Microsoft might be toying with European data protection compliance

The European Data Protection Supervisor has raised ‘serious concerns’ over whether Microsoft is compliant with data protection regulations.

The contracts in question are between the software giant and various European Union institutions which are making use of said products. The central issue is whether contractual terms are compliant with data protection laws intended to protect individual rights across the region from foreign bodies which do not hold data protection to the same standards.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” a statement reads.

“Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.”

The preliminary findings from the European Data Protection Supervisor follow on from investigations taking place in the Netherlands and also changes to the Microsoft privacy policies for its VoIP product Skype and AI assistant Cortana. The changes were seemingly a knee-jerk reaction to reports contractors were listening to audio clips to improve translations and the accuracy of inferences.

What is worth noting is that Microsoft is not the only company which has been bending the definition of privacy with regard to contractors and audio clips. Amazon and Google have also been dragged into the hazy definition of privacy and consent.

The issue which seems to be at the heart of this investigation is one of arm’s length. While government authorities and agencies might hand over responsibility for data protection and privacy compliance to the cloud companies, the European Data Protection Supervisor is suggesting more scrutiny and oversight should be applied by said government parties.

Once again, the definition and extent of privacy principles are causing problems. Europe takes a much more stringent stance on the depth of privacy, as well as the rights which are afforded to individuals, than other regions around the world. Ensuring the rights of European citizens are extended elsewhere was one of the primary objectives of the GDPR, though it seems there are still teething problems.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data,” the statement continues.

“Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.”

One development which could result in additional scrutiny is The Hague Forum, an initiative to create standardised contracts for European member states which meet the baseline data protection and privacy conditions set forward. The European Data Protection Supervisor has encouraged all European institutions to join the Forum.

Although GDPR was seen as a headache for many companies around the world, such statements from the European Data Protection Supervisor prove this is not an area which can simply be addressed once and then forgotten. GDPR was supposed to set a baseline, and there will be more regulation to build further protections. Perhaps the fact that Microsoft is seemingly non-compliant with current regulations justifies the introduction of more rules and red tape.

Facebook faces yet another monstrous privacy headache in Illinois

Just as the Cambridge Analytica scandal re-emerged to heighten Facebook frustrations, the social media giant is contemplating a class-action lawsuit regarding facial-recognition.

It has been a tough couple of weeks for Facebook. With the ink still wet on a $5 billion FTC fine, the UK Government questioning discrepancies in evidence presented to Parliamentary Committees and a Netflix documentary reopening the wounds of the Cambridge Analytica scandal, the last thing needed was another headache. This is exactly what has been handed across to Mountain View from Illinois.

In a 3-0 ruling, the Court of Appeals for the Ninth District has ruled against Facebook, allowing for a class-action lawsuit following the implementation of facial-recognition technologies without consultation or the creation of public policy.

“Plaintiffs’ complaint alleges that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy,” the court opinion states.

“Because a violation of the Illinois statute injures an individual’s concrete right to privacy, we reject Facebook’s claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing. Additionally, we conclude that the district court did not abuse its discretion in certifying the class.”

After introducing facial recognition technologies to the platform to offer tag suggestions on uploaded photos and video content in 2010, Facebook was the subject of a lawsuit under the Illinois Biometric Information Privacy Act. This law compels companies to create public policy before implementing facial-recognition technologies and analysing biometric data, a means to protect the privacy rights of consumers.

Facebook appealed against the lawsuit, suggesting the plaintiffs had not demonstrated material damage, therefore the lower courts in California were exceeding granted responsibilities. However, the appeals court has dismissed this opinion. The lawsuit will proceed as planned.

The law in question was enacted in 2008, with the intention of protecting consumer privacy. As biometric data can be seen as unique as a social security number, legislators feared the risk of identity theft, as well as the numerous unknowns as to how this technology could be implemented in the future. This was a protectionary piece of legislation and does look years ahead of its time when you consider the inability of legislators to create relevant rules today.

As part of this legislation, private companies are compelled to establish a “retention schedule and guidelines for permanently destroying biometric identifiers and biometric information”. The statute also forces companies to obtain permission before applying biometric technologies used to identify individuals or analyse and retain data.

Facebook is not arguing it was compliant with the requirements but suggested as there have been no material damages to individuals or their right to privacy, the lawsuit should have been dismissed by the lower courts in California. The senior judges clearly disagree.

But what could this lawsuit actually mean?

Firstly, you have the reputational damage. Facebook’s credibility is dented at best and shattered at worst, depending on who you talk to of course. The emergence of the Netflix documentary ‘The Great Hack’, detailing the Cambridge Analytica scandal, is dragging the brand through the mud once again, while questions are also being asked whether the management team directly misled the UK Government.

Secondly, you have to look at the financial impact. Facebook is a profit-machine, but few will be happy with another fine. It was only three weeks ago the FTC issued a $5 billion fine for various privacy inadequacies over the last decade, while this is a lawsuit which could become very expensive, very quickly.

Not only will Facebook have to hire another battalion of lawyers to combat the threat posed by the likes of the American Civil Liberties Union, the Electronic Frontier Foundation, the Center for Democracy & Technology and the Illinois PIRG Education Fund, but the pay-out could also be significant.

Depending on the severity of the violation, users could be entitled to a single sum between $1,000 and $5,000. Should Facebook lose this legal foray, the financial damage could be in the hundreds of millions or even billions.

From a reputational and financial perspective, this lawsuit could be very damaging to Facebook.

Russian telcos push for OTT tax on new data storage laws

Russian telcos are lobbying the government to grant new powers which would allow them to tax non-domestic internet companies to ease the burden of new data storage laws.

According to Reuters, the telcos are proposing new legislation to ease the financial burden of the new laws designed to give the state more oversight on communications within the country. As part of the new rules, telcos would be forced to store customer data in the country (calls, texts, internet search history etc.) for six months. The data storage rules come into force in October.

Ahead of the October launch date, the telcos have warned the imposition would result in larger costs. To protect the pockets of shareholders and executives alike, the telcos have suggested these incurred costs for data storage would be passed on to the consumer, with tariffs potentially rising as much as 10%. Should the government look favourably on the proposed bill, telcos could seek compensation for the costs from non-domestic internet companies such as Facebook and Google.

Of course, it seems perfectly reasonable for telcos to want to spread the burden of the digital economy throughout the ecosystem; they have largely borne the brunt of the financial expense while others have profited at the top of the value chain for years. But this is a different matter. Facilitating government ambitions to more surgically monitor citizens and potentially eradicate the concept of privacy might not sit easily with the internet giants.

That said, bowing to government ambitions despite a conflict with apparent principles of the organization is a story which has been hitting the headlines recently. In an effort to penetrate the Great Firewall of China, Google has been creating a censorship-friendly version of its news app which could filter out stories which do not please the government. Google is not alone here as LinkedIn accepted these censorship rules years ago.

Other technology companies might not be as flexible as Google or LinkedIn. Those who maintain principles and refuse to fund the government’s ambitions to rid Russia of independent thought will potentially face regulator Roskomnadzor reducing the speed of access to their websites for Russian users.

This is nothing but a proposal for the moment, though should it progress, the internet companies will face another principles versus profits dilemma.