Technology Law and Data Privacy Updates
Edition I - October 2024
INDEX
A. SUMMARY
B. NATIONAL
- Data Breach at Leading Insurance Service Provider
- CERT-In releases New Guidelines for Empanelled Audit Organisations
C. INTERNATIONAL
- Canada – Federal Court of Appeal rules against Facebook for violating Privacy Law
- U.S. – California – State introduces Laws to combat AI-Generated Deepfakes
- Belgium – DPC fines Employer €45,000 for Unlawful Processing of Biometric Data of Employees
- South Africa – Constitutional Court sets Landmark Precedent on Balancing Privacy and Freedom of Expression in Digital Era
- E.U. – Commission terms Current Consumer Laws Inadequate for Digital Environment
- U.S. – FTC Report calls for Stricter Data Policies for Social Media Industry
- U.S. – California – State enacts New Online Child Protection Laws
- U.S. – Montana – State’s Comprehensive Privacy Law Takes Effect
- U.S. – Texas – State AG sues TikTok for violating Children’s Privacy Law
- U.S. – California – State Federal Court rejects CIPA Claims against Online Chat Provider
SUMMARY
Welcome to the latest edition of Fountainhead Legal’s Technology Law and Data Privacy Updates.
This fortnight, we witnessed significant developments in the realm of data privacy, especially at the international level, while at home a major data leak at an insurance sector player compromised the sensitive personal information of millions of policyholders.
This breach underscores the critical need for swift action in implementing data protection measures under India’s Digital Personal Data Protection (“DPDP”) Act, 2023.
Our Founder’s Comments – “From the legal perspective, insurance companies are required to protect customer data under various regulations issued by the IRDAI. The Insurance Regulatory and Development Authority of India (Third Party Administrators – Health Services) Regulations, 2016, enforce strict confidentiality for data shared with TPAs. The Cybersecurity Guidelines (2023) require insurers and intermediaries to implement robust data security frameworks, appoint a Chief Information Security Officer (CISO), and conduct periodic audits.”
– Outlook Money (October 11, 2024)
Further, the gaming industry has seen rapid expansion both in India and internationally. The gaming sector is now a massive data ecosystem, gathering user information at an unprecedented scale. As these platforms continue to innovate and engage larger audiences, particularly young users, the potential for misuse of personal data escalates.
Our Founder’s Comments – “User generated data, such as chat messages, voice communications, and in-game interactions, poses significant privacy risks for minors, as it may contain personally identifiable information that can be exploited.
The DPDP Act’s data minimization principle mandates that only data strictly necessary for the game’s functioning should be collected, minimizing the risk of breaches or unauthorized use of minors’ personal information. This framework may ensure that the collection and processing of minors’ data are tightly controlled, in compliance with the privacy requirements set out in the DPDP Act.”
– LegalWorld (October 9, 2024)
On the international front, a few more States in the US have adopted data privacy regulations, while the EU continues to fine non-compliant players to ensure robust implementation of the GDPR.
We hope you find our updates interesting!
NATIONAL
1. Data Breach at Leading Insurance Service Provider[1]
Recently, a major insurance player faced a massive data breach, when personal data, including mobile numbers and PAN card details of about 3 (three) crore customers of the insurance company, was reported to have been leaked and offered for sale online.
News of a potential data breach had already surfaced in September 2024, when the personal data of the insurance company’s customers was alleged to have been collected through chatbots on a popular mobile chatting application. Although the insurance company, based on its initial assessment, declared that the sensitive personal information of its customers remained secure, it initiated a lawsuit against the mobile chatting application to prevent distribution of the data collected through these chatbots. The Court granted an interim order in favour of the insurance company, directing the mobile chatting application to take down such chatbots.
In addition to the lawsuit filed by the insurance company, a petition has been filed before the Madras High Court requesting that the Government be directed to investigate, as the insurance company has admitted to being the victim of a cyber-attack that resulted in unauthorized access to the personal data of its customers.
The incident serves as a wake-up call for the necessity of stringent data protection measures and accountability in the insurance sector and beyond. The DPDP Act is a significant step toward establishing a robust data protection regime in India, aimed at curbing data breaches, ensuring accountability among organizations, and providing a structured resolution mechanism for victims. Hence, the Government should expedite the enforcement of the DPDP Act and its associated rules.
2. CERT-In Releases New Guidelines for Empanelled Audit Organizations[2]
On October 1, 2024, the Indian Computer Emergency Response Team (“CERT-In”) released certain key recommendations for enhancing the cybersecurity audit ecosystem for empanelled audit organisations. These recommendations emphasize providing clarity to executive management through an executive summary that outlines the overall security posture of the audited application. They also encourage raising audit awareness via in-person sessions, ensuring technical findings are supported by evidence in line with CERT-In’s April 2022 cybersecurity directions, conducting comprehensive audits to uncover all vulnerabilities, and much more.
In the era of data breaches, these recommendations by CERT-In may be seen as a guiding light for the auditing organizations as well as the auditee organizations. For empanelled auditing organizations, these recommendations attempt to increase the quality of audits, pushing the auditors to maintain high standards.
INTERNATIONAL
CANADA
3. Federal Court of Appeal Rules Against Facebook for Violating Privacy Law
On September 9, 2024, the Federal Court of Appeal delivered a verdict against Facebook (Meta) in the case of Privacy Commissioner of Canada v. Facebook, Inc. [2024 FCA 140],[3] concerning breach of the Personal Information Protection and Electronic Documents Act, S.C. 2000 (“PIPEDA”) by sharing personal information of its users with third-party applications hosted on the Facebook platform.
The Court thoroughly examined Facebook’s ‘Terms of Service’ and ‘Data Policy’, concluding that third-party applications were able to access not only users’ personal data but also, without explicit consent, the data of their friends who had not installed such applications. The Court assessed whether these policies were understandable to a reasonable person, how consent was obtained, and the clarity of the language used. It was noted that consent was primarily obtained through the ‘Data Policy’, which was merely hyperlinked to the ‘Terms of Service’, automatically deeming users to have consented. Additionally, both policies were overly lengthy and complex for a typical user to comprehend. Consequently, the Court found Facebook in breach of PIPEDA for failing to obtain ‘meaningful consent’ and for inadequately protecting user data, allowing third-party applications to access the information of users who had not even downloaded those applications.
This decision signifies a strict approach toward privacy protections, especially regarding consent and data sharing with third parties. Organizations must prioritize the spirit of the law, focusing on genuinely understanding and respecting individuals’ privacy rights rather than merely adhering to the letter of the law. This involves not only revising consent mechanisms and closely monitoring third-party access but also enhancing the clarity of privacy communications. By doing so, organizations can ensure they are fully compliant with data privacy regulations while fostering trust with their users.
UNITED STATES – CALIFORNIA
4. State Introduces 5 Laws to Combat AI-Generated Deepfakes
California has made significant strides in addressing issues related to the use of deepfakes during elections and the protection of performers’ rights through 5 newly enacted laws, effective from January 1, 2025. Assembly Bill 2655[4], titled Defending Democracy from Deepfakes Act, 2024, Assembly Bill 2839[5], titled Elections: Deceptive Media in Advertisements, and Assembly Bill 2355[6], titled Political Reform Act of 1974: Political Advertisements: Artificial Intelligence, together target the use of deepfake videos and audio to prevent deceptive political communication, prohibiting such content 120 days prior to an election and 60 days after it. The laws also require online platforms to provide California residents with an easy way to report content for removal or labelling, mandating that they act within 72 hours of a report. The law further establishes a ‘Fair Political Practices Commission’ to act as a watchdog and enforce violations.
Additionally, Assembly Bill 1836[7] entitled as Use of Likeness: Digital Replica prohibits the use of a deceased personality’s voice or likeness in expressive audiovisual works or sound recordings without prior consent from their estate or surviving family members, imposing penalties of at least $10,000 or actual damages for violations, while narrowing exceptions for uses in news, commentary, and documentaries.
These laws bring much-needed attention to the issue of deepfakes and are a significant step forward in addressing the manipulation of digital media; however, the focus on restricting such content primarily during election periods may be seen as too narrow in scope. Deepfakes are a pervasive issue that can be misused in various contexts beyond elections, such as in spreading misinformation, damaging reputations, and committing fraud, affecting the public at large. By limiting the law’s applicability to election-related periods, the legislation misses an opportunity to address the pervasive and continuous nature of deepfake technology misuse at a larger scale.
BELGIUM
5. DPC Fines Employer €45,000 for Unlawful Processing of Biometric Data of Employees[8]
The Belgian Data Protection Commission (“DPC”) fined an employer €45,000 for unlawfully processing employees’ fingerprints, which are considered biometric data under the General Data Protection Regulation (“GDPR”) and warrant heightened protection under Article 9. The employer used a timekeeping system to collect fingerprints and transferred the data to Japan, a non-EU country. After an employee’s access request regarding this data was mishandled, a complaint was filed with the DPC, raising concerns about inadequate consent for data collection and insufficient data protection safeguards in Japan.
The DPC’s investigation uncovered several GDPR violations, including the employer’s failure to establish a clear legal basis for processing biometric data. Although consent was identified as the legal basis, it was improperly obtained and not freely given, given its association with the employment relationship. Moreover, the employer failed to fully disclose all data processing purposes, with the provided brochure only mentioning timekeeping and site security without clearly specifying the legal grounds for processing.
As companies increasingly adopt biometric systems for efficiency, they must prioritize employee rights and comply with GDPR requirements to avoid significant fines and reputational harm. In contrast, India’s Digital Personal Data Protection Act, 2023 adopts a different approach, wherein employers are not required to obtain explicit consent from employees. This flexibility may streamline data processing in the workplace, but it also raises important questions about employee rights and privacy protection of the kind dealt with by the Belgian DPC in this matter.
SOUTH AFRICA
6. Constitutional Court Sets Landmark Precedent on Balancing Privacy and Freedom of Expression in the Digital Era
The Constitutional Court ruled in favour of a farmer in the landmark case of Herman Botha v Bool Smuts and Another [2024] ZACC 22 on the right to privacy versus freedom of expression. Botha had earlier sued wildlife conservationist Bool Smuts for publishing Botha’s personal information on the social media platform Facebook, including photos of his farm, contact details, and a controversial trapping incident.
Initially, the High Court ruled that Botha’s privacy rights were violated, ordering Smuts to delete the post. However, the Supreme Court of Appeal later overturned this decision, invoking Section 16 of the Constitution, which upholds the right to freedom of expression, allowing for the dissemination of information in the public interest while balancing it against privacy rights. The Constitutional Court ultimately reinstated Botha’s privacy rights, stating that even publicly accessible information does not entirely forfeit an individual’s privacy expectations.
The ruling emphasized the nuanced balance between privacy and freedom of expression in the digital age.
EUROPEAN UNION
7. Commission Terms Current Consumer Laws Inadequate for Digital Environment[9]
On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in the digital space, including the Unfair Commercial Practices Directive (UCPD), the Consumer Rights Directive (CRD), and the Unfair Contract Terms Directive (UCTD). The report found that these legal frameworks are inadequate for addressing contemporary and emerging consumer risks in the digital environment.
In response, the Commission intends to introduce a new “Digital Fairness Act” to address challenges such as dark patterns, influencer marketing, personalized content, digital subscriptions, and AI-based systems. The proposed legislation aims to achieve greater harmonization across EU member states and to strengthen enforcement mechanisms through the use of automated tools and enhanced powers for consumer authorities. The proposal is anticipated in the coming years.
UNITED STATES
8. FTC Report Calls for Stricter Data Policies for Social Media Industry[10]
The Federal Trade Commission (“FTC”) has issued a Staff Report following an investigation into the data practices of nine prominent social media and video streaming companies, including Meta, TikTok, YouTube, and Twitter (now X Corp.). The report identified critical issues such as indefinite retention of data, unauthorized use of personal information for targeted advertising, limited user control over AI-driven data processing, insufficient safeguards for children and teenagers, and potentially anticompetitive data practices.
The FTC has recommended implementing robust data policies to minimize data collection, enhance consumer control and transparency, strengthen protections for sensitive information, and improve safeguards for minors. Although the report provided limited guidance on how to achieve these recommendations, the FTC signalled its intent to use its enforcement authority to pursue actions against companies that do not comply.
UNITED STATES – CALIFORNIA
9. State Enacts New Online Child Protection Laws[11]
California is actively pursuing measures to safeguard children online through recent legal developments that impact businesses providing services to minors. The Ninth Circuit has issued a ruling concerning the Age-Appropriate Design Code Act, which aligns with the UK’s legislation. A temporary injunction had postponed the law’s implementation, initially scheduled for July 2024. While the Ninth Circuit upheld the portion of this injunction related to data protection impact assessments, it allowed other provisions of the law to remain intact, and the case has been remanded to the district court for further evaluation.
The law retains several critical provisions, including requirements for age-appropriate privacy settings, the necessity of providing child-friendly privacy information, and restrictions on the collection of precise location data. Additionally, the Governor has enacted the ‘Protecting Our Kids from Social Media Addiction Act,’ set to take effect in January 2027. This law aims to mitigate ‘addictive feeds’ directed at minors and empowers parents with greater control over their children’s access and visibility of content on social media platforms.
UNITED STATES – MONTANA
10. State’s Comprehensive Privacy Law Takes Effect[12]
On October 1, 2024, Montana enacted its comprehensive privacy law, becoming the fourth State to implement such legislation this year, alongside Texas, Oregon, and Florida. This development increases the total number of States with active privacy laws to nine, which includes California, Colorado, Connecticut, Utah, and Virginia. Montana’s law largely aligns with the requirements of other States, such as honouring opt-out signals and granting individuals rights to access and delete their data; however, it does not offer a private right of action. Looking ahead, additional State privacy laws in Delaware, Iowa, New Jersey, Nebraska, and New Hampshire are scheduled to take effect in January 2025.
UNITED STATES – TEXAS
11. State AG Sues TikTok for Violating Children’s Privacy Law[13]
The Texas Attorney General’s office has filed a civil suit against TikTok for violating Texas’ Securing Children Online Through Parental Empowerment Act (SCOPE Act), under which digital service providers are required to register users’ age, obtain parental consent, provide parental tools, and protect minors’ data. It is alleged that TikTok has violated the provisions of the SCOPE Act by unlawfully sharing and selling the personal data of minors using the application.
UNITED STATES – CALIFORNIA
12. State Federal Court Rejects CIPA Claims Against Online Chat Provider[14]
In Gutierrez v. Converse Inc., 2024 WL 3511648 (C.D. Cal. July 12, 2024), a California federal court ruled in favour of a company that used a third-party chat provider on its website. The plaintiff alleged that the chat provider had stored her chat communications with Converse’s customer service agents on its servers after she visited Converse’s website with this chat feature installed. Her attorneys argued that the chat provider had aided and abetted ‘wiretapping’ under Section 631(a) of the California Invasion of Privacy Act (CIPA). However, the court found that CIPA does not apply to online chat conversations conducted through smartphones and that the chat provider did not unlawfully access the content of the messages.
Authors:
- Rashmi Deshpande
- Aarushi Ghai
- Janmejay Jaiswal
- Bhavya Dayal
- Renee Gohil
[1] https://inc42.com/buzz/star-health-data-leak-insurer-releases-chronology-of-events/
https://www.reuters.com/technology/cybersecurity/indias-star-health-sues-telegram-after-hacker-uses-apps-chatbots-leak-data-2024-09-26/
https://www.dtnext.in/news/tamilnadu/madras-hc-reserves-order-in-star-health-insuree-data-breach-case-807461
https://www.thehindubusinessline.com/companies/star-health-confirms-data-breach-takes-legal-action-launches-investigation/article68737641.ece
https://www.expresscomputer.in/exclusives/the-truth-behind-the-star-health-breach-a-story-of-cybercrime-disinformation-and-trust/117411/
[2] https://www.cert-in.org.in/
[3] https://decisions.fca-caf.gc.ca/fca-caf/decisions/en/item/521452/index.do
[4] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240AB2655
[5] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240AB2839
[6] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB2355
[7] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB1836
[8] https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_114/2024&mtc=today
[9] https://commission.europa.eu/document/download/707d7404-78e5-4aef-acfa-82b4cf639f55_en?filename=Commission%20Staff%20Working%20Document%20Fitness%20Check%20on%20EU%20consumer%20law%20on%20digital%20fairness.pdf
[10] https://www.ftc.gov/reports/look-behind-screens-examining-data-practices-social-media-video-streaming-services
[11] https://cdn.ca9.uscourts.gov/datastore/opinions/2024/08/16/23-2969.pdf
[12] https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf
[13] https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-tiktok-sharing-minors-personal-data-violation-texas-parental
[14] https://www.pacermonitor.com/view/KASOZWA/Nora_Gutierrez_v_Converse_Inc_et_al__cacdce-23-06547__0104.0.pdf