TikTok must pay $368 million for numerous breaches of the EU general data protection regulation (GDPR) relating to its processing of personal data from child users of the platform, the Irish Data Protection Commission (DPC) announced Friday. The inquiry, which covered the period July to December 2020, examined possible violations in the context of certain TikTok platform settings, including public-by-default settings and those associated with the "Family Pairing" feature; age verification as part of the registration process; and some of TikTok's transparency obligations, such as the extent of information given to children about default settings. The DPC submitted a draft decision finding GDPR infringements to all EU data protection supervisory authorities, two of which objected. When the DPC could not reach consensus on the issues raised in the objections, it referred the matter to the European Data Protection Board (EDPB) for resolution. The board ordered the DPC to make several amendments. The final decision includes a reprimand of TikTok; an order that it bring its processing into compliance within three months; and the $368 million (€345 million) fine. "Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner - particularly if that presentation can nudge people into making decisions that violate their privacy interests," said EDPB Chair Anu Talus. "We respectfully disagree with several aspects of the decision, particularly the level of the fine" and are evaluating next steps, said TikTok Head of Privacy-Europe Elaine Fox. Among other things, she said, the DPC looked at how some privacy settings worked three years ago, and TikTok had already addressed most of its criticisms well before the investigation began. The European Consumer Organisation said it alerted authorities from 15 countries in February 2021 that the platform was breaching many EU consumer and data protection rules. "We now hope this decision triggers change at the company to address issues which not only concern minors, but also adults," emailed Deputy Director General Ursula Pachl.
The European Center for Digital Rights (noyb) isn't involved in French lawmaker Philippe Latombe's contest of the EU-U.S. Data Privacy Framework (DPF) but is "happy about any additional challenge," its spokesperson told us (see 2309120030). Noyb is the brainchild of privacy lawyer and activist Max Schrems, who contested the previous trans-Atlantic data transfer regime Privacy Shield (PS), resulting in its being thrown out by the European Court of Justice (ECJ) in 2020 (see 2007160014). There's a "potential downside" to Latombe's strategy for attacking the DPF, however, noyb's spokesperson emailed: "You have to show that you are 'directly affected' to the Court of First Instance and then you have to appeal the decision further" to the ECJ. French non-governmental organization La Quadrature du Net took that approach to PS, but its challenge was paused because Schrems' case went directly to the EU high court via a reference from a court. "So we plan to take the route via a reference instead," noyb said. "We are obviously happy to support any other efforts too."
A French lawmaker is seeking annulment of the EU-U.S. Data Privacy Framework for trans-Atlantic data transfers, law firm Hogan Lovells noted in a Sept. 8 legal analysis. The request was filed in the European Court of Justice (ECJ) by Philippe Latombe, a member of the French Parliament and of the country's Data Protection Authority. Latombe's news release said he filed in his personal capacity as a citizen of the EU. The ECJ must first determine whether the request is admissible, because as an individual, Latombe must meet stringent standing requirements, attorney Patrice Navarro wrote. If the court accepts the filing, "the procedure will offer the advantage of speed compared to the prejudicial question procedures used by Maximilian Schrems" in his challenge to former regime Privacy Shield. Latombe argued that: (1) The DPF lacks guarantees of a right to an effective remedy, and the newly created Data Protection Review Court lacks transparency; (2) The accord breaches the minimization and proportionality principles of the general data protection regulation by allowing bulk collection of personal data by U.S. surveillance agencies; and (3) The DPF is available only in English but should be translated into all EU official languages. The ECJ decision, "both in terms of admissibility and substance, promises to wield a major impact," the analysis said. The European Commission paved the way for the DPF by deciding in July that the U.S. now ensures sufficient privacy protections to allow Europeans' personal data to be transferred there (see 2307100015). Schrems said at the time he expected the issue to be back at the ECJ by the beginning of 2024. He didn't immediately comment.
The FTC plans to vote Sept. 14 on whether to release staff recommendations on how to protect children against the blurring of lines between online content and advertising, the agency said Thursday. The commission will vote on releasing a staff “perspective,” which builds on an October event in which staff explored existing research on the harms to kids.
Congress should study how AI “can and is being used to exploit children through child sexual abuse material,” a bipartisan group of attorneys general from more than 50 states and territories wrote Congress Tuesday, asking lawmakers to pass federal legislation to protect children from abuse. The letter highlights how AI has been used to track children across the internet, mimic children’s characteristics and generate child pornography. “While internet crimes against children are already being actively prosecuted, we are concerned that AI is creating a new frontier for abuse that makes prosecution more difficult,” they wrote.
The FTC and DOJ plan a Tuesday workshop on the update of their draft merger guidelines, which detail what transactions violate antitrust law (see 2307190048) and face industry pushback. "The workshop is aimed at promoting a dynamic discussion about the draft guidelines to complement the comments currently being submitted to the agencies by the public," the FTC said: "The goal of the merger guidelines update is to better reflect how the agencies determine a merger’s effect on competition in the modern economy and evaluate proposed mergers under the law." Speakers will include FTC Economics Bureau Director Aviv Nevo; Laura Alexander, Washington Center for Equitable Growth director-markets and competition; and Public Knowledge Competition Policy Director Charlotte Slaiman. The webcast workshop will begin at 1 p.m. EDT.
Worldwide spending on public cloud services will reach $1.35 trillion in 2027, IDC predicted Tuesday. During 2023-2027, the firm projects a compound annual growth rate of 19.9%. "Cloud now dominates tech spending across infrastructure, platforms, and applications," said Eileen Smith, IDC program vice president-data and analytics: "Most organizations have adopted the public cloud as a cost-effective platform for hosting enterprise applications and for developing and deploying customer-facing solutions." Banking, software and information services and telecommunications will make the largest investments, IDC said.
The owners of Roomster will pay $1.6 million to settle allegations they misled consumers seeking affordable housing by paying for fake reviews and charging for access to phony listings, the FTC and state attorneys general announced Monday (see 2208300051). The commission authorized the settlement with a 3-0 vote. The amount is due to AGs in California, Colorado, Florida, Illinois, Massachusetts and New York, who signed the complaint. Roomster and owners John Shriber and Roman Zaks took tens of millions of dollars from largely low-income and student prospective renters, the agency alleged. The proposed order included a $36.2 million monetary judgment and $10.9 million in civil penalties to the states. Roomster and its owners will pay $1.6 million to six states due to the defendants’ “inability to pay the full amount,” the FTC said. “If Roomster and its owners are found to have misrepresented their financial status or to have violated the terms of the order, the full amounts would immediately become due.” Shriber and Zaks are permanently banned from buying or incentivizing consumer reviews. “Our coalition’s investigation revealed that Roomster was, in simple terms, conning people seeking rental housing,” California AG Rob Bonta (D) said. The “last thing renters need is to be scammed by fake reviews and apartments that might not even exist,” New York AG Letitia James (D) said. Attorneys for Roomster didn’t comment.
Governments were the most highly targeted group for cyberattacks in the first half of 2023, said a global report from Radware Thursday. The company gathered information from the messaging app Telegram, which is frequented by cyberattackers. The report recorded 1,112 distributed denial-of-service (DDoS) attacks against government entities. Business entities had 1,036 attacks, and travel websites 628. India had the most targeted DDoS attacks with 674, followed by 507 in the U.S., 459 in Israel, 376 in Ukraine and 297 in Poland. The telecom sector had 15% of attacks across Europe, the Middle East and Africa in 2023, the report said.
Comments on the National Institute of Standards and Technology’s IoT preliminary update from its IoT Working Group are due Sept. 25. The paper is intended to document “the current state of the IoT Federal Working Group’s approach to addressing the reporting requirements” of the National Defense Authorization Act 2021, said Thursday’s Federal Register.