I had thought we were in the dog days of summer, but the Farmer’s Almanac tells me that I was wrong about that. It turns out that the phrase refers to certain specific dates on the calendar, not just to the hot and steamy days that descend on the nation’s capital in . . . well, whenever they do (and not just before Labor Day, that’s for sure). The true dog days, it turns out, are July 3-Aug. 11, no matter the weather. So maybe this is just the cat’s tuches of summer, as if that makes it better.

Read the full piece here.

Abstract

Depending on implementation details, the EU Digital Markets Act (DMA) may have negative consequences regarding information privacy and security. The DMA’s interoperability mandates are a chief example of this problem. Some of the DMA’s provisions that pose risks to privacy and to the protection of personal data are accompanied either by no explicit safeguards or by insufficient safeguards. The question is then: how to interpret the DMA consistently with Articles 7-8 of the EU Charter of Fundamental Rights which ground the rights to privacy and the protection of personal data? Using the example of the prohibition on restricting users from switching and subscribing to third-party software and services (Article 6(6) DMA), I show that Charter-compatible interpretation of the DMA may depart from the intentions of the DMA’s drafters and even be perceived by some as significantly limiting the effectiveness of the DMA’s primary tools. However, given that—unlike the GDPR—the Charter takes precedence over a mere regulation like the DMA, such policy objections may have limited legal import. Thus, the true legal norms (legal content) of the DMA may be different than what a superficial reading of the text could suggest or, indeed, what the drafters hoped to achieve.

The Norwegian Data Protection Authority (DPA) on July 14 imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by other national authorities than the authority of the country where the business is registered (here: Ireland).

My initial view of the decision is that it is both a misuse of the urgency procedure and mischaracterizes the leading judgment from the EU Court of Justice (CJEU) on which it purports to rely (see my analysis of that judgment: part 1 and part 2). The decision misses the critical legal issue that it’s unclear to what extent the CJEU’s analysis applies to first-party personal data (collected by Facebook and Instagram) as the Court’s judgment expressly covered third-party data (collected “off-platform”).

Read the full piece here.

Among the regulatory tools created by the European Union’s Digital Markets Act (DMA)—landmark competition legislation that took effect across the EU last November—is a mandate that the largest digital-messaging services must be made interoperable. In the name of promoting fairness in digital markets, these gatekeeper services are asked to allow external services to connect with them, enabling new and smaller players to compete.

Read the full piece here.

Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for data processing: contractual necessity, legitimate interests, and consent. I emphasized the importance of a nuanced understanding of the CJEU decision and pointed out that the decision does not determine definitively whether Meta can rely on legitimate interests or fall back on user consent for personalized advertising.

Read the full piece here.

Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). In the decision, in which the CJEU gave the green light to an attempt by the German competition authority (FCO) to rely on the GDPR, the court also explored the lawful bases for data processing under the GDPR, notably for personalized advertising.

Read the full piece here.

Readers might recall my recent discussion of the Federal Trade Commission’s (FTC) new Bureau of Let’s Sue Meta, in which I covered, among other things, the commission’s proposal to modify its 2020 Decision and Order In the Matter of Facebook Inc. (now Meta). The 2020 order included complex behavioral requirements, in addition to a record-setting $5 billion penalty. One supposes that the consumer harm had been inestimable, given that the commission never did estimate it.

Read the full piece here.

In Robert Bolt’s play “A Man for All Seasons,” the character of Sir Thomas More argues at one point that he would “give the Devil benefit of law, for my own safety’s sake!” Defending the right to due process for a broadly disliked company is similarly not the most popular position, but nonetheless, even Meta deserves the rule of law.

Read the full piece here.

ICLE Senior Scholar Miko?aj Barczentewicz joined the Mobile Dev Memo podcast to discuss the Irish Data Protection Commission’s recent $1.3 billion levied against Meta over its transmission of EU resident data to the United States, and what the case means for the future of U.S.-EU data flows. The full episode is embedded below.