Robert Bateman
Identified or identifiable natural person • Writes about privacy, data protection, AI, big tech shenanigans • Views 100% represent those of my employer (me)
May 11, 2023 19 tweets 5 min read
Yesterday, the UK Information Commissioner accused me of propagating “fake news”.

I had expressed concern about how government reforms affect the ICO’s independence.

I’m not easily offended, but I take my work very seriously.

Please let me explain why I am right about this.

Under the bill, the Commissioner will receive a “statement of strategic priorities” from the government, which is subject to a three-year review.

This statement “sets out the strategic priorities of His Majesty’s government relating to data protection”.
Apr 5, 2023 13 tweets 4 min read
Facebook's new opt-out form is very hard to find.

After a lot of digging and several preliminary clicks, I ended up here.

I'm now going to live-tweet the process of objecting to Meta's ad-targeting.

This is pretty niche stuff. So if you're interested, I like you.

🧵

First two choices are simple enough. I've got an Insta account somewhere but I'm doing this on Facebook.
Apr 3, 2023 13 tweets 4 min read
Today we learned some details about an appeal by WhatsApp at the CJEU.

These two paragraphs are the gist of the appeal. But what do they mean?

Here's the background and some info on the relevant law.

🧵

In August 2021, the Irish DPC imposed a €225 million fine on WhatsApp.

The issues were mostly around WhatsApp's "legitimate interests" and its privacy notice.

But before issuing the fine, there was a lot of back and forth (arguments) between Ireland and the EDPB.
Apr 1, 2023 4 tweets 1 min read
There's understandably some confusion re: OpenAI and Italy.

• It's not about privacy per se but how OpenAI uses personal data.

• The regulator has not mentioned consent.

• The order was to stop using data about people in Italy. Not just to stop providing ChatGPT there.

1/2 The issues include allegedly:

• Lacking a "legal basis" for processing personal data
• Processing inaccurate personal data
• Failing to verify whether users are children

OpenAI has 20 days to explain how it will fix these issues.

I'm not sure how it will comply with this.
Mar 31, 2023 9 tweets 3 min read
While researching an article about TikTok recently, I decided to look at the company's latest transparency report and compare it to Meta's.

I couldn't tie the data to any sort of point so I didn't use it, but I thought people might be interested.

Let's start with TikTok. China is not listed among the governments that requested TikTok provide data.

TikTok per se is not available in China, which has its own version of the app called Douyin.

TikTok CEO Shou Zi Chew claims that TikTok has never received an access request from the Chinese government.
Mar 9, 2023 15 tweets 3 min read
Legitimate interests in the UK's new data protection bill❗

Legitimate interests got an overhaul in the original Data Protection and Digital Information Bill (DPDIB)

Yesterday's new bill also introduced some new legitimate interests provisions.

A thread on how this all works.🧵

The DPDIB amends the UK GDPR’s “legitimate interest” provisions in two main ways:

1. Introducing the concept of "recognised legitimate interests".

2. (This is new) Providing examples of processing purposes that "may be" legitimate interests.
Mar 6, 2023 5 tweets 2 min read
For god's sake why would you tweet this

Ok what? The prime minister wants me to download some Adobe app to view his announcement?
Mar 2, 2023 14 tweets 3 min read
I think the EDPB opinion on the EU-US DPF adequacy decision is more "bad" than "good".

The EDPB clearly sees improvements. It "welcomes" this and that.

But there are just some fundamental issues that the EDPB can't (and doesn't) ignore

Here are the EDPB's biggest criticisms🧵

1. The principles

Same as they ever were.

The Privacy Shield principles weren't mentioned in Schrems II. So the Commission clearly thought it could get away with leaving them.

And that is probably correct.

On the other hand, the EDPB (or rather, WP29) never much liked them.
Jan 23, 2023 5 tweets 3 min read
I figured out what happened here in case anyone cares

This text references the EDPS guidelines for web services: edps.europa.eu/sites/edp/file…

The EDPS acknowledges that the Art 29 WP intended this as "a possible third exemption could be set out in the future by the legislator"

BUT The guidelines then say "under very strict conditions this exemption may be granted in substance..."

"due to the low risk for individuals as also balanced with advantages for the institutions."

The EDPS describes how to use first-party analytics in this "low-risk" way:

So...
Jan 22, 2023 11 tweets 3 min read
OK I'm keeping this going.

Generative AI (Midjourney) does data protection.

Act III: Rights of the data subject

Some pretty beautiful ones here. All weird and spooky.

1. The right of access.

2. The right to rectification.
Jan 22, 2023 8 tweets 2 min read
Yesterday was lawful bases.

Next in my series of nightmarish and mesmerising AI interpretations of data protection concepts:

The GDPR's principles of data processing, by Midjourney.

1. Lawfulness, fairness and transparency.

2. Purpose limitation.
Jan 21, 2023 9 tweets 2 min read
Each GDPR lawful basis for processing, by AI image generator Midjourney.

Going backwards from the last one because it's the weirdest.

I mean—WHAT

Legitimate interests.

Public task.
Jan 19, 2023 14 tweets 4 min read
‼This just in: Another DPC decision against a Meta company—WhatsApp

Similar issues to the recent Meta fine: Can WhatsApp rely on "contract" for certain processing operations?

But the processing in question is *not* ad-targeting

It's "service improvement and security"...

🧵

Shortly before the GDPR took effect in May 2018, WhatsApp (like Facebook and Instagram) updated its terms of service.

WhatsApp said users must agree to the new terms to keep using the service.

The terms included some data processing for "service improvement and security features".
Jan 18, 2023 9 tweets 2 min read
The report from the EDPB's Cookie Banner Taskforce just dropped.

Following many complaints from noyb...

The Taskforce lists 8 naughty things that controllers are doing to get those nasty cookies onto your device.

The below picture shows the Cookie Banner Taskforce in action.

1. No reject button on the first layer

The banner says "accept".

The banner says "show options" or something like that

But where's "reject"?

Oh no.

I have to dig through the options to find it.

You've got to have "reject" next to "consent".
Jan 17, 2023 11 tweets 4 min read
Last week the Belgian DPA approved IAB Europe’s “action plan” for bringing the Transparency and Consent Framework (TCF) into compliance.

Somewhat surprising to me, given the savage teardown the DPA gave the TCF in its decision about the framework last February.

Brief🧵on this

The TCF v2.0 was supposed to be a “cross-industry best practice standard” to help thousands of publishers, adtech vendors, and CMPs comply with the GDPR.

But it wasn't.

And it all fell apart last year when the Belgian DPA decided that the TCF was incompatible with the GDPR.
Jan 16, 2023 25 tweets 4 min read
Next Thursday, the CJEU will answer an important question about "automated decision-making" under the GDPR.

This case will test the limits of the GDPR’s rules on automated decision-making. I think it could also undermine credit rating as a business model.

A thread about it🧵

Here’s the background:

• An individual applied for a loan with a bank

• The bank refused, based on the individual’s credit rating

• The rating was provided by a credit-rating company called SCHUFA
Jan 13, 2023 17 tweets 3 min read
Five US state privacy laws come into effect this year

California, Colorado, Connecticut, Utah & Virginia

Ignore the hype—these laws are nothing like the GDPR

But they'll have an impact, including on digital ads

Here’s an overview of how these laws treat targeted advertising🧵

While four of these laws are very similar, California’s CPRA is the odd one out.

But the main difference is in the language.

For example, while the other four state laws refer to “targeted advertising,” California chose “cross-context behavioral advertising.”
Jan 10, 2023 14 tweets 3 min read
Well well well

Class action against Lastpass

The first such case against a password manager?

The plaintiff blames Lastpass for a $53,000 Bitcoin theft

But does he and the class have a case?

What legal violations are alleged?

Let's take a look 🧵

scribd.com/document/61807…

First, note that this is a Massachusetts case with a nationwide class

No specific data security law is alleged to have been breached. Probably because there aren't any that are relevant

Massachusetts's "Data Breach Notification Law" is comically narrow

No federal law (yet)
Sep 16, 2022 15 tweets 3 min read
My latest

The proposed EU Cyber Resilience Act looks like it'll be a pretty big deal

Taking a similar form to the AI Act, the law would apply rules to manufacturers and distributors of software & hardware products

My write-up below

Some highlights 👇

grcworldforums.com/news-and-insig…

First of all, suffice to say the law seeks to solve a really big problem

The Commission cites the annual cost of cybercrime at €5.5 trillion

And that's just the economic cost

Much of this is caused by vulnerabilities in commercial software
Sep 15, 2022 18 tweets 3 min read
New from me.

Disagreements at the EDPB around Meta's legal basis for publishing children's contact details on the open web

Irish DPC agreed that "contract" and "legitimate interests" were met

Others disagreed... sometimes strongly.

Some highlights 🧵

grcworldforums.com/news-and-insig…

The Irish DPA’s draft decision determined that Meta did not violate the GDPR by relying on “contract” to publish the contact information of children.

The Irish DPA came to this conclusion because:
Aug 22, 2022 24 tweets 7 min read
Class action in California against Oracle by @johnnyryan and others

Ryan and others' recent case against the IAB over RTB was a pretty impressive piece of work

This case deals with similar issues but in a much trickier legal environment

A rather long🧵

iccl.ie/news/class-act…

To my relief, this claim is NOT brought under the CCPA (/CPRA)

As I discuss here, the CCPA has a very narrow private right of action

Of course, that has not stopped many law firms from attempting to litigate CCPA claims with little prospect of success.

grcworldforums.com/us/why-most-cc…