Facebook investors brush off leaked $5 billion fine

It has been widely reported that Facebook will receive a record fine for privacy violations, but investors seem strangely pleased about it.

All the usual-suspect business papers seem to have received the leak late last week that the US Federal Trade Commission voted narrowly to fine Facebook $5 billion for data privacy violations related to the Cambridge Analytica thing. The FTC, like the FCC, has five commissioners, three of whom are affiliated to the Republican party and two to the Democrats. As ever they voted on partisan lines, with the Democrats once more opposing the move.

The FTC has yet to make an official announcement, so we don’t know the stated reasons for the Democrat objections. But since that party seems to have decided it would have won the last general election if it wasn’t for those meddling targeted political ads, it’s safe to assume they think the fine is too lenient.

Just because the Democrats have a vested interest, that doesn’t mean they’re wrong, however. Of course Democrat politicians have criticised the decision, but many more independent commentators have noted that the fine amounts to less than a quarter’s profit for the social media giant. Nilay Patel, Editor in Chief of influential tech site The Verge, seems to speak for many in this tweet.

That Facebook’s share price actually went up after such a big fine initially seems remarkable, but all it really indicates is that Facebook had done a good job of communicating the risk to its investors, so a five bil hit was already priced in. The perfectly legitimate point, however, is that as a punishment one month’s revenue is unlikely to serve as much of a deterrent from future transgressions.

Patel seems very hostile to Facebook, stating in his opinion piece on the matter “Facebook has done nothing but behave badly from inception.” A lot of this bad behaviour consists of exploiting user data, but what is really under attack seems to be Facebook’s core business model and, to some extent, the whole ad-funded model on which sites like The Verge rely.

Debates need to be had about the way the Internet operates and monetizes itself, but identifying Facebook as a uniquely bad actor when it comes to exploiting user data seems disingenuous. Laws and regulations are struggling to catch up with the business models of internet giants and there are many other questions to be asked about how they operate.

The fact that Facebook’s share price has now largely recovered from the Cambridge Analytica scandal of a year or so ago, as illustrated by the Google Finance screenshot below, indicates that investors consider these issues to be just another business risk, to be weighed up against obscene profits. While we have always considered the scandal to be overblown, it also seems clear that, as a meaningful punishment, even a $5 billion fine is totally inadequate in this case.

Facebook share price July 19

ICO gets serious on British Airways over GDPR

The UK’s Information Commissioner’s Office has swung the sharp stick of GDPR at British Airways and it looks like the damage might be a £183.39 million fine.

With GDPR inked into the rule book in May last year, the first investigations under the new guidelines will be coming to a conclusion in the near future. There have been several judgments passed in the last couple of months, but this is one of the most significant in the UK to date.

What is worth noting is this is not the final decision; this is an intention to fine £183.39 million. We do not imagine the final figure will differ too much, as the ICO will want to show it is serious, but BA will be given the opportunity to have its voice heard with regard to the amount.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The EU’s GDPR, General Data Protection Regulation, offers regulators the opportunity to fine guilty parties €20 million or as much as 3% of total revenues for the year the incident occurred. In this case, BA will be fined 1.5% of its total revenues for 2018, with the fine being reduced for several reasons.

In September 2018, user traffic was directed towards a fake British Airways site, with the nefarious actors harvesting the data of more than 500,000 customers. In this instance, BA informed the authorities of the breach within the defined window, co-operated during the investigation and made improvements to its security systems.

While many might have suggested the UK watchdog, or many regulators around the world for that matter, lack teeth when it comes to dealing with privacy violations, this ruling should put that preconception to rest. This is a weighty fine, which should force the BA management team to take security and privacy seriously; if there is one way to make executives listen, it’s to hit them in the pocket.

This should also be seen as a lesson for other businesses in the UK. Not only is the ICO brave enough to hand out fines for non-compliance, it is mature enough to reduce the fine should the affected organization play nice. £183.39 million is half of what was theoretically possible and should be seen as a win for BA.

Although this is a good start, we would like to see the ICO, and other regulatory bodies, set their sights on the worst offenders when it comes to data privacy. Companies like BA should be punished when they end up on the wrong side of right, but the likes of Facebook, Google and Amazon have gotten an easy ride so far. These are the companies who have the greatest influence when it comes to personal information, and the ones which need to be shown the rod.

This is one of the first heavy fines implemented in the era of GDPR and the difference is clear. Last November, Uber was fined £385,000 for a data breach which impacted 2.7 million customers and drivers in the UK. The incident occurred prior to the introduction of GDPR, which is the reason the punishment looks so measly compared to the BA fine here.

The next couple of months might be a busy time in the office of the ICO as more investigations conclude. We expect some heavy fines as the watchdog bares its teeth and forces companies back onto the straight and narrow when it comes to privacy and data protection.

UK launches competition probe into digital advertising market

The UK Competition and Markets Authority wants to know if the digital advertising market is being corrupted by internet giants like Google and Facebook.

The investigation is being called the ‘Online platforms and digital advertising market study’ and it will look into the following:

  • To what extent online platforms have market power in user-facing markets, and what impact this has on consumers
  • Whether consumers are able and willing to control how data about them is used and collected by online platforms
  • Whether competition in the digital advertising market may be distorted by any market power held by platforms

So this seems to be a combination of a monopoly investigation and an audit of how digital platforms are handling personal data. The dominance of the Silicon Valley platforms over the digital advertising market seems clear, so the question is whether they abuse that dominance to unfairly crush competition. The matter of data privacy seems secondary, especially since there are already loads of similar investigations happening around the world.

“It is our job to ensure that companies innovate and compete,” explained CMA Chairman Andrew Tyrie. “And every bit as much, it’s our job to ensure that consumers are protected from detriment. Implementation of the Furman Report should help a lot. As part of the work announced today, we will be advising Government on how aspects of Furman can most effectively be implemented.

“Much about these fast-changing markets is a closed book to most people. The work we do will open them up to greater scrutiny, and should give Parliament and the public a better grip on what global online platforms are doing. These are global markets, so we should and will work more closely than before with authorities around the world, as we all consider new approaches to the challenges posed by them.”

“The market study will examine concerns about how online platforms are using people’s personal data, including whether making this data available to advertisers in return for payment is producing good outcomes for consumers,” said CMA Chief Executive Andrea Coscelli. “The CMA will examine whether people have the skills, knowledge and control over how information about them is collected and used, so they can decide whether or not to share it in the first place.”

While they’re at it, why don’t they do an investigation into how many people read the terms and conditions of using a service, let alone understand them? While there can be little doubt that online platforms have been very effective at monetising third party data, anyone who uses them for free and then claims to feel exploited is being disingenuous. Much more interesting will be the measures taken if they’re viewed as a harmful monopoly.

Google’s Sidewalk’s bet is a nightmare for the privacy conscious

If you’re concerned about whether Google is listening to you through your phone or smart speaker, soon enough you’ll have to worry about lampposts having ears, or at least you will if you live in Toronto.

For those who have not been keeping up-to-date with the Canadian tech scene, Google’s Sidewalk Labs is currently working in partnership with Toronto to demonstrate the vision of tomorrow; the smart city. Plans are still being drawn up, though it looks like two neighbourhoods will be created with a new Google campus bang in the middle.

The Master Innovation and Development Plan (MIDP) hopes to create the city of tomorrow and will be governed by Waterfront Toronto, a publicly-funded organization. In a move to seemingly appease the data concerns of Waterfront Toronto, Google has now stated all the systems would be run by analysing data, but Sidewalk Labs will not disclose personal information to third parties without explicit consent and will not sell personal information.

This is the first bit of insight we’ve had on this initiative for a while. Having secured the project in 2017, Sidewalk Labs has been in R&D mode. The team is attempting to prove the business case and the products, though it won’t be long before work is underway. Assuming of course Google is able to duck and weave through the red-tape which is going to be presented over the next 12-18 months.

The most recent development is a series of white papers which address numerous topics, from sustainable production plans and mobility to data protection and privacy and the envisioned use cases. If you have a spare few hours, you can find all the documentation here.

Of course, there are plenty of smart city initiatives around the world but what makes this one interesting is that the concept of ‘smart’ is being built from the foundations. This is a greenfield project not brownfield, which is substantially easier. Buildings, street furniture and infrastructure can be built with connectivity in mind.

This is the challenge which other cities are facing; let’s take London as an example. Construction on the London Underground system started in 1863, while the London sewage system was plumbed in between 1859 and 1865. The city itself, and the basic layout, was established in 50 AD. Although there are creative solutions to enhance connectivity, most cities were built in the days before most could even conceive of the internet.

The Quayside and Villiers West neighbourhoods will be home to almost 7,000 residents and offer jobs to even more, anchored by the new Google campus. The buildings will offer ‘adaptable’ spaces, including floor plates and sliding wall panels to accelerate renovations and reduce vacancies. It will also be incredibly energy friendly, featuring a thermal energy grid which could heat and cool homes using the natural temperature of the earth.

But onto the areas which most people in the industry will be interested in; the introduction of new technologies and access to data.

High-speed internet connections will be promised to all residents and businesses, intelligent traffic lights and curbs will be deployed to better regulate traffic, smart awnings will be introduced for those into gimmicky technology and the neighbourhoods will be designed to allow for an army of underground delivery robots to function.

Autonomous driving is one technology area which fits perfectly into the greenfield advantage. The complications of creating a landscape for autonomous vehicles in older cities are great, but by building up the regions with connectivity in mind many of these challenges can be averted. Not only can the introduction of self-driving vehicles be accelerated, but ride-sharing (Zipcar) or hailing (Uber) alternatives can be assisted while other options such as e-scooters are more realistic.

Such is the ambition nurtured in the Google business, if there is a crazy idea which can be applied to the smart city concept, Sidewalk Labs have probably factored it into the design and build process.

And now onto the data. This is where the project has drawn criticism as Google does not necessarily have the most glistening record when it comes to data privacy and protection. Small print littered throughout various applications has ensured Google is never too far away from criticism. In fairness, this is a problem which is industry wide, but a cloud of scepticism has been placed over any initiative which has data as the fuel.

The latest announcement from Google/Sidewalk Labs focuses on this very issue. Sidewalk Labs will not sell any personal information, this data will not be used to fuel the advertising mechanisms and it will not disclose this insight to third-parties. Explicit consent would have to be provided in any of these circumstances.

Whether these conditions will be up to the standards defined by Waterfront Toronto remains to be seen. This body has the final say and may choose to set its own standards at a higher or lower level. Anonymity might be called into play as many activists have been pushing. This is not a scenario which Google would want to see.

While expanding into new services might seem like an attractive idea, if this expansion can be coupled with additional access to data to fuel the Google data machine, it is a massive win for the internet giant. Let’s not forget, everything which Google has done to date (perhaps excluding Loon and the failed Fiber business) has paid homage to the advertising mechanisms.

Fi offers it interesting data on customer locations, the smart speakers are simply an extension of the core advertising business through a new user interface and Android allowed Google to place incredibly profitable products as default on billions of phones and devices. If Google can start to access new data sets it can offer new services, engage new customers and create new revenues for investors.

Let’s say it can start collecting data on traffic flow, this could become important insight for traffic management and city planners when it comes to adding or altering bus routes. This data could also be used to reduce energy consumption on street lights or traffic lights; if there is no-one there, do they actually need to be on? It could also help retailers forecast demand for new stores and aid the police with their work.

These ideas might not sound revolutionary or that they would bring in billions, but always remember, Google never does anything for free. This is a company which seems to see ideas before anyone else and can monetize them like few others. If Google is paying this much attention to an idea or project, there must be money to be made and we bet there is quite a bit.

But this is where Google is facing the greatest opposition. Because it is so good at extracting insight and value from data, it is one of the companies which is facing the fiercest criticism. This will be most notable the further afield Google spreads its wings. It seems the world is content with Google sucking value out of personal data when it comes to search engines or mobile apps, but pavements, lampposts and bus stops might be a step too far for some.

Of course, criticism might disappear when jealousy emerges. The hardcore privacy advocates will never rest, but most simply don’t care that much. Privacy violations will of course cause uproar, but if there is a fair trade-off, most will accept Google’s role. If Google can prove these neighbourhoods not only improve the quality of life, but also offer advantages to entertainment and business (for example), this initiative could prove to be very popular with the general public, governments and businesses.

Maine gets tough on telcos over data economy

Maine Governor Janet Mills has signed new privacy rules into law, demanding more proactive engagement from broadband providers in the data-sharing economy.

While the rules are tightening up an area of the digital world which is under-appreciated at the moment, they will have their critics. The law itself is targeting those companies who deliver connectivity solutions to customers, the telcos, not the biggest culprits of data protection and privacy rights, the OTTs and app developers.

The rules are applicable to broadband providers in the state, both mobile and fixed, and force a more proactive approach in seeking consent. Telcos will now be compelled to seek affirmative consent from customers before being allowed to use, disclose, sell or permit access to customer personal information, except in a few circumstances.

As is on-trend with privacy rules, the ‘opt-out’ route, used by many to ensure the lazy and negligent are caught into the data net, has been ruled out.

There are also two clauses included in the legislation which block off any potential coercive behaviour from the telcos:

  • Providers will not be allowed to refuse service to a customer who does not provide consent
  • Customers cannot be penalised or offered a discount based on that customer’s decision to provide or not provide consent

This is quite an interesting inclusion in the legislation. Other states, California for example, are building rules which will offer freedoms to those participating in the data-sharing economy if the spoils are shared with those providing the data (i.e. the customer), though the second clause removes the opportunity to offer financial incentives or penalties based on consent.

This is not to say rewards will not be offered however. There is wiggle room here, zero-rating offers on in-house services or third-party products for example, which does undermine the rules somewhat.

It is also worth noting that these rules only pertain to what the State deems as personal data. Telcos can continue to monetize data which is not considered personal without seeking affirmative consent, unless the customer has written to the telco to deny it this luxury. Personal data is deemed as the following categories:

  • Web browsing history
  • Application usage history
  • Geolocation
  • Financial
  • Health
  • Device identifiers
  • IP Address
  • Origin and destination of internet access service
  • Content of customer’s communications

What is worth noting is this is a solution to a problem, but perhaps not the problem which many were hoping would be addressed.

Firstly, the telcos are already heavily regulated, with some suggesting already too much so. There are areas which need to be tightened up, but this is not necessarily the problem child of the digital era. The second point is the issue which we are finding hard to look past; what about the OTTs, social media giants and app community?

The communications providers do need to be addressed, though the biggest gulf in regulation is concerning the OTTs and app developers. These are companies which are operating in a relative light-touch regulatory environment and benefiting considerably from it. There are also numerous examples of incidents which indicate they are not able to operate in such a regulatory landscape.

Although it is certainly a lot more challenging to put more constraints on these slippery digital gurus, these companies are perhaps the biggest problem with the data-sharing economy. Maine might grab the headlines here with new privacy rules, which are suitably strict in fairness, but the rule-makers seem to have completely overlooked the biggest problem.

These rules do not add any legislative or regulatory restraints on the OTTs or app developers, therefore anyone who believes Maine is taking a notable step in addressing the challenges of the data-sharing economy is fooling themselves. This is a solution, but not to the question which many are asking.

Ambulance chasers are readying themselves for GDPR assault

While getting a firm ready for the introduction of GDPR was a frantic period, the last 12 months have been a relatively quiet period for the rules. However, that might all be about to change.

At the European Data Protection Summit in London, a few points were raised which should put the fear back into executives. It does appear the ‘sex appeal’ of data protection and privacy has been eroded, but just wait until the summer is over. It might well be dominating the headlines again.

There seem to be four developments bubbling away at the moment, each of which could have a significant impact on the data protection and privacy landscape: Brexit, the UK’s 2018 Data Protection Act and ambulance chasers.

Ditching PPI for GDPR

Although it is not necessarily the most flattering of terms, the ambulance chasers are readying themselves for an assault on the GDPR negligent.

The Financial Conduct Authority (FCA) has set a deadline of August 29 for consumers to complain about the sale of PPI products in the UK. This effectively means all the firms set up to manage the complaints on behalf of consumers will become redundant. Most will evolve, however; the legal world is simply too profitable, and GDPR seems a prime opportunity.

While it might not be the most common practice for the moment, there are certainly examples. Numerous law firms, Hayes Connor Solicitors for example, are already advertising their services for the British Airways data breach, impacting roughly 400,000 people. This is an on-going investigation, though the financial penalty for this breach could be as much as €918 million.

As more PPI lawyers find themselves at the mercy of free time, more will turn their attentions to new fields of expertise. Due to the headline-worthy nature of data breaches and privacy violations, as well as the potential consequence to the individual, this is an area which is primed for the legal buzz.

Big fines have been promised

So far, there is only one example of a Data Protection Authority (DPA) swinging the heavy stick of GDPR at a major firm. France’s watchdog fined Google €50 million for numerous offenses, and while there have been other significant breaches over the last few years, most occurred at a time prior to the heavy fines of GDPR.

“Serious fines are coming in the summer, including to some of the big companies,” said Paul Breitbarth, Director of Strategic Research and Regulator Outreach at Nymity. “The DPAs [Data Protection Authorities] are taking this very seriously and so should we.”

The Irish DPA is an example of one regulator taking control of the situation, and quite rightly so. Despite the fact its economy is heavily reliant on the internet giants, the Irish watchdog is Europe’s lead GDPR authority; it should be leading the charge.

In a recent PR defence plea, Commissioner for Data Protection Helen Dixon pointed out the authority has already opened 54 investigations, 19 of which were cross border. According to Breitbarth, we should expect some pretty heavy fines which will also bring data protection and privacy back into public debate.

One of the big challenges being faced by the industry is apathy from the general public and a lack of any considered concern from executives. Enforcement of GDPR rules will not only highlight the potential risks to the general public, but also make data protection and privacy a priority for those running the firms.

Executives might want to ignore data protection and privacy, but one way to get the attention is to hit them in their wallets. Both the enforcement of GDPR and the emergence of ambulance chasers will ensure this is a topic of conversation in the board rooms.

New rules, new considerations

The 2018 Data Protection Act is something which has not really generated many headlines, but there is a monumental opportunity for headaches.

“It’s a bit of a minefield to go through,” said Ian Evans, MD of OneTrust.

The Data Protection Act is the UK’s own version of GDPR, required due to the fact we are divorcing the European Union, but it does actually go a lot further than the European rules. This is perhaps the worst-case scenario for those wanting to remain compliant, as it creates more work ensuring compliance with two different sets of rules.

New clauses have been introduced creating new grey areas when it comes to confidentiality agreements, while the approach in the immigration department has received criticism. Those who are seeking official residential status in the UK will not be able to force the government into providing insight into the data which has been collected, analysed and actioned. This is the first time a data moat has been embedded into law, and there are some people who are not happy about it.

One area which is very useful is the standardization of use cases. In four areas, the ICO will effectively produce standards to ensure companies can remain compliant. This is the first time an authority has taken such an approach, and we hope it will be replicated by other authorities. The first example, ‘Age-appropriate design’, will be released in the coming weeks.

The groans of Brexit

Brexit is a tricky topic to bring up. People either disagree with it, hate it or are bored of it, but the fact of the matter is, it is crucially important in numerous areas.

Brexit changes the status quo. The UK will no longer be in the European Union, therefore fundamentally changing the relationship companies have with governments, customers and supply chains.

With the Brexit deadline fast approaching, and little concrete information being offered, the risk is running quite high. This will have to be a major factor in any company’s approach to data protection and privacy moving forward.

The risk of a boring conversation

“Everyone is saying they are trying more for data protection, but does anyone actually believe it,” said Ian West, COO of the GDPR Institut.

GDPR was critically important when it was introduced, and it remains critically important today. However, you have to question whether the organizations involved, or the general public, are actually taking it seriously. The last 12 months have seen GDPR fall down the agenda, though it will rise again.

Enforcement is key, and it is coming. GDPR investigations are painfully slow processes due to the vast amount of information and the complexities of the business models in the data-sharing economy. However, many investigations will be finalised over the next few months. With these final decisions come the fines.

This will propel data protection and privacy back into the public debate, and ensure the general public becomes more aware of the dangers of the digital world.

There is currently a risk of negligence, but soon enough data protection and privacy principles will form part of the buying decision-making process. The companies which are taking data protection and privacy seriously will become more appealing to those customers, both consumer and enterprise.

Another factor to consider is recruitment. More graduates nowadays want to work for ethically sound organizations, and soon enough this definition will be expanded to include data protection and privacy principles.

GDPR is a topic which is not ‘sexy’ at the moment, but the next couple of months could ensure these conversations are firmly set back into the board room. The question is whether these will be fleeting, defensive discussions, or whether these executives will take the challenge seriously and create a culture which encourages data protection and privacy principles.

Irish data watchdog defends its GDPR actions

The Irish data protection regulator has unveiled a progress report on GDPR on the first anniversary of the rules, perhaps defending itself from a perception of inaction.

As Europe’s lead regulator for GDPR, the Data Protection Commission (DPC) is in an incredibly important position. It is supposed to lead the bloc into an era of increased privacy and data protection, though considering its economy is largely dependent on the very firms GDPR has been designed to punish, it is a tricky position.

Despite some suggesting GDPR is failing to live up to the promise of holding the technology giants accountable, the DPC has defended its positions, actions and ambitions.

“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information,” said Commissioner for Data Protection, Helen Dixon.

“As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.

“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office.”

Looking at the numbers, 6,624 complaints have been received since the introduction of GDPR, while 5,818 valid data security breaches were notified. 54 investigations have been opened, 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR. Last week, the DPC announced its most recent investigation into Google.

Interestingly enough, more than half of these investigations will see either Facebook, WhatsApp or Instagram as the focal point. The question which remains is whether the rules are having a material impact on data protection and privacy across the world.

According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world, while more than 200,000 instances of data breaches have been reported. However, the largest fine which has been levied at one of the internet giants is €50 million.

Back in January, French data watchdog CNIL fined Google €50 million for various different violations of GDPR. These violations included a lack of transparency, overly complicated wording and inaccessible information on how a user’s data is being collected, stored and processed. This might serve as a wake-up call for the ‘normal’ companies across the world, but it might not be considered a deterrent for the worst offenders, the tech giants who collect billions in profit each year by monetizing data.

As mentioned previously, the DPC is in a slightly precarious position. Ireland will want to protect the interests of the technology giants due to the role the industry plays in the country. The technology sector has largely been credited with saving Ireland from economic recession a decade ago, and now employs a significant number of individuals. The industry has also fuelled a rise in entrepreneurship, creating bright prospects as the world strides towards the digital economy.

Reading between the lines, this is perhaps the rationale behind today’s announcement from the DPC. It is working to uphold the promise of GDPR.

What is worth noting is that one year is not a lot of time. Investigations into complaints will take months on months, due to the number of companies involved, the collection of statements and all the relevant information, and the complex nature of data processing business models. The big data machine is incredibly complicated and understanding whether there have been any violations of rules is even more so; some clauses and sections have created grey areas to be exploited.

One year on, GDPR has clearly had an impact on the world, but whether this is enough of an impact to create a privacy-orientated digital society still remains to be seen.

Europe’s lead data watchdog opens Google GDPR investigation

Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.

Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation, however.

“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”

The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.

The DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.

This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.

Under Article 5(1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.

With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed in the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine of as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.

“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”

GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?

FCC reveals glacial progress on the resale of location data by operators

US operators have been reselling the location data they accumulate about their subscribers and have been slow to deliver on promises to stop.

This practice was already well-known by the time it was highlighted in an expose at the start of this year. At the time operators were quick to stress that they’re pulling out all the stops to protect their customers’ personal data but Federal Communications Commissioner Jessica Rosenworcel was apparently skeptical. Frustrated by their deafening silence on the matter she wrote to the four US MNOs at the start of the month to ask them what they were playing at.

Rosenworcel received relatively prompt responses from those operators and decided to publish them alongside a mea culpa that was probably directed more at other FCC Commissioners than herself. “The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” she said.

“I don’t recall consenting to this surveillance when I signed up for wireless service—and I bet neither do you. This is an issue that affects the privacy and security of every American with a wireless phone. It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm. I will continue to press this agency to make public what it knows about what happened. But I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”

You can read the contrite and exculpatory responses here, but in case you can’t be bothered, here’s a summary. AT&T said it started phasing out this sort of thing in June 2018, while still making location data available in emergencies. Additionally the letter attempted to distance AT&T from the reports in question and said it had stopped sharing any data with location aggregators and LBS providers on 29 March 2019.

Sprint said it currently works with just one LBS (location-based services) provider but will pack that in by the end of this month. T-Mobile said it had terminated all contracts with LBS types by 9 March 2019 and went on at considerable length to correct what it considers to be flawed reporting on how it used to handle this sort of thing. Verizon said it had terminated all location deals by the end of March 2019.

So that would appear to be that. All the operators have said they don’t deal with location data aggregators anymore and presumably Rosenworcel is a happy Commissioner. But the fact that they’ve only just stopped reselling their customers’ personal data, and even then only after persistent nagging and bad publicity, is a further illustration of how cavalier the tech industry has been with personal data to date.

Apple recognised as ‘Privacy Champion’ by techies

An anonymous survey of people working in the technology industry has crowned Apple as the privacy champion of FANG, while 78% believe it is a top priority at their own organization.

The survey was run by Blind, an anonymous social network for the workplace, which has a userbase in the hundreds of thousands, many of whom work at the world’s largest technology companies. Asking whether they believed their own organization prioritised user privacy, the results might shock a few.

Employees of technology companies were given a simple statement and offered the opportunity to add an explanation. The statement was “My company believes customer data protection is a top priority”.

Sitting at the top of the table was Apple, with 73.6% and 19.8% responding that they strongly agreed or agreed with the statement, respectively. LinkedIn and Salesforce also featured highly on the list, while Google and Amazon were also above the industry average. Facebook was below the industry average, while Adobe, Intuit and SAP fell way below the average with only 44.6%, 40% and 39% respectively stating they strongly agree with the statement.

Such low numbers should be a major concern, especially with lawmakers and regulators attempting to reconfigure rules to take a stronger tone with data privacy. Irrespective of whether the likes of Apple are taking privacy seriously, rules will be written for the industry as a whole; the laggards will ensure everyone has to face the sharp stick of the law.

On the FANG front, Blind users were asked whether Apple should be considered the privacy champion. 67.9% agreed with the statement, with some suggesting the business model is not based on the transfer of personal information, therefore it is more secure or less of a threat. That said, Apple is fast evolving with the software and services business becoming more of a focus. It might well evolve to include some of these practices in the future.

That said, while Apple is seemingly keeping its hands clean, one person feels the company is nothing more than an enabler for the more nefarious.

“I feel Apple is no better for creating the technology that enables companies like Facebook to become no more than spying tools,” said one Intuit employee.

Although scores in the 70s could be viewed as positive, this means 20-30% of an organization’s own employees do not believe the privacy rhetoric which is being reeled off in the press by executives of the tech giants. If a company is unable to create an internal belief in privacy, it might be viewed as a worrying sign.