After 107 million downloads in April, TikTok faces a European privacy probe

Questions over the privacy of popular video-sharing application TikTok have been raised by Dutch authorities, but scepticism can’t slow the rapid expansion.

Although other investigations around the world are far more damning, suggesting some very nefarious activities, let’s not forget giants can be taken down by unsuspecting means. After all, Goliath was conquered by a pebble and Al Capone was felled by tax evasion charges.

“A huge number of Dutch children clearly love using TikTok,” said Monique Verdier, Deputy Chairman of the Dutch DPA.

“We will investigate whether the app has a privacy-friendly design. We’ll also check whether the information TikTok provides when children install and use the app is easy to understand and adequately explains how their personal data is collected, processed and used. Lastly, we’ll look at whether parental consent is required for TikTok to collect, store and use children’s personal data.”

The investigation will focus on whether TikTok effectively protects the privacy of Dutch children, and whether any changes would need to be enforced on the company through regulation. As with every other investigation, this probe from the Dutch could shed light on certain aspects of operations which could have a domino effect.

While TikTok was thrust on the world to much consumer enthusiasm last year, the momentum has certainly continued through 2020 and has perhaps been compounded by lockdown protocols currently in place around the world.

Most downloaded apps (non-gaming) during April 2020 – Global

Rank  Overall     App Store         Google Play
1.    Zoom        Zoom              Zoom
2.    TikTok      TikTok            TikTok
3.    Facebook    Google Meet       Facebook
4.    WhatsApp    Microsoft Teams   WhatsApp
5.    Instagram   Netflix           Aarogya Setu

Source: Sensor Tower

With more entertainment needed by those taking part in enforced lockdown, there has been a surge in interest in numerous categories, but social media and content streaming applications are close to the top of the list. TikTok has benefitted from these tendencies, but also endorsements from numerous celebrities around the world.

Over the weekend, Anthony Hopkins challenged Sylvester Stallone and Arnold Schwarzenegger to a dance-off on the platform with Drake’s Toosie Slide.

With more and more celebrities embracing the platform, everyday consumers will be encouraged, especially during a period of boredom. This might be seen as a worrying trend to US politicians who are attempting to dilute the influence China and its companies have on global societies and economies.

Last October, Republican Senator Tom Cotton and Senate Minority Leader Chuck Schumer wrote to the Acting Director of National Intelligence, Joseph Maguire, to formally request an investigation into TikTok, questioning whether it is a threat to national security as the application’s developer ByteDance could be coerced into collaborating with the Chinese Government.

A few days later, Senator Josh Hawley also introduced a new bill, known as the National Security and Personal Data Protection Act (S.2889), which would force foreign technology companies to store data locally.

This would provide some protections to US consumers but would also open up the political class to a barrage of complications as the US has been attempting to punish countries who enforce data localisation rules on US companies. India is one of these nations at loggerheads with the US, and while many would attempt to avoid such complications, hypocrisy and irony seem to be completely lost on the current political administration.

TikTok has escaped much scrutiny over the last few months, though this is perhaps due to other areas demanding more attention. The application might be enjoying success for the moment, but we suspect it is not clear of privacy investigations just yet.

Europe’s GDPR blasted for underinvestment and enforcement

Open source web browser Brave has directed weighty criticism towards European Governments for failing to equip data protection agencies and enforce GDPR rules.

With the release of a white paper and the filing of a complaint to the European Commission, Brave has directed weighty criticism to all Governments and agencies involved in upholding the privacy and data protection rights afforded through the implementation of GDPR. In short, the Governments are not directing enough money towards the data protection authorities to enforce GDPR.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, Chief Policy & Industry Relations Officer at Brave.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

Brave does of course benefit from disruption to the status quo of the internet economy, though there are some valid points being made. Aside from a few examples, the rhetoric from posturing politicians and tiresome bureaucrats on the importance of data protection does not seem to have translated into action.

For all the good work which has been done in creating a regulatory framework to elevate data protection and privacy in today’s society, if the relevant authorities are not enforcing the rules it means nothing.

As Brave points out in the complaint, Article 52(4) of the GDPR (Regulation 2016/679/EU) and Article 41(1) of the Law Enforcement Directive (Directive 2016/680/EU) require that national governments give data protection authorities the human and financial resources necessary to perform their tasks.

Looking at the research presented by Brave, it would appear Governments are failing to adhere to these rules.

How well funded are the data protection authorities? (annual budget, 2019/20)

Nation        Budget
UK            €61.0 million
Italy         €30.1 million
Germany       €26.8 million
Netherlands   €18.6 million
Ireland       €16.9 million
Spain         €16.5 million
Sweden        €10.3 million
Poland        €9.4 million
Greece        €3.1 million
Austria       €2.3 million
Romania       €1.3 million
Estonia       €0.8 million

This is just a snapshot of budgets across the continent. Some countries might look suitably funded, but only in comparison to the other end of the scale. It also appears that some of these agencies are treated as something of a profit centre by Governments.

In the UK, for example, the data watchdog the Information Commissioner’s Office (ICO) is funded by data protection fees, a fee which is applicable to every organisation or sole trader who processes personal information in the UK. For 2019/20, the ICO budget from these fees totalled £46,560,000. The authority is also the recipient of £4,626,000 of Government funding.

What is worth noting, however, is that any fine which is given by the ICO for data protection or privacy violations is directly paid to Her Majesty’s Treasury. None of these funds are used to further enhance the powers of the ICO or employ additional experts. The ICO currently employs 22 technology specialists of a total staff of more than 600.

So far, the ICO has issued some substantial fines:

Company                   Fine        Reason
Cathay Pacific            £500,000    Data breach
DSG Retail                £500,000    Lack of security during cyber-attack
Life at Parliament View   £80,000     Inadequate cybersecurity
Bounty                    £400,000    Sharing personal information illegally

These are the relevant fines from the last 12 months, though it should also be noted that they were all cases where the incident occurred before the introduction of GDPR, when the maximum fine was £500,000. In the Cathay Pacific incident, had the breach occurred after GDPR took effect, the fine could have been up to 4% of annual turnover, some £460 million.

Currently, the ICO has 56 cases under investigation, making it one of the busier data protection authorities, but by no means the busiest. That crown belongs to Ireland, where the annual budget of the data protection authority, the DPC, is €16.9 million.

The DPC in Ireland currently has 21 staff who are specialist tech investigators to evaluate the 127 cases which are running. The DPC is the lead data protection authority for complaints against the likes of Facebook, Google, Apple, Intel, IBM and numerous other tech giants owing to their corporate HQ being in Dublin.

€16.9 million should not be seen as an adequate budget to oversee that many GDPR cases or hold the internet giants accountable. These companies could lodge numerous appeals or filings to prolong the legal proceedings, bleeding the DPC dry and severely inhibiting its ability to maintain GDPR principles in Ireland, as well as its ability to ensure the internet giants are held accountable.

In this example, it is very difficult to levy all of the criticism towards Ireland. As the DPC is being asked to be the champion for all of Europe, fighting against some of the companies who are presumably the worst data protection and privacy offenders, contributions should be enforced from other member states to build this authority. €16.9 million is quite frankly pathetic when the DPC is effectively being asked to take on Silicon Valley.

Across Europe, the Brave research suggests there are only 305 technology specialists working for the data protection authorities. Only six have more than 10 specialist tech investigation staff, seven have two specialists or less and half of all authorities have annual budgets less than €5 million.

EU GDPR was a regulatory evolution which was very much needed in 2018. It created rules which were fit-for-purpose in the current digital society, but this means nothing if Governments are not doing what they should to create the agencies to enforce the rules.

Brave might be looking to throw a cat amongst the bureaucratic pigeons for its own gain, but it is not wrong. Governments are failing.

EU data watchdog asks for single, pan-European COVID-19 app

European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski has requested nations work together through a single app to track the spread of COVID-19.

With several nations, including Wiewiorowski’s home country Poland, creating apps for Government authorities and consumers to track the spread of COVID-19, the digital economy is searching for solutions. But there are questions as to whether this is being done in the most effective manner.

“Given these divergences, the European Data Protection Supervisor calls for a pan-European model ‘COVID-19 mobile application’, coordinated at EU level,” said Wiewiorowski. “Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.”

Not only would a pan-European approach add more depth to the data, it would also ensure more eyes are evaluating a single data set rather than several fragmented national ones. Another benefit for Wiewiorowski and his team at the EDPS office is that there is less opportunity for data protection rules to be sidestepped.

Wiewiorowski has spoken about the right to data protection not being an absolute right, but one which should be balanced against the context of societal need. Today, more sensitive data should be opened up for analysis because of substantial public interest. This is how GDPR has been designed; to allow for the necessary and validated application of data analysis.

This is why having a single, pan-European app is more attractive than several different ones. The impact on data protection and privacy principles can be managed more effectively, but also reversed once the crisis has passed. This is a very important element of the opinion which has been offered by Wiewiorowski.

Data is critical to fight the coronavirus outbreak, but any measures taken at European or national level should be:

  • Temporary to deal with the outbreak
  • Limited to specific purposes
  • Access should be limited to specified individuals
  • A route back to normality should be planned, including the deletion of data

This is the most important part of the EDPS opinion; the collection and analysis of sensitive information is for the benefit of society. The heightened activities should only be in place because there is a heightened state of requirements. This should not be considered normal, and access should be deescalated once the crisis has passed.

How this process is managed is critical. Taking powers away from authorities is very difficult once they have become accustomed to them, therefore the wind-down will have to be defined very carefully. The apps to track the spread of the virus are very useful today, but the same applications could be twisted to very nefarious ends quite easily. Such insight should not be considered normal and, at any other time, would be considered a very dangerous blow to privacy.

This is one area which Wiewiorowski is keeping an eye on, but he is not alone.

“Now more than ever, EFF is dedicated to ensuring that technology supports freedom, justice, and innovation for all the people of the world,” Electronic Frontier Foundation has said in a blog post. “As our society struggles with how to protect public health, we must carefully consider how all manner of government and private decisions may impact our digital rights.”

Data is critical to combatting the coronavirus outbreak, but a careful eye has to be kept on whether the concessions made are eroding long-term privacy rights. The consumers cannot be net-losers from COVID-19.

European Data Protection Supervisor: Data sharing to combat COVID-19 is legit

After suggestions there might be some suspect data sharing going on to combat the coronavirus outbreak, the European Data Protection Supervisor has said it is within the rules.

The European Commission’s Internal Market chief Thierry Breton has been one of the busier bureaucrats in recent times. Last week, Breton’s calendar showed meetings with Walt Disney, Netflix and Google to ‘preserve the smooth functioning of the internet’, and this week it appears the telcos are on the speed-dial.

This week, meetings with the major European telcos have been on the agenda to discuss ways and means to which data can be used to combat COVID-19. The collection and analysis of anonymised and aggregated geo-location data is one proposed initiative which the telcos can help with.

There might be some concerns about the legality of the proposed ideas, though European Data Protection Supervisor Wojciech Wiewiórowski has attempted to calm fears.

“Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics,” Wiewiórowski said in an open letter to Roberto Viola, Director-General of DG CNECT.

“I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.”

While previous generations have had to go by educated assumptions to combat the spread of such pandemics, today data is one of the most valuable tools. Insight on how citizens are moving around the country can inform on the success of self-isolation demands or give clues as to where the next viral hotspot might be. Information is critical in creating the most effective response to a pandemic which caught the world by surprise.

However, the presence of coronavirus does not give authorities a blank cheque to do whatever they please; rules and regulations to protect the interest of the citizen and mitigate the risk of abuse have to be adhered to.

Sophie in’t Veld, a Dutch Member of the European Parliament, is one such person to have raised concerns.

Writing to Internal Market chief Thierry Breton, in’t Veld wanted reassurances to ensure data would be and remain anonymised, including asking how this would be done, whether the European Data Protection Supervisor has been consulted for an opinion and how the Commission will respond to academic criticism that the collection of geo-location data will not offer benefits as it is not specific enough.

Breton responded to the letter from in’t Veld in satisfactory fashion, but also added that all data collected during this initiative would be deleted once the COVID-19 outbreak is in the past. Adding to Breton’s reassurances, the opinion of the European Data Protection Supervisor further validates the actions from authorities.

In the opinion, European Data Protection Supervisor Wiewiórowski states:

  • Effectively anonymised data fall outside of the scope of data protection rules, assuming the protections applied are resilient enough
  • Should third parties be used for the purposes of collection or analysis, the Commission should ensure appropriate protections are applied
  • Data obtained should be deleted as soon as the current emergency comes to an end

Should the conditions mentioned above be met, Wiewiórowski believes the European Commission should be able to act within the boundaries of data protection rules and regulations.
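The first EDPS condition above hinges on the anonymisation being "resilient enough". What that means for operator location data is, in practice, aggregation: pings are snapped to coarse cells and time windows, counts of distinct subscribers are published rather than the pings themselves, and any cell with too few people in it is suppressed, because a count of one is a person, not a statistic. The script below is an added example written for this page, not code from the EDPS, the Commission or any operator; the cell size (0.01 degrees, roughly 1 km) and the threshold k=10 are assumptions, and all pings are constructed.

```python
"""Aggregate location pings into (cell, hour) counts with small-cell suppression.

Added example, not from the original article. Grid size and k are assumptions;
the sample pings are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ping:
    subscriber: str  # pseudonymous id as an operator would hold it (constructed)
    lat: float
    lon: float
    hour: int        # hour of day, 0-23


def cell_of(lat: float, lon: float, size_deg: float = 0.01) -> tuple:
    """Snap a coordinate to a grid cell of size_deg degrees (about 1 km at 0.01)."""
    return (math.floor(lat / size_deg), math.floor(lon / size_deg))


def aggregate(pings, k: int = 10, size_deg: float = 0.01):
    """Count distinct subscribers per (cell, hour); keep only cells with >= k.

    Counting distinct subscribers rather than raw pings stops one chatty
    handset from inflating a cell. Dropping cells below k is what prevents a
    lone person in an otherwise empty cell from being singled out, which is
    the failure mode a 'heat map' of raw counts would expose.
    Returns (kept, dropped): kept maps (cell, hour) -> count, dropped lists
    the suppressed keys so the suppression itself can be audited.
    """
    seen = defaultdict(set)
    for p in pings:
        seen[(cell_of(p.lat, p.lon, size_deg), p.hour)].add(p.subscriber)
    kept = {key: len(subs) for key, subs in seen.items() if len(subs) >= k}
    dropped = [key for key, subs in seen.items() if len(subs) < k]
    return kept, dropped


def sample_pings():
    """Constructed input: twelve subscribers in a town-centre cell at 08:00 and
    one subscriber alone in a rural cell at the same hour."""
    crowd = [Ping(f"sub-{i:03d}", 52.3702 + i * 0.0001, 4.8952, 8) for i in range(12)]
    loner = [Ping("sub-999", 52.905, 5.405, 8)]
    return crowd + loner


def main():
    kept, dropped = aggregate(sample_pings(), k=10)
    for (cell, hour), n in sorted(kept.items()):
        print(f"cell={cell} hour={hour:02d} subscribers={n}")
    print(f"suppressed cells: {dropped}")


if __name__ == "__main__":
    main()
```

Note what the output does and does not contain: the published dictionary carries cells, hours and counts, never a subscriber id, and the rural cell with a single subscriber is suppressed rather than released with a count of one. Suppression on its own is not a complete defence (differencing two releases, or one release against an adjacent time window, can still reveal small changes), which is why the EDPS condition on deleting the data once the emergency ends matters as much as the anonymisation itself.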

What should be taken into account is whether such processes are deemed legitimate under other laws.

“The data is anonymised so its use is in compliance with UK and EU data privacy laws, but it may still be an infringement of the human right to privacy under the Human Rights Act,” said Toni Vitale, Partner and Head of Data Protection at JMW Solicitors.

“A lot depends on how the data is used. If it is limited to creating heat maps showing where people are congregating, that might be OK. Some shopping centres already do this to show where shoppers are. This is useful to plan exits, where the cafes should be placed etc. Location data is commonly scraped from mobiles without users being aware.”

Little attention has been paid to whether the collection of personal information on this scale is a violation of the Human Rights Act, though one would hope the appropriate protections have been put in place. Data could hold the key to mitigating the worst impacts of COVID-19, so the European Commission should be applauded for its attempts to be as informed as possible.

Aussies sue Facebook over Cambridge Analytica scandal

Facebook might have thought the headaches of the Cambridge Analytica scandal were firmly in the rear-view mirror, but the Australian Information Commissioner has different ideas.

After 311,127 Australians got caught in the data harvesting saga, the Australian Information Commissioner has finally got to the point where it believes legal action is appropriate. As the This is Your Digital Life app misled users as to how the data collected was being used, the Commissioner believes Facebook and Cambridge Analytica are in breach of the Privacy Act 1988.

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed. Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.

“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.”

In disclosing the personal information of 311,127 Australian users to Cambridge Analytica, the Australian Information Commissioner believes Facebook to be in violation of Australian Privacy Principle 6. This is because many of the users did not download the app themselves, and therefore did not consent. It is also alleged Facebook failed to protect its users’ personal information from unauthorised disclosure, violating Australian Privacy Principle 11.

While it is not a new revelation, the Australian Information Commissioner is holding Facebook accountable on transparency grounds. The maximum penalty for breach of Australian privacy laws is $1.7 million for each violation.

Although this is unlikely to be welcome news in the Facebook offices, it is of course not the first fine the social media giant has had to deal with in regard to Cambridge Analytica. In the UK, the Information Commissioner’s Office (ICO) levied a £500,000 fine on Facebook, while it took a record $5 billion settlement with the Federal Trade Commission (FTC) to resolve a government investigation into its privacy practices.

FCC proposes $200 million fine for location snooping telcos

The four major MNOs each face the threat of a weighty fine, collectively totalling more than $200 million, for helping third parties stalk customers.

Thanks to all four of the national US telcos selling customer location data to third parties over a sustained period of time, the FCC has proposed fines supposedly proportionate to the impact. While there are justified and responsible means for third party companies to use telco location data, this was certainly not one of them and the telcos have been found guilty of not protecting the data privacy rights of customers.

“American consumers take their wireless phones with them wherever they go,” said FCC Chairman Ajit Pai. “And information about a wireless customer’s location is highly personal and sensitive.

“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that.”

The proposed fines are as follows: AT&T is potentially liable for $57,265,625, Verizon $48,318,750, T-Mobile US $91,630,000 and Sprint $12,240,000. What is worth noting is that it appears the investment community has been buoyed by the figures presented by Pai.

Telco         Close, Friday 28 February   Pre-market, at time of writing
AT&T          35.22 (-1.43%)              35.66 (+1.25%)
Verizon       54.16 (-1.63%)              54.52 (+0.66%)
T-Mobile US   90.16 (-1.18%)              91.05 (+0.99%)
Sprint         9.19 (-1.08%)               9.35 (+1.74%)

The final hours of trading for the telcos were hardly the most profitable for the industry, though as the proposed fines emerged over the weekend there has been recovery. There may well of course be other factors, but it does appear the investment community believed these fines could have been larger.

Privacy red flags were raised here following an article in the New York Times which claimed a Missouri Sheriff named Cory Hutcheson was making use of location finding services from Securus without the appropriate legal authority. Instead of uploading documents such as a search warrant, irrelevant documents were uploaded such as health insurance policies and pages from Sheriff training manuals. What soon emerged from the eventual investigation was a slurry of abuse and the development of a nefarious industry.

“This investigation is a day late and a dollar short,” said FCC Commissioner Jessica Rosenworcel.

“Our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. It did not get that here – not from our nationwide wireless carriers and not from the Federal Communications Commission. For this reason, I dissent.”

While it is hardly unusual for Democrat Rosenworcel to oppose the actions of a Republican controlled FCC, there is a valid point being made, despite it being somewhat lost in the immaturity of US politics. Firstly, the fines probably do not match the profits made or negligence from the telcos. Secondly, Pai elected to ignore action for far too long. And finally, the amount of redacted information in the documents blur the picture, protecting the reputations of the guilty telcos.

Commissioner Geoffrey Starks, another Democrat, has painted another very similar gloomy picture, also choosing to dissent to large swathes of the FCC process. The condemning tone is hardly surprising, but the FCC does not look the most competent coming out of this saga.

When the initial suspicions were raised, nothing was done. When it appeared the practice was still largely continuing, actions were meek. The investigation took too long and the fine does not necessarily look proportionate. Not only did these telcos mislead the regulator, they broke the law, lied to customers and profited for at least five years from the practice.

Under the leadership of Ajit Pai, the FCC has taken a much more hands-off approach to regulation of the telco industry, allowing business to be business. But there are more and more examples of private industry, not just the telcos, demonstrating they are not responsible enough to act independently within the parameters of responsibility.

Tinder comes under the scope of Irish GDPR watchdog

Dating apps have forever changed the way millennials find relationships (for however long they last…) but Tinder has found itself under the scrutiny of the Irish regulator.

The dating trailblazer has found itself alongside serial privacy offender Google as the focal point of an investigation from the lead European GDPR regulator, the Irish Data Protection Commission. The question is whether MTCH Technology Services, the Match Group company responsible for Tinder, complies with GDPR in how it processes user data.

“The identified issues pertain to MTCH Technology Services Limited’s ongoing processing of users’ personal data with regard to its processing activities in relation to the Tinder platform, the transparency surrounding the ongoing processing, and the company’s compliance with its obligations with regard to data subject rights requests,” a statement from the regulator said.

Interestingly enough, a recent investigation from the Norwegian Consumer Council (NCC) suggested several dating apps such as Grindr, OkCupid, and Tinder might be breaking GDPR. The investigation suggested nine out of ten of the most popular dating apps were transmitting data to ‘unexpected third-parties’ without seeking consent from users, potentially violating GDPR.

As these applications collect sensitive information, including sexual preferences, behavioural data and location, there could be quite the backlash. The Irish Data Protection Commission will investigate how this information is processed, whether it is then transmitted to third parties and whether the developers are being transparent enough with their users.

Alongside the Tinder investigation, the Irish watchdog is also investigating a regular target of the privacy enforcement community, Google.

Once again, transparency is the key word here, as it so often is when one of the Silicon Valley residents is placed under the microscope. The authority will hope to understand how Google collects and processes location data, while also seeing whether it has been effectively informing users prior to obtaining consent.

Google is seemingly constantly under the scrutiny of one regulator or another due to the complex web that is its operations. No-one outside of Google genuinely understands every aspect of the business, therefore a new potential privacy scandal emerges every so often as the layers of complexity are pulled back. In this investigation, it is not entirely clear what product or service is the focal point.

What is worth bearing in mind is that any new privacy investigations are most likely to focus on conduct which post-dates the introduction of GDPR in May 2018. Anything prior to this, for example the Equifax leak or the Yahoo hack, would not have been subject to the same financial penalties.

For the Tinder and Google investigations, any wrongdoing could be punished with a fine of up to €20 million or 4% of global annual turnover, whichever is greater. We haven’t seen many of these fines to date because of the timing of the incidents or investigations, but regulators might well be looking for a case to prove there is a bite behind the regulatory bark, a means to scare corporates into action and proactive security measures.

An excellent example of this enforcement concerns Facebook and the Cambridge Analytica scandal. The investigation into potential GDPR violations takes into account several different things: the incident itself, security procedures and features, transparency with the user and assistance with the investigation, to name a few. Facebook did not cover itself in glory and was not exactly helpful during the investigation; CEO Mark Zuckerberg refused to appear in front of a Parliamentary Committee in the UK when called upon.

As this incident occurred prior to the introduction of GDPR, the Information Commissioner’s Office in the UK was only permitted to fine the social media giant £500,000. Facebook’s annual revenue for 2013, when the incident occurred, was $7.87 billion. The maximum penalty which could have been applied under GDPR would have been $314 million.

Although the potential fines have been well-documented, until there is a case to point to most companies will push the boundary between right and wrong. Caution is generally only practised when the threat of punishment is followed through to make an example.

Privacy International leads revolt over Android ‘bloatware’

Privacy International is leading a coalition of more than 50 organisations demanding Android owner Google offers users the opportunity to delete any and every app from their device.

On almost every device, there are several apps which are relatively redundant and useless. Unfortunately for the user, these applications, known as ‘bloatware’, cannot be removed by normal means. The open letter spearheaded by Privacy International is calling for Google to end the practice, allowing users complete control over what applications are kept on the device.

“We, the undersigned, agree with you [Google CEO Sundar Pichai]: privacy cannot be a luxury offered only to those people who can afford it,” the letter states.

“And yet, Android Partners – who use the Android trademark and branding – are manufacturing devices that contain pre-installed apps that cannot be deleted (often known as ‘bloatware’), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent.”

‘Bloatware’ applications are largely harmless on the surface. Generally, they sit there not doing much, but the issue being raised by Privacy International and its followers is what is going on in the background.

Quoting a paper written by several academics, the coalition claims these applications collect data in the background, largely without the knowledge of the user, and also hold ‘privileged custom’ permissions which would not usually be granted by the Android security framework. These permissions include access to the device’s microphone and camera.

Interestingly enough, the paper also claims the devices carry the ‘Google Play Protect’ badge but 91% of these applications do not appear in the Google Play Store. This could be a way to get around the strict privacy protections which are implemented by Google and therefore undermines the integrity of the ‘Google Play Protect’ credentials.
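A practitioner auditing a handset for the pattern described above wants three facts per package: is it a system (pre-installed) app, did it come through the Play Store, and which sensitive runtime permissions does it hold. All three are visible in `adb shell dumpsys package` output. The script below is an added example for this page, not code from Privacy International or the cited paper: it parses a constructed excerpt modelled on the dumpsys format (field names and layout vary between Android versions, so treat the regexes as illustrative), flags system packages that were not installed by `com.android.vending` and hold camera, microphone, location, contacts or SMS permissions, and prints the `pm uninstall -k --user 0` command that removes such an app for the primary user without touching the read-only `/system` copy.

```python
"""Flag pre-installed Android apps holding sensitive permissions.

Added example, not from the original article. SAMPLE_DUMP is a constructed
excerpt in the shape of `adb shell dumpsys package`; the SENSITIVE set is an
assumption about which permissions are worth flagging.
"""
import re

SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}
PLAY_STORE = "com.android.vending"

# Constructed, modelled on dumpsys output: one vendor system app with camera and
# microphone, one ordinary Play-installed app, one core system app.
SAMPLE_DUMP = """\
Packages:
  Package [com.vendor.weatherwidget] (3a1f9c2):
    userId=10087
    codePath=/system/priv-app/WeatherWidget
    installerPackageName=null
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ SYSTEM_FIXED ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ SYSTEM_FIXED ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (7b2e4d1):
    userId=10112
    codePath=/data/app/com.example.notes-1
    installerPackageName=com.android.vending
    flags=[ HAS_CODE ALLOW_BACKUP ]
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.android.settings] (0c9d8e7):
    userId=1000
    codePath=/system/priv-app/Settings
    installerPackageName=null
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false enabled=0
"""

PKG_RE = re.compile(r"^  Package \[([^\]]+)\]", re.M)
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)", re.M)
FLAGS_RE = re.compile(r"^\s+flags=\[([^\]]*)\]", re.M)  # package flags, not per-permission flags


def parse_packages(dump: str) -> dict:
    """Return {package: {codePath, installer, flags, granted}} from dumpsys-style text."""
    result = {}
    heads = list(PKG_RE.finditer(dump))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        body = dump[m.end():end]
        code_path = re.search(r"codePath=(\S+)", body)
        installer = re.search(r"installerPackageName=(\S+)", body)
        flags = FLAGS_RE.search(body)
        result[m.group(1)] = {
            "codePath": code_path.group(1) if code_path else "",
            "installer": installer.group(1) if installer else "null",
            "flags": set(flags.group(1).split()) if flags else set(),
            "granted": {p for p, g in PERM_RE.findall(body) if g == "true"},
        }
    return result


def flag_bloatware(packages: dict, sensitive=SENSITIVE) -> list:
    """System packages not installed via the Play Store that hold a sensitive permission."""
    findings = []
    for name, info in sorted(packages.items()):
        if "SYSTEM" not in info["flags"] or info["installer"] == PLAY_STORE:
            continue
        hits = sorted(info["granted"] & sensitive)
        if hits:
            findings.append((name, hits))
    return findings


def removal_commands(findings: list) -> list:
    """`pm uninstall -k --user 0` removes the app for the primary user (it stops
    running and disappears from the launcher) while the /system copy stays."""
    return [f"adb shell pm uninstall -k --user 0 {name}" for name, _ in findings]


def main():
    findings = flag_bloatware(parse_packages(SAMPLE_DUMP))
    for name, perms in findings:
        print(f"{name}: {', '.join(perms)}")
    for cmd in removal_commands(findings):
        print(cmd)


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would add. Removing for user 0 is not deletion: the app returns after a factory reset and can be re-enabled with `adb shell cmd package install-existing <pkg>`, which is exactly the gap the open letter's first demand targets. And a dump taken from a real device has many more fields than the excerpt here, so verify the regexes against your own Android version before trusting the results.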

The letter is calling for several changes to the dynamic, most notably:

  • Users should be able to permanently delete any application
  • Pre-installed apps should face the same scrutiny as other apps
  • Pre-installed apps should have some sort of update mechanism
  • Google should refuse to certify devices unless manufacturers make changes to reinforce privacy credentials and protections

What is worth noting is that Privacy International and other such organisations are lobby groups which often paint an apocalyptic view of the digital economy. Google can never do anything right in the eyes of this community.

That said, Google is often in hot water over privacy concerns.

Numerous executives have penned blog posts and opinion articles to push the importance of privacy both as a concept and an internal company value of Google. However, the odd scandal often emerges to undermine these PR efforts.

In November, Amnesty International suggested Google was implementing strategies to abuse the privacy rights of individuals. Google’s virtual assistant is under investigation after it emerged humans were reviewing transcripts of conversations recorded by its smart speaker without the consent of the user. In July, International Computer Science Institute (ICSI) researchers said numerous apps could easily circumvent Android’s privacy protections. The Google smart city initiative, Sidewalk, has also come under some intense privacy criticism.

What is clear is that Google’s actions and the relationships which it has in place are always of benefit to it as an organisation. The presence of ‘bloatware’ is by design, not an oversight, therefore Google will only begrudgingly back-pedal on the current dynamic. It may well be forced to under the weight of public criticism, but there will be plenty of rolls of the dice before it does.

Facebook gets a thumbs-up from privacy officials

The Advocate General to the Court of Justice of the European Union (CJEU) has said Facebook is not in violation of privacy rules in transferring data to US servers.

In a rare sign of approval from privacy officials, Facebook has won the backing of Advocate General Saugmandsgaard Øe, who has confirmed Facebook Ireland is acting legally by sending data to servers located in the US. The opinion from Øe is in connection with a lawsuit filed by Austrian privacy advocate Max Schrems.

Removing all the legal jargon, Øe’s opinion is that there are adequate protections in place to ensure the rights of European citizens are maintained in the event data is transferred from Facebook’s Irish servers to be processed in the US. Agreements have been signed between the two parties which contain contractual clauses to enforce the privacy rights of European citizens.

Although this is the opinion of the Advocate General and not binding for the CJEU, it is a very positive (and perhaps surprising) note for a company which so often flirts with privacy controversy.

For Schrems, this is not the most encouraging of signs. The CJEU is not bound by Øe’s opinion, but the court rarely holds a different view to such high-ranking officials.

The court case in question was initially filed by Schrems, the man largely responsible for the downfall of the Safe Harbour mechanism dictating trans-Atlantic data transfer, in 2015. Schrems argued that in light of privacy violations highlighted by Edward Snowden, the Irish data protection authorities were falling short of their own responsibilities. As it had been proven intelligence agencies were spying on citizens, Schrems argued it was not possible to maintain the privacy rights of European citizens if data is transferred to the US.

With the downfall of Safe Harbour, the mechanism that deemed protections were being upheld in the US, big questions were being asked. Schrems suggested that even with the contractual clauses in place, protections could not be maintained and there was little justification to transfer data to US servers in the first place.

Øe’s opinion disagrees with these assertions. Firstly, the ‘exporter’ has put appropriate protections in place, and secondly, the US Government is entitled to process some data under the banner of national security.

Schrems has been fighting Facebook and other internet platforms for years in an attempt to stop the flow of information across the Atlantic. He and other privacy advocates suggest this information is being used to aid US intelligence agencies in snooping on European citizens. While his actions certainly were successful in bringing down Safe Harbour, he has been less successful in arguing the invalidity of the replacement mechanism, Privacy Shield.

Data protection is, and will continue to be, a significant talking point in the increasingly digital world, though this is a case which will add some confidence in the internet platforms so many people blindly trust. The new digital world needs people like Schrems to hold Big Tech accountable, though it does appear this is a case where the internet giants are on the right side of the line.

MyData signs on first Finnish operator as battle for consumer data rights rages

MyData is not a company which many would have heard of, but it is one everyone should start to take notice of.

The concept of MyData is quite simple. This is a non-profit organisation which acts as the middleman to collect and manage consumers’ personal information and data. It is a single point of contact where a consumer can manage the flow, depth and breadth of personal data which is flowing across the digital world.

Companies who are betting big on the data-driven world of tomorrow will not like organisations like MyData. This is an organisation which aims to take control of the data-driven digital world and hand it to the consumer.

This might sound like blue-sky thinking, but in signing up Finland’s first operator, Vastuu Group, the idea is starting to spread.

“In today’s data-driven world it is important that the use of personal information is fluent and human-centric,” said Vastuu Group’s Deputy CEO Mika Huhtamäki. “Vastuu Group is a founding member of MyData Global network. We want to build co-operation between different MyData operators and enhance sustainable data-based business.”

For the consumer, this is a very interesting and beneficial idea.

As it stands, the world is not educated on the dangers of the internet. There are still a vast number of unknowns, both in terms of how users could endanger themselves and what the consequence of lost/stolen/copied personal data actually is. Because of these unknowns, few people are appropriately guarded when engaging with the digital economy.

For example, your correspondent has recently downloaded an app called ‘WalkIn’, which allows the user to digitally stand in the queue at restaurants which do not allow bookings. It is a very good idea, though only when researching this article did your correspondent dig into the terms and conditions to understand where the collected personal information was heading and what it was being used for.

In this example, there was little consequence. WalkIn Limited is a company run out of Manchester, and while it collects far more information than necessary for the app to perform effectively, it does not look to be engaging in any nefarious data sharing practices (although this is very difficult to judge on the surface).

This illustrates a point. How many applications have been downloaded by an individual without checking into who the developer is, what information is being collected and where it eventually ends up? We suspect 99.99% of downloads (if not more) would fall into this category.

Firstly, the user is not aware of the breadth, depth and type of personal information which is being handed over. And secondly, as few people could remember every single app they have ever downloaded, tracing this information to understand the consequences will be incredibly difficult.

With companies like Vastuu acting as guardians of personal information for the consumer, it is a logical step to improve the safety of the internet and the digital economy. With the creation of a new business model, “Authorisation as a Service”, companies like Vastuu will be a central point for that consumer, allowing data to be tracked and for the companies who want to make use of it, to be held accountable.

Theoretically, this is an attractive proposition for the health of the digital consumer, but for it to work, the developer community will also need to be engaged. This might be a bit trickier.

Data-driven technology companies are difficult beasts to pin down, especially those in the app economy. Few people would recognise the name of developer organisations, but these companies control the personal information of unknown numbers of people. Such is the embryonic stage of regulating the digital economy, the concept of auditing and reporting on personal information which is being held is almost non-existent. These companies have to prove they are safe-guarding it properly, but few people peer inside the walled gardens.

This dynamic is largely by design. Facebook builds incredibly detailed profiles on its users to serve the advertiser, and it is not alone here. Sky in the UK has a platform called AdSmart which allows you to target adult women with two children, living in a second-time-mortgaged semi-detached home in south-east London with a two-year-old BMW in the drive. Other developers sell information on to parties whose ambitions are a bit more nefarious than promoting the latest lipstick shade.

In any case, sceptics and critics of the current digital economy will suggest these companies want to muddy the waters, as some consumers might retaliate and refuse to engage when the curtain is drawn back on the data wizard. There is probably an element of truth to this, which perhaps explains why data intermediaries like MyData are not commonplace today.

MyData is an organisation which has the power to do immense good in the digital economy, but it will not be a simple path to success.