Europe’s lead data watchdog opens Google GDPR investigation

Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.

Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation however.

“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”

The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.

The DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.

This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.

Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.

With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed in the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine of as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.

“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”

GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?

FCC reveals glacial progress on the resale of location data by operators

US operators have been reselling the location data they accumulate about their subscribers and have been slow to deliver on promises to stop.

This practice was already well-known by the time it was highlighted in an expose at the start of this year. At the time operators were quick to stress that they’re pulling out all the stops to protect their customers’ personal data but Federal Communications Commissioner Jessica Rosenworcel was apparently skeptical. Frustrated by their deafening silence on the matter she wrote to the four US MNOs at the start of the month to ask them what they were playing at.

Rosenworcel received relatively prompt responses from those operators and decided to publish them alongside a mea culpa that was probably directed more at other FCC Commissioners than herself. “The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” she said.

“I don’t recall consenting to this surveillance when I signed up for wireless service—and I bet neither do you. This is an issue that affects the privacy and security of every American with a wireless phone. It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm. I will continue to press this agency to make public what it knows about what happened. But I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”

You can read the contrite and exculpatory responses here, but in case you can’t be bothered here’s a summary. AT&T said it started phasing out this sort of thing in June 2018, while still making location data available in emergencies. Additionally the letter attempted to distance AT&T from the reports in question and said it had stopped sharing any data with location aggregators and LBS providers on 29 March 2019.

Sprint said it currently works with just one LBS (location based services) provider but will pack that in by the end of this month. T-Mobile said it had terminated all contracts with LBS types by 9 March 2019 and went on at considerable length to correct what it considers to be flawed reporting on how it used to handle this sort of thing. Verizon said it had terminated all location deals by the end of March 2019.

So that would appear to be that. All the operators have said they don’t deal with location data aggregators anymore and presumably Rosenworcel is a happy Commissioner. But the fact that they’ve only just stopped reselling their customers’ personal data, and even then only after persistent nagging and bad publicity, is a further illustration of how cavalier the tech industry has been with personal data to date.

Apple recognised as ‘Privacy Champion’ by techies

An anonymous survey of people working in the technology industry has crowned Apple as the privacy champion of FANG, while 78% believe it is a top priority at their own organization.

The survey was run by Blind, an anonymous social network for the workplace, which has a userbase in the hundreds of thousands, many of whom work at the world’s largest technology companies. Asking whether they believed their own organization prioritised user privacy, the results might shock a few.

Employees of technology companies were given a simple statement and offered the opportunity to add an explanation. The statement was “My company believes customer data protection is a top priority”.

Sitting at the top of the table was Apple, with 73.6% and 19.8% of respondents saying they strongly agreed or agreed with the statement respectively. LinkedIn and Salesforce also featured highly on the list, while Google and Amazon were also above the industry average. Facebook was below the industry average while Adobe, Intuit and SAP fell way below the average with only 44.6%, 40% and 39% respectively stating they strongly agree with the statement.

Such low numbers should be a major concern, especially with lawmakers and regulators attempting to reconfigure rules to take a stronger tone with data privacy. Irrespective of whether the likes of Apple are taking privacy seriously, rules will be written for the industry as a whole; the laggards will ensure everyone has to face the sharp stick of the law.

On the FANG front, Blind users were asked whether Apple should be considered the privacy champion. 67.9% agreed with the statement, with some suggesting the business model is not based on the transfer of personal information and therefore it is more secure or less of a threat. That said, Apple is fast evolving with the software and services business becoming more of a focus. It might well evolve to include some of these practices in the future.

That said, while Apple is seemingly keeping its hands clean, one person feels the company is nothing more than an enabler for the more nefarious.

“I feel Apple is no better for creating the technology that enables companies like Facebook to become no more than spying tools,” said one Intuit employee.

Although scores in the 70s could be viewed as positive, this means 20-30% of an organization’s own employees do not believe the privacy rhetoric which is being reeled off in the press by executives of the tech giants. If a company is unable to create an internal belief in privacy, it might be viewed as a worrying sign.

Facebook’s privacy conundrum

Facebook CEO Mark Zuckerberg has to do something about his firm’s reputation for data privacy, but it could require destroying its own core business model.

At the F8 developer conference this week, Zuckerberg has been making claims no-one is surprised to hear. Facebook is all about user privacy, it’s not about making money anymore, just about offering a service its users care about. The PR machine is shifting through the gears; Facebook has to save its reputation before it’s too late.

This is perhaps the worst kept secret in Silicon Valley; Facebook does not care about data privacy, or at least it hasn’t cared in the past. It cares it was caught flamboyantly prancing around, above and all over the concept, but few will be surprised executives prioritized profits over privacy.

But here is the crossroads the firm faces; be disrupted or destroyed.

This of course sounds very dramatic, and perhaps we are taking poetic licence, but there is at least an element of accuracy to the statement. Zuckerberg needs to fundamentally redefine the business, moving away from the tried and tested business model, before regulators and legislators take Facebook out at the knees.

At the conference, Zuckerberg has been outlining Facebook’s journey forward. Updates will focus on creating a more ‘private’ experience, ushering users towards groups and chat locations which, theoretically, will prevent Facebook from fuelling its data machine. It seems the new business will be focused around two of the company’s most popular applications, Messenger and WhatsApp, though this could potentially kill the tried and tested Facebook business model; hyper-targeted advertising.

One example of this is an update which will allow users to invite connections to watch videos in a private message or group. In years gone by, this would be sacrilege to Facebook executives. If it is private, how can it be used to tune the advertising machine? Where is the opportunity to make money?

This is the risk Facebook is facing up to; its traditional business model is under threat. Its reputation for handling privacy is in tatters and the world is turning against Facebook. If it continues on the path of collecting and harvesting data in this manner, someone will eventually step in and stop it. Governments and regulators are cracking down on the data sharing economy, and Facebook has been made enemy number one.

But all is not lost. Facebook still has a couple of tricks up its sleeve. Firstly, the core social media platform is salvageable. It might look like a digital Yellow Pages today, but in bygone years, it was a genuinely engaging platform. Somewhere along the line executives got grabby and started prioritising advertising over engagement, and the platform suffered as a result. If Facebook can rediscover the magic of old, all will be forgiven, such is the short-term memory of many consumers.

This might mean having to sacrifice the hyper-targeted advertising model, but if Zuckerberg’s claims on privacy are to be believed, Facebook might be moving away from it anyway.

Fortunately, with a reinvigorated platform, which people trust and enjoy, Facebook can bolt services on and beside it, as opposed to through it. This is a perfectly feasible business model; running the platform as a loss-leader, maintaining a more transparent advertising business and also using the credibility to monetize premium services. And it might be a sensible direction for Facebook to go. It has worked before and will work again.

To make this idea work, Facebook will need a few things. Firstly, the ambition to explore new ideas. Secondly, smart people. And finally, R&D funds. Facebook has all these things in abundance.

Facebook has already shown its ambition with the launch of AR/VR, video platforms, online market places, dating applications and enterprise services (just to name a few). It has and will continue to attract some of the world’s most intelligent engineers and business people. And finally, Facebook has bags of cash.

This of course is taking Zuckerberg at his word. This might be nothing more than a ploy to generate positive PR. The hyper-targeting advertising model might simply be evolving with the help of small print and clever distractions. But, Zuckerberg surely is smarter than this. Another case of misleading the general public would surely be a step too far.

Zuckerberg might be waking up to the fact he cannot hide from this horrid and distasteful reputation he and his firm have developed. Perhaps Facebook has realised it needs to fundamentally change its business model. Maybe Zuckerberg wants to disrupt his own business before governments and regulators try to destroy it.

UK wants to force internet companies to think of the children

A UK regulator has drafted 16 things internet companies need to do to help protect children online or else.

To be precise it has launched a consultation on a document called ‘Age appropriate design: a code of practice for online services’, but there is little precedent for these consultations resulting in anything other than plan A being fully implemented. It lays down a bunch of rules that anyone providing online services that could be accessed by children – i.e. nearly all of them – needs to follow.

“This is the connected generation,” explained Information Commissioner Elizabeth Denham. “The internet and all its wonders are hardwired into their everyday lives. We shouldn’t have to prevent our children from being able to use it, but we must demand that they are protected when they do. This code does that.

“The ICO’s Code of Practice is a significant step, but it’s just part of the solution to online harms. We see our work as complementary to the current focus on online harms and look forward to participating in discussions regarding the Government’s white paper.”

There are many conceits and Orwellian aspirations implied in those two short statements, not least the inference that the government could prevent children from being able to access the internet if it wanted to. But then nobody’s in favour of harm are they, so surely this is all for the best. Here’s a summary of the 16 commandments.

  1. Best interests of the child

Protect them from any conceivable harm but you’re still allowed to make money so long as you do that.

  2. Age-appropriate application

If you can stop kids accessing your stuff then don’t worry about all these rules.

  3. Transparency

Provide clear privacy information, including ‘bite sized’ explanations at the point at which use of personal data is activated that kids can understand.

  4. Detrimental use of data

Don’t use kids’ data in a way that might be detrimental to them.

  5. Policies and community standards

Implement your own policies.

  6. Default settings

Privacy settings must be ‘high’ by default and be difficult to change. Reset existing user settings accordingly.

  7. Data minimisation

Only collect the minimum amount of data you need to provide your service.

  8. Data sharing

Don’t share kids’ personal data unless you’ve got a really good reason to do so.

  9. Geolocation

Switch it off by default unless you’ve got a really good reason not to and even then make it clear that it’s on.

  10. Parental controls

Let kids know when their parents are keeping an eye on them.

  11. Profiling

Turn it off by default unless you’ve got a really good reason not to and even then think of the children.

  12. Nudge techniques

Don’t try to persuade kids to lower their privacy protections and don’t use things like reward loops to keep kids engaged. This could even include ‘likes’.

  13. Connected toys and devices

All this applies to them too.

  14. Online tools

Give kids tools to protect themselves online and make them prominent.

  15. Data protection impact assessments

A bureaucratic process to demonstrate you’ve complied with these rules.

  16. Governance and accountability

More bureaucracy to show you’ve done what you’re told.

“If you don’t comply with the code, you are likely to find it difficult to demonstrate that your processing is fair and complies with the GDPR and PECR,” warns the consultation document. “If you process a child’s personal data in breach of this code and the GDPR or PECR, we can take action against you.

“Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to €20 million or 4% of your annual worldwide turnover, whichever is higher.”

Some of the above points, such as 3, 5 and 14 seem perfectly sensible, but taken all together this initiative seems designed to massively increase the bureaucratic burden on nearly all internet companies. As ever the largest ones can just call on their compliance departments to mitigate the restrictions and keep the companies out of trouble. Small ones, however, may have to just impose age restrictions.

In that respect this seems like an extension of the UK porn block law, which Wired does a good job of picking holes in. At the very least this sort of thing is great news for VPN providers. The announcement coincides with the European Copyright Directive clearing its final hurdle, so before long everyone will be able to access the internet secure in the knowledge that nothing bad will ever happen to them.

FTC launches investigation for privacy practices in US

The Federal Trade Commission (FTC) has issued orders to seven US broadband providers seeking non-public information to assess privacy practices.

Although this investigation is relatively broad, this might be another attempt from the US Government to get a handle on the privacy practices of the fast-evolving digital economy. Several scandals over the last 18 months have demonstrated current rules are not fit for purpose, containing too many loopholes and inadequately governing an industry which has progressed beyond the reach of bureaucracy.

The FTC has been under pressure in recent months to get a better handle on the data machines which power the digital economy, bringing in billions for the likes of Amazon and Google, but increasingly the telcos. While many fingers have been pointed at the residents of Silicon Valley, the telcos have been making money through the transfer of personal information also.

This investigation is an important step forward in creating a better understanding of the data and sharing economy, a foundation to create resilient and future-proof regulations. Some might suggest this sort of investigation should have happened years ago, but hindsight is always 20/20; who would have predicted the scale of scandals we have witnessed recently?

AT&T, AT&T Mobility, Comcast Cable Communications, Google Fiber, T-Mobile US, Verizon, and Cellco Partnership are the firms which have received the demands.

As part of the investigation, the FTC is requesting:

  • The categories of personal information collected about consumers or their devices
  • Purpose of collecting data for each of the categories
  • Methods of collecting the data
  • Policies for employees to access this data
  • Retention policies
  • What information is transferred to third-parties
  • How the information is aggregated, anonymized or deidentified
  • Disclosures to customers about data collection and transfer to third-parties
  • What choices are offered to the customer
  • How accessible personal data is to the customer

As you can see, this is an incredibly broad and in-depth request, with a lot of the information being non-public. Many of the telcos who have been sent the orders will be uncomfortable releasing this information, though they’ll have no choice.

Although this is a good first step for the FTC, we would hope the investigation is broadened further in the future. More information and insight need to be collected from the OTTs, the masters of manipulating the data-sharing economy. The telcos are small fish in this expedition, but it is progress.

All eyes from the data-sharing community will be keenly directed towards the FTC over the next couple of months. While this investigation is nothing more than a virtual pebble dropped into the digital pond for the moment, there is the potential for those ripples to grow into waves. This could be the first step towards major regulatory reform, an overdue revolution to gain a better handle on the wild-west internet economy.

Europe sailing towards conflict over China 5G

Germany is drafting rules to allow Chinese companies to participate in the 5G bonanza, while the European Commission is thinking of banning them. Something’s got to give.

In terms of collective political influence and economic power, the European Union could consider itself more or less on par with the US and China. Considering the Union represents the societal, political and economic interests of 28 nations, more than 500 million people and roughly $23 trillion in GDP, it is certainly a powerful concept. But the China issue is just one example of how its neatly stitched patchwork could unravel very quickly.

China is a very tricky equation to balance right now. On one side, you have an incredibly powerful economy, a massive and increasingly wealthy population and technological advancements which could benefit almost every society. However, to access these riches you have to deal with a government which ideologically conflicts with a lot of what Europe stands for.

But this is where a potentially significant conflict lies. The European Commission is reportedly looking at how it could create a de facto ban for Chinese technology and kit in communications infrastructure, conflicting with some of its member states’ positions. The Commission is supposed to represent the interests of all its member states, creating a common framework which sits above national policies, but if these policies contradict the opinions of some member states, a perfect storm could be brewing on the horizon.

Germany is not talking the anti-China rhetoric

The most recent reports echoing out of Berlin will not have the US government jumping for joy. Local newspaper Handelsblatt is suggesting the German government is doing everything it can to write security protections into new regulation; however, the rules will be written in a manner which will not exclude Chinese companies.

The reports have not been confirmed by any official government spokespeople as of yet, though this does follow on from comments the Federal Office for Information Security (BSI) made in December.

“For such serious decisions like a ban, you need proof,” said Arne Schoenbohm, President of BSI.

The US will not be happy about developments here (a delegation is currently undertaking a European lobby tour to turn officials against China), though neither will the European Commission. There are several instances which indicate the European Commission is taking a similar stance against China, suggesting a bloc-wide ban could be on the cards before too long.

Aside from recent reports that the European Commission is rewriting cybersecurity rules to effectively ban Chinese companies from providing technology for communications infrastructure, one of its Commissioners has also fuelled the anti-China rhetoric.

“I think we have to be worried about these companies,” Commissioner for Digital Single Market Andrus Ansip told reporters in December. Ansip was referring to companies such as Huawei and ZTE, while this statement implies the Commission believes there are strong ties between multi-national corporations and the Chinese government.

The United States of Europe argument emerging again?

With Germany seemingly working to ensure collaboration with Chinese companies remains possible, the UK creating monitoring mechanisms to enable Huawei’s work and Italy denying reports it is considering its own ban, the European Commission appears to be working in direct contradiction to some of its largest member states.

To be fair, the role of the European Commission is to serve all the states not just the big ones, but the point of the bureaucracy is to create a common framework which all agree on, not rules which are forced onto member states. Cynics of the Commission and Union in general will suggest this is perhaps more evidence of Juncker and co. attempting to create a United States of Europe, where the desires of the member states are secondary to that of the ruling party.

Although many of these conspiracy theories are generally relegated to the comment boards of the Daily Mail, the Commission might well be heading towards a monumental conflict. Any rules which are written at European Commission level would potentially render national regulations redundant, a scenario those member states would not be happy with.

Considering the shoddy state of affairs Brexit has been creating, perhaps the European Commission should attempt to create an image of co-operation and collaboration. Antagonising leading member states is not a sensible idea, while a ‘state v. Europe’ conflict over security is not something which will reflect favourably on the agency.

Is politics anything more than arguing with shiny teeth?

Caught on the fringes of this conflict and the constant political seesawing are the telcos. Governments often tell the telco industry they are there to help and enable innovation, but it seems most of the time politicians are nothing but a hindrance attempting to score PR points by pandering to buzzwords and public opinion.

With governments aiming to ban Huawei and ZTE from connectivity plans, several telcos have stepped into the fray to give their own opinion. The message seems to be relatively consistent; heighten security requirements if you must but banning a vendor in an incredibly top-heavy market will not be a good idea.

“Clearly, if there were a complete ban at radio level, then it would be a huge issue for us, but it would be a huge issue for the whole European telco sector,” Vodafone CEO Nick Read said during the latest earnings call. “Huawei probably has 35% of the market share through the whole of Europe.”

Deutsche Telekom is another who foresees any Huawei ban being nothing but problematic. The German telco has previously stated a ban on Huawei would set its 5G ambitions back two years. Several telcos are considering scaling back work with Huawei, but this is perhaps directed more towards the uncertain political climate than any outright worry regarding the security credentials of Huawei equipment.

European telcos are not dependent on Huawei equipment to function effectively, but they are somewhat reliant on it. There aren’t enough suppliers, or good-enough suppliers, to strike Huawei out of the mix. US telcos are not having to deal with this headache as their operations adapted to a lack of Huawei and ZTE years ago; Europe is struggling with the political seesawing and story of uncertainty. Any business leader will tell you, a consolidated, cohesive and concrete regulatory landscape is critical for success.

Huawei stuck between a rock and a hard place

Huawei is a company which now has no control over its own fate.

With the US parading around political offices spreading its anti-China message without the burden of evidence, Huawei can’t do anything. Numerous governments are asking the vendor to prove its security credentials, but this will mean little if there is still suspicion. The case against Huawei is not based on evidence, but one which is based on a political and economic power struggle.

With a lack of evidence to substantiate any accusations against the firm, Huawei is being asked to do something which has been accepted as almost impossible; prove a negative. All of the questions and queries being directed at the firm have a single aim, to demonstrate there are no ties between the organization and the Chinese government, as well as its intelligence agencies.

It’s an almost impossible task, especially when you take into account the powerful influence of the US and the fact most of these decisions are being made on hearsay, circumstantial evidence and emotion. Whatever Huawei says, however much evidence is put on the table, we suspect opinions have already been made.

An issue of consistency and contradiction

In a single signature, the European Commission could throw the bloc into disarray. If the rumours evolve into reality, the European Commission could impose its own rules, contradicting the hopes and ambitions of some member states. Such a scenario would question how much control the member states have over their own society, undermining the concept of sovereignty.

Any fundamental changes would certainly have to be greenlit by all member states, but the European approach to China on the whole, and Huawei specifically, has not been entirely consistent. One question which might be worth considering is whether the European Commission is overstepping its remit.

We are almost certain Germany will not be happy being told to ban Huawei considering it seemingly wants to ensure Chinese participation in the upcoming 5G bonanza. Conflict is on the horizon, potentially pitting the European Commission against the biggest financial contributor to the bloc.

Cisco calls for US GDPR rollout

In a move which might make the networking giant quite unpopular on the US side of the pond, Cisco’s Chief Legal and Compliance Officer Mark Chandler has called for a US version of GDPR.

Having been implemented during May 2018, Europe’s General Data Protection Regulation (GDPR) is starting to make waves in the technology world. The first complaints were filed as the ink was drying on May 25, though with the first rulings starting to be announced eight months later, the implications and dangers are starting to become clear. Unless Silicon Valley wins the opening legal skirmishes, precedent will be set and disruption to the data sharing economy will be very apparent.

Considering the massive potential for disruption in the digital ecosystem, Chandler will not be making any friends in Silicon Valley by pushing the case for more focused protections on data protection and privacy. Commenting to the Financial Times, Chandler stated he believes the new regulations have worked out well and after some tweaking, the same rules should be applied in the US as well.

Of course, a legal executive from a networking company stirring the pot is unlikely to turn heads right now, the rules would not necessarily have any monumental impact on the networking infrastructure giant, but there might be a few upset individuals in Silicon Valley. For years, the internet players have effectively been able to do what they want, but GDPR sought to end this reign of freedom.

Although GDPR is an incredibly complex set of rules with more nuances than a teenage philosopher’s diary, the overall aim is pretty simple. Firstly, the user has more control over his/her personal data, and secondly, internet companies have to demonstrate a need to collect and process data, while also improving security around these processes. And of course, there are the fines as well.

This is perhaps one of the biggest concerns of the internet giants as they can now be held accountable. Prior to GDPR, fines were feeble. For any normal company, they would be horrid, but considering the size and profitability of the likes of Facebook, Google, Amazon and Apple, any punishments dished out would take a matter of minutes or hours to pay off. GDPR allows regulators to assign fines which are relative to the size of the organization, therefore companies can now be held accountable.

While GDPR does seem to be forcing many companies to act more responsibly, the saving grace for Silicon Valley is that it is limited to Europe. The lobbyists will be fighting hard to make sure such rules do not find sympathetic ears in Washington DC, though governments do seem to be welcoming.

In India, the government is considering new rules which would tighten up protections around personal information, while the Japanese government has signed a new treaty with the European Union which extends GDPR protections of European citizens to Japan. These are two examples, though as more complaints are filed and more judges’ opinions are released to the public, interest in these rules will almost certainly increase.

What you always have to consider when you read such comments is that Cisco is a B2B firm. The privacy rules are geared towards empowering the consumer and therefore would have minimal impact here. In public, many of the internet giants are calling for a revamp of privacy rules, as it’s just good PR form, but they will be privately terrified of a GDPR replicant.

What is also worth bearing in mind is that the US is not as sensitive to privacy issues as Europeans are. Of course, legislators will have an eye on privacy and it will be a worry, but Europe is much more aware and condemning of the slippery practices of Silicon Valley. For years, the Californian lawyers have revelled in technology outpacing regulation, identifying grey areas and loopholes galore. However, the European regulators are attempting to make life difficult.

Facebook can’t seem to keep itself out of trouble

Facebook has apparently been paying customers $20 each to trade away their privacy by installing a VPN which analyses usage, sidestepping Apple’s App Store policies.

The research initiative is similar to Onavo Protect, which was effectively banned by Apple last year, rewarding teenagers and adults for downloading the app, which gives the social media giant root access to network traffic which most likely would have been decrypted otherwise. According to TechCrunch, this is a violation of the App Store policies.

While $20 per user might seem like a huge amount, the data which is collected is incredibly valuable. Not only will it be able to identify usage habits, it will also contribute to competitor research. In theory, Facebook would be able to build a much more detailed competitor landscape, identifying potential threats to its business. The UK government has already unveiled documents which confirm Facebook uses the platform to inhibit competitive threats, so this type of data collection simply adds another nefarious cog to the devious machine.

According to the TechCrunch investigation, if Facebook makes full use of the freedoms granted through this app it would be able to access private messages from social media and other messaging apps, photos and videos, emails, web browsing activity and location information. What is worth noting is that it has not been confirmed whether this is the case, though Facebook could be heading for another privacy debacle.

This is of course not the first time Facebook has ventured into the murky world of surveillance. Back in 2014, the increasingly suspect social media giant acquired Onavo for $120 million. This VPN allowed users to minimize data leakage and improve the effectiveness of tariffs, but it also allowed Facebook to access deep analytics about what other apps they were using. This insight reportedly gave Facebook the confidence to make such a significant bet on WhatsApp.

The app came under pressure when it was revealed Facebook was stepping across the line, collecting information when the screen was off for example. Apple changed the App Store policies to ensure apps could only collect information which was critical to functionality, though by this point Facebook had a huge amount of competitive intelligence, and seemingly lit the fires of ambition.

One question which you really have to ask is how many lives Facebook has left. The last 12 months have been a carousel of scandal, saga and suspicion. Whether it is Cambridge Analytica, Friendly Fraud, fake news, influencing elections, violating privacy or snooping on customers, Facebook has poked and prodded the confidence and trust of the digital society. How much longer can this go on for?

Every time a new headline emerges about some nefarious or suspect activity from Facebook, the world must be getting closer to taking disruptive action. More and more people distrust the brand, but due to its influence in and penetration through digital society, usage of its applications has not been damaged much. You have to wonder how many more of these headlines the business can take; maybe it won’t be long before the Facebook empire is broken up.

GDPR net starting to get very wide

Eight months after the introduction of GDPR, decisions are starting to emerge from the first complaints. The breadth and depth of the complaints are starting to look revolutionary for the digital economy.

For years, the internet effectively did whatever it wanted. Bureaucrats attempted to regulate the industry, though mostly built ineffective rules on shaky foundations. Regulators were seemingly unable to out-manoeuvre Silicon Valley’s slippery legal beagles, experts at discovering grey areas, but then Europe’s General Data Protection Regulation (GDPR) was created.

The months leading up to the May 25 ‘doomsday’ were a nightmare for many companies around the world, such is the weight of potential fines. As soon as the ink was dry in the rulebook, the complaints started to get filed. Eight months later, the first decisions are emerging, and the threat of disruption is starting to look big, broad and beastly.

Over the last few weeks, French regulator CNIL has fined Google for not being explicit enough when collecting consent, a decision the search giant is challenging. Privacy advocate Max Schrems’ non-profit, None of Your Business (NOYB), is taking eight internet companies to court in Austria for ‘Right to Access’ violations. NOYB is also challenging Google’s Android as well as Facebook’s Instagram and WhatsApp on the grounds of forced consent. Privacy International is also pointing the GDPR finger at Facebook. Private browser Brave and the Open Rights Group are tackling Google and marketing agency IAB on ‘Real-time bidding’ for hyper-personalised advertising.

Looking at the final case, this is an interesting one as it is not a practice which has been widely connected with GDPR. Real-time bidding platforms allow companies to collect in-depth and wide-ranging troves of information on individuals. This behavioural data ‘is broadcast to tens or hundreds of companies’ in order to attract potential advertisers’ bids. Brave and the Open Rights Group believe this is a violation of GDPR as the ‘broadcast’ fails to protect these intimate data against unauthorized access.

Article 5, paragraph one of GDPR states data should be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss’. As there is no control over the data once it has been broadcast, Brave and the Open Rights Group state this is a violation of privacy rights.

The marketing and advertising industry certainly would have been aware of the threat to this segment; however, it is not the type of data application which has broadly hit the headlines in a major fashion. This is the current risk the internet industry is facing; privacy advocates are getting creative with how they are applying GDPR, widening the net of accusation, ensuring lawyers are fighting the regulation on multiple fronts.

In the first couple of months, you can almost guarantee every court decision will be challenged by at least one of the internet giants. This is the gravity of the situation; fundamental and revolutionary changes could be on the way if privacy wins. The internet will change due to the interpretation of GDPR. The threat of red-tape choking off the steady flow of billions is looking very real.

Worrying for the internet giants is the emergence of class-action suits as well. Although this type of proceeding is quite common across the pond, such cases are rare occurrences in Europe. Across the legal community there have been mutterings, suggesting the regulation could open the door on the bloc. Perhaps it would not evolve to the same scale as class-action suits in the US, but the threat of such a trend should be very worrying for those who are currently ducking and diving swipes from the GDPR stick.

Today is Data Privacy Day, so perhaps it is fate that it appears the data privacy campaigners have the upper hand over Silicon Valley right now. The first decision from the courts has gone against the internet industry, and the implications could have a significant knock-on effect on Terms of Service agreements. You can guarantee Google will throw everything it can against the CNIL and its €50 million fine.

The money means nothing to the ‘Do no Eviler’, but the potential disruption to the internet economy could be seismic. We all knew GDPR could be very damaging to the data-sharing industry, but now it is starting to get very real.