Jan. 25, 2023

E.U. Regulators Bar Meta From Requiring Users to Pay With Their Data

E.U. regulators have invalidated Meta’s contract requirement that Facebook, Instagram and WhatsApp users allow the company to use their personal data without consent, fining the company $428 million. The regulators’ decisions, published January 11 and 19, reject the common business model of providing a free internet service in exchange for users’ activity data. The Meta case also exposes intensifying disputes among the E.U. regulators, with Ireland’s Data Protection Commission announcing that it will sue the bloc’s top data protection board to annul one binding order for further proceedings. This article examines the decisions' impact on data collection under GDPR, the dueling regulator positions, and the key compliance implications for companies, and includes insights from GDPR specialists at DLA Piper, Ropes & Gray and Wallace. See “Two European Regulators Warn Behavioral Advertising Skates on Thin Ice” (Jan. 19, 2022).

France’s Cookie Enforcement Against TikTok and Microsoft Highlights Common Compliance Missteps

In a span of less than two weeks, the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s lead privacy regulator, fined two companies – TikTok and Microsoft – for insufficient cookie consent practices. The CNIL’s cookie enforcement activity, which has been on the uptick, represents just one part of a broader enforcement initiative by European regulators who, in recent years, have been targeting cookie practices that are not in alignment with the GDPR’s stringent data privacy requirements. This article explores the CNIL’s recent enforcement actions and the broader heightened cookie enforcement activity across Europe, and offers lessons for multinational companies to avoid costly financial and reputational mistakes with their own cookie practices. See “Compliance Takeaways From the Latest GDPR Enforcement Statistics” (Feb. 2, 2022).

Transparency of Beneficial Ownership Clashes With U.K. Privacy Laws

The Register of Overseas Entities (ROE) that came into force in the U.K. on August 1, 2022, via the Economic Crime (Transparency and Enforcement) Act 2022 aims to help crack down on foreign criminals using U.K. property to launder money by requiring registration with the U.K. Companies House. However, on November 22, 2022, the Court of Justice of the European Union issued a ruling that prioritizes privacy over transparency and could eventually lead to changes in the approach to registries across Europe. The Cybersecurity Law Report spoke with Crispin Rapinet and Khushaal Ved, attorneys at Hogan Lovells, about the new requirements, the somewhat conflicting CJEU ruling, and what they mean for multinational corporations. See our two-part series on lessons from the WhatsApp decision on GDPR transparency requirements: Enforcement Takeaways (Oct. 20, 2021); and Compliance Foundations (Oct. 27, 2021).

Constangy Expands With New Cyber Team

Constangy has added a new data privacy and cybersecurity team consisting of 32 attorneys in 17 cities and 12 states, all of whom joined from Lewis Brisbois. The team will be led by Sean Hoar.

Cyber Expert Rejoins Cole-Frieman & Mallon to Serve Investment Management Industry

Cole-Frieman & Mallon announced that it will launch a cybersecurity law practice, bringing back former partner John Araneo as its lead. Araneo focuses his practice on cybersecurity regulation as it relates specifically to investment advisors.