Facebook is planning a social media network for young kids. Will it succeed? Probably.

Photo by Prateek Katyal on Unsplash

Mark Zuckerberg once said that the Children’s Online Privacy Protection Act (COPPA) was a “fight” Facebook would “take on at some point.”

This week, we learned Facebook is planning an Instagram for under-13s. If this is the fight, Facebook will probably win.

Why? Why would Facebook do this?

Instagram is currently unavailable for under-13s because they have special legal protections, meaning that it’s harder for businesses to collect their data and to target them with ads.

In the U.S., the main children’s privacy law is COPPA…


On 28 April, the U.K. Supreme Court hears Lloyd v Google — a vitally important case for the future of data rights. There’s a lot riding on this case.

Photo by Mitchell Luo on Unsplash

Consumer rights advocate Richard Lloyd is suing Google over the “Safari Workaround”.

Lloyd alleges that Google set cookies without consent (surely not!) on over 4 million UK iPhones in 2011/12, despite Apple’s browser protections that attempted to prevent this.

The case has big implications for data protection in the U.K.

Why is it such a big deal?

There are several reasons why Lloyd v Google is so significant.

First, the case…


Big tech’s most privacy-focused company is facing three data protection complaints and one antitrust investigation

Photo by Nikolai Chernichenko on Unsplash

Privacy is a major part of Apple’s brand. So you might be surprised to learn that the company is dealing with multiple investigations by EU data protection authorities over allegations that it is breaching privacy law.

Most recently, Apple was referred to France’s CNIL over allegations that ad personalisation is turned “on” by default in iOS 14. The group behind the complaint, France Digitale, claims that this violates the ePrivacy Directive and the GDPR.

Back in December, I wrote about a similar complaint filed with…


The Irish DPA has been criticised by the German federal data regulator. Fair enough?

Photo by gdtography from Pexels

Here’s the background:

A letter from thefederal data protection regulator (BfDI) Ulrich Kelber has been reported by the Irish Times criticising the Irish Data Protection Commission (DPC).

This letter reiterated what many observers have been saying about the Irish DPC for some time. As home to most big tech companies, Ireland has earned a reputation as a GDPR-compliance haven.

Is the Irish DPC’s reputation fair?

Think of it this way. As lead supervisory authority to Facebook and Google, the DPC’s job is to ensure these companies…


Facebook is “bypassing GDPR consent”, according to a case brought to the Austrian Superior Court by GDPR final boss Max “Schrems II” Schrems.

Photo by Joshua Hoehne on Unsplash

What does “bypassing the GDPR” mean?

Here’s the background of this case:

  • Under the Data Protection Directive, Facebook relied on the legal basis of “consent” for cookies.
  • The GDPR passed in 2016, with a higher consent standard. Consent now had to be obtained via an “unambiguous,” “clear, affirmative action.”
  • Facebook’s consent request was no longer valid. What would the company do? Ask for consent in a valid way? …

Illinois lawmakers are trying to undermine the Biometric Information Processing Act (BIPA). This is one of the few U.S. privacy laws providing Americans with real privacy protection.

Photo by GIUSEPPE AZZONE on Unsplash (Chicago, Illinois)

What is America’s best privacy law?

Maybe it’s not objectively the best, but my favourite U.S. privacy law is Illinois’ Biometric Information Processing Act (BIPA), which passed way back in 2008. BIPA is one of the most powerful — albeit limited — privacy laws in the U.S.

BIPA requires businesses to provide notice and obtain consent before collecting biometric information from consumers, including facial recognition data, fingerprints, and voiceprints.

Sounds reasonable?

Not according…


French court ruling says vaccine-booking platform’s contract with Amazon is lawful. But this case isn’t as clear-cut as it seems.

Photo by İsmail Enes Ayhan on Unsplash

I’m drawing my analysis here from the IAPP’s summary of the case.

Here’s the background

The French Conseil d’Etat looked at a data processing agreement between Doctolib, whose platform is used for booking vaccinations, and AWS Sarl, a Luxembourg-based subsidiary of Amazon Web Services.

Doctolib used AWS to process health data. The claimants asked the court to suspend transfers of personal data between Doctolib and AWS.

Who cares?

The case was significant, in part, because so many EU data controllers…


The U.K.’s culture secretary has repeated his ambiguous claims about the future data protection regime.

Photo by Rodrigo Santos on Unsplash

Sky News published the glibly-titled Government to reform data protection laws to spur economic growth on Thursday, in which Oliver Dowden, the U.K.’s culture secretary, states that he is “seeking to set out where we are going to go with data” post-Brexit.

The “unashamedly pro-tech” minister has made similar comments in the past, including in a Financial Times op-ed earlier this month, but has been relatively coy about providing solid details.

In one sense, the U.K. can do whatever it likes with its data protection…


Telecoms giant will start selling information about how customers use the web and what apps are on their phones unless they opt out.

Photo by Mika Baumeister on Unsplash

In the previous edition of Data Protection, I recommended reading the New York Times editorial on opt-in consent: America, Your Privacy Settings Are All Wrong.

This piece argued that the U.S. should be enacting a privacy law with an “opt-in” model of consent. It suggests that Virginia and California have missed this opportunity with recent legislation.

This same week, T-Mobile announced that it will start selling U.S. customers’ data on an opt-out basis, starting on 26 April.


The European Data Protection Board stands strong on privacy, while Commission, Parliament, and the Council seek to undermine the confidentiality of communications.

The European Data Protection Board (EDPB) held its 46th plenary session this week. The EDPB Chair, Andrea Jelinek said:

“The ePrivacy Regulation must not — under no circumstances [sic] — lower the level of protection offered by the current ePrivacy Directive, and should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication.”

There’s a very different mood in the European Parliament, which recently voted overwhelmingly in favour the Commission’s…

Robert Bateman

Privacy and Data Protection Writer, runs the Data Protection newsletter: protectionofdata.substack.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store