May 18, 2023

Issue 20: Do fines even work, brah?

Oh Hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!

Clock expires on TikTok's (alleged) naughty behavior

I’ve been a journalist in the data privacy space for almost 15 years, and I can tell you that we journos love nothing more than an enforcement action. The thought of writing a headline like “Big Tech firm whacked for $5B” makes me positively warm inside. But that’s because tales of fines send shivers down most companies’ spines, and you know an article like that will be shared far and wide.

But while I was reading about the TikTok fine, I felt like: Who cares? Maybe it’s just because I was reading it on a Monday and that’s the day I can’t feel feelings due to an overwhelming sense of dread at how far Friday is. But it’s like the fines are a speedbump for any of the tech giants.

In this case, the ICO fined TikTok $15.7M for breaching U.K. data protection law. The ICO said TikTok didn’t do enough to verify users’ ages; TikTok allegedly had about 1.4 million underage U.K. users from 2018-2020, even though its terms of service say users must be 13 or older.

I’m (obviously) not privy to any of Big Tech’s financials, and I’m sure there’s some budget-line shifting after a fine. But I haven’t read anything to indicate any enforcement fine had the affected business clutching its pearls over how the fine would impact it. Not that I wish anyone hardship! But is there a more effective way to get companies to be respectful custodians of people’s data?

I think about my mail service. Because I live in an apartment building, our packages get delivered to lockers, and we can access them with a code. If I forget to pick up a package, after two days, the locker company fines me $3. I hate that charge. It's a total waste of money. But it's small enough that I can take a few hits and be fine. If the locker company told me that because of my misbehavior I can't use its services anymore, and therefore get my delicious mail-order treats when I want them, I'd pick up my packages the second they hit the box!

Anyway, I asked PrivacyTwitter™️ if fines change behaviors or impact bottom line financials. Guess who responded? The ICO himself, John Edwards, and the inimitable Eduardo Ustaran.

We'll talk a bit more about this below.

Dixon critics say we're in an enforcement 'crisis'

I really don’t consider myself within the ranks of the mob that’s been chasing Irish DPC Helen Dixon around for years now, but this new report is worth a gander for its insights. The Irish Council for Civil Liberties, which counts longtime activist Johnny Ryan in its ranks (who Dixon surely likes about as much as Schrems), this week published what it calls “5 years – GDPR crisis,” looking at the Irish regulator’s GDPR enforcement from 2018-2022.

The advocacy group’s report has got some alluring sound bites for the DPC’s critics, for sure, including that

  • 87% of complaints to the DPC involve the same eight Big Tech companies.
  • 83% of the cross-border complaints the DPC received were settled via “amicable resolution” using Dixon’s discretion.
  • The EDPB has overruled 75% of Dixon decisions that weren’t resolved amicably.
  • Compliance orders are the most powerful GDPR enforcement tool, but there have only been 49 compliance orders since 2018.

Admittedly, Ryan and his team aren't Dixon's No. 1 fans; the very title of the report indicates as much. But with that in mind, wouldn't you say that the numbers – if accurate – look like we’re allowing the top eight offenders to keep on offending? Yes, there have been massive fines in some cases. But do those fines have a real impact in the end?

If the money is a drop in the bucket and any perceived reputational hits don’t really make a dent in the long run, are fines good for anything more than sexy headlines? I don’t know. My friend Calli makes a fair point in her tweet above that the GDPR doesn’t matter if it isn’t enforced. When I think about U.S. enforcement trends lately, I wonder if the FTC’s recent work mandating companies that operated in unfair or deceptive ways delete the algorithms they used to collect the data, as well as the data itself, isn’t a more effective deterrent?

I’m not a CFO, but to me, a regulator ordering you to destroy an algorithm that’s helping you monetize your data is far more punishing and final. And if the goal is deterrence, that seems much scarier if I’m a CEO or a CPO scanning Sunday's paper for warning signs. (And by "paper" I mean iPhone, because we killed newspapers and that's why I work in tech now.)

Does GDPR allow for DPAs to destroy algos?

I went looking for examples of GDPR cases mandating algorithmic disgorgement, and it looks like the closest regulators have come is to mandate the offending company delete data sets. But to be sure, I went to one of my privacy expert besties to ask: Could EU DPAs mandate algorithmic disgorgement?

Here’s what he told me in a nutshell:

  • The GDPR doesn’t specify remedies, but it allows member states to pass laws that grant “effective, proportionate and dissuasive remedies.”
  • Most member states allow a DPA to order a company to do anything the DPA thinks is “reasonable” to bring a company into compliance, and there’s no reason to believe this would be limited to just deleting data. Ostensibly, DPAs could order a company to cease using certain algorithms, or tweak them, if they felt they were non-compliant.

Meanwhile, as TechCrunch reported, the EU’s AI Act could allow regulators to “order the withdrawal of commercial AI systems from the market,” and while the GDPR allows for data subjects to request data deletion, “it’s less clear cut how (or whether) the DPA regulators are able to wield deletion powers.”

FTC bans ovulation app from sharing data for ads. Period.

Yesterday, May 17, the FTC said Easy Healthcare, the developer behind fertility tracking app Premom, deceived users by sharing sensitive information with third parties without permission, Cyberscoop reports. Easy Healthcare allegedly shared sexual and reproductive-related data with AppsFlyer, a marketing firm, and Google. It also shared geolocation data with two Chinese advertising firms.

As a result, Easy Healthcare will pay $100,000, stop sharing personal health data with third parties for advertising, and implement new security and privacy programs.

The requirements that it stop sharing data for advertising and implement security and privacy programs are a big deal for a small company. Based in Illinois, it launched in 2018 and employs somewhere between 1-50 people. But as we should know by now, the FTC doesn’t care if you’re a skeleton crew. If you’re misusing or misrepresenting data, the risks of attracting the agency's unwanted attention still exist, and the penalties can be expensive. The $100,000 is one thing, but the lost profit from being barred, forevermore, from sharing data with third parties without consent surely hurts more.

In addition, this case follows the GoodRX settlement, in which the FTC similarly mandated GoodRX stop sharing health data for advertising purposes. This is a space to pay attention to moving forward. How is your company monetizing data?

Things to watch

Just a chat you might enjoy watching

I recently had a nice chat with my COO Chris Handman, as well as my old pal Ron De Jesus, CEO of DeJesus Consulting, on how to demonstrate to your leadership that your privacy program is having a strategic impact on the business. If you can prove your value, you’re going to have an easier time getting top-down buy-in, budget, headcount, etc. Check it out at your leisure!

Latest poddy

Everyone’s losing it over this Washington State privacy law. The impetus for the bill was to cover gaps in HIPAA, and the Dobbs v. Jackson decision lit a fire in regulators, putting health-data privacy protections on a fast-track that never slowed. Mike Hintze, co-founder of Hintze Law, says this one “goes well beyond what any other privacy law has done.” Here’s what he means. Check it out!

Hot take(s) of the week

Burn(s)!