Our readers may have heard about the recent decision of the Italian data protection authority, Garante, ordering Tik Tok to immediately limit the processing of personal data with regard to users whose age could not be established with certainty. The action was taken as a matter of urgency, following a death of a young girl in Palermo who took part in a "black-out" challenge that spread across the platform. While this story understandably captured public attention, it is worth noting that a formal proceeding against TikTok was initiated by the Garante already at the end of last year.
Earlier this week Reuters reported that the search engine giant Google may be facing yet another antitrust probe from the European Commission, this time in relation to its advertising practices. Under examination are among others the integration of DoubleClick (Google's ad serving unit) and the company's plan to phase out third-party cookies on Chrome. Several weeks ago the British Competition and Markets Authority opened an investigation on the same subject. According to Google, greater concentration of its advertising ecosystem (aka "Privacy Sandbox") is supposed to better protect consumers’ privacy (which, of course, remains to be verified, particularly in light of "dark patterns" employed by the trader), yet authorities fear it they may negatively impact other interests (here: commercial interests of the publishers, although one could also think of consumer interests other than privacy). As the CMA notes, the challenge faced by regulators is "to address legitimate privacy
concerns without distorting competition". It is worth recalling that online advertising is also part of the proposed Digital Services Act, which envisages e.g. an obligation of very large online platforms to publish ad repositories with information about targeting.
Last but not least, back in November, the data protection organisation NOYB filed a complaint with the Spanish and German data protection authorities against Apple's Identifier for Advertisers, arguing that it allowed for user tracking without consent. Interestingly, the organization - co-founded by the activist Max Schrems - chose to rely on the E-Privacy Directive instead of the GDPR, to avoid "endless procedures" of cooperation between DPAs. Indeed, some of the high-profile cases under the GDPR are still ongoing, including an inquiry into Google’s processing of location data, triggered by - you guessed it - a report by the Norwegian Consumer Council.