ICO gets serious on British Airways over GDPR

The UK’s Information Commissioner’s Office has swung the sharp stick of GDPR at British Airways and it looks like the damage might be a £183.39 million fine.

With GDPR inked into the rule book in May last year, the first investigations under the new guidelines will be coming to a conclusion in the near future. There have been several judgments passed in the last couple of months, but this is one of the most significant in the UK to date.

What is worth noting is this is not the final decision; this is an intention to fine £183.39 million. We do not imagine the final figure will differ too much, as the ICO will want to show it is serious, but BA will be given the opportunity to have its voice heard with regard to the amount.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The EU’s GDPR, General Data Protection Regulation, offers regulators the opportunity to fine guilty parties €20 million or as much as 3% of total revenues for the year the incident occurred. In this case, BA will be fined 1.5% of its total revenues for 2018, with the fine being reduced for several reasons.

In September 2018, user traffic was directed towards a fake British Airways site, with the nefarious actors harvesting the data of more than 500,000 customers. In this instance, BA informed the authorities of the breach within the defined window, co-operated during the investigation and made improvements to its security systems.

While many might have suggested the UK watchdog, or many regulators around the world for that matter, lack teeth when it comes to dealing with privacy violations, this ruling should put that preconception to rest. This is a weighty fine, which should force the BA management team to take security and privacy seriously; if there is one way to make executives listen, it’s to hit them in the pocket.

This should also be seen as a lesson for other businesses in the UK. Not only is the ICO brave enough to hand out fines for non-compliance, it is mature enough to reduce the fine should the affected organization play nice. £183.39 million is half of what was theoretically possible and should be seen as a win for BA.

Although this is a good start, we would like to see the ICO, and other regulatory bodies, set their sights on the worst offenders when it comes to data privacy. Companies like BA should be punished when they end up on the wrong side of right, but the likes of Facebook, Google and Amazon have gotten an easy ride so far. These are the companies who have the greatest influence when it comes to personal information, and the ones which need to be shown the rod.

This is one of the first heavy fines implemented in the era of GDPR and the difference is clear. Last November, Uber was fined £385,000 for a data breach which impacted 2.7 million customers and drivers in the UK. The incident occurred prior to the introduction of GDPR, which is the reason the punishment looks so measly compared to the BA fine here.

The next couple of months might be a busy time in the office of the ICO as more investigations conclude. We expect some heavy fines as the watchdog bares its teeth and forces companies back onto the straight and narrow when it comes to privacy and data protection.

Google’s Sidewalk’s bet is a nightmare for the privacy conscious

If you’re concerned about whether Google is listening to you through your phone or smart speaker, soon enough you’ll have to worry about lampposts having ears, or at least you will if you live in Toronto.

For those who have not been keeping up-to-date with the Canadian tech scene, Google’s Sidewalk Labs is currently working in partnership with Toronto to demonstrate the vision of tomorrow; the smart city. Plans are still being drawn up, though it looks like two neighbourhoods will be created with a new Google campus bang in the middle.

The Master Innovation and Development Plan (MIDP) hopes to create the city of tomorrow and will be governed by Waterfront Toronto, a publicly-funded organization. In a move to seemingly appease the data concerns of Waterfront Toronto, Google has now stated all the systems would be run by analysing data, but Sidewalk Labs will not disclose personal information to third parties without explicit consent and will not sell personal information.

This is the first bit of insight we’ve had on this initiative for a while. Having secured the project in 2017, Sidewalk Labs has been in R&D mode. The team is attempting to prove the business case and the products, though it won’t be long before work is underway. Assuming of course Google is able to duck and weave through the red-tape which is going to be presented over the next 12-18 months.

The most recent development is a series of white papers which are addressing numerous topics from sustainable production plans, mobility, data protection and privacy and the envisioned use cases. If you have a spare few hours, you can find all the documentation here.

Of course, there are plenty of smart city initiatives around the world but what makes this one interesting is that the concept of ‘smart’ is being built from the foundations. This is a greenfield project not brownfield, which is substantially easier. Buildings, street furniture and infrastructure can be built with connectivity in mind.

This is the challenge which other cities are facing; let’s take London as an example. Construction on the London Underground system started in 1863, while the London sewage system was plumbed in between 1859 and 1865. The city itself, and the basic layout, was established in 50 AD. Although there are creative solutions to enhance connectivity, most cities were built in the days before most could even conceive of the internet.

The Quayside and Villiers West neighbourhoods will be home to almost 7,000 residents and offer jobs to even more, anchored by the new Google campus. The buildings will offer ‘adaptable’ spaces, including floor plates and sliding wall panels to accelerate renovations and reduce vacancies. It will also be incredibly energy friendly, featuring a thermal energy grid which could heat and cool homes using the natural temperature of the earth.

But onto the areas which most people in the industry will be interested in; the introduction of new technologies and access to data.

High-speed internet connections will be promised to all residents and businesses, intelligent traffic lights and curbs will be deployed to better regulate traffic, smart awnings will be introduced for those into gimmicky technology and the neighbourhoods will be designed to allow for an army of underground delivery robots to function.

Autonomous driving is one technology area which fits perfectly into the greenfield advantage. The complications of creating a landscape for autonomous vehicles in older cities are great, but by building up the regions with connectivity in mind many of these challenges can be averted. Not only can the introduction of self-driving vehicles be accelerated, but ride-sharing (Zipcar) or hailing (Uber) alternatives can be assisted while other options such as e-scooters are more realistic.

Such is the ambition nurtured in the Google business, if there is a crazy idea which can be applied to the smart city concept, Sidewalk Labs have probably factored it into the design and build process.

And now onto the data. This is where the project has drawn criticism as Google does not necessarily have the most glistening record when it comes to data privacy and protection. Small print littered throughout various applications has ensured Google is never too far away from criticism. In fairness, this is a problem which is industry wide, but a cloud of scepticism has been placed over any initiative which has data as the fuel.

The latest announcement from Google/Sidewalk Labs focuses on this very issue. Sidewalk Labs will not sell any personal information, this data will not be used to fuel the advertising mechanisms and it will not disclose this insight to third-parties. Explicit consent would have to be provided in any of these circumstances.

Whether these conditions will be up to the standards defined by Waterfront Toronto remains to be seen. This body has the final say and may choose to set its own standards at a higher or lower level. Anonymity might be called into play as many activists have been pushing. This is not a scenario which Google would want to see.

While expanding into new services might seem like an attractive idea, if this expansion can be coupled with additional access to data to fuel the Google data machine, it is a massive win for the internet giant. Let’s not forget, everything which Google has done to date (perhaps excluding Loon and the failed Fiber business) has paid homage to the advertising mechanisms.

Fi offers it interesting data on customer locations, the smart speakers are simply an extension of the core advertising business through a new user interface and Android allowed Google to place incredibly profitable products as default on billions of phones and devices. If Google can start to access new data sets it can offer new services, engage new customers and create new revenues for investors.

Let’s say it can start collecting data on traffic flow, this could become important insight for traffic management and city planners when it comes to adding or altering bus routes. This data could also be used to reduce energy consumption on street lights or traffic lights; if there is no-one there, do they actually need to be on? It could also help retailers forecast demand for new stores and aid the police with their work.

These ideas might not sound revolutionary, or as if they would bring in billions, but always remember, Google never does anything for free. This is a company which seems to see ideas before anyone else and can monetize them like few others. If Google is paying this much attention to an idea or project, there must be money to be made and we bet there is quite a bit.

But this is where Google is facing the greatest opposition. Because it is so good at extracting insight and value from data, it is one of the companies which is facing the fiercest criticism. This will be most notable the further afield Google spreads its wings. It seems the world is content with Google sucking value out of personal data when it comes to search engines or mobile apps, but pavements, lampposts and bus stops might be a step too far for some.

Of course, criticism might disappear when jealousy emerges. The hardcore privacy advocates will never rest, but most simply don’t care that much. Privacy violations will of course cause uproar, but if there is a fair trade-off, most will accept Google’s role. If Google can prove these neighbourhoods not only improve the quality of life, but also offer advantages to entertainment and business (for example), this initiative could prove to be very popular with the general public, governments and businesses.

Maine gets tough on telcos over data economy

Maine Governor Janet Mills has signed new privacy rules into law, demanding more proactive engagement from broadband providers in the data-sharing economy.

While the rules are tightening up an area of the digital world which is under-appreciated at the moment, they will have their critics. The law itself is targeting those companies who are delivering connectivity solutions to customers, the telcos, not the biggest culprits of data protection and privacy rights, the OTTs and app developers.

The rules are applicable to broadband providers in the state, both mobile and fixed, and force a more proactive approach in seeking consent. Telcos will now be compelled to seek affirmative consent from customers before being allowed to use, disclose, sell or permit access to customer personal information, except in a few circumstances.

As is on-trend with privacy rules, the ‘opt-out’ route, used by many to ensure the lazy and negligent are caught into the data net, has been ruled out.

There are also two clauses included in the legislation which block off any potential coercing behaviour from the telcos:

  • Providers will not be allowed to refuse service to a customer who does not provide consent
  • Customers cannot be penalised or offered a discount based on that customer’s decision to provide or not provide consent

This is quite an interesting inclusion in the legislation. Other states, California for example, are building rules which will offer freedoms to those participating in the data-sharing economy if the spoils are shared with those providing the data (i.e. the customer), though the second clause removes the opportunity to offer financial incentives or penalties based on consent.

This is not to say rewards will not be offered however. There is wiggle room here, zero-rating offers on in-house services or third-party products for example, which does undermine the rules somewhat.

It is also worth noting that these rules only pertain to what the State deems as personal data. Telcos can continue to monetize data which is not considered personal without seeking affirmative consent, unless the customer has written to the telco to deny it this luxury. Personal data is deemed as the following categories:

  • Web browsing history
  • Application usage history
  • Geolocation
  • Financial
  • Health
  • Device identifiers
  • IP Address
  • Origin and destination of internet access service
  • Content of customer’s communications

What is worth noting is this is a solution to a problem, but perhaps not the problem which many were hoping would be addressed.

Firstly, the telcos are already heavily regulated, with some suggesting already too much so. There are areas which need to be tightened up, but this is not necessarily the problem child of the digital era. The second point is the issue which we are finding hard to look past; what about the OTTs, social media giants and app community?

The communications providers do need to be addressed, though the biggest gulf in regulation is concerning the OTTs and app developers. These are companies which are operating in a relative light-touch regulatory environment and benefiting considerably from it. There are also numerous examples of incidents which indicate they are not able to operate in such a regulatory landscape.

Although it is certainly a lot more challenging to put more constraints on these slippery digital gurus, these companies are perhaps the biggest problem with the data-sharing economy. Maine might grab the headlines here with new privacy rules, which are suitably strict in fairness, but the rule-makers seem to have completely overlooked the biggest problem.

These rules do not add any legislative or regulator restraints on the OTTs or app developers, therefore anyone who believes Maine is taking a notable step in addressing the challenges of the data-sharing economy is fooling themselves. This is a solution, but not to the question which many are asking.

Ambulance chasers are readying themselves for GDPR assault

While getting a firm ready for the introduction of GDPR was a frantic period, the last 12 months have been a relatively quiet period for the rules. However, that might all be about to change.

At the European Data Protection Summit in London, a few points were raised which should put the fear back into executives. It does appear the ‘sex appeal’ of data protection and privacy has been eroded, but just wait until the summer is over. It might well be dominating the headlines again.

There seem to be four developments bubbling away at the moment, each of which could have a significant impact on the data protection and privacy landscape; Brexit, the UK’s 2018 Data Protection Act and ambulance chasers.

Ditching PPI for GDPR

Although it is not necessarily the most flattering of terms, the ambulance chasers are readying themselves for an assault on the GDPR negligent.

The Financial Conduct Authority (FCA) has set a deadline of August 29 for consumers to complain about the sale of PPI products in the UK. This effectively means all the firms set-up to manage the complaints on behalf of consumers will become redundant. Most will evolve however, the legal world is simply too profitable, and GDPR seems a prime opportunity.

While it might not be the most common practice for the moment, there are certainly examples. Numerous law firms, Hayes Connor Solicitors for example, are already advertising their services for the British Airways data breach, impacting roughly 400,000 people. This is an on-going investigation, though the financial penalty for this breach could be as much as €918 million.

As more PPI lawyers find themselves at the mercy of free time, more will turn their attentions to new fields of expertise. Due to the headline-worthy nature of data breaches and privacy violations, as well as the potential consequence to the individual, this is an area which is primed for the legal buzz.

Big fines have been promised

So far, there is only one example of a Data Protection Authority (DPA) swinging the heavy stick of GDPR at a major firm. France’s watchdog fined Google €50 million for numerous offenses, and while there have been other significant breaches over the last few years, most occurred at a time prior to the heavy fines of GDPR.

“Serious fines are coming in the summer, including to some of the big companies,” said Paul Breitbarth, Director of Strategic Research and Regulator Outreach at Nymity. “The DPAs [Data Protection Authorities] are taking this very seriously and so should we.”

The Irish DPA is an example of one regulator taking control of the situation, and quite rightly so. Despite the fact its economy is heavily reliant on the internet giants, the Irish watchdog is Europe’s lead GDPR authority; it should be leading the charge.

In a recent PR defence plea, Commissioner for Data Protection Helen Dixon pointed out the authority has already opened 54 investigations, 19 of which were cross border. According to Breitbarth, we should expect some pretty heavy fines which will also bring data protection and privacy back into public debate.

One of the big challenges being faced by the industry is apathy from the general public and a lack of any considered concern from executives. Enforcement of GDPR rules will not only highlight the potential risks to the general public, but also make data protection and privacy a priority for those running the firms.

Executives might want to ignore data protection and privacy, but one way to get their attention is to hit them in their wallets. Both the enforcement of GDPR and the emergence of ambulance chasers will ensure this is a topic of conversation in the board rooms.

New rules, new considerations

The 2018 Data Protection Act is something which has not really generated many headlines, but there is a monumental opportunity for headaches.

“It’s a bit of a minefield to go through,” said Ian Evans, MD of OneTrust.

The Data Protection Act is the UK’s own version of GDPR, required due to the fact we are divorcing the European Union, but it does actually go a lot further than the European rules. This is perhaps worst-case scenario for those wanting to remain compliant, as it creates more work ensuring compliance to two different sets of rules.

New clauses have been introduced creating new grey areas when it comes to confidentiality agreements, while the approach in the immigration department has received criticism. Those who are seeking official residential status in the UK will not be able to force the government into providing insight into the data which has been collected, analysed and actioned. This is the first time a data moat has been embedded into law, and there are some people who are not happy about it.

One area which is very useful is the standardization of use cases. In four areas, the ICO will effectively produce standards to ensure companies can remain compliant. This is the first time an authority has taken such an approach, and we hope it will be replicated by other authorities. The first example, ‘Age-appropriate design’, will be released in the coming weeks.

The groans of Brexit

Brexit is a tricky topic to bring up. People either disagree with it, hate it or are bored of it, but the fact of the matter is, it is crucially important in numerous areas.

Brexit changes the status quo. The UK will no longer be in the European Union, therefore fundamentally changing the relationship companies have with governments, customers and supply chains.

With the Brexit deadline fast approaching, and little concrete information being offered, the risk is running quite high. This will have to be a major factor in any company’s approach to data protection and privacy moving forward.

The risk of a boring conversation

“Everyone is saying they are trying more for data protection, but does anyone actually believe it,” said Ian West, COO of the GDPR Institut.

GDPR was critically important when it was introduced, and it remains critically important today. However, you have to question whether the organizations involved, or the general public, are actually taking it seriously. The last 12 months have seen GDPR fall down the agenda, though it will rise again.

Enforcement is key, and it is coming. GDPR investigations are painfully slow processes due to the vast amount of information and the complexities of the business models in the data-sharing economy. However, many investigations will be finalised over the next few months. With these final decisions come the fines.

This will propel data protection and privacy back into the public debate, and ensure the general public is becoming more aware of the dangers of the digital world.

There is currently a risk of negligence, but soon enough data protection and privacy principles will form part of the buying decision-making process. The companies which are taking data protection and privacy seriously will become more appealing to those customers, both consumer and enterprise.

Another factor to consider is recruitment. More graduates nowadays want to work for ethically sound organizations, and soon enough this definition will be expanded to include data protection and privacy principles.

GDPR is a topic which is not ‘sexy’ at the moment, but the next couple of months could ensure these conversations are firmly set back into the board room. The question is whether these will be fleeting, defensive discussions, or whether these executives will take the challenge seriously and create a culture which encourages data protection and privacy principles.

Irish data watchdog defends its GDPR actions

The Irish data protection regulator has unveiled a progress report on GDPR on the first anniversary of the rules, perhaps defending itself from a perception of inaction.

As Europe’s lead regulator for GDPR, the Data Protection Commission (DPC) is in an incredibly important position. It is supposed to lead the bloc into an era of increased privacy and data protection, though considering its economy is largely dependent on the very firms GDPR has been designed to punish, it is a tricky position.

Despite some suggesting GDPR is failing to live up to the promise of holding the technology giants accountable, the DPC has defended its positions, actions and ambitions.

“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information,” said Commissioner for Data Protection, Helen Dixon.

“As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.

“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office.”

Looking at the numbers, 6,624 complaints have been received since the introduction of GDPR, while 5,818 valid data security breaches were notified. 54 investigations have been opened, 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR. Last week, the DPC announced its most recent investigation into Google.

Interestingly enough, more than half of these investigations will see either Facebook, WhatsApp or Instagram as the focal point. The question which remains is whether the rules are having a material impact on data protection and privacy across the world.

According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world, while more than 200,000 instances of data breaches have been reported. However, the largest fine which has been levied at one of the internet giants is €50 million.

Back in January, French data watchdog CNIL fined Google €50 million for various different violations of GDPR. These violations included a lack of transparency, overly complicated wording and inaccessible information on how a user’s data is being collected, stored and processed. This might serve as a wake-up call for the ‘normal’ companies across the world, but it might not be considered a deterrent for the worst offenders, the tech giants who collect billions in profit each year by monetizing data.

As mentioned previously, the DPC is in a slightly precarious position. Ireland will want to protect the interests of the technology giants due to the role the industry plays in the country. The technology sector has largely been credited with saving Ireland from economic recession a decade ago, and now employs a significant number of individuals. The industry has also fuelled a rise in entrepreneurship, creating bright prospects as the world strides towards the digital economy.

Reading between the lines, this is perhaps the rationale behind today’s announcement from the DPC. It is working to uphold the promise of GDPR.

What is worth noting is one year is not a lot of time. Investigations into complaints will take months on months, due to the number of companies involved, collections of statements and all the relevant information, and the complex nature of data processing business models. The big data machine is incredibly complicated and understanding whether there have been any violations of rules is even more so; some clauses and sections made grey areas to be exploited.

One year on, GDPR has clearly had an impact on the world, but whether this is enough of an impact to create a privacy-orientated digital society still remains to be seen.

Europe’s lead data watchdog opens Google GDPR investigation

Ireland’s data protection watchdog has kicked off a GDPR investigation into Google following a complaint from ad-free web browser Brave.

Although GDPR is approaching its first birthday, there is yet to be an example of the towering fines which were promised for non-compliance. Perhaps everyone is playing merrily by the rules, or it might be that they are very good at covering their tracks. Brave will be hoping to chalk up a victory over Google with this investigation however.

“The Irish Data Protection Commission’s action signals that now – nearly one year after the GDPR was introduced – a change is coming that goes beyond just Google,” said Johnny Ryan, Chief Policy Officer at Brave. “We need to reform online advertising to protect privacy, and to protect advertisers and publishers from legal risk under the GDPR.”

The complaint itself is directed at Google’s DoubleClick/Authorized Buyers advertising system. While giving evidence to the Data Protection Commission, Ryan has suggested the way in which data is processed through the system violates Article 5(1)(a), (b) and (f) of GDPR, as well as Section 110 of the Irish Data Protection Act.

DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.

This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.

Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.

With the Irish watchdog, Europe’s lead for GDPR, investigating the system in Ireland, similar complaints have been filed in the UK, Poland, Spain, Belgium, Luxembourg and the Netherlands. Should Google be found non-compliant, it would be forced to ditch the DoubleClick/Authorized Buyers advertising system and could face a fine as much as 4% of annual turnover. Based on 2018 revenues, that figure would be $5.4 billion.

“For too long, the AdTech industry has operated without due regard for the protection of consumer data,” said Ravi Naik of ITN Solicitors, who will be representing Brave for the complaint. “We are pleased that the Data Protection Commissioner has taken action. The industry must change.”

GDPR is supposed to be a suitable deterrent for the internet economy, but without enforcement and demonstrable consequences little will change. If GDPR is to work as designed, a monstrous fine will have to be directed at someone sooner or later. Could this be the first domino to fall?

Microsoft starts ruffling privacy feathers in the US

This weekend will mark the one-year anniversary of Europe’s GDPR and Microsoft has made the bold suggestion of bringing the rules over the pond to the US.

Many US businesses would have been protected from the chaos that was the European Union’s General Data Protection Regulation (GDPR), with the rules only impacting those which operated in Europe. And while there are benefits to privacy and data protection rights for consumers, that will come as little compensation for those who had to protect themselves from the weighty fines attached to non-compliance.

Voicing what could turn out to be a very unpopular opinion, Microsoft has suggested the US should introduce its own version.

“A lot has happened on the global privacy front since GDPR went into force,” said Julie Brill, Deputy General Counsel at Microsoft. “Overall, companies that collect and process personal information for people living in the EU have adapted, putting new systems and processes in place to ensure that individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose.

“This has improved how companies handle their customers’ personal data. And it has inspired a global movement that has seen countries around the world adopt new privacy laws that are modelled on GDPR.

“Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States.”

The rules themselves were first introduced in an attempt to force companies to be more responsible and transparent in how customer data is handled. The update reflected the new sharing economies the world had sleepwalked into; the new status quo had come under criticism and new protections had to be put in place while also offering more control to the consumer of their personal data.

GDPR arrived with little fanfare after many businesses scurried around for the weeks prior despite having almost 18 months’ notice. And while these regulations were designed for the European market, such is the open nature of the internet, the impact was felt worldwide.

While this might sound negative, GDPR has proved to be an inspiration for numerous other countries and regions. Brazil, Japan, South Korea and India were just a few of the nations which saw the benefit of the rules, and now it appears there are calls for the same position to be adopted in the US.

As Brill points out in the blog post stating the Microsoft position, California has already made steps forward to create a more privacy-focused society. The California Consumer Privacy Act (CCPA) will go into effect on January 1 2020. Inspired by GDPR, the new law will provide California residents with the right to know what personal information is being collected on them, know whether it is being sold or monetized, say no to monetization and access all the data.

This is only one example, though there are numerous states around the US, primarily Democrat, which have similar pro-privacy attitudes to California. However, this is a law which stops short of the strictness of GDPR. Companies are not on the stopwatch to notify customers of a breach, as they are under GDPR, while the language around punishment for non-compliance is very vague.

This is perhaps the issue Microsoft will face in attempting to escalate such rules up to federal law; the only attempt which we have seen so far in the US is a diluted version of GDPR. Whereas GDPR is a sharp stick for the regulators to swing, a fine of 3% of annual turnover certainly encourages compliance, the Californian approach is more like a tickling feather; it might irritate a little bit.

At the moment, US privacy laws are nothing more than ripples in the technology pond. If GDPR-style rules were to be introduced in the US, the impact would be significant. GDPR has already shifted the privacy conversation and had notable impacts on the way businesses operate. Google, for example, has introduced an auto-delete function for users while Facebook’s entire business rhetoric has become much more privacy focused. It is having a fundamental impact on the business.

We are not too sure whether Microsoft’s call is going to have any material impact on government thinking right now, but privacy laws in the US (and everywhere for that matter) are going to need to be brought up-to-date. With artificial intelligence, personalisation, big data, facial recognition and predictive analytics technologies all gaining traction, the role of personal data and privacy is going to become much more significant.

Apple recognised as ‘Privacy Champion’ by techies

An anonymous survey of people working in the technology industry has crowned Apple as the privacy champion of FANG, while 78% believe it is a top priority at their own organization.

The survey was run by Blind, an anonymous social network for the workplace, which has a userbase in the hundreds of thousands, many of whom work at the world’s largest technology companies. Asking whether they believed their own organization prioritised user privacy, the results might shock a few.

Employees of technology companies were given a simple statement and offered the opportunity to add an explanation. The statement was “My company believes customer data protection is a top priority”.

Sitting at the top of the table was Apple, with 73.6% and 19.8% answering that they strongly agreed or agreed with the statement respectively. LinkedIn and Salesforce also featured highly on the list, while Google and Amazon were also above the industry average. Facebook was below the industry average while Adobe, Intuit and SAP fell way below the average with only 44.6%, 40% and 39% respectively stating they strongly agree with the statement.

Such low numbers should be a major concern, especially with lawmakers and regulators attempting to reconfigure rules to take a stronger tone with data privacy. Irrespective of whether the likes of Apple are taking privacy seriously, rules will be written for the industry as a whole; the laggards will ensure everyone has to face the sharp stick of the law.

On the FANG front, Blind users were asked whether Apple should be considered the privacy champion. 67.9% agreed with the statement, with some suggesting the business model is not based on the transfer of personal information therefore it is more secure or less of a threat. That said, Apple is fast evolving with the software and services business becoming more of a focus. It might well evolve to include some of these practices in the future.

That said, while Apple is seemingly keeping its hands clean, one person feels the company is nothing more than an enabler for the more nefarious.

“I feel Apple is no better for creating the technology that enables companies like Facebook to become no more than spying tools,” said one Intuit employee.

Although scores in the 70s could be viewed as positive, this means 20-30% of an organization’s own employees do not believe the privacy rhetoric which is being reeled off in the press by executives of the tech giants. If a company is unable to create an internal belief in privacy, it might be viewed as a worrying sign.

Europe sailing towards conflict over China 5G

Germany is drafting rules to allow Chinese companies to participate in the 5G bonanza, while the European Commission is thinking of banning them. Something’s got to give.

In terms of collective political influence and economic power, the European Union could consider itself more or less on par with the US and China. Considering the Union represents the societal, political and economic interests of 28 nations, more than 500 million people and roughly $23 trillion in GDP, it is certainly a powerful concept. But the China issue is just one example of how its neatly stitched patchwork could unravel very quickly.

China is a very tricky equation to balance right now. On one side, you have an incredibly powerful economy, a massive and increasingly wealthy population and technological advancements which could benefit almost every society. However, to access these riches you have to deal with a government which ideologically conflicts with a lot of what Europe stands for.

But this is where a potentially significant conflict lies. The European Commission is reportedly looking at how it could create a de facto ban for Chinese technology and kit in communications infrastructure, conflicting with some of its member states’ positions. The Commission is supposed to represent the interests of all its member states, creating a common framework which sits above national policies, but if these policies are a contradiction of opinions of some member states the perfect storm could be brewing on the horizon.

Germany is not talking the anti-China rhetoric

The most recent reports echoing out of Berlin will not have the US government jumping for joy. Local newspaper Handelsblatt is suggesting the German government is doing everything it can to write security protections into new regulation, however, the rules will be written in a manner which will not exclude Chinese companies.

The reports have not been confirmed by any official government spokespeople as of yet, though this does follow on from comments the Federal Office for Information Security (BSI) made in December.

“For such serious decisions like a ban, you need proof,” said Arne Schoenbohm, President of BSI.

The US will not be happy about developments here, a delegation is currently undertaking a European lobby tour to turn officials against China, though neither will the European Commission. There are several instances which indicate the European Commission is taking a similar stance against China, suggesting a bloc-wide ban could be on the cards before too long.

Aside from recent reports the European Commission is rewriting cybersecurity rules to effectively ban Chinese companies from providing technology for communications infrastructure, one of its Commissioners has also fuelled the anti-China rhetoric.

“I think we have to be worried about these companies,” Commissioner for Digital Single Market Andrus Ansip told reporters in December. Ansip was referring to companies such as Huawei and ZTE, while this statement implies the Commission believes there are strong ties between multi-national corporations and the Chinese government.

The United States of Europe argument emerging again?

With Germany seemingly working to ensure collaboration with Chinese companies remains possible, the UK creating monitoring mechanisms to enable Huawei’s work and Italy denying reports it is considering its own ban, the European Commission appears to be working in direct contradiction to some of its largest member states.

To be fair, the role of the European Commission is to serve all the states not just the big ones, but the point of the bureaucracy is to create a common framework which all agree on, not rules which are forced onto member states. Cynics of the Commission and Union in general will suggest this is perhaps more evidence of Juncker and co. attempting to create a United States of Europe, where the desires of the member states are secondary to that of the ruling party.

Although many of these conspiracy theories are generally relegated to the comment boards of the Daily Mail, the Commission might well be heading towards a monumental conflict. Any rules which are written at European Commission level would potentially render national regulations redundant, a scenario those member states would not be happy with.

Considering the shoddy state of affairs Brexit has been creating, perhaps the European Commission should attempt to create an image of co-operation and collaboration. Antagonising leading member states is not a sensible idea, while a ‘state v. Europe’ conflict over security is not something which will reflect favourably on the agency.

Is politics anything more than arguing with shiny teeth?

Caught on the fringes of this conflict and the constant political seesawing are the telcos. Governments often tell the telco industry they are there to help and enable innovation, but it seems most of the time politicians are nothing but a hindrance attempting to score PR points by pandering to buzzwords and public opinion.

With governments aiming to ban Huawei and ZTE from connectivity plans, several telcos have stepped into the fray to give their own opinion. The message seems to be relatively consistent; heighten security requirements if you must but banning a vendor in an incredibly top-heavy market will not be a good idea.

“Clearly, if there were a complete ban at radio level, then it would be a huge issue for us, but it would be a huge issue for the whole European telco sector,” Vodafone CEO Nick Read said during the latest earnings call. “Huawei probably has 35% of the market share through the whole of Europe.”

Deutsche Telekom is another who foresees any Huawei ban being nothing but problematic. The German telco has previously stated a ban on Huawei would set its 5G ambitions back two years. Several telcos are considering scaling back work with Huawei, but this is perhaps directed more towards the uncertain political climate than any outright worry regarding the security credentials of Huawei equipment.

European telcos are not dependent on Huawei equipment to function effectively, but they are somewhat reliant on it. There aren’t enough suppliers, or good-enough suppliers, to strike Huawei out of the mix. US telcos are not having to deal with this headache as their operations adapted to a lack of Huawei and ZTE years ago, but Europe is struggling with the political seesawing and story of uncertainty. Any business leader will tell you, a consolidated, cohesive and concrete regulatory landscape is critical for success.

Huawei stuck between a rock and a hard place

Huawei is a company which now has no control over its own fate.

With the US parading around political offices spreading its anti-China message without the burden of evidence, Huawei can’t do anything. Numerous governments are asking the vendor to prove its security credentials, but this will mean little if there is still suspicion. The case against Huawei is not based on evidence, but one which is based on a political and economic power struggle.

With a lack of evidence to substantiate any accusations against the firm, Huawei is being asked to do something which has been accepted as almost impossible; prove a negative. All of the questions and queries being directed at the firm have a single aim, to demonstrate there are no ties between the organization and the Chinese government, as well as its intelligence agencies.

It’s an almost impossible task, especially when you take into account the powerful influence of the US and the fact most of these decisions are being made on hearsay, circumstantial evidence and emotion. Whatever Huawei says, however much evidence is put on the table, we suspect opinions have already been made.

An issue of consistency and contradiction

In a single signature, the European Commission could throw the bloc into disarray. If the rumours evolve into reality, the European Commission could impose its own rules, contradicting the hopes and ambitions of some member states. Such a scenario would question how much control the member states have over their own society, undermining the concept of sovereignty.

Any fundamental changes would certainly have to be greenlit by all member states, but the European approach to China on the whole, and Huawei specifically, has not been entirely consistent. One question which might be worth considering is whether the European Commission is overstepping its remit.

We are almost certain Germany will not be happy being told to ban Huawei considering it seemingly wants to ensure Chinese participation in the upcoming 5G bonanza. Conflict is on the horizon, potentially pitting the European Commission against the biggest financial contributor to the bloc.

Cisco calls for US GDPR rollout

In a move which might make the networking giant quite unpopular on the US side of the pond, Cisco’s Chief Legal and Compliance Officer Mark Chandler has called for a US version of GDPR.

Having been implemented during May 2018, Europe’s General Data Protection Regulation (GDPR) is starting to make waves in the technology world. The first complaints were filed as the ink was drying on May 25, though with the first rulings starting to be announced eight months later, the implications and dangers are starting to become clear. Unless Silicon Valley wins the opening legal skirmishes, precedent will be set and disruption to the data sharing economy will be very apparent.

Considering the massive potential for disruption in the digital ecosystem, Chandler will not be making any friends in Silicon Valley by pushing the case for more focused protections on data protection and privacy. Commenting to the Financial Times, Chandler stated he believes the new regulations have worked out well and after some tweaking, the same rules should be applied in the US as well.

Of course, a legal executive from a networking company stirring the pot is unlikely to turn heads right now, the rules would not necessarily have any monumental impact on the networking infrastructure giant, but there might be a few upset individuals in Silicon Valley. For years, the internet players have effectively been able to do what they want, but GDPR sought to end this reign of freedom.

Although GDPR is an incredibly complex set of rules with more nuances than a teenage philosopher’s diary, the overall aim is pretty simple. Firstly, the user has more control over his/her personal data, and secondly, internet companies have to demonstrate a need to collect and process data, while also improving securities around these processes. And of course, there are the fines as well.

This is perhaps one of the biggest concerns of the internet giants as they can now be held accountable. Prior to GDPR, fines were feeble. For any normal company, they would be horrid, but considering the size and profitability of the likes of Facebook, Google, Amazon and Apple, any punishments dished out would take a matter of minutes or hours to pay off. GDPR allows regulators to assign fines which are relative to the size of the organization, therefore companies can now be held accountable.

While GDPR does seem to be forcing many companies to act more responsibly, the saving grace for Silicon Valley is that it is limited to Europe. The lobbyists will be fighting hard to make sure such rules do not find sympathetic ears in Washington DC, though governments do seem to be welcoming.

In India, the government is considering new rules which would tighten up protections around personal information, while the Japanese government has signed a new treaty with the European Union which extends GDPR protections of European citizens to Japan. These are two examples, though as more complaints are filed and more judges’ opinions released to the public, interest in these rules will almost certainly increase.

What you always have to consider when you read such comments is that Cisco is a B2B firm. The privacy rules are geared towards empowering the consumer and therefore would have minimal impact here. In public, many of the internet giants are calling for a revamp of privacy rules, it’s just good PR form, but they will be privately terrified of a GDPR replicant.

What is also worth bearing in mind is that the US is not as sensitive to privacy issues as Europeans are. Of course, legislators will have an eye on privacy and it will be a worry, but Europe is much more aware and condemning of the slippery practices of Silicon Valley. For years, the Californian lawyers have revelled in technology outpacing regulation, identifying grey areas and loopholes galore. However, the European regulators are attempting to make life difficult.