FTC launches investigation for privacy practices in US

The Federal Trade Commission (FTC) has issued orders to seven US broadband providers seeking non-public information to assess privacy practises.

Although this investigation is relatively broad, this might be another attempt from the US Government to get a handle on the privacy practices of the fast-evolving digital economy. Several scandals over the last 18 months have demonstrated current rules are not fit for purpose, containing too many loopholes and inadequately governing an industry which has progressed beyond the reach of bureaucracy.

The FTC has been under pressure in recent months to get a better handle on the data machines which power the digital economy, bringing in billions for the likes of Amazon and Google, but increasingly the telcos. While many fingers have been pointed at the residents of Silicon Valley, the telcos have been making money through the transfer of personal information also.

This investigation is an important step forward in creating a better understanding of the data and sharing economy, a foundation to create resilient and future-proof regulations. Some might suggest this sort of investigation should have happened years ago, but hindsight is always 20/20; who would have predicted the scale of scandals we have witnessed recently.

AT&T, AT&T Mobility, Comcast Cable Communications, Google Fiber, T-Mobile US, Verizon, and Cellco Partnership are the firms which have received the demands.

As part of the investigation, the FTC is requesting:

  • The categories of personal information collected about consumers or their devices
  • Purpose of collecting data for each of the categories
  • Methods of collecting the data
  • Policies for employees to access this data
  • Retention policies
  • What information is transferred to third-parties
  • How the data is the information is aggregated, anonymized or deidentified
  • Disclosures to customers about data collection and transfer to third-parties
  • What choices are offered to the customer
  • How accessible personal data is to the customer

As you can see, this is an incredibly broad and in-depth request, with a lot of the information being non-public. Many of the telcos who have been sent the orders will be uncomfortable releasing this information, though they’ll have no choice.

Although this is a good first step for the FTC, we would hope the investigation is broadened further in the future. More information and insight needs to be collected from the OTTs, the masters of manipulating the data-sharing economy. The telcos are small fish in this expedition, but it is progress.

All eyes from the data-sharing community will be keenly directed towards the FTC over the next couple of months. While this investigation is nothing more than a virtual pebble dropped into the digital pond for the moment, there is the potential for those ripples to grow into waves. This could be the first step towards major regulatory reform, an overdue revolution to gain a better handle on the wild-west internet economy.

Facebook reportedly facing criminal charges over data sharing

Facebook’s day started off with a major outage and, should reports turn out to be true, it is ending with the social media giant facing a criminal investigation from Federal prosecutors.

According to the New York Times, a grand jury in New York has obtained records from two smartphone manufacturers, via subpoena, which will detail the data sharing partnerships in or previously in place with Facebook. Sources has retained anonymity and it is not exactly clear who the subpoenaed parties were, though Facebook did have more than 150 such relationships in place before winding-down over the last couple of years.

Although the investigation has not been officially confirmed, it will come as a surprise to few considering the scrutiny those dominating the data-sharing economy are facing. Over the last few months, there have been numerous attempts to weaken the influence of the internet giants, with some even suggesting legal force to break-up the empires. The internet giants created a cosy position, but this is certainly under threat.

That said, while the scandals over the last 18 months might lead some to presume the practice of selling personal data would be scaled back, there seems to be little evidence of this. A recent Motherboard investigation suggests various US telcos are still reaping the benefits, and in some cases, scaling up the practice.

What is worth noting is the concept of selling personal information is not illegal, as long as the right consent has been obtained from the end user. This is what Facebook, and the third-parties who entered into such arrangements, are facing criticism for today. Accusers suggest proper content was not obtained or done so in such a complicated fashion it should not be considered valid.

The data-sharing economy is gaining validity across the world, but only when the practice is managed in a fair and responsible manner. This is what GDPR and other regulations intend to enforce. The idea is not to stop the practice, but to ensure the companies involved act in a responsible manner, with the user properly informed and in control of the situation. The data-sharing economy can work, and can benefit everyone involved, as long as no single party abuses their position.

The partnerships which are reportedly being investigated here, however, have come under criticism for some time. Privacy campaigners suggest the partnerships violate a 2011 consent agreement between Facebook and the FTC, after allegations the social media giant had shared personal information in a way that deceived users. At one point, there were more than 150 such partnerships in place, though Facebook has been phasing out most of the agreements over the last few years.

Although this is a retrospective investigation into the company, it could potentially contradict statements from CEO Mark Zuckerberg and other executives suggesting the business was being more transparent and managing user data responsibly. Facebook has been making this statement for several years. This case could prove Facebook mislead the world with these claims as well.

There is a general feeling of ‘if’ not ‘when’ here. Politicians, governments and regulators are seemingly scouring the Facebook business for any cracks, allowing them to slap a significant fine and parade the streets with a victory on behalf of consumer privacy. Facebook’s lawyers have done a pretty good job of wriggling so far, but there is a bit of a feeling the dam could burst at any point.

Google challenges France’s first swing of the GDPR stick

Google has stated it will appeal the French regulator’s decision to dish out a €50 million fine for not being forthright enough with how it collects, stores and processes user’s personal data.

For Google, this is not about the money. €50 million for Google is nothing. This is a company which generated $33.7 billion over the final quarter of 2018. It would take a matter of minutes for the team to pay off this fine. However, should this ruling be allowed to stand Google would have to alter its business model, as would the rest of the data-sharing economy, causing a very unwelcomed, and potentially costly, disruption.

“The 50 million euro fine issued by the CNIL on 21 January 2019 significantly impacts Google as it directly challenges its business model based on the processing of personal data,” said Sonia Cissé, Head of TMT Practice of law firm Linklaters in Paris.

“Considering the seriousness of the CNIL’s findings and the broad publicity of this case, a potential appeal by Google is no surprise and makes perfect sense from a legal-strategy perspective.”

On Monday, France’s National Data Protection Commission (CNIL) dished out the fine for two violations of Europe’s General Data Protection Regulation (GDPR). Firstly, the search giant was not specific enough when requesting consent from users. Secondly, for users who wanted to dig deeper into the Google data practices, the company made it unnecessarily difficult to see the entire picture. Google was being too vague and not accessible enough.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement.

This is the first time a regulator has used GDPR to hold one of the internet giants accountable, but there are plenty of other cases in the pipeline. Google is of course not the only target, as various different privacy advocates across the bloc lodge their complaints against the likes of Spotify, Amazon and Apple, just to name a few others.

In appealing this case, Google is making itself the tip of the spear for the entire internet ecosystem. There will be multiple appeals against the various rulings over the coming months because of how important precedent in this saga. If Google was to just let this ruling stand, it is effectively validating its opinion potentially undermining its own business model. If similar ruling start to appear across the continent the disruption to the data-sharing economy would be massive.

“In all likelihood, Google will challenge the CNIL’s decision on two main grounds: (i) procedural aspects (i.e., the competence of the CNIL); and (ii) the content of the case (i.e., challenging the facts),” said Cissé.

“Should Google be able to demonstrate that Google Ireland Limited was its main establishment in the European Union (EU) at the time of the CNIL’s investigations, then the competence of the CNIL could be validly challenged.

“Second, the content of the decision is another ground for action, and it will be up to the French administrative judges to determine, in light of the circumstances at stake, whether the transparency requirements under GDPR were met or not.”

GDPR is an incredibly complicated set of rules mainly because there are so many different definitions and clauses, but also certain exemptions. In most cases, companies would have to obtain consent from users to use data for explicit purposes, retaining the data only until these purposes have been satisfied. However, companies do not have to obtain consent when it is necessary to comply with another law, or there are ‘legitimate interests’. It paints a complicated picture.

Of course, for those who are more privacy sensitive, such rules and grey areas are a bounty of riches. The rules have created amble opportunity to challenge the internet giants’ business models, as well as the influence they have over the world. One of those is privacy campaigner Max Schrems.

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said following the CNIL ruling.

“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

Schrems’ firm, None of Your Business (NYOB), has filed several complaints against other internet businesses on the grounds of accessibility. Those who will come under the scrutiny of Austrian courts include Apple, DAZN, Filmmit, Netflix and Amazon. More specifically, these complaints suggest the companies violated GDPR’s ‘right to access’, enshrined in Article 15 GDPR and Article 8(2) of the Chart of Fundamental Rights.

All of these cases will dictate how the internet economy will function over the coming years, but this battle between the CNIL and Google could prove to be a critical one, such is the power of precedent in the legal world.

“In a nutshell, it is highly difficult to identify certainties regarding the outcome of Google’s appeal,” said Cissé.

“Since data protection is a field of law particularly subject to interpretation and grey areas, one cannot exclude the possibility that Google could be successful in appealing the CNIL’s decision before the French Administrative Supreme Court. In any event, the ruling of the French administrative judges will be closely monitored by all the tech companies.”