recently discovered vulnerability in the popular open-source logging framework Apache Log4j2, but did not immediately report it to China’s telecommunications regulator. The suspension is to be reassessed in six months. The measure highlights Beijing’s desire to strengthen control over key online infrastructure and data in the name of national security; the Chinese government has also asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.

Finally, to end the year, Reuters tech team published a guide to 2021’s tech buzzwords. So, if you’re still drawing a blank as 2021 wraps up – metaverse, web3, social audio, NFTs, tech decentralization, DAOs, “stonks”, gameFI, altcoin, FSD beta, fabs and net zero are all made crystal clear in this quick guide for everyone whose digital lexicon may be in need of an upgrade. 

The post Weekly digest December 20 – 26, 2021: Facebook data transfer hustle, guide on Germany’s TTDSG, contactless payments, tech buzzwords appeared first on TechGDPR.

]]>