back

Last week in Privacy (week 36)

Google faces another class action lawsuit - this time in Canada

 

A class action lawsuit has been filed in the Supreme Court of British Columbia against Google. The class action is filed on behalf of millions of Canadians who personal information is collected allegedly without the consent of the individuals.

 

Google is allegedly collecting personal information through Google Ads and Google Analytics, tools that are installed on more than 50% of the global websites. The claim alleges that Google is turning Canadians’ electronic devices into tracking devices, which are used to build profiles on almost every Internet user in Canada, even on people with not relationship to Google at all.

 

The claim is brought on behalf of residents of Canada who have used Google’s services or visited websites that contain Google Ads or Google Analytics.

 

Read more here: Google turns electronics into tracking devices, without consent

 

European Data Protection Board adopts new guidelines in it’s 37th plenary meeting

 

The European Data Protection Board (“EDPB”) adopted guidelines on the concepts of controller and processor. The new guidelines consists a detailed guidance on the main consequences of the concepts for controllers, processors and joint controllers and will be subject to a public consultation.

 

Guidelines on the targeting of social media users aims to clarify the roles and responsibilities of the social media provider and the targeted individual and to provide guidance on key data protection requirements, such as lawfulness of processing, DPIA and transparency related to social media targeting.

 

In addition, the EDPB has created a taskforce to look into the complaints filed in the aftermath of the CJEU’s judgement in case C-311/18 (“Schrems II”). Another taskforce has been set to prepare recommendations to assist controllers and processors with their duty to implement appropriate supplementary measures when transferring personal data to third countries.

 

Read more here: EDPB's 37th Plenary meeting

 

US court finds mass surveillance program exposed by Edward Snowden, illegal

 

In a ruling handed down on Wednesday 2nd of September 2020, the US Court of Appeals for the Ninth Circuit said that the warrantless telephone dragnet that secretly collected millions of Americans’ telephone record violated the Foreign Intelligence Surveillance Act (“FISA”) and may well have been unconstitutional.

Read more here: Mass surveillance exposed by Snowden found illegal

 

What is the hidden cost of free Google Analytics?

 

Millions of websites from government to health sector use free Google Analytics to gather data about their visitors. Despite it’s popularity, Google Analytics may not be the best option.

 

The biggest cost lies in how Google uses and shares the data gathered via Google Analytics. In its own policies, Google clarifies that the information gathered with Google Analytics is shared with Google for its own advertising purposes.

 

Read more here: The hidden cost of free Google Analytics

 

Adtech companies can uniquely identify users - even without cookies

 

By using fingerprinting methods e.g by gathering different variables, such as the browser name and version, screen resolution, list of installed fonts and plugins and IP addresses, Adtech companies can uniquely identify users with 99% accuracy. This means the blocking third party cookies won’t improve data subjects’ privacy as expected by Google’s recent move in its upcoming Chrome browser release.

 

Read more here: Blocking 3rd party cookies might not improve privacy as expected

 

Are US style class action lawsuits increasing in the EU?

 

Consumer groups and campaigners are increasingly skipping the data protection supervisors and taking their complaints directly to the courts. This shift hints a growing disappointment with the current enforcement system that is still struggling to finalise a single major investigation more than two years after the GDPR became applicable.

 

Read more here: Skip the regulators and go directly to the court

 

UK’s ICO gives organisations 12 months to meet its new code of practice for childrens’ privacy

 

The Age Appropriate Design: a code of practice for online services came into force on 2nd of September  with a 12 month transition period. The code sets new standards and explains how the GDPR applies in the context of children using digital services.

 

The information society services must put the best interests of the children first when designing and developing apps, games, connected toys and websites that are likely to be used by children.

 

Read more here: ICO's new code of practice for childrens' privacy

 

Norway’s parliament subject to a cyber attack

 

Norway’s parliament Stortinget reports that it has been subject to a cyber attack on its internal email system where hackers gained access and downloaded content for a small number of representatives and employees.

 

In a press release on 1st of September, Stortinget’s director Marianne Andreasson said that the incident is currently under investigation and it was too early to provide further details on who was behind the attack or the exact number of breached accounts. The matter has been reported to the police.

 

Read more here: Cyber attack to Norway's parliament