A smartphone manufacturer may have triggered the end of US involvement in personal data from European citizens.

Romanian smartphone maker Allview decides to load Google Fuchsia on its low-end smartphones, but did not seek permission from the Romanian Organizație de permisiune (a PCO under the German model) nor input from the InfoCons Association (a LIAB under the Dutch model) as it viewed itself as merely a manufacturer, not liable for any personal data processed after the phone’s purchase. After a Swedish hacker nicknamed Ridbyxorson discovered Fuchsia collected personal data in secret and sent this to the Irish data centers of Google, the company and its distributors gets hit by multiple lawsuits, both in Romania and the rest of the EU.

Most notable is the Polish Federacja Konsumentów’s decision to sue Polish stores selling the phone (including webshops) for abetting the privacy infringement. Following the ZoekMPWie and PII Bay precedents, the Polish High Court concurred and held the stores and webstores liable for the infringement that would have occurred if consumers had bought the phones. A 50M€ compensation for damages had to be paid, because of the high chance of damages due to personal data coming into American hands, Ireland still having strong ties to the USA and the CLOUD ACT successor of 2023 requiring US companies to steal data if necessary from their EU subsidiaries.

A Dutch celebrity sees very personal data shared on various TheMALL/HERE discussion groups, and sues the social network for the identity of the users so she can sue each one of them. TheMALL/HERE settles for an arrangement where it will collect payment from each of the users, which it effects by debiting their “Me”-wallets automatically. This causes some consternation but turns out to be legal under the terms of service.