At a glance.
- Privacy enforcement post-GDPR.
- Google's Privacy Sandbox.
- Update on ICRC breach.
The progression of EU and US privacy enforcement since the GDPR.
In the latest installment of their Privacy Talks series, the experts at Cooley examine trends in US and EU privacy enforcement actions since the establishment of the General Data Protection Regulation (GDPR) in 2018. In the EU, sanctions have increased from about 600,000 euros in total fines in 2018 to more than 1 billion euros in 2021 (largely due to two major decisions from data protection authorities in Luxembourg and Ireland). Spain and Italy are the most active EU nations where sanctions are concerned, but Luxembourg and Ireland are the leaders in penalty severity, with Luxembourg sanctioning Amazon for 700 million euros last year.
The industry and commerce sector was on the receiving end of more than 50% of the fines issued, followed by the telecom, transportation and energy, and employment sectors. Across the pond, the US Federal Trade Commission (FTC) announced six privacy or data security settlements in 2021, about half the number brought in 2020. The cases involved a photo storage app, a fertility tracking app, and one company's phone monitoring apps. In a report to Congress on privacy and security in September, the FTC said it plans to prioritize integrating consumer protection and competition concerns, expanding remedies for consumers, targeting enforcement at dominant digital platforms, and gaining a better understanding of algorithms and how they affect consumer protection and competition.
Google’s Privacy Sandbox aims to give users power over their advertising data.
This week Google announced that it is extending its Privacy Sandbox initiative to Android, aiming to give users more control over their advertising data by limiting the sharing of user data with third parties and preventing the use of cross-app advertising identifiers. Google explained, "Our goal with the Privacy Sandbox on Android is to develop effective and privacy enhancing advertising solutions, where users know their information is protected, and developers and businesses have the tools to succeed on mobile." Security Week explains that Android developers have been asked to review the initiative's proposals and provide feedback through the developer portal. Mobile Dev Memo notes that Privacy Sandbox on Android follows Apple's App Tracking Transparency framework, introduced last year, which caused problems for mobile advertisers by effectively deprecating the iOS advertising identifier (IDFA): apps may now read it only with the user's explicit opt-in. Privacy Sandbox appears to be Google's attempt at a more measured, collaborative approach.
Update on Red Cross data breach.
As we noted last month, the International Committee of the Red Cross (ICRC) suffered a third-party data breach that resulted in the theft of the data of over 515,000 individuals, including staff, volunteers, and the highly vulnerable families supported by its programs. Security Week reports that the ongoing investigation has revealed the attackers exploited a critical-severity authentication bypass vulnerability in Zoho's ManageEngine ADSelfService Plus (the flaw tracked as CVE-2021-40539, which had been unpatched on the affected system), and that the hackers had access to the ICRC network for over seventy days by posing as legitimate users. ICRC stated, "This was a sophisticated attack – a criminal act – breaching sensitive humanitarian data. We know that the attack was targeted because the attackers created code designed solely for execution on the concerned ICRC servers, a technique we believe was designed to shield the hackers' activities from detection and subsequent forensic investigations." Though the identity of the threat actor has not been disclosed, investigative journalist Brian Krebs says the attacker created an account on an underground forum using an email address associated with an Iranian influence campaign.