Last week in Privacy (week 36)

Google faces another class action lawsuit - this time in Canada


A class action lawsuit has been filed in the Supreme Court of British Columbia against Google. The class action is filed on behalf of millions of Canadians who personal information is collected allegedly without the consent of the individuals.


Google is allegedly collecting personal information through Google Ads and Google Analytics, tools that are installed on more than 50% of the global websites. The claim alleges that Google is turning Canadians’ electronic devices into tracking devices, which are used to build profiles on almost every Internet user in Canada, even on people with not relationship to Google at all.


The claim is brought on behalf of residents of Canada who have used Google’s services or visited websites that contain Google Ads or Google Analytics.


Read more here: Google turns electronics into tracking devices, without consent


European Data Protection Board adopts new guidelines in it’s 37th plenary meeting


The European Data Protection Board (“EDPB”) adopted guidelines on the concepts of controller and processor. The new guidelines consists a detailed guidance on the main consequences of the concepts for controllers, processors and joint controllers and will be subject to a public consultation.


Guidelines on the targeting of social media users aims to clarify the roles and responsibilities of the social media provider and the targeted individual and to provide guidance on key data protection requirements, such as lawfulness of processing, DPIA and transparency related to social media targeting.


In addition, the EDPB has created a taskforce to look into the complaints filed in the aftermath of the CJEU’s judgement in case C-311/18 (“Schrems II”). Another taskforce has been set to prepare recommendations to assist controllers and processors with their duty to implement appropriate supplementary measures when transferring personal data to third countries.


Read more here: EDPB's 37th Plenary meeting


US court finds mass surveillance program exposed by Edward Snowden, illegal


In a ruling handed down on Wednesday 2nd of September 2020, the US Court of Appeals for the Ninth Circuit said that the warrantless telephone dragnet that secretly collected millions of Americans’ telephone record violated the Foreign Intelligence Surveillance Act (“FISA”) and may well have been unconstitutional.

Read more here: Mass surveillance exposed by Snowden found illegal


What is the hidden cost of free Google Analytics?


Millions of websites from government to health sector use free Google Analytics to gather data about their visitors. Despite it’s popularity, Google Analytics may not be the best option.


The biggest cost lies in how Google uses and shares the data gathered via Google Analytics. In its own policies, Google clarifies that the information gathered with Google Analytics is shared with Google for its own advertising purposes.


Read more here: The hidden cost of free Google Analytics


Adtech companies can uniquely identify users - even without cookies


By using fingerprinting methods e.g by gathering different variables, such as the browser name and version, screen resolution, list of installed fonts and plugins and IP addresses, Adtech companies can uniquely identify users with 99% accuracy. This means the blocking third party cookies won’t improve data subjects’ privacy as expected by Google’s recent move in its upcoming Chrome browser release.


Read more here: Blocking 3rd party cookies might not improve privacy as expected


Are US style class action lawsuits increasing in the EU?


Consumer groups and campaigners are increasingly skipping the data protection supervisors and taking their complaints directly to the courts. This shift hints a growing disappointment with the current enforcement system that is still struggling to finalise a single major investigation more than two years after the GDPR became applicable.


Read more here: Skip the regulators and go directly to the court


UK’s ICO gives organisations 12 months to meet its new code of practice for childrens’ privacy


The Age Appropriate Design: a code of practice for online services came into force on 2nd of September  with a 12 month transition period. The code sets new standards and explains how the GDPR applies in the context of children using digital services.


The information society services must put the best interests of the children first when designing and developing apps, games, connected toys and websites that are likely to be used by children.


Read more here: ICO's new code of practice for childrens' privacy


Norway’s parliament subject to a cyber attack


Norway’s parliament Stortinget reports that it has been subject to a cyber attack on its internal email system where hackers gained access and downloaded content for a small number of representatives and employees.


In a press release on 1st of September, Stortinget’s director Marianne Andreasson said that the incident is currently under investigation and it was too early to provide further details on who was behind the attack or the exact number of breached accounts. The matter has been reported to the police.


Read more here: Cyber attack to Norway's parliament