Executive Vice-President Vera Jourova
Commissioner Didier Reynders
Rue de la Loi 2001049 Brussels
Belgium

Cc
Bruno Gencarelli, Head of International Data Flows, DG Just

Re: Reassessment of UK adequacy decision in light of dangerous UK data bill

Dear Executive Vice President Jourova,

Dear Commissioner Reynders,

The undersigned organisations and individuals are deeply concerned about the UK government’s Data Protection and Digital Information (DPDI) Bill, which would turn the UK into a “leaky valve” that undermines the data protection rights of European citizens.

In June 2021, an adequacy decision was granted to the UK allowing the free flow of personal data to and from the United Kingdom without additional safeguards. This decision, granted by the Commission, rested on the premise that the UK's data protection system would continue to follow the same rules as when the UK was an EU Member State.

The DPDI Bill flies in the face of the 2021 adequacy decision. If passed, the Bill would mean a wholesale deregulation of the UK data protection framework, allowing private companies to seek shelter in the UK to circumvent European data protection standards, and turning the UK into a “test lab” for experimental and abusive uses of data. Likewise, the UK Government would be given the power to legalise invasive surveillance programmes and other measures that trump the right to data protection of European citizens.

The Commission must urgently take stock of these changes, which directly contradict key elements of data protection adequacy as defined in article 45(2) of Regulation (EU) 2016/679, and provide European citizens with assurance that it would repeal the adequacy decision if these proposals were to become law.

The DPDI Bill would give the UK government the power to override data protection principles whenever it sees fit

European personal data could be accessed by UK public authorities without basic human rights safeguards in place, thanks to new delegated legislative powers which would allow UK Ministers to override the law arbitrarily and without meaningful boundaries to their discretion.

At the same time, the Bill would undermine the independence of the UK data protection supervisory authority by establishing a new Information Commission, whose board would be directly appointed by the UK Government. Ministers would have the power to dictate strategic priorities to the Information Commission, and to interfere with the exercise of its powers.

The DPDI Bill would facilitate the onward sharing of European personal data to third countries without safeguards

The Bill would weaken the definition of personal data below the standards set by the 1981 Council of Europe Convention 108 on data protection. In turn, organisations could use the UK as a base to pseudonymise European personal data before transferring them to third countries: this data would be considered anonymous by UK data protection law, and safeguards afforded to personal data would not apply.

Further, the Bill would allow the UK Government to authorise personal data transfers to third countries in the absence of meaningful Parliamentary scrutiny, and without guarantees concerning the retention of enforceable rights and effective remedies once this data has been transferred. Indeed, the UK has already applied for associate membership of the US-backed Cross-Border Privacy Rules Forum, which enables international data transfers under the weaker APEC privacy framework.

UK public authorities have been showing growing disregard toward ECHR standards, which are an essential element of the UK adequacy decision

The UK is enacting a wave of illiberal legislation that has been described by Human Rights Watch as “the most significant assault on human rights protections in the UK in decades”, including restrictions to the right to protest and to strike. The UK Government is also seeking powers to legislate without parliamentary oversight, to overrule judgments from the European Court of Human Rights, to deport migrants without a fair trial or due process, and to remove modern slavery protections for trafficking survivors.

The UK Data Protection Reform follows this trend: 30 domestic civil society organisations accused the UK Government of ignoring critical voices in a rigged consultation process, and later denounced the undemocratic nature of the Bill.

The Commission must act

In light of the serious threat to European citizens’ rights, the European Commission must publicly acknowledge that conditions which underpinned the UK adequacy decision are about to change: the undersigned organisations call on the Commission to stand ready to adopt immediately applicable implementing acts to repeal the UK adequacy Decision, in accordance with the procedure referred to in Article 93(3) of Regulation (EU) 2016/679.

Your sincerely,

Ian Brown, Internet regulation expert

Prof. Dr. J.V.J. van Hoboken, Associate Professor, Institute for Information Law (IViR), Faculty of Law, University of Amsterdam, Professor of Law, LSTS, Vrije Universiteit Brussel

Douwe Korff, Emeritus Professor of International Law, London Metropolitan University

Max Schrems, Honorary Chairman, noyb

Access Now

AI Forensics

Amnesty International

Article 19

Big Brother Watch

Defend Democracy

Digitalcourage

Državljan D / Citizen D

Ekō

Electronic Frontier Norway

Epicenter.works

Eticas

European Digital Rights Initiative

Fair Vote UK

Foxglove

Fitug e.V.

Irish Council of Civil Liberties

IT-Pol Denmark

Open Rights Group

Panoptykon

Privacy International

The London Story

WeMove Europe

#jesuislà

The post Open Letter to the EU Commission regarding UK’s data bill appeared first on People vs. Big Tech.

Dozens of LGBTQ+ and human rights groups have written to Irish Taoiseach Leo Varadkar asking him to stop enabling hate and reform the Irish Data Protection Commission. Here’s the letter:

Dear Taoiseach,

As LGBTQ+ people, organisations and allies across the world, we know the vital importance of social media for forging connection and finding community. But we also see first hand the damage inflicted by the business model of the Big Tech companies – whose algorithms are primed to amplify the worst of humanity and cause deep harm to marginalised groups.

Research suggests 78% of our community in Europe faced anti-LGBTQ+ hate crime or hate speech online in the 5 years to 2020, and that we are disproportionately affected by digital privacy violations. Just this month, Facebook, TikTok and YouTube all approved ads for publication containing extreme and violent anti-LGBTQ+ content, in a test carried out by campaign group Global Witness.

Such findings equate to real-world suffering: marginalised people viciously trolled, gay teens targeted with conversion therapy ads, harassment of Pride participants live-streamed on YouTube. And underpinning this proliferation of hate is the business model of the Big Tech companies, which mines vast amounts of our personal data to maximise “engagement” and enables deeply invasive profiling and targeting.

As an open, inclusive country committed to the protection of human rights, Ireland should be leading the charge against the corporate culture and incentives that facilitate harmful exploitation of our data. But rather than act against hate, Ireland is enabling it – neglecting enforcement of European data protection law and prioritising its relationship with Silicon Valley over the safety and dignity of millions.

This is all too obvious from the Irish Data Protection Commission’s (DPC) disappointing enforcement record. The DPC is the lead data protection regulator, with unique responsibility for holding the world’s biggest – Dublin-based – tech platforms to account. But privacy advocates, legislators, regulators and citizens across Europe and the world are starting to see the stark truth that Ireland would rather protect Silicon Valley profits than fundamental human rights.

That is why we, LGBTQ+ people, organisations and allies across the world, are calling on you to change course. We ask you to stand up for citizens everywhere, be true to Irish values and ensure big tech platforms respect our rights. These actions will be popular with your own citizens. According to a Yonder poll from last year, only 18% of Irish citizens think these companies are trustworthy, while 58% hold your government responsible for protecting them against the harm they cause.

The first step in fulfilling this responsibility must be urgent reform of the DPC. Only the DPC has the power to ensure Europe’s General Data Protection Regulation (GDPR) is working as intended when it comes to the world’s most powerful platforms. But so far it has dragged its feet on enforcement and allowed Big Tech to keep trampling on people’s rights.

In the first 3.5 years of GDPR, Ireland issued just four draft decisions – 10 times fewer than Spain, for example, despite its larger budget. The European Data Protection Board recently had to step in to overrule DPC decisions that allowed Meta to illegally force users to accept targeted ads. (And even now, the DPC is seeking a court order to block an EU demand that it investigate Meta’s use of data about our sexual orientations and other intimate aspects of our lives). This is not the first time the EDPB has been forced to intervene because Ireland is failing to protect people’s basic data rights, a record sharply at odds with the country's professed commitment to human rights globally.

In the coming months, your government has a unique opportunity to change course when it appoints two new Commissioners to the DPC. This is a welcome step, but only if it leads to meaningful change. We therefore urge you to ensure that only candidates with the expertise and integrity to hold Big Tech to account are considered for the job. It is also essential that the Irish government commission an entirely independent review of how to strengthen and reform the DPC, to make it fit for purpose, and that the new commissioners appointed are given a mandate to implement these changes.

For LGBTQ+ people across the world, social media is a vital space for expression, community and connection with the capability to transform -- even save -- lives. But its positive role is being significantly undermined by a surveillance-based business model fine-tuned for spreading hate, and the failure of regulators to bring it into line. Ireland has a powerful opportunity to change that by reforming the DPC. We urge you to seize it.

Yours sincerely,

All Out

Alliance4Europe

AI Forensics

Amnesty International

Centre for Peace Studies, Croatia

Coalition For Women In Journalism (CFWIJ)

Defend Democracy

Digital Action

Ekō

Fair Vote UK

Far Right Observatory Ireland

Global Witness

ILGA-Europe

Irish Network Against Racism (INAR)

Irish Council for Civil Liberties

Institute for Strategic Dialogue (ISD)

LGBT Ireland

'NEVER AGAIN' Association

Outhouse LGBTQ+ Centre - Ireland

Transgender Europe (TGEU)

Transgender Equality Network Ireland (TENI)

Transvanilla Transgender Association - Hungary

Panoptykon Foundation

Peter Tatchell Foundation

Rouge Direct

STOP homophobie (stophomophobie.og)

Uplift Ireland

Zagreb Pride

#jesuislà

The post LGBTQ+ groups tell Leo Varadkar: reform the Irish Data Protection Commission appeared first on People vs. Big Tech.

The Court of Justice of the European Union (CJEU) is deciding on a crucial question of fundamental rights and data protection. An advisory opinion by Advocate General (AG) Campos Sánchez-Bordona, if relied upon by the Court, could undermine the practical enforcement of the data and privacy rights of 400 million EU citizens.

Article 82 of the GDPR says: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

When our rights are infringed, must we prove that we have “suffered material or non-material damage” above an as yet undefined threshold such that the routine intangible harms of the digital age go unpunished?

These questions arise in the Case C-300/21 UI v Österreichische Post AG. A claimant seeks compensation for “non-material damage” suffered when Österreichische Post (Austrian postal service) illegally created a profile of his political affiliations. He says he was incorrectly associated with a far-right party, which damaged his reputation and greatly upset him. The illegality of Österreichische Post profiling him is not at issue as the Courts already found this to be illegal. The question is, is he entitled to compensation?

Recital 146 of the GDPR says that “the concept of damage should be broadly interpreted” to reflect the objectives of the Regulation. But Campos Sánchez-Bordona’s opinion suggests a far more narrow interpretation.

First, it claims there is no right to automatic compensation from a GDPR infringement.

Second, it makes the troubling suggestion that loss of control over one’s personal data does not necessarily create damage. But isn’t it damaging to lose control over your data when your personal data is being sold on the darknet after a data breach or when data brokers sell your personal profiles to foreign state actors or corporations?

Third, and most alarmingly, it implies that fundamental rights are to be balanced and reconciled with the economic objective of promoting the free movement of data.

Finally, the opinion recommends that the CJEU leave to each Member State’s courts the task of introducing new minimum thresholds for the seriousness or “harm” required to receive compensation. This threatens to fragment the already weakly enforced GDPR and create legal uncertainty for data subjects and businesses.

Digital and data harm is often not directly perceptible. Creating vague new national thresholds for compensation would be a huge blow to victims of intangible digital violations.

If the Court agrees with these recommendations, people will be far less likely to litigate to vindicate their fundamental rights where data protection supervisory authorities have failed to act on their behalf. Simultaneously, it will embolden data controllers to continue breaking the law and walk away with spectacular profits with little risk of consequences.

1. All Out
2. Bits of Freedom
3. Centre for Peace Studies
4. Civil Liberties Union for Europe (Liberties)
5. Coalition For Women In Journalism (CFWIJ)
6. Corporate Europe Observatory
7. Dare to be Grey
8. Defend Democracy
9. Elektronisk Forpost Norge
10. Estonian Human Rights Centre
11. Eticas Foundation
12. European Digital Rights (EDRi)
13. Fair Vote UK
14. Freedom Internet BV (NL)
15. Föreningen för digitala fri- och rättigheter (DFRI)
16. Gong
17. Homo Digitalis
18. Internet Society Netherlands (ISOC NL)
19. Irish Council for Civil Liberties
20. #jesuislà
21. KaskoSan Roma Charity
22. Lie Detectors
23. LobbyControl
24. Luminate
25. Noyb
26. Privacy First
27. Statewatch
28. SumOfUs
29. Superbloom (previously Simply Secure)
30. The Privacy Collective (NL)
31. The Real Facebook Oversight Board
32. WeMove Europe

Individual signatories:

Malte Spitz, Secretary General GFF (Gesellschaft für Freiheitsrechte/ Society for Civil Rights)

If you wish to add your signature to the statement please email info@peoplevsbig.tech

We’re people, not users. Uniting to challenge Big Tech abuse.

The post EU citizens’ data and privacy rights at serious risk appeared first on People vs. Big Tech.

New polling reveals 70% of adults in France support a ban on the use of people’s sensitive personal data in online targeted advertising.

A new YouGov poll commissioned by the People vs Big Tech network demonstrates that people in France find it wholly unacceptable for technology companies to target individuals with online advertising based on their personal data. The findings come just as French Minister of State for Digital and Telecommunications, Cédric O, announced that the Digital Services Act (DSA) will include a ban on targeted ads using sensitive data, as well as targeted ads to minors. While this is a promising development, it’s not a done deal as EU lawmakers continue to discuss the final provisions of the landmark legislation which aims to hold large online platforms accountable for the harms of their business model.

At a time when industry pressure appears to be causing representatives of the EU Commission and EU Council to consider backsliding and removing the proposed measure by the European Parliament, the survey shows that 69% of people in France find it unacceptable for technology companies to use their personal data in such a way.

Rewan Al-Haddad, Campaign Director at SumOfUs, said: “For years now people across Europe have been demanding stronger protection against Big Tech’s toxic and abusive data practices which only serve to enrich the coffers of the likes of Mark Zuckerberg – and these poll results in France demonstrate exactly that. Now the question is whether EU lawmakers will follow Cédric O’s lead, or capitulate to Big Tech lobbyists.”

A full 70% of those polled supported a ban on the use of people’s sensitive personal data (such as a person’s ethnicity, religious beliefs, sexual preferences, health conditions, or political opinions) in online targeted advertising – with 42% strongly supporting such a ban. By contrast, just 10% strongly opposed a proposed ban on the invasive practice.

These findings are particularly significant for French politicians as France currently chairs the negotiations for the DSA and plays a pivotal role in shaping the rules by which Big Tech companies will be allowed to operate in Europe going forward. Of note, the overall results of the survey show public opinion in France is in line with the views of small business leaders as well. For more information on their views, see January 2022 polling.

The EU has a decisive opportunity to establish the baseline protections necessary to secure the fundamental rights of EU citizens. Because no regulation currently prevents companies like Meta/Facebook or Google from profiling people based on their sensitive data (or making inferences about such characteristics), the online targeted advertising system has been repeatedly weaponised with ads designed to suppress votes, sell miracle cures, recruit militia, and incite violence.

But an opportunity to stem these harms is available and, as the YouGov poll results demonstrate, the time to act is now. The measure proposed by the European Parliament to prohibit the use of sensitive data in Article 24 of the DSA (including the drawing of inferences about a person’s sensitive characteristics) for the purpose of displaying advertisements must be adopted into the final provisions of the law. A system that enables foreign interference, facilitates the spread of disinformation, and inflames tensions between groups can no longer be permitted to operate without robust government oversight and new rules in place to protect privacy, promote safety, and maintain the integrity of Europe’s democratic processes.

Polling Note: All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 1023 adults. Fieldwork was undertaken between 21st - 23rd March 2022. The survey was carried out online. The figures have been weighted and are representative of all French adults (aged 18+).

The post Vast Majority of French People Do Not Want to be Targeted with Online Ads Based on Their Sensitive Personal Data (YouGov Poll) appeared first on People vs. Big Tech.

YouGov poll reveals small business leaders are uncomfortable with Facebook and Google’s tracking-based advertising

A new YouGov poll commissioned by Amnesty International and Global Witness has shown that small business leaders in France and Germany want alternatives to Facebook and Google’s dominant tracking-based advertising. The findings come ahead of a key EU vote this week on the Digital Services Act (DSA), which aims to impose stricter rules on tracking-based digital advertising and force more accountability from Big Tech companies.

Facebook and other industry leaders have emphasized their belief that targeted advertising is necessary for the survival of European small and mid-sized enterprises. But the survey shows that 79% of leaders of small and medium-sized enterprises felt that large online platforms – such as Facebook and Google – should face increased regulation of how they use personal data to target users while advertising online.

The poll further reveals that 75% of respondents also believe tracking-based advertising undermines peoples’ privacy and other human rights.

“The constant and invasive monitoring of our lives to target people with ads is unacceptable, annihilates our right to privacy, and fuels discrimination. These results show that business owners are extremely uncomfortable with the approach to tracking-based advertising that their customers currently experience,” said Claudia Prettner, Legal and Policy Adviser at Amnesty Tech. “This week’s plenary vote on the Digital Services Act represents a vital opportunity for MEPs to stand up for human rights, and to take action to address advertising practices that rely on intrusive surveillance.”

Respondents were uncomfortable with the influence and monopoly that platforms like Facebook and Google have. A total of 69% of business owners surveyed said that they felt they had no option but to advertise with them due to their dominance of the industry.

The survey also showed that business owners believed their customers were not comfortable being targeted with online ads based on their race or ethnicity (62%), their sexual orientation (66%), information about their health (67%), their religious views (65%), their political views (65%), or personal events in their life (62%).

“It’s been part of Facebook and Google’s lobbying playbook to use small business’ reliance on their services as a fig leaf to justify their invasive profiling and targeting of users for advertising,” said Nienke Palstra, Senior Campaigner on Digital Threats to Democracy at Global Witness. “In fact, our polling shows small business leaders in France and Germany are deeply wary of their ad tech practices – but don’t see an alternative. Given the overwhelming support from small business to regulate ad tech giants, there is every reason for MEPs to go further in the Digital Services Act and protect individuals from surveillance advertising.”

The latest findings support previous Global Witness polling conducted in February 2021 that investigated French and German social media users’ attitudes to targeted advertising. Those results showed overwhelmingly that people were deeply uncomfortable about the ways they are targeted by advertisers every day, from being categorized by income and religious views to life events such as pregnancy, bereavement, or illness.

The YouGov poll was conducted with more than 600 leaders of small and medium-sized enterprises in France and Germany. The full results are available to download for the France and Germany polls.

The post Small Businesses Want EU to Get Tough on Big Tech Ads appeared first on People vs. Big Tech.