Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
– Statement from the Irish Data Protection Commission this week, on the 533 million user Facebook breach.
Top Story: Facebook has told the Irish Data Protection Commission that a breach involving the personal information of 533 million users worldwide took place prior to the entry into force of the EU’s General Data Protection Regulation in 2018, and the company, therefore ‘chose not to notify’ the violation to the authorities.
Podcast: This week, we give you the lowdown on what’s happening with the Facebook data fracas, and the reaction from worldwide data protection authorities.
Don’t miss: An intriguing story surfaced this week of a joint investigation by Europol and the Italian Postal and Communication Police, in which an Italian citizen was arrested for having hired a hitman on the dark web. Read on for more.
Also this week: EDPS and EDPB on vaccine passports, TikTok under data microscope, UK ‘super database,’ Gaia-X’s new members, UK digital markets unit, Europol’s dark web arrests, Copyright Article 17 rumours…
Last weekend, the personal data of millions of Facebook users appeared on an online hacking forum, including phone numbers, Facebook IDs, biographical information, and locations. Some email addresses also appeared to have been scraped.
The figures detail that around 100 million EU citizens may have been impacted by the data leak, including 36.6 million users from Italy, 10.9 million from Spain, and six million from Germany.
In response to the news, Facebook’s communications department said that the data “was previously reported on in 2019” and that the company “found and fixed this issue in August 2019.”
However, speaking to the Irish data protection commission on Tuesday (6 March) – the competent body for dealing with the company’s violations against EU data protection law – Facebook said that it had ‘closed off a vulnerability in its phone lookup functionality’ by April 2018.
The EU’s general data protection regulation (GDPR), which came into effect in May 2018, would have imposed legal obligations on Facebook to notify the competent data protection authority within 72 hours, as well as potentially notifying users without undue delay.
But “because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the statement from the Irish data watchdog read.
The statement to the Irish DPC is therefore at odds with Facebook’s earlier position, which had noted the vulnerability to be fixed in August 2019 – this would have placed additional legal obligations on the company under the EU’s GDPR. Read more.
A message from FACEBOOK:
Facebook partnerships to fight against COVID-19
Working together is more important than ever in the fight against COVID-19. In Spain, the World Bank is using Facebook’s Disease Prevention Maps to forecast needs for COVID-19 testing and hospital beds. Learn more about how we’re collaborating to keep communities safe and informed at about.fb.com/europe.
EDPS and EDPB on vaccine passports. The EU’s umbrella data protection watchdog the EDPB, alongside the bloc’s institutional body the EDPS, this week adopted a joint opinion on the plans for the bloc to roll out a Digital Green Certificate. The organisations said the project should not result in the discrimination of individuals and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness, as part of EU data protection law.
TikTok under microscope. EU regulators have been urged to ‘intervene immediately’ into the operation of video-sharing app TikTok, following the trend of ‘Blackout Challenges’ across social media, which have led to a series of deaths among young people.
The Dutch non-profit organisation, the Foundation for Market Information Research (SOMI), has filed a complaint with the Irish data protection commission – the lead regulatory authority for TikTok in the EU, on behalf of over 60,000 complainants from across the bloc.
Schrems targets Google’s Android Advertising Identifier. Privacy Activist Max Schrems’ NOYB group have filed a complaint with the French data protection authority for Google’s tracking of users without consent, a breach of the GDPR. NOYB says the US tech giant’s AAID (Android Advertising Identifier) “allows Google and all apps on the phone to track a user and combine information about online and mobile behaviour.”
UK ‘super database.’ A report from WIRED this week discloses that the UK’s Data Services & Analytics unit, part of the Home Office’s Digital, Data and Technology department, holds information on 650 million people, including those under age 13. Critics say the government is creating a ‘super database.’
Europol’s decryption platform. The Commission has this week attempted to play down fears emanating from the European Parliament on the operation of Europol’s so-called ‘decryption platform.’
Renew MEP Moritz Körner had pressed the Commission on the technical means by which Europol seeks to decrypt protection data, to which the Commission gave little insight but said that with “respect to future new technologies, Europol is subject to a rigorous governance framework, which includes robust supervision arrangements, including by the European Data Protection Supervisor.”
French DPA on ad trackers. France’s data protection watchdog CNIL began conducting checks on Thursday (1 April) to ensure websites are in compliance with new guidelines on advertising trackers after the deadline it granted expired. Read more.
Gaia-X welcomes new members. News broke last week that the EU’s ‘sovereign’ cloud infrastructure project, Gaia-X, would be welcoming in new non-EU firms including Huawei, Palantir, and Alibaba. The news provoked concern from some in Brussels, including Renew MEP Sophie in ‘t Veld, who said she was “curious” to see how it “relates to the stated aims of “digital sovereignty” and “infrastructure based on European values”.
DIGITALEUROPE expansion. Speaking of new entrants ints industry associations, Brussels Tech Lobby DIGITALEUROPE this week welcomed new representatives including Zoom, Sky CP and Global Knowledge.
Platform lobby on DSA. Platform association DOT Europe this week published their ‘questions and recommendations’ for the Digital Services Act, highlighting their concern about a series of key points, including how the scope is defined with regards to the definition of a ‘significant number of users,’ and calling for clarity on the definition of an “online platform” as a hosting service which “stores and disseminates to the public information.”
There are also questions on how the definition of an online platform in the DSA would work alongside the definition of an “online content sharing service provider” in the copyright directive, as well as the cross-border nature of ‘orders to act’ against violating content. Questions also remain about the safeguards that could be put in place to ensure that transparency on content moderation is increased without opening the door for potential abuse by malicious actors.
UK Digital Markets Unit. The UK’s new regulator for tech giants Facebook and Google launched on Wednesday (7 April) with an initial remit to see if a code of conduct could improve the balance of power between the platforms and news publishers.
DuckDuckGo on DMA. Privacy-conscious search engine DuckDuckGo has been keen to promote their opinion on the Digital Markets Act this week, highlighting that the DMA as it stands would not have prevented previous abuses, pointing to the Commission’s 2018 fine for Google’s abuse of power in the obligation for users to pre-install Google apps on Android devices.
Amongst other things, DuckDuckGo wants to see a ban on gatekeepers from “securing default status for their own core platform services on any other core platform service” as well as the possibility for regulators to impose ‘preference menus’ to allow for more user choice in the selection of web services.
New French ‘super-regulator.’ A new bill on the regulation and protection of access to cultural works in the digital age was presented to France’s Council of Ministers on Thursday (8 April). The text aims to “continue to adapt our law to new uses and (to) protect artists and creators against 21st-century counterfeiting facilitated by streaming, direct downloading or referencing sites”, government spokesman Gabriel Attal declared at the end of the meeting. Read more.
Google Maps development. US digital giant Google unveiled on 30 March new features for its Google Maps app that will make use of artificial intelligence (AI). EURACTIV France reports.
Spotify’s speech recognition concerns. Rights group Access now has written to music streaming service Spotify, raising their concerns over the fact that Spotify’s speech-recognition patent was recently approved. It is understood that the technology will be able to detect “emotional state, gender, age, or accent” to better recommend music.
US industry concerned about EU digital levy. Following a meeting with G20 finance ministers this week, in which representatives renewed their commitment to “reaching a global and consensus-based,” international tax regime, the US tech lobby in Brussels raised concern at the option of an EU digital levy – which has long been on the cards (you may recall a previously failed attempt to find consensus in 2019). This time around, the Commission is due to present new plans in June.
“We are concerned that an EU digital levy risks derailing global tax reform and triggering conflicts. EU leaders should focus on achieving a durable, ambitious international tax reform,” CCIA Vice President and Head of office Christian Borggreen said, adding however that he welcomes general moves for a more harmonised international tax system.
Europol’s dark web arrest in Italy. Europol and the Italian Postal and Communication Police announced this week that they had arrested an individual who is accused of hiring a hitman on the dark web to assassinate an ex-girlfriend, at a cost of 10,000 Bitcoins.
Europol’s technical capabilities allowed them to conduct an ‘urgent and complex’ crypto-analysis to enable the “tracing and identification of the provider from which the suspect purchased the cryptocurrencies.”
A Europol statement after the arrest disclosed that the Italian police reached out to the identified crypto service provider, who confirmed the information uncovered during the investigation and also gave further information on the suspect.
Belgians crack encryption network. Belgian police have seized nearly 30 tons of cocaine at the port of Antwerp, after cracking an encrypted phone network used by criminals. Read more from CNN.
When will Article 17 guidance come? Stakeholders are still waiting for the Commission to issue finalised guidance on Article 17 of the Copyright directive, after earlier rumours had indicated that the recommendations would come in March.
Sources close to the matter this week informed EURACTIV that the Commission may be waiting for the Court of Justice of the EU to deliver an opinion on Poland’s complaint against Article 17, which Warsaw says will stifle freedom of expression. Previous rumours had indicated March for the EC to submit finalised guidance on Copyright.
However, waiting until April 22 would be leaving things very close to the wire. After the AG opinion, a judgment would then most likely be delivered after the 7 June transposition deadline.
On my radar
Next week, ECB Executive Board Member and Chair of the Eurosystem High-Level Task Force on Central Bank Digital Currency, will present in Parliament’s ECON Committee the results of the ECB public consultation on the digital euro, followed by a discussion with ECON Members.
What else I’m reading this week: