Privacy International lines up US firms for GDPR breaches

UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.

The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).

“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.

“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged.”

The GDPR Articles in question relate to the collection and processing of information. Article Five dictates a company has to be completely transparent in how it collects and processes information, but also the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled, this is known as data minimisation. Article Six states a company must seek consent from the individual to collect and process information for an explicit purpose; broad brush collection, storage and continued exploitation of data is being tackled here.

In both articles, the objective is to ensure companies are being specific in their collection of personal information, and that it is utilised in a timely manner before being deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrong-doing.

This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practises on the principles of transparency, fairness, lawfulness, purpose limitation,

data minimisation, accuracy and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection and by design and default) and Article 35 (data protection impact assessments).

While GDPR sounds very scary, the reality is no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on effectively and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one being caught yet.

The threat of a €20 million fine, or one which is up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence or fear authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bear its teeth and demonstrate there will be no breathing room.

This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.

Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but it has to prove itself capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.

EU divided on digital tax

Fears over a reaction from the US has sent Finance Ministers from Ireland, Sweden and Denmark cowering back to their spreadsheets as the EU digital tax hits an early stumbling block.

While the collective bargaining power and protection afforded by the European Union is certainly useful, the cumbersome nature of the bureaucratic beast and unanimous decision making ensures it is anything but. As with many proposed rule changes in the past, objections from a handful of member states have slammed the emergency brakes on the digital tax, aimed at holding the internet giants accountable.

According to the Guardian, the Finance Ministers of Ireland, Sweden and Denmark have all aired their criticism not on the concept of the tax, but fears over what President Trump might suggest as a retaliation. There’s a pragmatic approach to business and there’s spineless appeasement to a bully, we’ll let you decide which one this is.

Of course, it would be unfair to herd all of the EU member states into the same cowardly-corner as Ireland, Sweden and Denmark. 12 member states are already moving ahead with their own plans to create a localised digital tax, including the UK as was announced during the Autumn Budget, and some are acting somewhat hawkish about it. The French Government has suggested it would like the tax rates on the playing field by the end of 2018, though Germany seems to be favouring a more watered-down version of the rules.

The EU wide tax on those taking advantage of creative tax regimes, would be the best solution however. A united front against the slippery Silicon Valley internet giants, as well as those from other nations around the world, would of course be the best way to claim that 3% of local revenues, but it is becoming more difficult to imagine that a reality.

The fainthearted trio do of course have something to worry about. Despite Trump slapping tariffs on Chinese goods, and threatening to revamp tax laws so Amazon cannot take advantage of the US tax havens, he would most likely take the US tax as an attack on American values and a threat to the borders. The President is a man or rarely recognises consistency and before too long will probably be describing Jeff Bezos as a close family friend who have been relentlessly pursued by the penny-pinching Europeans.

Ireland also has a lot to lose. After proving it was incapable of managing its finances in a responsible way, the technology giants could be seen as somewhat of a saviour to the economy. Apple, Facebook and Google are just a few names who house a considerable base in the country. Ireland certainly has its own interests to protect.

It’s disappointing to see such weak behaviour in the face of an orange-hued, bullying politician, but at least there are some nations who are prepared to go it alone and hold the internet giants accountable to fair taxation.

Facebook referred to EU over suspect tracking methods

The UK’s Information Commissioners Office has referred an investigation into Facebook to the EU’s lead data protection watchdog over concerns about how the internet giant is tracking users.

The investigation, which was initially launched in May 2017, is primarily focused on the Cambridge Analytica scandal, though this might only be the tip of the iceberg for Facebook. Aside from fining the social media giant, the ICO has referred the case to the Irish Data Protection Commission, as the lead supervisory authority for Facebook under the General Data Protection Regulation (GDPR). As you can see below, Cambridge Analytica might only be the beginning of Facebook’s headache.

“Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data,” said Information Commissioner Elizabeth Denham. “In layman’s terms, that’s the equivalent of 52 billion pages.

“Now I have published a report to Parliament that brings the various strands of our investigation up to date. It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.”

Those who practise the dark arts of hyper-targeted advertising rarely give explanations as to how what information is being specifically held and how much of a detailed picture is being built up through primary sourced data and third-party sources. Few have a genuine understanding of the complexities of these advertising machines, though this is the foundation of various investigations. Transparency is the key word here, with many wanting the curtain to be pulled aside and the mechanics explained.

The fine is clear evidence the ICO is not happy with the state of affairs, though continuation of the investigation and referral to the EU overlords suggests there are more skeletons to be uncovered in-between Zuckerberg’s V-neck jumpers and starch ironed chinos.

“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the to the IDPC,” said Denham.

The initial focus of the investigation might have been political influence, though the more details which emerge, the less comfortable pro-privacy bureaucrats in Brussels are likely to feel. Regulating the slippery Silicon Valley natives has always been a tricky job, but with the Facebook advertising machine becoming increasingly exposed, the rulebook governing the data sharing economy might well be in need of a refresh.

Google fights back against EU plans to impose its regulations on rest of world

Today the European Court of Justice will make a decision which will impact the global digital economy. Does the European Union have the right to impose its own data protection and privacy standards on everyone else?

The one-day hearing has been brought about because of French data protection watchdog, CNIL, pressing for Google to extend the ‘right to be forgotten’ ruling to all of its domains. When such a request is made and accepted, Google will remove content from search results in the relevant domain (e.g. .fr in France for example), but also when users from that country are searching through other domains (e.g. .com or .co.uk). CNIL argues the content should be removed from all domains, irrelevant where the user is based.

“This case could see the right to be forgotten threatening global free speech,” said Thomas Hughes, Executive Director of free speech advocacy group Article 19. “European data regulators should not be allowed to decide what Internet users around the world find when they use a search engine. The CJEU (European Court of Justice) must limit the scope of the right to be forgotten in order to protect the right of Internet users around the world to access information online.”

While it might not seem like the most damning of cases, the ripples from this ruling could quickly become turbulent waves. Google and numerous other free speech advocacy groups argue this is simply France, and the European Union, pursuing their own form of censorship, imposing their own standards on other nations around the world. Should the judges rule in favour of CNIL precedent would be set and precedent can be very dangerous.

If the European Union can force other countries into complying with its regulations, why shouldn’t others?

“If European regulators can tell Google to remove all references to a website, then it will be only a matter of time before countries like China, Russia and Saudi Arabia start to do the same,” said Hughes. “The CJEU should protect freedom of expression not set a global precedent for censorship.”

The question these judges have to answer is a relatively simple one on the surface; should governments and regulators have influence over those who live in their jurisdiction or should they be afforded power over everyone else as well? For us, the answer is incredibly simple as well; no it shouldn’t.

The whole concept of the CNIL argument is contradictory and patronising; it’s a form of digital colonialism, with France assuming it is the moral, ethical and political authority on such matters. If China or Russia were pressing for their rules to be imposed on the international stage, there would be uproar. Of course, the rules in these countries are backwards, though the principle remains the same. France should not be allowed to dictate to other countries around the world.

This is another example of globalisation trends working against the consumer. Companies like Google make use of the grey areas and cracks between the legislative and regulatory regimes of different countries. They take advantage of lighter-touch regulation in some countries, remaining out of reach of those who are more involved. The absence of an international code or ruling authority simply offers the internet players a blank rule book and encourages lawyers to look for loop-holes to ignore regulations in more privacy-sensitive countries. That said, the will of one nation, or a dozen or 28, should not be imposed on the rest of the world.

For Telecoms.com, the decision is a simple one; France should be told to govern its own country and not get involved in jurisdictions which does not concern it. The precedent set would be far too dangerous.

GDPR seems to benefit Silicon Valley but harm US relations

The initial effects of GDPR seems to be that the biggest companies have benefitted but the US government thinks it’s harming relations.

The Wall Street Journal reports that Google and Facebook have had a significant advantage over all other digital advertisers as their size has enabled them to tick all the GDPR boxes at scale far more quickly than anyone else. In fact Google’s own DoubleClick Bid Manager is apparently sending more traffic towards Google’s own ad inventory as a result.

It’s far from surprising that a massive new layer of bureaucracy benefits the largest companies the most, as we previously observed. All the kinky talk of compliance and forced consent gives larger organisations a natural advantage as they’re able to devote more resources to ticking all the bureaucratic boxes and have more lawyers to protect them if they transgress regardless.

The European Union is, of course, one of the largest organisations of all and thus has much more natural affinity with the likes of Google than it does some relatively insignificant SME. That’s not to say the EU sought to deliberately favour a company it recently hit with a massive fine, just that the more it meddles with business, the more advantage it gives big companies.

While Google and Facebook might be quietly pleased with how GDPR is playing out, the US government is growing increasingly agitated. Writing in the FT US Commerce Secretary Wilbur Ross said “We in the US are deeply concerned about the way the EU’s new privacy guidelines, which came into effect last week, will force big changes in the way US and European companies do business.”

“GDPR creates serious, unclear legal obligations for both private and public sector entities, including the US government. We do not have a clear understanding of what is required to comply. That could disrupt transatlantic co-operation on financial regulation, medical research, emergency management co-ordination, and important commerce.”

If even the US government doesn’t know how to comply then what hope does some small business have? Furthermore there have been some reports that even the European Commission itself is struggling with compliance and may be looking to exempt itself from its own rules, which would be a classic EC move.

This public grumbling from the US government comes as trade tensions between the EU and the US have escalated after the two were unable to come to a compromise over the trade of steel and aluminium, which President Trump seems to think needs correcting in favour of the US. As a result the US has imposed tariffs on the import of these metals from the EU, creating the prospect of retaliatory tariffs and further escalation.

“I am concerned by this decision,” said EC President Jean-Claude Juncker. “The EU believes these unilateral US tariffs are unjustified and at odds with World Trade Organisation rules. This is protectionism, pure and simple. Over the past months we have continuously engaged with the US at all possible levels to jointly address the problem of overcapacity in the steel sector.

“By targeting those who are not responsible for overcapacities, the US is playing into the hands of those who are responsible for the problem. The US now leaves us with no choice but to proceed with a WTO dispute settlement case and with the imposition of additional duties on a number of imports from the US. We will defend the Union’s interests, in full compliance with international trade law.”

The EU is the joint biggest exporter of steel to the US along with Canada, according to the BBC. Canada and Mexico have also been hit with the same tariffs and the affected regions seem likely to slap tariffs on the import of bourbon, jeans and hot air. It’s not inconceivable that the GDPR moans are part of a broader negotiating strategy but it looks like things will get worse before they get better.

Facebook and Google accused of GDPR ‘forced consent’

It turns out that imposing extra layers of bureaucracy on companies can bring about unintended consequences, who knew?

Among the inevitable deluge of emails sent by companies desperate to be seen to be doing the bare minimum in compliance with the General Data Protection Regulation (GDPR) that came into effect in Europe today, have been those requesting blanket opt-ins. They usually feature handy one-click buttons that most people presumably use just to be able to put this trying week behind them. The underlying threat is that users either agree to everything or get kicked off the service.

Campaigning group noyb.eu (none of your business), headed by prominent data privacy complainer Max Schrems, is not happy with how Facebook and Google have gone about interacting with their users on this matter. So it has filed complaints against the two and also Facebook subsidiaries Instagram and WhatsApp, in four different countries to make sure it’s nice and pan-European.

“The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR),” says the complaint. “Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.

Using language apparently taken from the pages of 50 Shades of Grey, companies seem to be imposing forced consent on their users in order to achieve basic compliance with the GDPR regulations. But if this complaint has merit, which it seems to, then these tech giants might end up getting a thorough spanking from the European Commission.

EU to back €2.1bn fund for European start-ups

The European Union has announced it will back a Pan-European Venture Capital Funds-of-Funds programme, known as VentureEU, to boost investment in start-up and scale-up companies across Europe.

The EU itself will only be providing €410 million of the total amount, which will be raised from other private and public sources. The VentureEU fund will invest in six venture capital fund of funds, which is hoped to raise a total of €6.5 billion, double the amount of capital investment which is available currently according to the European Commission.

“In venture capital, size matters!” said Commission Vice-President Jyrki Katainen. “With VentureEU, Europe’s many innovative entrepreneurs will soon get the investment they need to innovate and grow into global success stories. This means more jobs and growth in Europe.”

The worry here is about the ability to scale and for European organizations to compete with the US technology machine. While start-ups and smaller scale organizations in the US have access to a huge number of options, the same cannot be said in Europe. The EC claims across 2016 €39.4 billion was invested by venture capitalists, compared to a miserly €6.5 billion in Europe. The difference in growth can also be seen in the number of companies which reached ‘unicorn’ status (valuation of $1 billion) across 2017, with the 26 in Europe being dwarfed by the 109 in the US.

The EU will provide the first lump sum of €410 million, which will be made up of €67 million from the European Investment Fund, €200 million from the Horizon 2020 InnovFin Equity, €105 million from COSME and €105 million from the European Fund for Strategic Investments. The hope is that 1500 start-ups and scale-ups will benefit from the fund.

While this is a positive move from the European Commission, you can’t argue with the numbers. US companies do have access to investment because there are more investment funds out there. Even if targets are met, there is still much more opportunity to access a wider breadth of investors and bigger lump sums of investment. We don’t want to be a buzzkill, but this sum is only a drop in the ocean from what will be needed should Europe want to remain relevant in the digital economy.

European telcos sulk about EU direction on regulation and investment

Following an opaque and arcane ruling from a European Parliament committee there is concern that the continent is losing its way on telecoms.

The Committee on Industry, Research and Energy voted on a broad range of issues surrounding the involvement of the Eurocracy in the telecoms business. Among the conclusions of the vote were a move to reduce the cost of long distance calls within Europe, which seems to be an ideological move equivalent to the abolition of data roaming charges.

While this seems like another telco revenue stream under attack, most of the moaning was reserved for the realisation of fears expressed prior to the meeting; that the EU tending towards increased regulation and decreased investment in telecoms. This is exactly the opposite of what operators want.

The core issue is the direction of the European Electronic Communications Code – a collection of rules, regulations and initiatives originally designed to give European telcos a shot in the arm. Organisations such as ETNO (European Telecommunications Network Operators’ Association) have consistently complained about its apparent retreat from its lofty initial ambitions.

“For the Gigabit Society vision to be credible, the Code needs to stick to its original objectives,” said Lise Fuhr, ETNO Director General. “Without investment incentives and spectrum reform, European citizens and businesses risk being stripped of superfast networks and innovative services.”

Here are ETNO’s specific concerns:

  • Investment-conducive measures need to be restored and strengthened. All investment models for very high capacity networks should be provided with clear regulatory incentives. In particular, we regret the weakening of the Commission proposals to grant incentives to co-investment and that such incentives were not extended to other collaboration models.
  • The duration of spectrum licenses needs to remain 25 years or longer. An interim review of the license conditions would result into a major setback for investment in mobile connectivity and in 5G specifically. Long-term legal certainty is required in view of the long pay-back periods for 5G networks.
  • All unjustified regulatory proposals should be rejected. Economic regulation beyond the concept of single or joint dominance would not be legally consistent with the architecture of Europe’s telecoms laws. Similarly, additional retail price regulation is unjustified, with markets for intra-EU calls being competitive and customers being able to choose among multiple free alternatives.
  • Service regulation should boost consumer choice. Regulatory simplification should allow telecom operators to innovate as much as internet players, in order to provide increased choice for European consumers. At the same time, harmful regulation of bundles should be avoided. This would take away successful offers that are currently taken up by 7 in 10 European consumers (Ipsos, 2017).

ECTA (European Competitive Telecommunications Association) has also expressed concern, while the GSMA seems to have been too busy promoting its money-spinning events to comment. The real danger for European telcos is that their interests are sacrificed at the altar of super-state dogma. The EU seems to be obsessed with creating a United States of Europe and apparently considers the profits of its incumbent telcos to be a small price to pay.

The Ericsson and Intel 5G roadshow heads to Tallinn

Ericsson and Intel are spending so much time together these days that people are starting to talk.

Having been seen walking hand-in-hand through Beijing earlier in the week, ostensibly in the name of field-testing 5G multi-vendor interoperability over the 3.5 GHz band, the glamourous pair made their way to Tallinn, the capital of Estonia today. By complete coincidence that is also the location of a meeting of the EU’s leaders, so that should ensure a nice lot of paparazzi will be milling around, looking for choice photo opportunities.

The pretext for this European leg of the couple’s world tour is the deployment by Telia of what it claims are the first 5G live network use cases. Ericsson and Intel are helping out with these projects, which include a 5G connection to a passenger cruise ship and a construction excavator remotely controlled over 5G.

Gabriela Styf Sjöman, Global Head of Networks, Telia Company says: “We want to be early with 5G and will bring it to life in Stockholm, Tallinn and Helsinki in 2018,” said Gabriela Styf Sjöman, Global Head of Networks at Telia. “We work together with our partners in the whole ecosystem to explore the powerful effect it is going to have for our customers and in society.

“It’s not only about building a new network but it’s also about building a new way of thinking and perceiving what a mobile network can be and can do. High speed, low latency, guaranteed capacity and truly mobile is going to push the boundaries of digitalization and we want to be there pushing it together with our partners.”

“Our own report about the 5G business potential identifies a huge opportunity for telecom operators globally who address industry digitalization with 5G,” said Arun Bansal, Head of Europe and Latin America at Ericsson. “We foresee that they can benefit from a market opportunity of $582 billion by 2026 and this represents a potential to add 34 percent growth in revenues. Capturing this market potential requires investment in 5G technology as well as business development, and go-to-market models.”

“Our work together trialing early usages of 5G technologies and the experiences it will bring to different industries, demonstrates the importance of collaboration and the need for seamless flow of data across the network, cloud and devices to make 5G a reality,” said Asha Keddy, GM of the Next Generation and Standards Group at Intel. “Intel’s 5G platforms are critical enablers for today’s active, real-world 5G trials with service providers around the globe, providing crucial insights and helping to define the future of 5G.”

As well as giving our leaders the setting for a slap-up dinner at our expense, Tallinn is also hosting the EU Digital Summit. This is the latest in an entrenched campaign by the Eurocracy to be seen to be keeping up with the US and Far East when it comes to emerging tech trends. Ericsson and Intel seem to have decided that getting in with the public sector is a good way enhance their own 5G credibility as well as a potentially handy source of public subsidy.