Producing real change: key highlights of our results

Long Read

In 2023, Privacy International continues to produce real change by challenging governments and corporations that use data and technology to exploit us.

Since the beginning of the year, we have had some significant achievements that we're proud of and want to share with you.

Take a look below to see how we are changing the world for the better.

Spring

Better EU regulation of digital products  
PI’s continuous advocacy around the Cyber Resilience Act resulted in further adjustments to the proposed text. The report of the European Parliament’s rapporteur for the Cyber Resilience Act included some important suggested amendments to the law, which directly reflect our proposals. Following publication of the report, members of the European Parliament ITRE Committee further developed the text in line with our positions. The Cyber Resilience Act is a regulation on cybersecurity requirements for products with digital elements, aimed at improving cybersecurity through more secure hardware and software products.

More scrutiny of use of technology in elections  
Following our collaboration with the Carter Center around the 2022 Presidential elections in Kenya, our data protection and privacy observations were substantially reflected in the Carter Center’s final report on the elections. The report provided an in-depth analysis of the implications of the Kenyan Data Protection Act for Kenyan elections, together with an explanation of the election technology used and a series of recommendations in relation to election technologies. This was one of the first substantial analyses of data protection and privacy legislation and the use of technology in the Kenyan election.

UK government issues a proposal for amending the national law on communications surveillance 
On 20 March 2023, the UK Government published its “Proposal for a Draft Investigatory Powers Act 2016 (Remedial) Order 2023”. The Investigatory Powers Act (IPA) 2016 is a document regulating electronic surveillance practices (particularly interception of communications) of the British intelligence agencies and police. The proposal is a direct result of the European Court of Human Rights’ judgment in the Big Brother Watch and others v UK case, in which Privacy International was a lead applicant. The proposal aims to ensure the IPA’s compliance with the judgment.

Joint, beneficiary-led campaign against a company (Capita) involved in migrants’ surveillance 
PI, together with Bail for Immigration Detainees (BID) and Migrants Organise, initiated a campaign against Capita’s involvement in the UK Home Office's practice of GPS tagging of migrants. The first phase of the campaign was designed around the company’s Annual General Meeting (AGM) of its core shareholders. As part of our campaign, we asked Capita’s shareholders to consider the human rights implications of the GPS tagging contract with the UK Government. Our demands have been supported by hundreds of people who sent the action letter to Capita following our public action. You can support the campaign by sending a letter from the campaign’s page.

French Data Protection regulator (CNIL) fined Doctissimo 
Following PI’s complaint from 2020, in May 2023, CNIL fined the French health website doctissimo.fr (Doctissimo) €380,000. The regulator found that Doctissimo failed to comply with obligations under the GDPR and the French Data Protection Act, citing the following infringements: (1) failure to store data for no longer than is necessary; (2) failure to obtain consent from individuals to collect their health data; (3) failure to provide a formal legal framework for the processing operation; (4) failure to ensure the security of personal data; and (5) failure to comply with obligations related to the use of cookies. As a result, the company has taken measures to remedy the infringements.

Summer

French Data Protection regulator (CNIL) fined AdTech company Criteo 
As a result of our complaint from 2018 and further investigations conducted by CNIL, in June 2023, the regulator fined the French AdTech company Criteo €40 million for failing to ensure that people (data subjects) had provided their consent to the processing of their data, failing to sufficiently inform them, and failing to enable them to exercise their rights. The decision was submitted to and approved by all the other 29 European supervisory authorities interested in the case.

The Hellenic DPA opened an investigation into the Greek Coast Guard for social media monitoring 
In February 2022, Privacy International joined Homo Digitalis, the Hellenic League for Human Rights, and HIAS Greece, together with researcher Phoebus Simeonidis, in a joint submission asking the Hellenic Data Protection Authority (HDPA) to investigate the supply of social media monitoring software to the Hellenic Coast Guard. As a result, in May 2023, the Hellenic DPA initiated an investigation, collected evidence and is conducting an assessment of the use of social media monitoring by the authorities.

PI was granted permission to intervene in the Amazon/iRobot merger case 
Once the merger between Amazon and iRobot was notified by the European Commission, we submitted an application to intervene in the case. Our application was granted and PI became the only digital rights group to receive interested third person status from the Commission. We believe that the Amazon-iRobot merger would threaten competition in and across several potential markets and would reduce the pressure on Amazon to compete in relation to privacy options available to consumers.

PI’s educational materials are helpful to other organisations  
In 2023, reputable legal and environmental organisations expressed interest in using PI’s materials for educational purposes and for building their internal capacity. Among the requested materials were: "How to avoid social media monitoring: A Guide for Climate Activists", "What Is Privacy?", "Big Data", "Data Protection Explained" and "What is Data Exploitation?". More educational materials can be found on our Learn page and our YouTube channel.

Autumn

PI’s work informed court’s decision forcing online advertiser Criteo to review their use of cookies
After the French Data Protection regulator’s (CNIL) decision to fine Criteo for their abusive data collection practices, on 18 October, the Amsterdam District Court adopted an important decision concerning the company’s practices. According to the court, Criteo did not obtain a ‘valid consent for the placement of cookies’, which made their placement illegal. The court recognised the CNIL’s decision (which resulted from our complaint), holding that Criteo must provide a complete overview of the third parties with whom data has been shared.

European Court of Human Rights held the United Kingdom accountable for its digital spying outside its borders
On 18 September 2023, the European Court of Human Rights ruled in the case Guarnieri and Wieder v UK that the UK’s security and intelligence agencies breached the right to privacy of two individuals living outside the UK, through the UK’s mass surveillance practices. The judgment from the European Court underscores that security and intelligence agencies must be held responsible for the effects of their actions in the UK no matter where their consequences are felt. The case was a result of PI’s 2015 campaign asking people to make applications to the UK’s Investigatory Powers Tribunal to investigate whether they had been subjected to unlawful surveillance measures by the UK’s intelligence agencies.

European Commission asks companies to provide longer support of their products
On 31 August 2023, the European Commission published its Regulation for eco-design for smartphones and tablets, laying down specific requirements for the relevant mobile devices. The regulation requires manufacturers, importers or authorised representatives to provide at least 5 years of operating system updates from the date of end of placement of the product on the market. This means that end-users will benefit from longer protection and functionality of their devices. This change in the regulation was intensively promoted by PI through our Best Before Date advocacy and extensive engagement with the Commission.

Campaigning for protection of our privacy in public
In the context of the dramatic rise of facial recognition technology (FRT) in public spaces, we launched The End of Privacy in Public campaign. The campaign asks members of the public to ask their MP if facial recognition cameras are being deployed in their local areas. At the moment of writing, dozens of people have joined our campaign and messaged their MPs.