An anonymous reader shares a report: If Meta is not given the option to transfer, store and process data from its European users on US-based servers, Facebook and Instagram may be shut down across Europe, the social media giants' owner reportedly warned in its annual report. The key issue for Meta is transatlantic data transfers, regulated via the so-called Privacy Shield and other model agreements that Meta uses or used to store data from European users on American servers. The current agreements to enable data transfers are currently under heavy scrutiny in the EU. In its annual report to the U.S. Securities and Exchange Commission, Meta warns that if a new framework is not adopted and the company is no longer allowed to use the current model agreements "or alternatives," the company will "probably" no longer be able to offer many of its "most significant products and services," including Facebook and Instagram, in the EU, according to various media reports, including in iTWire, The Guardian newspaper and Side Line Magazine.

Sharing data between countries and regions is crucial for the provision of its services and targeted advertising, Meta stressed. Therefore, it previously used the transatlantic data transfer framework called Privacy Shield as the legal basis to carry out those data transfers. However, this treaty was annulled by the European Court of Justice in July 2020, because of data protection violations. Since then, the EU and the US did stress they are working on a new or updated version of the treaty.

"Facebook is threatening it will simply pull out of Europe altogether if it is no longer able to share data about European users with its U.S. operations, applications, and data centres," reports ITWire.

It's customary for regulatory filings to preemptively declare a wide variety of possible future hazards, and in that spirit a recently-filed Meta financial statement cites a ruling by the EU's Court of Justice (in July of 2020) voiding a U.S. law called the Privacy Shield (which Meta calls one legal basis for its current dara-transferring practices). Though courts are now determining the ruling's ramifications, ITWire notes that "with the European General Data Protection Regulation (GDPR) well in force, the U.S. Privacy Shield principles were found non-compliant and consequently invalid." So while that ruling affects every American company, including cloud companies like Google, Microsoft, and Amazon, it's Facebook/Meta that "says stopping transatlantic data transfers will have a devastating impact on its targeted online advertisements capabilities."

Read it yourself, in Meta's own words:

"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on Standard Contractual Clauses [now also subject to new judical scrutiny] or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations."

Of course, the filing also cites other hazards like the possibility of new legislation restricting Facebook's ability to collect data about minors, complaining that such legislation "may also result in limitations on our advertising services or our ability to offer products and services to minors in certain jurisdictions."

And in addition, "We are, and expect to continue to be, the subject of investigations, inquiries, data requests, requests for information, actions, and audits by government authorities and regulators in the United States, Europe, and around the world, particularly in the areas of privacy, data protection, law enforcement, consumer protection, civil rights, content moderation, and competition..."

"Orders issued by, or inquiries or enforcement actions initiated by, government or regulatory authorities could cause us to incur substantial costs, expose us to unanticipated civil and criminal liability or penalties (including substantial monetary remedies), interrupt or require us to change our business practices in a manner materially adverse to our business, result in negative publicity and reputational harm, divert resources and the time and attention of management from our business, or subject us to other structural or behavioral remedies that adversely affect our business."

(Thanks to Slashdot reader juul_advocate for sharing the story!)

"A pre-pandemic policy on airport usage is pressuring airlines to keep 'ghost flights' in the air," Wired reported this week — adding "The climate impact is massive." Lufthansa, Germany's national airline, which is based in Frankfurt, has admitted to running 21,000 empty flights this winter, using its own planes and those of its Belgian subsidiary, Brussels Airlines, in an attempt to keep hold of airport slots. Although anti-air travel campaigners believe ghost flights are a widespread issue that airlines don't publicly disclose, Lufthansa is so far the only airline to go public about its own figures.... Lufthansa's own chief executive, Carsten Spohr [said] the journeys were "empty, unnecessary flights just to secure our landing and takeoff rights." But the company argues that it can't change its approach: Those ghost flights are happening because airlines are required to conduct a certain proportion of their planned flights in order to keep slots at high-trafficked airports.

A Greenpeace analysis indicates that if Lufthansa's practice of operating no-passenger flights were replicated equally across the European aviation sector, it would mean that more than 100,000 "ghost flights" were operating in Europe this year, spitting out carbon dioxide emissions equivalent to 1.4 million gas-guzzling cars. "We're in a climate crisis, and the transport sector has the fastest-growing emissions in the EU," says Greenpeace spokesperson Herwig Schuster. "Pointless, polluting 'ghost flights' are just the tip of the iceberg."

Aviation analysts are split on the scale of the ghost flight problem. Some believe the issue has been overhyped and is likely not more prevalent than the few airlines that have admitted to operating them. Others say there are likely tens of thousands of such flights operating — with their carriers declining to say anything because of the PR blowback.

After a years-long process, data protection officials across the European Union have ruled that Europe's ad tech industry has been operating unlawfully. Engadget reports: The decision, handed down by Belgium's APD (.PDF) and agreed by regulators across the EU, found that the system underpinning the industry violated a number of principles of the General Data Protection Regulations (GDPR). The Irish Council for Civil Liberties has declared victory in its protracted battle against the authority which administers much of the advertising industry on the continent: IAB Europe. At the heart of this story is the use of the Transparency and Consent Framework (TCF), a standardized process to enable publishers to sell ad-space on their websites. This framework, set by IAB Europe, is meant to provide legal cover -- in the form of those consent pop-ups which blight websites -- enabling a silent, digital auction system known-as Real-Time Bidding (RTB). But both the nature of the consent given when you click a pop-up, and the data collected as part of the RTB process have now been deemed to violate the GDPR, which governs privacy rights in the bloc.

The APD has ruled that any and all data collected as part of this Real-Time Bidding process must now be deleted. This could have fairly substantial implications for many big tech companies with their own ad businesses, including Google and Facebook, as well as big data companies. It may also have a large impact on many media platforms and publishers on the continent who will now need to address the fallout from the finding. Regulators have also handed down an initial fine of 250,000 euros to IAB Europe and ordered the body to effectively rebuild the ad-tech framework it currently uses. This includes making the system GDPR compliant (if such a thing is possible) and appoint a dedicated Data Protection Officer. Until now, IAB Europe has maintained that it did not create any personal data, and said in December that it was a standards setter and trade association, rather than a data processor in its own right. IAB Europe says the ruling did not ban the use of Transparency and Consent Frameworks, adding that it's looking to reform the process and "submit the Framework for approval as a GDPR transnational Code of Conduct."

According to Engadget, [I]t may launch a legal challenge to fight the accusation that it is a data controller, a decision it says will "have major unintended negative consequences going well beyond the digital advertising industry."

The EU is taking a "Europe First" approach to technological standardization. From a report: The European Commission on Wednesday presented a plan to bolster its influence in creating global technology standards, as the bloc currently risks falling behind in global standardization organizations, where tech giants, government regulators and experts gather to set rules for how emerging technology works -- everything from the internet to batteries, connected devices and beyond. Faced with the U.S.' market dominance and China's aggressive attempts to rewrite global rules, the EU wants to raise its game. "We need to make sure we're not just a standard-taker. We need to be a standard-setter," said Thierry Breton, the EU's industry commissioner.

The new strategy comes at the start of a bumper year for standard-setting, which often happens out of the public eye, in industry-dominated groups packed with technical experts. Deals struck in organizations like the U.N.'s International Telecommunications Union (ITU) and the International Organization for Standardization (ISO) define how technology is implemented across the world. The ITU's flagship conference is scheduled for September in Budapest, when a new secretary-general will be named. Meanwhile, other international groups are working quickly to set standards for artificial intelligence, green technology and other major sectors, with companies and government officials tussling over which technologies will dominate the digital economy in the coming decade. The EU's plan follows its industrial strategy, released in March 2020, which already showed the bloc wants to set up competing policy initiatives to defend its companies against rivals from China and the U.S. that benefit from large-scale investment and subsidy schemes.

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

Meta Platforms' WhatsApp was given a month to answer European Union concerns over new terms and services that sparked outrage among consumers and privacy campaigners. From a report: WhatsApp must provide "concrete commitments" to address EU concerns about a possible lack of "sufficiently clear information" to users, or the exchange of user data between WhatsApp and third parties, the European Commission said Thursday. "WhatsApp must ensure that users understand what they agree to and how their personal data is used," EU Justice Commissioner Didier Reynders said in a statement. "I expect from WhatsApp to fully comply with EU rules that protect consumers and their privacy."

WhatsApp announced the policy changes a year ago, but was forced to delay their introduction until May after a backlash over what data the messaging service collects and how it shares that information with parent Facebook. European consumer association BEUC complained to the EU, saying the new terms and services were opaque. "WhatsApp bombarded users for months with persistent pop-up messages," BEUC said in reaction to the commission announcement. "WhatsApp has been deliberately vague about this, laying the ground for far-reaching data processing without valid consent from consumers."

Intel won a historic victory in its court fight over a record 1.06 billion-euro ($1.2 billion) competition fine, in a landmark ruling that upends one of the European Union's most important antitrust cases. From a report: The EU General Court ruled on Wednesday that regulators made key errors in a landmark 2009 decision over allegedly illegal rebates that the U.S. chip giant gave to PC makers to squeeze out rival Advanced Micro Devices (AMD). While the surprise ruling can be appealed one more time, it's a stinging defeat for the European Commission, which hasn't lost a big antitrust case in court for more than 20 years. The Luxembourg-based EU court said the commission provided an "incomplete" analysis when it fined Intel, criticizing it for failing to provide sufficient evidence to back up its findings of anti-competitive risks.

Hacktivists in Belarus said on Monday they had infected the network of the country's state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. Ars Technica reports: Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram: "BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the 'Peklo' cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed [...]." The group also announced the attack on Twitter.

A representative from the group said in a direct message that the Peklo cyber campaign targets specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. "The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep... thousands of political prisoners," the representative wrote. "The major goal is to overthrow Lukashenko's regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights."

At the time this post went live, several services on the railway's website were unavailable. Online ticket purchases, for instance, weren't working [...]. The representative said that besides ticketing and scheduling being disrupted, the cyberattack also affected freight trains. According to reports, Russia has been sending military equipment and personnel by rail into Belarus, which shares a border with Ukraine. @belzhd_live, a group of Belarus Railway workers that tracks activity on the 5,512-km railway, said on Friday that in a week's time, more than 33 Russian military trains loaded with equipment and troops had arrived in Belarus for joint strategic exercises there. The worker group said at the time that it expected a total of 200 so-called echelons to arrive in the coming days.

"The European Union took a significant step Thursday toward passing legislation that could transform the way major technology companies operate," reports the Washington Post, "requiring them to police content on their platforms more aggressively and introducing new restrictions on advertising, among other provisions...."

"The legislation is the most aggressive attempt yet to regulate big tech companies as the industry comes under greater international scrutiny." The version approved Thursday would force companies to remove content that is considered illegal in the country where it is viewed, which could be Holocaust denials in Germany or racist postings in France. And it would significantly shape how companies interact with users, allowing Europeans to opt out of targeted advertising more easily and prohibiting companies from targeting advertisements at children.... The legislation would also ban companies from employing deceptive tactics known as dark patterns to lure users to sign up or pay for services and products. And it would allow users to ask companies which personal characteristics, such as age or other demographic information, led them to be targeted with certain advertisements.
The two legislation bodies of the 27-nation bloc "are expected to debate the contents of the legislation for months before voting on a final version," the Post adds. But they add this a vote on "initial approval" of the legislation passed "overwhelmingly". "With the [Digital Services Act] we are going to take a stand against the Wild West the digital world has turned into, set the rules in the interests of consumers and users, not just of Big Tech companies and finally make the things that are illegal offline illegal online too," said Christel Schaldemose, the center-left lawmaker from Denmark who has led negotiations on the bill.

The Post adds this quote from Gianclaudio Malgieri, an associate professor of technology and law at the EDHEC Business School in France. "For the first time, it will not be based on what Big Tech decides to do," he said. "It will be on paper."

In fact, the site Open Access Government reports there were 530 votes for the legislation, and just 78 against (with 80 abstentions). "The Digital Services Act could now become the new gold standard for digital regulation, not just in Europe but around the world," they quote Schaldemose as saying, also offering more details on the rest of the bill: Algorithm use should be more transparent, and researchers should also be given access to raw data to understand how online harms evolve. There is also a clause for an oversight structure, which would allow EU countries to essentially regulate regulation. Violations could in future be punished with fines of up to 6% of a company's annual revenue....

The draft Bill is one half of a dual-digital regulation package. The other policy is the Digital Markets Act (DMA), which would largely look at tackling online monopolies.
Thanks to long-time Slashdot reader UpnAtom for sharing the story.

The European Union is interested in building its own recursive DNS service that will be made available to EU institutions and the general public for free. From a report: The proposed service, named DNS4EU, is currently in a project planning phase, and the EU is looking for partners to help build a sprawling infrastructure to serve all its current 27 member states. EU officials said they started looking into an EU-based centrally-managed DNS service after observing consolidation in the DNS market around a small handful of non-EU operators. "The deployment of DNS4EU aims to address such consolidation of DNS resolution in the hands of few companies, which renders the resolution process itself vulnerable in case of significant events affecting one major provider," officials said in the DNS4EU infrastructure project revealed last week. But EU officials said that other factors also played a role in their decision to build DNS4EU, including cybersecurity and data privacy.

"As part of their growing battle against popular open source software tool youtube-dl, three major music labels are now suing Uberspace, the company that currently hosts the official youtube-dl homepage," reports TorrentFreak: According to plaintiffs Sony, Universal and Warner, youtube-dl circumvents YouTube's "rolling cipher" technology, something a German court found to be illegal in 2017.... While the RIAA's effort to take down youtube-dl from GitHub grabbed all the headlines, moves had already been underway weeks before that in Germany. Law firm Rasch works with several major music industry players and it was on their behalf that cease-and-desist orders were sent to local hosting service Uberspace. The RIAA complained that the company was hosting the official youtube-dl website although the tool itself was hosted elsewhere.

"The software itself wasn't hosted on our systems anyway so, to be honest, I felt it to be quite ridiculous to involve us in this issue anyway — a lawyer specializing in IT laws should know better," Jonas Pasche from Uberspace said at the time.

In emailed correspondence today Uberspace informed TorrentFreak that, following the cease-and-desist in October 2020, three major music labels are now suing the company in Germany... According to the labels, youtube-dl poses a risk to their business and enables users to download their artists' copyrighted works by circumventing YouTube's technical measures. As a result, Uberspace should not be playing a part in the tool's operations by hosting its website if it does not wish to find itself liable too....

The alleged illegality of youtube-dl is indeed controversial. While YouTube's terms of service generally disallow downloading, in Germany there is the right to make a private copy, with local rights group GEMA collecting fees to compensate for just that. Equally, when users upload content to YouTube under a Creative Commons license, for example, they agree to others in the community making use of that content. "Even if YouTube doesn't provide video download functionality right out of the box, the videos are not provided with copy protection," says former EU MP Julia Reda from the Society for Freedom Rights (GFF) to NetzPolitik. "Not only does YouTube pay license fees for music, we all pay fees for the right to private copying in the form of the device fee, which is levied with every purchase of smartphones or storage media," says Reda.

"Despite this double payment, Sony, Universal and Warner Music want to prevent us from exercising our right to private copying by saving YouTube videos locally on the hard drive."

Europol, the law enforcement agency of the European Union (EU), has been ordered to delete its massive database of information on EU citizens that it collected in recent years if the agency did not link subjects to any ongoing criminal activity. From a report: The decision was announced today by the European Data Protection Supervisor, an EU-independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection. The EDPS said that Europol has one year to comply with its decision, during which time the law enforcement agency must filter its database and delete any information on EU citizens that are not part of criminal investigations. Europol will be allowed to process personal information as part of investigations, but the data on those not linked to crimes must be erased after six months. "This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline," the EDPS said in a press release on Monday.

Brussels Airlines has operated 3,000 flights without passengers this winter to avoid losing take-off and landing slots. From a report: The airline's parent company, Lufthansa Group, confirmed that 18,000 flights had been flown empty, including 3,000 Brussels Airlines services, reports The Bulletin. EU rules require that airlines operate a certain percentage of scheduled flights to keep their slots at major airports. Under these "use it or lose it" regulations, prior to the pandemic carriers had to utilise at least 80 per cent of their scheduled take-off and landing slots. This was revised to 50 per cent as coronavirus saw travel become increasingly difficult -- but airlines are still struggling to hit this target. As a result of Lufthansa Group's latest figures, the Belgian federal government has written to the European Commission, calling for a change to the rules on maintaining slots. It follows the news that European airlines are slashing their winter schedules amid a dampening of demand due to Omicron travel restrictions. Lufthansa Group, which owns the carriers Lufthansa, Swiss International Airlines, Austrian Airlines, and Eurowings in addition to Brussels Airlines, has already axed 33,000 flights in January and February.

An anonymous reader quotes a report from Gizmodo: Behind every TikTok, Zoom call, and cat meme is a data center that stores, processes, or reroutes that data around the world. The more we do online, the bigger these data centers and their energy footprint get. At full capacity, servers within a modern "hyperscale" (aka "massive") data center can use as much power as 80,000 households. Although the data center industry is global, places with the right combination of stable climate and friendly regulations attract outsized attention from data center developers. Ireland is one of these places. The island nation hosts 70 data centers and is now the fastest-growing data center market in Europe. Unfortunately, supplying the equivalent of several extra cities worth of electricity to servers that aid your doomscrolling is starting to take a toll on Ireland's power grid.

Data centers already use around 900 megawatts of electricity in Ireland. According to Paul Deane, an energy researcher working with the MaREI Environmental Research Institute in Ireland, this adds up to at least 11% of Ireland's total electricity supply at present, a situation he described "as a serious energy systems problem." As Deane outlined, meeting this demand is making Ireland's current energy crisis worse and its target of halving greenhouse emissions by 2030 harder to reach. And things are only getting more challenging. A recent report from Eirgrid, Ireland's state-owned grid operator, shows that data centers will consume almost 30% (PDF) of Ireland's annual electricity supply by 2029.

Although, as Deane pointed out, data centers are essential to modern life, a small country with little grid power to spare hosting so many of them puts the sustainability of Ireland's entire power supply at risk. Deane summed up Ireland's issue with data centers as being a mismatch in size. "Data centers are large power users, and our power system is small, so plugging more of them into a small grid will start to have an outsized impact," he said. In stark comparison, Germany, the EU's biggest data center market overall, will use less than 5% of its grid capacity to power data centers in the same period. As well as stoking fears that the industry's growth will create blackouts and power shortages for Irish consumers this winter, data centers may also derail Ireland's drive to reach net zero emissions by 2050.

Politico reports: When Ford announced that starting in 2023 its cars and trucks would come with Google Maps, Assistant and Play Store preinstalled, CEO Jim Farley called the partnership between his iconic U.S. automaker and the search giant a chance to "reinvent" the automobile — making it an office-on-wheels, with more connectivity than any phone or laptop. "We were spending hundreds and hundreds and hundreds of millions every year, keeping up with basically a generic experience that was not competitive to your cellphone," Farley crowed on CNBC, announcing the six-year deal with the tech giant.... But many tech-industry watchdogs looked at the Ford-Google car of the future with different eyes. They fear that tech companies will soon be doing to cars what they did to phones: Tying their exclusive operating systems to specific products to force out competitors and dominate a huge swath of the global economy.

Indeed, the smartphone wars are over, and Google and Apple won. Now they — and Amazon — are battling to control how you operate within your car. All three see autos as the next great opportunity to reach American consumers, who spend more time in the driver's seat than anywhere outside their home or workplace. And automakers, after years of floundering to incorporate cutting-edge technologies into cars on their own, are increasingly eager for Silicon Valley's help — hoping to adopt both its tech and its lucrative business models where consumers pay monthly for ongoing services instead of shelling out for a product just once. Now, having missed the boat as the tech giants cornered the market on smartphones, some policymakers and regulators believe the battle over connected cars represents a chance to block potential monopolies before they form.

State attorneys general who sued Google in 2020 for monopolizing online search highlighted concerns about the company's move into autonomous cars in their federal antitrust complaint. Meanwhile, in Europe, the EU's competition authority has opened a probe into Google's contracts related to connected cars... While Silicon Valley and automakers are thrilled about the future of connected and autonomous cars, regulators and privacy advocates are less so. "These companies have an amount of data on us that they shouldn't have, and they have a history of not using it in responsible ways," said Katharine Trendacosta of the digital civil liberties group Electronic Frontier Foundation. "They have a history of going back on promises they have made about that data."

She cited Google's pledge during the DoubleClick acquisition in 2008 — which it later reneged on — not to combine data from its consumer products with that from its advertising services.
The article quotes Tennessee Attorney General Herbert Slatery III, who last December complained that "When smartphones took off, Google made sure they controlled search on Apple's iPhone. They are doing the same thing on voice and connected cars. It's a similar playbook." And an executive at an automotive supplier that competes with Google tells Politico that Google is already "corralling everything through their system and controls what information is released downstream."

And Jim Heffner, a vice president at Cox Automotive Mobility, adds that "The ride is no longer the point. Data is the cornerstone. ... Apple and Google and others want to be at the epicenter of that."

The European Commission has approved Microsoft's $19.7 billion bid to buy Nuance Communications. Engadget reports: The regulator said on Tuesday the proposed acquisition "would raise no competition concerns" within the European Union. In analyzing the bid, it found that "Microsoft and Nuance offer very different products." Moreover, it believes the company will continue to face "strong" competition from other firms in the future. Before today, the US and Australia had both signed off on the purchase, but it's not yet a done deal. On December 13th, the UK's Competition and Markets Authority said it would investigate the transaction. With the regulator accepting public comments until January 10th, 2022, it's unlikely the deal will close by the end of 2021 as Microsoft had said it would when it first announced its intention to buy Nuance. In April, Microsoft agreed to acquire the speech-to-text software company, claiming the acquisition was about increasing its presence in the healthcare vertical.

Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO. Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic. From the report: In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards. In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S. The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards. Still, Facebook -- the company at the heart of both cases -- thinks it shouldn't follow the court's reasoning.

The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S. "The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield. The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement. "Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation," notes Politico. "This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove its sufficiently protected."

Controversial facial recognition company, Clearview AI, which has amassed a database of some 10 billion images by scraping selfies off the Internet so it can sell an identity-matching service to law enforcement, has been hit with another order to delete people's data. From a report: France's privacy watchdog said today that Clearview has breached Europe's General Data Protection Regulation (GDPR). In an announcement of the breach finding, the CNIL also gives Clearview formal notice to stop its "unlawful processing" and says it must delete user data within two months. The watchdog is acting on complaints against Clearview received since May 2020. The US company does not have an established base in the EU -- meaning its business is open to regulatory action across the EU, by any of the bloc's data protection supervisors. So while the CNIL's order only applies to data it holds on people from French territories -- which the CNIL estimates covers "several" tens of millions of Internet users -- more such orders are likely from other EU agencies.

Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe. BleepingComputer reports: "As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized," the Cyberpolice Department of the National Police of Ukraine said. "The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States."

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site's name was not revealed in the press release). On the now shutdown illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info. "A total of 117 searches were conducted in different regions of Ukraine. As a result, more than 90,000 gigabytes of information were removed."