Since the GDPR went into effect in 2018, Meta has done nearly everything possible to claim legitimate interest to avoid user consent for collecting personal information for targeted ads. The company appears to have finally reached the end of its rope in this area, though a recently announced changeover to a consent basis.
Meta has now lost that case in the EU's highest court, opening the door for other antitrust law investigations in the bloc to incorporate data privacy violations and frame them as part of a systemic abuse of market position.
The central objection raised is a predictable one, and one that some analysts believe will inevitably cause the EU-US data transfer proposal to fail yet another court challenge if it makes it to implementation: the lack of a federal-level data privacy law in the US.
A new paper from global law multinational DLA Piper lays out the case for a risk-based approach to GDPR international data transfers, arguing that the status quo is too onerous and that data exporters are suffering.
Losing Ireland "main establishment" status means that any national DPA in the EU could bring direct GDPR action against Twitter on behalf of its citizens without the standard collaborative process that ultimately funnels everything through the Irish DPC.
The crux of the privacy objections is that the executive order does not guarantee that indiscriminate collection will be stopped; it merely attempts to narrow the scope of intelligence activity in EU-US data transfers.
Organizations must elevate their data management and privacy regulations to adhere to governance policies, which will align with privacy laws. This will enable the proper management and storage of personal data and avoid some of the ongoing privacy issues faced today.
GDPR was introduced in 2018 and has significantly impacted privacy, transparency, and business accountability. What could have been done better, and what’s next?
Italy’s data protection authority has ruled that Google's data transfers to servers in the United States fall afoul of the rules of the GDPR, with the company not anonymizing IP addresses sufficiently.
The EU Digital Markets Act (DMA) appears headed for adoption in May. Companies providing “core platform services”, as well as those potentially receiving data from such companies, should understand not only what the DMA requires, but also its impact on existing obligations under the GDPR.