DPOInsider #33

New year same old Meta; Twitter hacker breach

Jan 13

The DPO Insider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️

Meta’s New Year kicks off with $410M+ in fresh EU privacy fines

Welcome back, and we’re straight in. What a new year it’s been for Meta.

The DPC announced these fines as it was confirmed that contractual necessity is not an appropriate basis for processing personal data for behavioral ads.

After a number of hefty fines in 2022 for a data scraping breach, a violation over children’s privacy and cookie consent violations, this is a woeful start to the new year for Meta.

And not just because these fines represent more than the combined total of their fines last year. It’s because behavioral ads are a fundamental part of Meta’s business model.

It’s another GDPR decision with profound consequences. Data protection cases have forced governments to sign bilateral agreements, undermined trillion-dollar business models and challenged how companies track people's day-to-day lives.

So, this decision confirms that the DPC has not ordered Meta to adopt "consent" for its targeting of ads. The DPC says that identifying a new legal basis "may" be one of the things Meta does to bring itself into compliance.

However, it seems that Meta is running out of legal basis from which to choose from.

Without too much hyperbole, could this ruling be saying that targeted advertising in this form is unlawful?

If that’s true, then it could mean less personalization for Meta’s ad business and, ultimately, less revenue.

Either way, this is a fascinating start to the new year for data privacy and advertising.

Hackers reportedly leak email addresses of more than 200 million Twitter users

A dataset allegedly containing the email addresses and phone numbers of more than 400 million Twitter users has been put up for sale on hacking forum Breached Forums.

The dataset was uploaded to Breached Forums on December 23, 2022, by a hacker going by the screen name ‘Ryushi’. The hacker claimed to have collected the data using data scraping techniques and a now-patched vulnerability in the social media site’s software in 2021 and demanded US$200,000 for an “exclusive” sale of the data.

🏴‍☠️🕊🍓Puck Arks🍓🕊🏴‍☠️ @PuckArksReturns

Sample of 400 million Twitter breach Alexandria Ocasio-Cortez - SpaceX - CBS Media - Donald Trump Jr. - Doja Cat - Charlie Puth - Sundar Pichai - Salman Khan - NASA's JWST account - NBA - Ministry of Information and Broadcasting, India - Shawn Mendes - Social Media of WHO

Ryushi went on to say that the data breach would exacerbate an already “sensitive time” for content creators on Twitter, and that if Musk was unsure about what to do, he should “run a poll on Twitter like usual and people will choose their fate”, a reference to the fact Musk has allegedly used Twitter polls to influence business decisions.

A major breach at Twitter may interest regulators on both sides of the Atlantic. The data protection commission in Ireland, where Twitter has its European headquarters, and the US Federal Trade Commission have been monitoring the Elon Musk-owned company for compliance with European data protection rules and a US consent order respectively.