Included in this edition of Data & Privacy News: Lloyd v Google heard in the Supreme Court, Updated guidelines on the targeting of social media users released by EDPB and more...

Lloyd v Google heard in the Supreme Court

The case of Lloyd v Google was heard in the Supreme Court on the 28 and 29 April, with the Court set to decide in the case brought on behalf of an estimated 4.4 million iPhone users. The case, brought by the former Which? director Richard Lloyd, alleges that Google unlawfully gathered and exploited browser generated information (“BGI”) on Apple’s Safari browser, in breach of section 4(4) of the UK Data Protection Act 1998.

The case grants Mr. Lloyd, the representative claimant, permission to serve a representative claim out of the jurisdiction in the USA. Google has however urged the Supreme Court to throw out the case on the grounds that local law doesn’t allow for opt-out class action lawsuits.

The Supreme Court's decision may pave the way for new “opt-out” representative actions for data breach claims on the basis that all the claimants have lost control of their data.

CNPD suspends the sending of Census 2021 to the United States

The Portuguese Data Protection Authority (CNPD) has issued an order, suspending the National Institute for Statistics' (INE) transfer of personal data from the Census 2021 to the United States. The suspension followed an investigation by the CNPD which concluded that the INE outsourced to Cloudflare, Inc. the operation of the census questionnaire, through a data processing agreement that provides for the transfer of personal data to the United States.

Due to the type of services which it provides, Cloudflare is directly subject to the US surveillance legislation for the purposes of national security, which imposes on it the legal obligation to give the United States authorities unrestricted access to personal data held or kept by Cloudflare, without being able to inform its customers of that fact.

The CNPD took the view that the transfer of personal data, from an almost total universe of citizens residing on national territory, to the United States or to any other third country without adequate protection should be suspended with almost immediate effect.

Updated guidelines on the targeting of social media users released by EDPB

The European Data Protection Board (EDPB) has published updated guidance on the targeting of social media users. The update reflects the increased sophistication of targeting methods and the fact that the combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals.

The EDPB notes that, from a data protection perspective, many risks relate to the possible lack of transparency and user control. Meanwhile for individuals the underlying processing of personal data is often opaque and may involve unanticipated or undesired uses of personal data.

The new Guidance is an updated version of Guidelines 8/2020 and were adopted at the EDPB's 48th plenary session in April 2021.

EDPS advises against biometric identification in public spaces

The European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski has issued a press release stating that, whilst the Artificial Intelligence Act is welcomed by the EDPS, there must be a ban on the use of remote biometric identification in public spaces.

The EDPS regrets that earlier calls for a moratorium on the use of remote biometric identification systems – including analysis of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals - in publicly accessible spaces have not been addressed by the Commission. The EDPS believe this to be necessary given the high risks of deep and non-democratic intrusion into individuals’ private lives.

The EDPS have committed to undertaking a "meticulous and comprehensive" analysis of the Commission’s proposal to support the EU co-legislators, and will give particular attention to setting boundaries for tools and systems which may present risks for the fundamental rights to data protection and privacy.

AEPD-EDPS issue joint paper on anonymisation misunderstandings

The Spanish data protection authority (AEPD) and European Data Protection Supervisor (EDPS) have published a joint paper, breaking down ten misunderstandings related to anonymisation. The regulators have released the paper due to the growing interest in anonymization as a means to share data without harming the fundamental rights of individuals.

The joint paper aims to both increase awareness around common misunderstandings and encourage companies to check assertions about the technology, rather than accepting them without verification.