The Office of Communications (Ofcom) released an announcement clarifying its responsibilities after the Online Safety Act came into force. Ofcom highlighted its official duty as the overseer of online safety, with the responsibility to ensure that services under its regulation adopt suitable actions to protect their users. Read here →
The ICO and the European Data Protection Supervisor (EDPS) have entered into a Memorandum of Understanding, reaffirming their shared commitment to safeguarding individuals’ data protection and privacy rights and collaborating on a global scale to accomplish this objective.
The Brazilian data protection authority (ANPD) released an activity report in celebration of the three years since the beginning of its operations, in 2020. (in Portuguese)
Data Protection Authorities Scrutinize Meta’s Paid Subscription Model
Danish Authority Weighs in on Meta’s Ad-Free Options
The Danish Data Protection Authority, Datatilsynet, is set to contribute insights to the Irish Data Protection Commission’s (DPC) evaluation of Meta Platforms Ireland Limited’s latest feature.
This new option allows Instagram and Facebook users to opt for a paid version that excludes behavioral marketing.
The move comes after the European Data Protection Board mandated Meta to adjust its use of personal data for behavioral marketing. More details → (in Danish)
Hamburg Commissioner Examining Meta’s Subscription Model
The Hamburg Commissioner for Data Protection and Freedom of Information is scrutinizing Meta’s proposed ad-free subscription service.
The model is being assessed for its alignment with the website subscription standards of the Data Protection Conference.
However, there remains uncertainty about whether Meta’s planned implementation will be deemed legally compliant in the future. Learn more → (in German)
Norway’s Data Authority Joins European Review
Norway’s Data Protection Authority, Datatilsynet, is participating in a Europe-wide review of Meta’s ad-free subscription model for EU users.
The focus is on addressing potential violations of targeted advertising under the GDPR.
The authorities have expressed doubts about Meta’s compliance, especially concerning the necessity to pay for avoiding ‘consent’. Further information → (in Norwegian)
2) Notable Case Law
Following the initiation of evaluations in 2022, the Danish Agency for Digitalization (Digitaliseringsstyrelsen) has recently directed two separate mandates against Meta and Google. These directives address the companies’ deployment of cookies and analogous technologies on their respective websites and the information given to users prior to making their choice. The service providers have been granted four weeks to correct the alleged deficiencies. Read about the decision here → (in Danish)
A privacy advocate, has filed a complaint alleging that YouTube’s ad blocker detection mechanism is in violation of the EU ePrivacy Directive. The claim states that prior to deploying the detection technology, YouTube did not obtain consent from users. Read about it on our blog →
3) New and Upcoming Legislation
The Data Protection and Digital Information Bill (Bill No. 2) was introduced by the UK Parliament and will be reintroduced in the 2023–2024 session. It carries over the previous version of the bill. Read more here →
On November 9, 2023, the Data Act, which had previously been approved by MEPs and member states, was adopted. Its goal is to remove obstacles to data access in order to promote innovation. More details here →
4) Strong Impact Tech
Research by the Dutch Broadcasting Foundation revealed that several political parties in The Netherlands had secretly placed tracking cookies on different websites. An official from the Dutch data protection authority stated that the organisation was requesting more information about each political party’s actions from them. Reported here → (in Dutch)
Other key information from the past weeks
The European Commission has formally sent AliExpress a request for information under the Digital Services Act (DSA) on the measures it has taken to comply with obligations related to risk assessments and mitigation measures to protect consumers online.
Quebec’s data protection authority, the Commission d’accès a l’information du Québec, adopted guidelines for organisations on the criteria for the attainment of valid consent to process personal data under Law 25.
The dating application Grindr sued the Norwegian data protection authority, Datatilsynet, after it was fined NOK65 million for sharing user locations and advertiser information with marketing partners, NRK reports.