Connect with us

FACEBOOK

Ireland must ‘swiftly’ investigate legality of Facebook-WhatsApp data sharing, says EDPB

Published

on

Facebook’s lead regulator in the European Union must “swiftly” investigate the legality of data sharing related to a controversial WhatsApp policy update, following an order by the European Data Protection Board (EDPB).

We’ve reached out to the Irish Data Protection Commission (DPC) for a response. (Update: See below for their statement.)

Updated terms had been set to be imposed upon users of the Facebook-owned messaging app early this year — but in January Facebook delayed the WhatsApp terms update until May after a major privacy backlash and ongoing confusion over the details of its user data processing.

Despite WhatsApp going ahead with the policy update, the ToS has continued to face scrutiny from regulators and rights organizations around the world.

The Indian government, for example, has repeatedly ordered Facebook to withdraw the new terms. While, in Europe, privacy regulators and consumer protection organizations have raised objections about how opaque terms are being pushed on users — and in May a German data protection authority issued a temporary (national) blocking order.

Today’s development follows that and is significant as it’s the first urgent binding decision adopted by the EDPB under the bloc’s General Data Protection Regulation (GDPR).

Although the Board has not agreed to order the adoption of final measures against Facebook-WhatsApp as the requesting data supervisor, the Hamburg DPA, had asked — saying that “conditions to demonstrate the existence of an infringement and an urgency are not met”.

The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.

In May the latter ordered Facebook not to apply the new terms to users in Germany — saying its analysis found the policy granted “far-reaching powers” to WhatsApp to share data with Facebook, without it being clear what legal basis the tech giant was relying upon to be able to process users’ data.

Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.

As part of the process it asked the EDPB to take a binding decision — asking it to take definitive steps to block data-sharing between WhatsApp and Facebook — in a bid to circumvent the Irish regulator’s glacial procedures by getting the Board to order enforcement measures that could be applied stat across the whole bloc.

However, the Board’s assessment found that Hamburg had not met the bar for demonstrating the Irish DPC “failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR”, as it puts it.

It also decided that the adoption of updated terms by WhatsApp — which it nonetheless says “contain similar problematic elements as the previous version” — cannot “on its own” justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.

The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains “unregulated at the European level”.

Article 66 powers

The importance of Article 66 of the GDPR is that it allows EU data protection authorities to derogate from the regulation’s one-stop-shop mechanism — which otherwise funnels cross border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).

An Article 66 urgency proceeding allows any data supervisor across the EU to immediately adopt provisional measures — provided a situation meets the criteria for this kind of emergency intervention. Which is one way to get around a bottleneck, even if only for a time-limited period.

A number of EU data protection authorities have used (or threatened to use) Article 66 powers in recent years, since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — with, for example, Italy’s DPA using it recently to force TikTok to remove hundreds of thousands of suspected underage accounts.

Just the threat of Article 66’s use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio reviews of recordings captured by its voice AI, Google Assistant. (And later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users’ interactions with their voice AIs.)

At the same time, Article 66 provisional measures can only last three months — and only apply nationally, not across the whole EU. So it’s a bounded power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could just wait out the three months and apply the policy anyway in Germany after the suspension order lapses.)

This is why Hamburg wanted the EDPB to make a binding decision. And it’s certainly a blow to privacy watchers eager for GDPR enforcement to fall on tech giants like Facebook that the Board has declined to do so in this case.

Unregulated data sharing

Responding to the Board’s decision not to impose definitive measures to prevent data sharing between WhatsApp and Facebook, the Hamburg authority expressed disappointment — see below for its full statement — and also lamented that the EDPB has not set a deadline for the Irish DPC to conduct the investigation into the legal basis of the data sharing.

Ireland’s data protection authority has only issued one final GDPR decision against a tech giant to date (Twitter) — so there is plenty of cause to be concerned that without a concrete deadline the ordered probe could be kicked down the road for years.

Nonetheless, the EDPB’s order to the Irish DPC to “swiftly” investigate the finer-grained detail of the Facebook-WhatsApp data sharing does look like a significant intervention by a pan-EU body — as it very publicly pokes a regulator with a now infamous reputation for reluctance to actually do the job of rigorously investigating privacy concerns. 

Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns being raised about the policy update — within Europe and globally — Facebook’s lead EU data supervisor did not open a formal investigation and has not raised any public objections to the update.

Back in January when we asked about concerns over the update, the DPC told TechCrunch it had obtained a “confirmation” from Facebook-owned WhatsApp that there was no change to data-sharing practices that would affect EU users — reiterating Facebook’s line that the update didn’t change anything, ergo “nothing to see here”. 

“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates,” the DPC told us then, although it also noted that it had received “numerous queries” from stakeholders who it described as “confused and concerned about these updates”, mirroring Facebook’s own characterization of complaints.

“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th,” the DPC went on, referring to a pause in the ToS application deadline which Facebook enacted after a public backlash that saw scores of users signing up to alternative messaging apps, before adding: “In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”

The EDPB’s assessment of the knotty WhatsApp-Facebook data-sharing terms looks rather different — with the Board calling out WhatsApp’s user communications as confusing and simultaneously raising concerns about the legal basis for the data exchange.

In a press release, the EDPB writes that there’s a “high likelihood of infringements” — highlighting purposes contained in the updated ToS in the areas of “safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies” as being of particular concern.

From the Board’s PR [emphasis its]:

Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s [Ireland] user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA [Irish supervisory authority] to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if this is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.

NB: It’s worth recalling that WhatsApp users were initially told they must accept the updated policy or else the app would stop working. (Although Facebook later changed its approach — after the public backlash.) While WhatsApp users who still haven’t accepted the terms continue to be nagged to do so via regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond annoying, recurring pop-ups).

The EDPB’s concerns over the WhatsApp-Facebook data sharing extend to what it says is “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API” — hence its order to Ireland to fully investigate.

The Board also essentially confirms the view that WhatsApp users themselves have no hope of understanding what Facebook is doing with their data by reading the comms material it has provided them with — with the Board writing [emphasis ours]:

Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE’s [Ireland] written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.

We contacted Facebook for a response to the EDPB’s order, and the company sent us this statement — attributed to a WhatsApp spokesperson:

We welcome the EDPB’s decision not to extend the Hamburg DPA’s order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.

Facebook also claimed it has controls in place for “controller to processor data sharing” (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.

The tech giant went on to reiterate its line that the update does not expand WhatsApp’s ability to share data with Facebook.

GDPR enforcement stalemate

A further vital component to this saga is the fact the Irish DPC has, for years, been investigating long-standing complaints against WhatsApp’s compliance with GDPR’s transparency requirements — and still hasn’t issued a final decision.

So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already going on it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t issued a verdict on whether or not WhatsApp has been up front enough with users.

tl;dr: The regulatory oversight process is still ongoing.

The DPC provisionally concluded its WhatsApp transparency investigation last year — saying in January that it sent a draft decision to the other EU data protection authorities for review (and the chance to object) on December 24, 2020; a step that’s required under the GDPR’s co-decision-making process.

In January, when it said it was still waiting to receive comments on the draft decision, it also said: “When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”

Over a half a year later and WhatsApp users in the EU are still waiting to find out whether the company’s comms lives up to the required legal standard of transparency or not — with their data continuing to pass between Facebook and WhatsApp in the meanwhile.

The Irish DPC was contacted for comment on the EDPB’s order today and with questions on the current status of the WhatsApp transparency investigation.

It told us it would have a response later today — we’ll update this report when we get it.

Update: The DPC’s deputy commissioner Graham Doyle said [emphasis his]:

This Article 66 procedure was about whether the EDPB on request from Hamburg would take final measures confirming the provisional measures applied by the Hamburg SA against Facebook. The EDPB decision decided not to take measures as insufficient evidence to ground such measures was presented by the Hamburg SA.

Measures, had they been decided by the Board, would not in any case be measures that would be adopted by the Irish DPC. They would be measures adopted by the EDPB. This is a decision of the Board based on a request from Hamburg SA under a provision that is a derogation to the cooperation and consistency mechanism.

The DPC, of course, has already carried out an in-depth inquiry into WhatsApp’s privacy policy user facing material in the context of its transparency inquiry. That inquiry reached the Article 60 (co-decision making) stage in December 2020 and is now progressing through the dispute resolution procedure. The Hamburg SA has been actively involved in the decision-making process since December 2020 and the dispute resolution process (which commenced in June) is an EDPB-led initiative, involving all other supervisory authorities.

The DPC notes the request of the Board and will give consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed in the Article 60 draft decision transmitted by the DPC (and now currently with the Board under Article 65).

The DPC also has a separate, complaint-based inquiry ongoing that considers the legal basis that WhatsApp relies upon for processing. That inquiry is also at an advanced stage.

Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5 million for “possible administrative fines arising from regulatory compliance matters presently under investigation”. No fines against Facebook have yet been forthcoming, though.

Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than three years having passed since the regulation started being applied.

Scores of GDPR complaints against the Facebook’s data-processing empire — such as this May 2018 complaint against Facebook, Instagram and WhatsApp’s use of so-called “forced consent” — continue to languish without regulatory enforcement in the EU because there’s been no decisions from Ireland (and sometimes no investigations either).

The situation is a huge black mark against the EU’s flagship data protection regulation. So the Board’s failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.

That said, any failure to follow the procedural letter of the law could invite a legal challenge that unpicked any progress. So it’s hard to see any quick wins in the glacial game of GDPR enforcement.

In the meanwhile, the winners of the stalemate are of course the tech giants who get to continue processing people’s data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.

Hamburg’s deputy commissioner for data protection, Ulrich Kühn, essentially warns as much in a statement responding to the EDPB’s decision in a statement — in which he writes:

The decision of the European Data Protection Board is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of millions of data subjects in Europe. It continues to leave this solely to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken action in this regard. It is a success of our efforts over many years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of a crucial instrument for enforcing the GDPR throughout Europe. This is no good news for data subjects and data protection in Europe as a whole.

In further remarks the Hamburg authority emphasizes that the Board noted “considerable inconsistencies between the information with which WhatsApp users are informed about the extensive use of their data by Facebook on the one hand, and on the other the commitments made by the company to data protection authorities not (yet) to do so”; and also that it “expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing” — arguing that the Board therefore agrees with the “essential parts” of its arguments against WhatsApp-Facebook data sharing.

Despite carrying that weight of argument, the call for action is once again back in Ireland’s court.

TechCrunch

FACEBOOK

Man Recalls A Dating Catastrophe When He Invited A Felon He Met Online Over To Hangout

Published

on

YourTango

There exists a subreddit where people explain stories by setting the precedent of, “Today I F–ked Up,” called “r/TIFU.”

One man shared how he messed up by inviting a girl over to his place, not expecting the night to take a turn for the worst before he had to go to work the next day.

His second date turned into a night of horror after his date started drinking during dinner.

In order to provide some context, he explained how he met the girl on Facebook Dating and had gone on his first date with her over the weekend.

“I did notice that she only smiled with her top row of teeth in the pictures and figured that her bottom teeth might be effed up, but didn’t think much of it,” he explained, already pointing out potential red flags. “She had trad wife energy and I was into it.”

RELATED: Kindergarten Teacher Says A Mom Gave Her A Vacuum To ‘Turn On’ When Her Daughter Misbehaves

He explained that during their first date, he had learned a lot about her, including her history of battling eating disorders which explained the messed up teeth.

He learned that she doesn’t drink often and that she lives with her parents because she’s preparing for surgery that will require a lot of physical therapy.

“This is all a red herring — nothing about this TIFU has to do with the teeth,” he explains. “I wanted to mention it because I was so focused on this that I didn’t pick up the other red flags.”



Source link

Continue Reading

FACEBOOK

Zuckerberg says Meta Quest 3 will get Quest Pro’s key tech feature

Published

on

Renderings of the Meta Quest 3 based on leaked CAD images

Meta Quest 3 is not a reality yet but it is expected to launch this year, probably in the fall at a Meta Connect event. This will be Meta’s consumer focussed headset that will succeed the Meta Quest 2. We recently heard rumors about the headset being much slimmer with more compact display lenses than the Quest 2 and that it could run on a more powerful Qualcomm Snapdragon XR2 Gen 2 chipset. 

Now, Meta’s recent earnings release has shed some light on new information around the Quest 3. Mark Zuckerberg, the CEO of Meta, has confirmed that the Quest 3 will have support for Meta Reality — the technology that allows the headset to be used for both augmented reality as well as virtual reality. This means that the Quest 3 will be a mixed reality headset and not just have virtual reality — much like the premium, enterprise-focussed Meta Quest Pro. This is something we had heard of before, but Zuckerberg seems to have confirmed it.

Source link

Continue Reading

FACEBOOK

5 Android apps you shouldn’t miss this week

Published

on

Apex Legends Mobile Cinematic Scene 7

Joe Hindy / Android Authority

Welcome to the 470th edition of Android Apps Weekly. Here are the big headlines from the last week.

  • YouTube Music has an annoying censorship bug on Nest Hubs. It doesn’t let you play music with sensitive album art. You get the same warning on the phone app, but you can usually bypass it. Unfortunately, there are limited ways to bypass it on your Nest Hub. Hit the link to learn more.
  • A former Facebook employee says Facebook can intentionally kill your battery. It does so through a process termed negative testing, where the app acts out, tanks your battery, and Facebook collects the data with it. It doesn’t happen to a ton of people, but it can happen to anyone.
  • Samsung updated Good Lock this week, just in time for its Samsung Galaxy S23 launch. The update added an option to update every installed plugin at once. Previously, you had to update each one individually. It’s a minor quality-of-life improvement, but it’s a welcome one.
  • ChatGPT is getting more serious. You can now spend $20 per month for a more powerful version of OpenAI’s bot. It’s only available to US customers right now, but it may expand later. The bot is also causing waves at Google, causing the company to ramp up its own AI work.
  • Apex Legends Mobile is shutting down after less than one year. EA made the announcement just a month after half of the Internet, including us, dubbed it the best new game of 2022. EA cites challenges with the content pipeline. It makes sense, since many of the newer updates have included a host of bugs that the developers just can’t seem to squash. Oh well, it was a nice run.

Pompom: The Great Space Rescue

Price: Free / $5.49

Pompom: The Great Space Rescue is a platformer. You play as Pompom and you progress through the game by jumping through and around obstacles, avoiding enemies, and solve puzzles to progress. It pays ode to the 16-bit era of gaming, so you’ll see a lot of elements, including graphics, from that era. There are also a bunch of weapons and tools you’ll get to help you on your way. The actual gameplay has some runner elements where you run forward automatically, and that’s not a 16-bit era style, but the game is still fun.

Memori Note

Price: Free / $2.49

Memori Note screenshot 2023

Memori Note is a note-taking app with an emphasis on reminding you of things. You write down what you want in the app, ask it to remind you about it at a random time, and it’ll do just that. The app also has color coding, a tags and filters system, and we think it looks pretty nice with its muted colors. There are also some backup settings if you want to transfer notes to a new device. We’re not sure how well it’ll do long term, but it definitely has the potential.

Devil Hunter Idle

Price: Free to play

Devil Hunter Idle is an action idle game. Your character hacks and slashes its way to level-ups, loot, and resources. You use those resources to strengthen your character so they can go back out and hack and slash more bad guys. That’s the primary gameplay loop, and it plays similarly to classic games like Buff Knight. The game’s over-the-top art style makes it feel like a lot more is happening, and the player does get to control some aspects of combat. The advertising is annoying, but you can pay to remove all of them. Other than that and some early bugs, the game is decent for its genre.

Rewind: Music Time Travel

Price: Free

Rewind Music Time Travel screenshot 2023

Rewind: Music Time Travel is an app for music rediscovery. It’s basically a big timeline that you scroll through to see what the music world looked like in any given year. It’s a neat way to rediscover old hits, and remind yourself of stuff you used to listen to. When I tested this one, I used it to help fill out my YouTube Music library a little bit since I had forgotten some of the songs I used to listen to. This isn’t something you’ll use long-term, but it’s a neat little app anyway.

Checkers Clash

Price: Free to play

Checkers Clash is an online competitive game where you play checkers. It’s not a complicated experience. You get into a game with an opponent. The two of you take turns until one of you runs out of pieces or concedes the match. You can also invite your friends and play against them as well. Some other game features include 8×8 and 10×10 board options, bots to play against to improve your skill, and a rewards system where you collect various things. The matchmaking system is imperfect, as it is in almost all online games, but it’s one of the few competitive checkers apps on mobile.


If we missed any big Android apps or games releases, tell us about it in the comments.
Thank you for reading. Try these out too:

Source link

Continue Reading

Trending

en_USEnglish