Privacy Kit

March 27, 2022

Not Too Pushy | The Cat Herder, Volume 5, Issue 11

March 27 · Issue #173
The Cat Herder
There was a big announcement about trans-Atlantic data transfers which contained precious little of substance. Meta ponders, Clearview boasts it has ALL THE FACES and dark patterns come under consideration.
😼

Corey Quinn
@QuinnyPig
Google is so aggressive about mining e-mail receipts for data to sell ads that Amazon no longer tells you what you bought in their emails, and now I honestly can’t tell which company is being the bigger asshole to customers.
1:35 AM - 21 Mar 2022
Jack Poulson
@_jack_poulson
Clearview AI is advertising 20B+ photos in the 2.0 version of its facial recognition software announced today.

The aggressive manner in which Clearview AI scrapes the photos from the internet has been deemed illegal by numerous nations.

https://t.co/8YBVCfsQBd https://t.co/T1SbQQZx9Y
1:17 PM - 25 Mar 2022
The EU and US tee up Schrems III with an “agreement in principle.” Which is even more abstract than an agreement, which everyone seems to agree has not been reached.
Ursula von der Leyen
@vonderleyen
Pleased that we found an agreement in principle on a new framework for transatlantic data flows.
 
It will enable predictable and trustworthy 🇪🇺🇺🇸 data flows, balancing security, the right to privacy and data protection.
 
This is another step in strengthening our partnership. https://t.co/7Y0wslR7Go
9:22 AM - 25 Mar 2022
More
White House: FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework
Techcrunch: EU, US agree on data transfer deal to replace defunct Privacy Shield
The Register: EU and US agree Privacy Shield enhancements
noyb: “Privacy Shield 2.0”? - First Reaction by Max Schrems
Last Word
Mark Scott
@markscott82
None of the political statements on greater transatlantic cooperation matter. What matters is the legal underpinning of a new agreement that will withstand the immediate challenge at Europe's highest court.

The CJEU, last time I checked, doesn't give an F about politics.
9:47 AM - 25 Mar 2022
Metabook is contemplating whether to appeal its €17 million fine while continuing to try and trivialise the issue.
“We’re still reviewing the decision,” said a spokesperson for the parent company of Facebook, Instagram and Whatsapp, which employs around 5,000 people in Dublin.
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information.”
Meta pondering appeal over €17m fine for GDPR breaches - Independent.ie
Meta says it has yet to decide whether to appeal the €17m fine imposed by Ireland’s Data Protection Commissioner for mishandling its reporting of 12 breach notifications.
—
John Edwards said a few mildly edgy things because that’s kind of his no-nonsense Antipodean personal brand, and also insisted the UK government wouldn’t be watering down data protection on his watch. Which would make one wonder how familiar he is with the current UK administration.
UK data chief rejects claims country is ditching privacy rights as ‘bullshit’ – POLITICO
New Zealander John Edwards also refuses to tame his colorful online presence.
  • “Much will depend on the details of construction and implementation for this protective mechanism. What our articles contribute is the identification of three fundamental building blocks on which a solid and long-lasting transatlantic adequacy agreement could stand. We have shown that there is a promising way to create, by non-statutory means, an independent redress authority and to provide the necessary investigative and decisional powers to respond to redress requests by European persons. We also suggest a way to successfully address the problem of standing and thereby to provide for an ultimate possibility of judicial control. Using these building blocks to create an effective redress mechanism could enable the U.S. and the EU not only to establish a solid transatlantic adequacy regime capable of resisting CJEU scrutiny but also to advance human rights more broadly.” From ‘EU/US Adequacy Negotiations and the Redress Challenge How to Create an Independent Authority with Effective Remedy Powers’ by Theodore Christakis, Kenneth Propp and Peter Swire for the European Law Blog.
  • “Dark patterns do not necessarily only lead to a violation of data protection regulations. Dark patterns can, for example, also violate consumer protection regulations. The boundaries between infringements enforceable by data protection authorities and those enforceable by national consumer protection authorities can overlap. For this reason, in addition to examples of dark patterns, the Guidelines also present best practices that can be used to avoid undesirable but still legally compliant user interfaces.” From the EDPB’s ‘Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them’.
  • “The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal. In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.” From ‘EDPB on Dark Patterns: Lessons for Marketing Teams’ by Peter Craddock, Sheila A. Millar and Tracy P. Marshall in the National Law Review.
  • “the consequence of this grossly unlawful policy - a policy the Home Secretary refused to admit until forced to - was that asylum seekers will have lost all means of contacting spouses, parents, and children.” From this thread on Twitter by George Peretz.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
