Facebook must improve its privacy practices
Plus: EU-US adequacy decision - how long will it last?
🔥 EU-US adequacy decision: how long will it last?
The adequacy decision for the EU-U.S. Data Privacy Framework is out - but it might not last long. According to the official document: "The Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Data Protection Framework from a controller or a processor in the Union to certified organisations in the United States" (page 3) and "This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organisations in the United States may take place without the need to obtain any further authorisation" (page 3). According to the official press release, Ursula von der Leyen, the President of the European Commission, said: “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.” However, despite the global excitement around the topic and various government officials publicly celebrating it, it is unclear how long it will last. Max Schrems wrote this week on Twitter: "So today @EU_Justice is announcing 'SafeHarbor 3.0'! 'After a 'Harbor', 'Umbrella' and 'PrivacyShield' it's now a 'Framework', but guess what: it is largely a copy of the old principles! WhatCouldGoWrong." Noyb (Schrems' organization) wrote on their website: "Third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months. The allegedly 'new' Trans-Atlantic Data Privacy Framework is largely a copy of the failed 'Privacy Shield.' Despite the European Commission's public relations efforts, there is little change in US law or the approach taken by the EU. The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights." Noyb said they will challenge this decision - Schrems III might be on the way. What is your view on the topic? Next week, I will have a live talk with Max Schrems to discuss GDPR enforcement challenges. So far, 2,400+ people have confirmed attendance, I welcome you to join us live.
🔥 Threads: extreme growth, privacy, and the DMA
If you were online in the last few days, you probably heard that Meta launched its new app - Threads - a direct competitor to Twitter. According to Mark Zuckerberg: “I think there should be a public conversations app with 1 billion+ people on it. Twitter has had the opportunity to do this but hasn’t nailed it. Hopefully we will.” Threads is connected to Instagram, and this network effect has helped it reach 100 million users in 5 days. (Remember that a few months ago, everybody was talking about how OpenAI's 2 months to get to 100 million was so much faster than TikTok's 9 months - and here we are, with 5 days for Threads; so will the next app reach 100 million users in what, 2 hours?). Last week, I discussed some of Thread’s privacy issues, and today I would like to add the fact that it is impossible to delete Threads without deleting Instagram - and this is also problematic from a privacy perspective. The two social networks are clearly separated environments (for example, you have to install two apps, settings are different, etc.), and a user should be able to exercise the right to erasure in one of them while keeping the activities in the other one. It looks like they are working on it, as the head of Instagram clarified. Another hot topic involving Threads is that it has not launched in the EU yet. According to Meta spokesperson Christine Pai, this is due to “upcoming regulatory uncertainty,” and it's believed that this is due to the Digital Markets Act - the DMA. July 3rd was the deadline for platforms to notify the EU Commission that they meet the thresholds to qualify as gatekeepers under the DMA. The following companies have declared that they meet the thresholds: Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Samsung. On this official page, you can find more information about what it means to be a gatekeeper under the DMA (and here is the full text). On a personal note, I tried Threads for a day and did not enjoy it mostly because of: a) the lack of focus on topics of interest, as you can only search for a person, not keywords. I cannot, for example, find other accounts sharing content that I am interested in; b) the strong algorithmic curation based on geolocation. I found the algorithm very similar to TikTok, where I do not have power over what I see, and the algorithm pushed content around my location; c) the lack of a web version for posting, you can only post content using the mobile version. For now, I have abandoned it, but let's see if Zuckerberg will convince me to become a regular user.
🔥 AI involves much more human work than you think
I recently read two excellent articles about the human work behind AI. The first one was written by Josh Dzieza for The Verge and is called AI Is a Lot of Work. This will be one of the best in-depth articles you will read about the not-so-hyped work of thousands of annotators required to build AI models. A quote from the article: “Annotation remains a foundational part of making AI, but there is often a sense among engineers that it’s a passing, inconvenient prerequisite to the more glamorous work of building models. You collect as much labeled data as you can get as cheaply as possible to train your model, and if it works, at least in theory, you no longer need the annotators. But annotation is never really finished. Machine-learning systems are what researchers call ‘brittle,’ prone to fail when encountering something that isn’t well represented in their training data. These failures, called ‘edge cases,’ can have serious consequences.” The second recommended article on the topic is this one written by Melissa Heikkilä to MIT Technology Review called We are all AI’s free data workers. The article mentions that “Data annotators are involved in every stage of AI development, from training models to verifying their outputs to offering feedback that makes it possible to fine-tune a model after it has been launched. They are often forced to work at an incredibly rapid pace to meet high targets and tight deadlines, says Srravya Chandhiramowuli, a Ph.D. researcher studying labor practices in data work at City, University of London.” Both articles are recommended, read them to understand the people and the massive human work behind the AI hype.
🔥 Facebook must improve its privacy practices
Facebook has almost 3 billion monthly active users - more than 30% of the Earth's human population is on Facebook. Next year, it will complete 20 years of existence, and it certainly did not happen without privacy fines and scandals. However, even being so popular and almost 20 years old, their privacy practices are still problematic, and I get so frustrated every time I must log in to check something related to my kids (or to get examples of invasive privacy practices). Today I want to talk about some of Facebook's bad privacy practices involving privacy UX, product policies, and product functionalities so that you and your company won't do the same mistakes:
a) even before a person creates an account, Facebook will have already created a “non-user profile” based on information sent or shared by other users of the social network, although the non-user had never been notified of this or given the option to delete this profile;
b) if the person is connecting for the first time,