In the first days of 2021, news outlets across the world ran headlines about recent privacy developments at the American tech giants. If you use their services, do read on, as these developments can have a big impact on you, the privacy of your company, and your customers.
Facebook EU data move
Facebook Inc will shift all its users in the United Kingdom into user agreements with the corporate headquarters in California, moving them out of their current relationship with Facebook Ireland and out of reach of Europe’s privacy laws.
The change takes effect next year and follows a similar move announced in February by Google. Those companies and similar tech giants have European head offices in Dublin, and the UK's exit from the EU will change its legal relationship with Ireland, which remains in the Union.
Experts stated the problem boils down to whether the UK can obtain an “adequacy decision” from the EU, which would guarantee that EU citizens’ data would be protected with the same rigor in the UK as in the EU under GDPR. The lack of such an adequacy decision by the EC would have a large impact on businesses dealing with the UK, as it introduces hurdles for EU-UK transfers of personal data.
Privacy advocates fear the UK may move to a looser data privacy regime, especially as it pursues a trade deal with the United States, which offers far fewer protections. Some also worry that UK Facebook users could more easily be subject to surveillance by U.S. intelligence agencies, as the U.S. Cloud Act, passed in 2018, set out a way for UK and United States law-enforcement agencies to more easily exchange data about cloud computing users.
This access by intelligence agencies was exactly the subject of the well-known CJEU cases brought by Max Schrems, which invalidated the EU-US Privacy Shield, making most EU-US data transfers illegal overnight. PrivacyPerfect can offer help and clarification with such issues.
WhatsApp/Facebook privacy follies
Through an in-app alert in early January 2021, WhatsApp asked users to agree to new terms and conditions that grant the app consent to share some personal data with Facebook, such as their phone number and location. Users were initially granted until February 8 to comply with the new policy if they wished to continue using the service.
Responding to the EU and international backlash last week, the Facebook-owned app, which serves more than 2 billion users worldwide, said it was delaying the enforcement of the planned policy to May 15.
WhatsApp, which Facebook bought for $19 billion in 2014, has been sharing some information such as phone numbers about its users with the social giant since 2016 — and for a period allowed users to opt out of this. Facebook, as it says, is not proposing to share the content of WhatsApp chats with Facebook. It can’t. WhatsApp has no access to the content of the messages on its own system. WhatsApp uses excellent end-to-end encryption developed by Signal.
What WhatsApp will be sharing with Facebook is “metadata”, which means data about your identity, not the content of your family chat. We’re supposed to think of “metadata” as less than “data”, but it isn’t: often it is more. Think of the location of your house and frequently visited places (e.g. school, parole officer, even more intimate places), your phone number, statuses, name and IP address. This, coupled with Facebook’s already extensive advertising network, can yield a pretty strong insight into who you are and what you care about.
With more and more organisations using WhatsApp’s services for business and communication with customers, the development could have a large impact on their privacy footprint. How big an impact, and what to do about it? Organisations should probably start updating their DPIAs.
The concerns with Facebook and WhatsApp are mirrored in Google’s recent acquisition of Fitbit. The US Justice Department maintains it has not given formal clearance to the $2.1 billion deal that was announced last week as closed. The controversial acquisition’s conclusion sparked immediate pushback from the US Senate, as well as several privacy-rights organisations, who objected to the personal information that Fitbit could feed into Alphabet’s Google data machine.
“While Fitbit is firstly a personal health appliance, it gathers information, and highly personal information at that,” St. John’s University law professor Anthony Sabino said. “I can see Justice being deeply concerned about Google having access to such intimate customer information via Fitbit, and it would not surprise me in the least to see it raised as an issue in the antitrust lawsuit.”
Of the Big Four tech companies, Google was the first to be targeted by the federal US government this year. Privacy plays a major part in the case, while state and federal privacy laws are also in the works. With a Democratic President and a Democratic majority in both houses, organisations dealing with the United States should be preparing for a bigger focus on privacy and additional compliance requirements for handling personal data across the pond.
How PrivacyPerfect can help
To see if your organisation’s privacy is at risk following these developments, and how PrivacyPerfect can help, please feel free to contact us at firstname.lastname@example.org.