What’s Happening in the World?

While the field of Data Protection is developing at an accelerating pace in our country, worldwide developments remain on the radar of the Personal Data Protection Authority (“Authority”).

As the examples we have repeatedly encountered show, the Authority keeps up with the global agenda, in particular the European General Data Protection Regulation (“GDPR”), and tries to keep pace with the requirements of the fast-moving data privacy world.

As GRC Legal Law Firm, we closely follow the global agenda and, in this bulletin, present a selection of current developments for your information.

The news below covers December 2022 – January 2023.

Fortnite x FTC

The Federal Trade Commission (“FTC”) said it had secured record settlements in two cases against Epic Games, the creator of the popular game Fortnite. The video game company will pay a total of $520 million to resolve complaints about children’s privacy and deceptive methods of inducing players to make purchases.

“Epic used default settings and deceptive interfaces that violated the privacy of Fortnite users, including teens and children,” FTC chair Lina Khan said in a statement.

Epic Games agreed to pay a $275 million fine for collecting personal information from Fortnite players under the age of 13 without notifying their parents or obtaining their consent. This is the largest fine ever imposed for a violation of an FTC rule.

The company is also paying $245 million in refunds to customers who were victims of so-called dark patterns and of its billing practices. Dark patterns are deceptive online design techniques used to induce users to do things they do not intend to do.

“Fortnite’s counterintuitive, inconsistent, and confusing button configuration caused players to incur unwanted charges by pressing a single button,” the FTC said. Players could be charged by pressing a nearby button while the game was on a loading screen, when trying to wake the game from sleep mode, or when simply trying to preview an item. “These tactics led to hundreds of millions of dollars in unauthorised payments for consumers,” the FTC said.

“Statutes written decades ago do not dictate how gaming ecosystems should operate. Laws have not changed but practices have evolved, so long-standing industry practices are no longer sufficient.”

TikTok x Forbes

An internal investigation by ByteDance, the parent company of the video-sharing platform TikTok, has revealed that employees improperly accessed the IP addresses and user data of several journalists covering the Company in order to determine whether they were in the same locations as ByteDance employees.

According to materials reviewed by Forbes, ByteDance followed numerous Forbes journalists as part of this covert surveillance campaign designed to uncover the source of leaks within the Company following a series of articles exposing the Company’s ongoing ties to China.

As a result of the investigation into the surveillance tactics, ByteDance suspended its chief internal auditor, Chris Lepitak, who led the team responsible for them. Song Ye, the China-based executive to whom Lepitak reported and who in turn reported directly to ByteDance’s CEO, resigned.

“I was deeply disappointed when I was made aware of the situation… and I’m sure you feel the same,” Liang said in an email shared with Forbes: “The public trust that we have worked so hard to build will be significantly undermined by the misconduct of a few individuals. … I believe this is a lesson for us all.”

In a second email shared with Forbes, TikTok General Counsel Erich Andersen said: “It is standard practice for companies to have an internal audit group with the authority to investigate code of conduct violations. In this case, however, individuals abused their authority to gain access to TikTok user data.”

Forbes first reported the surveillance tactics overseen by a China-based team at ByteDance in October 2022; when asked for comment at the time, ByteDance and TikTok did not deny the surveillance. After the article was published, however, the company stated on Twitter that TikTok had never targeted members of the US government, activists, public figures or journalists, and did not track US users as the article claimed. In the internal email shared with Forbes, Liang acknowledged that TikTok had been used in exactly the way Forbes reported.

The investigation, known as Project Raven, began in the summer of 2022 after BuzzFeed News published a story revealing, on the basis of more than 80 hours of audio recordings of TikTok’s internal meetings, that employees of China-based ByteDance had repeatedly accessed US user data.

According to ByteDance documents reviewed by Forbes, Project Raven involved the company’s Chief Security and Privacy Office, was known to TikTok’s Head of Global Legal Compliance, and was approved by ByteDance employees in China. Three Forbes reporters who previously worked at BuzzFeed News, Emily Baker-White, Katharine Schwab and Richard Nieva, were followed.

“This is a direct attack on the idea of a free press and its critical role in a functioning democracy,” Forbes’ Chief Content Officer (CCO) said. “We expect a direct response from ByteDance because this raises fundamental questions about what they do with the information they collect from TikTok users.”

Following the publication of the article, TikTok spokesperson Hilary McQuaide said: “The misconduct by some people who no longer work at ByteDance was an egregious abuse of their authority to gain access to user data. This inappropriate behaviour is unacceptable and goes against our TikTok-wide efforts to earn the trust of our users.” “ByteDance condemns this misguided scheme that violates the Company’s code of conduct,” added ByteDance spokesperson Jennifer Banks.

Banks said she found no evidence that ByteDance tracked Forbes journalists beyond Baker-White, but the investigation is ongoing. Internal company materials reviewed by Forbes show that Schwab and Nieva were also spied on.

Banks also stated that Catherine Razzano, head of Global Legal Compliance, was unaware of the surveillance of journalists until late October. However, internal materials analysed by Forbes show that she was aware of the situation before the Project Raven leak investigation.

“This new development reinforces serious concerns that the social media platform allowed TikTok engineers and executives in China to repeatedly access private data of US users, despite repeated claims to lawmakers and users that this data was protected,” Senator Mark Warner told Forbes. The US Department of Justice has also been promising for over a year that it is looking for ways to protect US user data from ByteDance and the Chinese Communist Party, prompting the comment that “it is time to come forward with this solution, or Congress may soon be forced to step in.”

According to an internal memo sent by Andersen, ByteDance found that several of its employees had obtained data via TikTok on “a former BuzzFeed reporter and a Financial Times reporter” as well as “a small number of people connected to the reporters”. The audit was carried out by Covington & Burling, the law firm representing TikTok in the lawsuit against the US government. Covington did not respond to a request for comment.

In addition to firing Chris Lepitak, TikTok’s Chief Internal Auditor, who had previously been suspended, ByteDance fired two other TikTok employees in the US and China as a result of the findings. Lepitak did not immediately respond to a request for comment. “None of the individuals found to have directly participated in or supervised the misguided scheme continue to work at ByteDance,” Andersen said in internal correspondence.

“We take data security incredibly seriously,” TikTok CEO Shou Zi Chew wrote in an email to employees, adding that Project Texas, which will limit China-based access to the company’s US user data and was first reported by Baker-White, was evidence of this commitment.

In 2021, TikTok became the world’s most visited website. ByteDance is currently negotiating a national security agreement with the Treasury Department’s Committee on Foreign Investment in the United States (“CFIUS”) that will govern the way it handles Americans’ personal data. As part of Project Texas, the Company sought to address concerns about its ties with China by working to move some user information so that it is stored in a data centre managed by Oracle.

Forbes reported that the ByteDance internal audit and investigation team that oversaw the surveillance campaign against journalists was also investigating TikTok global security chief Roland Cloutier, who had been tasked with overseeing efforts to limit Chinese employees’ access to American user data. Cloutier resigned in July 2022.

At least five senior employees who led departments at TikTok left the company after it became clear that they could not meaningfully influence decision-making. TikTok and ByteDance declined to comment on employee investigations or departures.

Forbes also found LinkedIn profiles of three hundred ByteDance employees showing that they had previously worked for Chinese state media publications. Twenty-three of the profiles appeared to belong to ByteDance executives. At the time, ByteDance spokesperson Jennifer Banks said that hiring decisions for businesses in the Chinese market, including people who had previously worked in government or state media positions in China, were made solely on the basis of the person’s professional ability to do the job.

ByteDance is not the first tech giant to use an app to track specific users. Both Uber and Facebook have reportedly tracked the locations of journalists reporting on their apps. A 2015 investigation by the Electronic Privacy Information Center found that Uber had tracked the locations of journalists covering the company; Uber did not respond specifically to this allegation. A 2021 book, An Ugly Truth, alleges that Facebook did the same thing in order to identify journalists’ sources; Facebook did not respond directly to the allegations in the book.

But there is an important factor that distinguishes ByteDance’s collection of users’ information from these cases: TikTok told lawmakers in June that access to certain US user data, possibly including location, “will be limited to authorised personnel only in accordance with protocols under development with the US”.

Just as TikTok was trying to convince US authorities that it could be trusted, its Beijing-based parent company misused its systems to obtain data on reporters. Critics believe that, after this last straw, it is no longer possible for US authorities to trust TikTok.

Facebook x Cambridge Analytica

Facebook’s parent company Meta has agreed to a $725 million settlement in its long-running US class action lawsuit in which it was accused of allowing third parties to access users’ personal data, according to a court document.

In the document published by Reuters, the plaintiffs ask the court to grant preliminary approval of the $725 million irrevocable settlement. It must be approved by the San Francisco court where it was filed, with a hearing to be held in March 2023.

The settlement is the largest ever achieved in a data privacy class action and the highest amount Facebook has ever paid to settle a private class action, according to the document.

According to plaintiffs’ estimates, the total number of people affected is in the range of 250-280 million from 24 May 2007 to 22 December 2022.

A Meta spokesperson said in a statement: “We have reached a settlement because it is in the best interests of our community and shareholders. Over the last three years we have revamped our approach to privacy and implemented a comprehensive privacy programme.”

What Happened?

Facebook users sued the company for damages in 2018, alleging that the social media giant had shared their personal data with third parties. These included the notorious British data analytics company Cambridge Analytica, which was linked to Donald Trump’s successful presidential campaign in 2016.

EU x IDPC

The European Union (EU) Ombudsman, Dr Emily O’Reilly, has called for close monitoring of Ireland’s Big Tech GDPR cases. The decision concludes a year-long investigation into allegations that the European Commission failed to adequately monitor how data protection rules were being applied in Ireland. The complaint was brought by the Irish Council for Civil Liberties (ICCL).

The Irish Data Protection Commission (IDPC) is the lead regulator under GDPR rules for US tech players with European headquarters in Ireland, including Meta, Google, TikTok and Twitter.

The IDPC has been criticised for the way it handles complaints against Big Tech under the GDPR. In October 2022, the ICCL claimed that there was little to suggest that Ireland was diligently enforcing the GDPR. The Ombudsman recommended regular bi-monthly checks by the European Union and the establishment of a set of prescribed rules and tables that the IDPC could fill in for specific cases.

CNIL x Microsoft

The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, “CNIL”) fined Microsoft 60 million euros over advertising cookies.

In its statement on the fine, CNIL said that Bing, Microsoft’s search engine, placed cookies on users’ devices without their consent when they visited the site, that these cookies were also used for advertising purposes, and that users were given no option to reject them.

The CNIL said that the fine was justified by the advertising profits the company indirectly derived from the data collected through the cookies. The company was also given three months to correct the problems and will be fined an additional 60,000 euros for each day the corrections are delayed. The fine was imposed on Microsoft Ireland, where the company’s European headquarters is located. Microsoft, for its part, argued that it had made significant changes to its cookie settings before the investigation began.

Personalised advertising, one of the main revenue sources of companies such as Facebook and Google, is seen as extremely important for technology platforms, but data protection and privacy advisers have long opposed the practice. Google and Facebook were previously fined 150 million and 60 million euros, respectively, by the CNIL for similar violations related to the use of cookies. In this light, it is clear that cookie practices are on the radar of data protection authorities.

NIS2 Directive

The NIS2 Directive, which entered into force on 27 December 2022, strengthens cybersecurity risk management requirements and introduces reporting obligations in sectors such as energy, transport, health and digital infrastructure.

Member states have been given an adaptation period of 21 months from the entry into force of the Directive to fulfil their obligations under NIS2 and reach full compliance.

How the NIS2 Directive, which has already prompted many questions about the breadth of its scope and its effects, will play out in practice remains to be seen.

USA x TikTok

TikTok has been banned on devices issued by the US House of Representatives. In August 2022, all lawmakers and staff with House-issued mobile phones were ordered to remove TikTok by Catherine Szpindor, the House’s Chief Administrative Officer (CAO), who warned that the application “poses a high risk to users”.

According to information obtained by NBC News and confirmed by the US House of Representatives, House staff are not allowed to download the TikTok application to any House mobile device. “We can confirm that the House Administration Committee has authorised the CAO Office of Cybersecurity to remove TikTok from all devices managed by the House,” the statement said.

What Happened?

In August 2022, the CAO issued a cyber advisory labelling TikTok a high-risk application due to its “lack of transparency on how it protects customer data”. TikTok, owned by Beijing-based ByteDance, was said to be actively harvesting content for personal data and storing some user data in China. TikTok, for its part, stated that its data is kept in the USA and Singapore, not in China.

This move by the CAO came amid numerous attempts to restrict the use of TikTok by government and state employees. In recent weeks, Congress passed a $1.7 million budget bill that included a provision banning TikTok from government devices. The ban will take effect once President Joe Biden signs the legislation.

In addition, in December, US Senator Marco Rubio introduced a bill to ban TikTok from the US entirely. Rubio said it was time to ban Beijing-controlled TikTok for good. Although Biden previously revoked executive orders by his predecessor Donald Trump that targeted TikTok and ordered it to sell its US business, it is known that the Committee on Foreign Investment in the United States (CFIUS), which examines business deals involving foreign companies, is also conducting a security review of TikTok. According to recent reports, TikTok has offered to submit its US business to external audit in order to avoid a complete ban.

According to another report, at least 19 US states have partially blocked the app on state-run devices due to security concerns. Against this background, TikTok said in a statement following the Congressional ban that the move was “a political gesture that will not benefit national security interests”.

Twitter x Ryushi

A data protection watchdog will investigate Twitter after a hacker claimed to hold private information linked to more than 400 million accounts.

The hacker “Ryushi” is demanding $200,000 to return and delete the data, which reportedly includes the data of some celebrities. The Irish Data Protection Commission (IDPC) said it would investigate Twitter’s compliance with data protection law in relation to this security issue. Twitter did not comment on the allegation.

The data is said to include phone numbers and emails, including those of celebrities and politicians, but the size of the data has not yet been confirmed. So far only a small “sample” has been made public.

The Guardian reported that the data sample released by the hacker included the data of US Congresswoman Alexandria Ocasio-Cortez. The data of broadcaster Piers Morgan, whose Twitter account was recently accessed without authorisation, was also reportedly included.

Cybercrime intelligence company Hudson Rock said it was the first to raise the alarm about the data sale. The company’s chief technology officer, Alon Gal, acknowledged that the amount of data taken had not been verified, but said a number of clues had emerged that supported the hacker’s claim. Gal said the data did not appear to have been copied from a previous breach in which details from 5.4 million Twitter accounts were published.

“Only 60 of the 1,000 email samples provided by the hacker in the earlier incident were revealed, so we are confident that this breach is different and significantly larger,” Alon Gal said: “The hacker aims to sell the database through an escrow service offered on a cybercrime forum. Usually this is only done for genuine offers.”

An escrow service is a third party that agrees to release funds only when certain conditions (such as the delivery of data) are met.

Ryushi said he took advantage of a flaw in the interface that allows computer programs to connect to Twitter in order to compile the data. Twitter fixed the weakness in 2022, but the same flaw is also believed to have been used in the previous breach, which affected more than five million accounts.

In a statement sent to the BBC about the latest incident, the IDPC noted its ongoing investigation into the earlier Twitter breach but added: “Reports claim that some additional data sets are now available for sale on the dark web. The IDPC has contacted Twitter in this investigation and will examine Twitter’s compliance with the GDPR in relation to this security issue.”

The hacker recognises how damaging data loss can be for platforms, and in the post in which he offers to sell the data, he warns Twitter that its best chance of avoiding a large data protection fine is to get the data back.

The UK’s Information Commissioner’s Office (ICO) said that it was aware of media reports about Twitter users’ personal information being made available on the internet, that it was in dialogue with Twitter’s data protection officer, and that it would investigate and cooperate with the IDPC.