Europe’s GDPR blasted for underinvestment and enforcement

Open source web browser Brave has directed weighty criticism towards European Governments for failing to equip data protection agencies and enforce GDPR rules.

With the release of a white paper and the filing of a complaint to the European Commission, Brave has directed weighty criticism to all Governments and agencies involved in upholding the privacy and data protection rights afforded through the implementation of GDPR. In short, the Governments are not directing enough money towards the data protection authorities to enforce GDPR.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, Chief Policy & Industry Relations Officer at Brave.

“Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

Brave does of course benefit from disruption to the status quo of the internet economy, though there are some valid points being made. Aside from a few examples, the rhetoric from posturing politicians and boresome bureaucrats on the importance of data protection does not seem to have translated into action.

For all the good work which has been done in creating a regulatory framework to elevate data protection and privacy in today’s society, if the relevant authorities are not enforcing the rules it means nothing.

As Brave points out in the complaint, Article 52(4) of the GDPR (Regulation 2016/679/EU) and Article 41(1) of the Law Enforcement Directive (Directive 2016/680/EU) require that national governments give data protection authorities the human and financial resources necessary to perform their tasks.

Looking at the research presented by Brave, it would appear Governments are failing to adhere to these rules.

How well funded are the data protection agencies?
| Nation | Budget (2019/20) | Nation | Budget (2019/20) |
| --- | --- | --- | --- |
| UK | €61 million | Spain | €16.5 million |
| Italy | €30.1 million | Estonia | €0.8 million |
| Germany | €26.8 million | Sweden | €10.3 million |
| Ireland | €16.9 million | Greece | €3.1 million |
| Poland | €9.4 million | Austria | €2.3 million |
| Netherlands | €18.6 million | Romania | €1.3 million |

This is just a snapshot of the budgets across the continent. Some countries might look suitably funded, but this is perhaps just a comparison to the other end of the scale. However, it does appear some of these agencies are somewhat of a profit centre for Governments.

In the UK, for example, the data watchdog the Information Commissioner’s Office (ICO) is funded by data protection fees, a fee which is applicable to every organisation or sole trader who processes personal information in the UK. For 2019/20, the ICO budget from these fees totalled £46,560,000. The authority is also the recipient of £4,626,000 of Government funding.

What is worth noting, however, is that any fine which is given by the ICO for data protection or privacy violations is directly paid to Her Majesty’s Treasury. None of these funds are used to further enhance the powers of the ICO or employ additional experts. The ICO currently employs 22 technology specialists of a total staff of more than 600.

So far, the ICO has issued some substantial fines:

| Company | Fine | Reason |
| --- | --- | --- |
| Cathay Pacific | £500,000 | Data breach |
| DSG Retail | £500,000 | Lack of security during cyber-attack |
| Life at Parliament View | £80,000 | Inadequate cybersecurity |
| Bounty | £400,000 | Sharing personal information illegally |

These are the relevant fines from the last 12 months, though it should also be noted that they were all cases where the incident occurred before the introduction of GDPR, and the maximum fine was £500,000. In the Cathay Pacific incident, if the breach had occurred after the introduction, the company could have been fined up to 4% of annual revenues, some £460 million.

Currently, the ICO has 56 cases under investigation, making it one of the busier data protection authorities, but by no means the busiest. That crown is offered to Ireland, where the annual budget of the data protection authority, the DPC, is €16.9 million.

The DPC in Ireland currently has 21 staff who are specialist tech investigators to evaluate the 127 cases which are running. The DPC is the lead data protection authority for complaints against the likes of Facebook, Google, Apple, Intel, IBM and numerous other tech giants owing to their corporate HQ being in Dublin.

€16.9 million should not be seen as an adequate budget to oversee that many GDPR cases or hold the internet giants accountable. These companies could lodge numerous appeals or filings to prolong the legal proceedings, bleeding the DPC dry and severely inhibiting its ability to maintain GDPR principles in Ireland, as well as ensuring the internet giants are held accountable.

In this example, it is very difficult to levy all of the criticism towards Ireland. As the DPC is being asked to be the champion for all of Europe, fighting against some of the companies who are presumably the worst data protection and privacy offenders, contributions should be enforced from other member states to build this authority. €16.9 million is quite frankly pathetic when the DPC is effectively being asked to take on Silicon Valley.

Across Europe, the Brave research suggests there are only 305 technology specialists working for the data protection authorities. Only six have more than 10 specialist tech investigation staff, seven have two specialists or fewer and half of all authorities have annual budgets less than €5 million.

EU GDPR was a regulatory evolution which was very much needed in 2018. It created rules which were fit-for-purpose in the current digital society, but this means nothing if Governments are not doing what they should to create the agencies to enforce the rules.

Brave might be looking to throw a cat amongst the bureaucratic pigeons for its own gain, but it is not wrong. Governments are failing.

Europe releases guidelines for building COVID-19 apps

The European Commission has unveiled guidelines for member states creating COVID-19 apps, with perhaps an attempt to prevent mission creep from private industry.

The document, which is available here, suggests the national health authorities take the leadership position in developing the applications, while another recommendation is to store data on devices wherever possible. Minimising data analysis, external storage and the role of private organisations are ways and means to maintain privacy principles but also reduce the risk of data breaches.

“This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic,” said Vice-President for Values and Transparency, Věra Jourová.

“Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”

Although the guidelines are relatively simple, such a tick-box exercise is critical to ensure the largest possible adoption rates. The apps will assist individuals irrespective of how many people install them; however, for the contact tracing features to be the most effective in slowing the spread of COVID-19, downloads would have to meet critical mass. Oxford University researchers suggest this would be at least 60% of the population.

If any of the apps being discussed are to reach 60% penetration, privacy and security fears would have to be addressed, while legislation would have to be introduced to ensure such tracking activities do not become the new normality and data is not retained after the crisis.

In brief, the guidelines are as follows:

  • Downloading the app should be voluntary not compulsory
  • National health services should own the project and be responsible as the Data Controller
  • Data minimisation principles should be applied
  • GDPR principles of right to deletion should be adhered to
  • Data should be stored on user devices wherever possible
  • Consent should be applied to each element of the application not a catch-all opt-in at the beginning
  • Rules should be introduced for the deletion of collected raw data and the subsequent insight

There are of course multiple other nuances and elements included in the 14-page document, though should the above guidelines be adhered to and the role of private industry limited, there could be trust instilled in the apps. Irrespective of how elegant and sophisticated the apps are, the most important aspect is user adoption.

This is not the first time the world has faced a pandemic to this degree, but technology and insight are tools which we have never had at our disposal before. The contact tracing apps, to warn individuals of potential infection and educate on how to further prevent the spread, should be adopted by every nation. However, privacy and security concerns should not be ignored.

The technology and telecoms industry has a pretty poor record when it comes to privacy and security. Executives might point to policies and features to improve resilience, however these are almost always reactive additions, not proactive ones. Considering the sensitive nature of the data which is being discussed in relation to these apps, this is the time to be overly cautious in applying privacy and security principles.

Europe gives operators minor throttling concession

The powers that be in the European Union have said its operators can do a little bit of traffic management if they absolutely have to.

The reason for this minor concession, of course, is that the entire continent is being encouraged, and increasingly compelled, to stay at home the whole time as we try to slow the spread of the COVID-19 pandemic. Most of them will probably be spending a lot of time streaming video, online gaming and so on, so exceptional levels of both fixed and mobile broadband use are expected.

On the demand side, EU bigwigs have been hassling Netflix not to let its customers stream in HD, and now they’re addressing the supply side. A joint statement from the European Commission and BEREC (Body of European Regulators for Electronic Communications) addressed coping with the increased demand for network connectivity due to the Covid-19 pandemic.

It flags a regulation that prevents operators from prioritising traffic, but notes that it allows a bit of light throttling if there’s a really good reason. “Pursuant to the regulation, operators are authorised to apply exceptional traffic management measures, inter alia, to prevent impending network congestion and to mitigate the effects of exceptional or temporary network congestion, always under the condition that equivalent categories of traffic are treated equally,” says the statement.

The long and short of it seems to be that European authorities have given a tentative green light to throttling when needed. However, this comes with the implicit threat that if it is suspected that the operator in question didn’t have a good enough reason, or failed to do so in an even-handed manner, then there will be trouble.

Europe asks Netflix to save networks by restricting HD streams

European Commissioner for the Internal Market Thierry Breton has been on the phone to Netflix CEO Reed Hastings to officially request the streaming service slow down downloads.

Under the hashtag #SwitchToStandard, Breton has asked Netflix to enforce a slowdown on customers who might be tempted by HD standard content. With HD content requiring 4-5X more data than SD, the threat to networks is quite apparent as more of the population are forced to stay inside and binge watch any new recommendations.

The issue being faced by the telecommunications industry is the perfect storm for network congestion.

Firstly, video consumption places much more of a strain on networks than any other type of internet traffic. These applications are incredibly data intensive, and while Netflix only requires a consistent 5 Mbps connection to function properly, the consistent streaming over sustained periods of time by millions of customers starts to add up.

Over the first half of 2019, video accounted for 58% of the total downstream volume of traffic on the internet, according to network management firm Sandvine, with Netflix accounting for 15%. Another issue which home broadband networks might face is more people connecting devices to routers.

“People are watching a bit more YouTube than normal (because it is a great source of information from a wide variety of sources) to try and figure out what is actually going on and to learn about what they should be doing,” Cam Cullen, VP of Global Marketing at Sandvine said in a blog post.

“And unlike normal, where their usage is divided between mobile networks, work, or school networks, and random wifi hotspots, it is all centred on home networks.”

With more people working from home, more devices are going to be connected to the home broadband networks as opposed to mobile, public wifi or more powerful work networks. Video conferencing will become much more popular, people skiving will have something on the TV, while kids need to be kept busy as well. With parents attempting to work, whacking an episode of Paw Patrol or Peppa Pig on Netflix might have to suffice.

Another element to consider is the rise of online gaming, both on consoles and mobile devices, which will also be running off home broadband networks. Telecom Italia has attributed a material proportion of the 70% surge of internet traffic on its networks to increased use of games such as Fortnite and Call of Duty.

Italy, France and Spain are all countries which have gone into full lockdown mode, while it seems it will only be a matter of time before the same happens in the UK. Without the pub, clubs, cinemas, theatres or gigs to distract consumers, more will turn to the endless treasure trove of harmless comedies and rabbit hole documentaries to fill time in the evenings.

BT has already said it builds networks to deal with peak time traffic, therefore it does not foresee a problem, but what could be about to be unleashed is a monstrous amount of internet traffic as children are no longer distracted by education or adults by alcohol.

All of the telcos are furiously working to increase capacity on networks which are potentially under threat, though whether the work can be done quickly enough to mitigate the rise in traffic remains to be seen. It might not seem like a significant change but considering the popularity and increased use of streaming services over the coming weeks and months, downgrading to SD might have an impact if everyone makes an effort.

Europe’s ‘circular economy’ strategy could be shake-up for mobile

As part of the new Industrial Strategy set forward by the European Commission, rules designed to combat the throw away culture of today might have a significant impact on the mobile sector.

The European Commission is championing what it is now coining as the ‘circular economy’, a concept designed to challenge the take-make-waste extractive industrial model which fuels so many landfills around the world. On the surface it might sound like political jargon, a sustainability agenda which is designed to attract attention not material change, but there is certainly potential for a jolt to the mobile and smartphone manufacturing segments.

The following extract from the plan sets out a top-down view of the strategy:

At the heart of it [the Circular Economy Action Plan] is a new sustainable product policy framework which will establish sustainability principles for all products, helping to make Europe’s industry more competitive. Priority will be given to high-impact product groups and action will include initiative on the common charger, a circular electronics initiative, sustainability requirements for batteries, and new measures in the textiles sector.

In pursuit of climate change and sustainability goals, attention has to be turned to behaviour as well as technological and industrial efficiency. This is the purpose of the ‘circular economy’, to make more of what is currently available as opposed to simply replacing products on a regular basis.

The Circular Economy Action Plan will attempt to force companies into creating a more environmentally friendly and sustainable supply chain. Part of this will be to identify and measure durability, reusability, reparability, recyclability and the presence of critical raw materials in products and set up an action plan to improve each component.

What this could mean for some companies is higher standards of quality for items which are regularly replaced today. Batteries, consumer electronics and mobile devices could be a few which fall under the umbrella. Few companies will like regulatory change because it leads to disruption within their own business. This is an area which certainly has the potential to do just that.

“This strategy could be an opportunity to completely transform the way European industry operates,” said Davide Sabbadin of the European Environmental Bureau (EEB), a lobby group based out of Brussels.

“Europe needs to be ready to embrace a new industrial revolution with clean, safe and sustainable jobs. A strategy which fails to deliver would be a disaster for the aim of reaching climate neutrality and other commitments made in the European Green Deal.”

For mobile devices and smartphones, this could mean stricter standards. For example, low-end mobile devices and handsets which become redundant in a short period of time could fall foul of the rules. It could mean this segment of the market is effectively killed off as higher specs and more expensive materials are forced on manufacturers, reducing profit margin and the appetite to produce such products.

The impact of these new rules and initiatives remains to be seen. What is worth noting is that many of the manufacturers are making strides forward to improve the sustainability of manufacturing and logistics operations, though whether this falls in-line with the standards championed by the European Commission will decide the scale of disruption.

EU reportedly set to approve TIM/Vodafone tower JV

After announcing their intention to merge their tower businesses last July, TIM and Vodafone have had to wait nine months for the EU to give it a look.

While there had been no formal announcement at time of writing, Reuters spoke to some people who reckon the European Commission is about to green-light the move. The merger of the telecoms tower businesses of the two operators would apparently create Europe’s biggest mobile tower company, so antitrust authorities were bound to take an interest.

Presumably the activities of competing tower giants such as Cellnex reassured the EC that even such a major bit of M&A wouldn’t damage competition. Furthermore the whole European tower scene seems to be stampeding towards consolidation, so this presumably won’t be the last such case it has to scrutinise.

The combined tower holdings will be run by INWIT, the tower company TIM is currently the 60% owner of. After the €10 billion merger TIM and Vodafone will each own a 37.5% stake in INWIT, with equal governance rights.

Antitrust authorities will presumably only start thinking about blocking this sort of M&A when it gives one company too great a share of the mobile towers in a single country. TIM is not international, but Vodafone is an MNO in the Italian market. The report says they offered to give rival, presumably Italian, operators access to their towers as a condition for the deal being approved.

Vodafone joins the EU in announcing major diversity initiative

Operator group Vodafone has decided to speak for the whole industry on diversity, while the EU is seeking to impose gender balance quotas on the whole bloc.

The Vodafone thing is called #changetheface because it strives to change the face of technology. That seems to refer primarily to sex as, apparently, the balance between men and women is wrong. Vodafone knows this because it commissioned a survey and, when asked to describe technology as a person, the majority of respondents answered that the person would be young, white, middle-class and mostly male.

“#ChangeTheFace is Vodafone’s commitment to improving our diversity and inclusion at Vodafone,” said Nick Read, CEO of Vodafone Group. “We are urging the technology industry to act now so we build a digital future that reflects society and works for everyone.” A special website urges people to make diversity pledges and even offers some suggestions in case people aren’t sure what the rules are, which you can see below.

The Vodafone announcement says Ericsson and Nokia have been among the first to get on board with this ‘industry-wide initiative’. Neither of them seems to have made separate announcements, however, with Ericsson preferring to talk about how committed to sustainability it is. There were no CSR announcements from Nokia at time of writing, so maybe it figures it ticked that box already with its recent ethics announcement.

Meanwhile, and perhaps not coincidentally, the European Commission has unveiled its gender equality strategy. As you would expect from the EU, it’s a wide-ranging set of positions and directives covering sexual equality in general, and specifically pay, opportunities and ‘gender-based violence’.

“Gender equality is a core principle of the European Union, but it is not yet a reality,” said EC President Ursula von der Leyen. “In business, politics and society as a whole, we can only reach our full potential if we use all of our talent and diversity. Using only half of the population, half of the ideas or half of the energy is not good enough. With the gender equality strategy, we are pushing for more and faster progress to promote equality between men and women.”

“Europe is a good address for women, despite all shortcomings,” said VP for Values and Transparency Vera Jourová. “As our society is undergoing important transitions, be it green or digital, we must ensure that women and men have equal opportunities and that inequalities are not further exacerbated by change. On the contrary, we have to create conditions for women to be agents for a fair transition at work and in private.”

“The pursuit of equality does not require the shifting of anything from one basket to another,” said Commissioner for Equality, Helena Dalli. “Equality is an infinite resource, and there is enough of it for everyone. On the flipside, discrimination costs the individuals that suffer it and society as a whole dearly, in lack of personal recognition, lack of meritocracy and loss of talent and innovation.”

While not in any way shifting anything from one basket to another, the EC has implemented a number of ‘concrete actions’. The most remarkable of these is a push for ‘gender balance’ on the boards of all European companies. To lead by example, the Commission is aiming to reach gender balance of 50% at all levels of its management by the end of 2024.

The EC announcement also asserts that European women, on average, earn 16% less than men. It doesn’t specify whether this is for the same job or just a broad average, but it clearly thinks this is a statistic that needs correcting regardless. Lastly there is a push to criminalise violence against women, the only surprising aspect of which is the inference that it’s not already criminalised.

These announcements are presumably timed to coincide with International Women’s Day, which takes place on Sunday 8 March and has the strapline ‘An equal world is an enabled world.’ There will presumably be other corporate initiatives of these kinds around the day as the pressure to show they’re doing their bit mounts.

Europe unveils its digital grand plan

The EU reckons Europe can be a digital leader so long as it does what the European Commission tells it to.

To be fair to the EC this is a pretty ambitious project as it seeks to define the rules, parameters and scope of all the digital ambitions for the entire bloc. It encompasses the European data strategy and its rules for the development of artificial intelligence in such a way that it helps the continent out, but doesn’t result in a Terminator-like dystopia.

“Today we are presenting our ambition to shape Europe’s digital future,” said President of the Commission, Ursula von der Leyen. “It covers everything from cybersecurity to critical infrastructures, digital education to skills, democracy to media. I want that digital Europe reflects the best of Europe – open, fair, diverse, democratic, and confident.”

Democratic eh – who elected you then Ursula? Anyway, the collateral associated with this announcement is predictably encyclopaedic, but if you want you could start here, or here, or here. As if the scope of the project wasn’t broad enough the EC seems to be trying to reconcile a bunch of other trendy political issues like diversity and green stuff while it’s at it.

“We want every citizen, every employee, every business to stand a fair chance to reap the benefits of digitalisation,” said Executive Vice-President for A Europe Fit for the Digital Age, Margrethe Vestager. “Whether that means driving more safely or polluting less thanks to connected cars; or even saving lives with AI-driven medical imagery that allows doctors to detect diseases earlier than ever before.”

“Our society is generating a huge wave of industrial and public data, which will transform the way we produce, consume and live,” said Commissioner for Internal Market, Thierry Breton. “I want European businesses and our many SMEs to access this data and create value for Europeans – including by developing Artificial Intelligence applications. Europe has everything it takes to lead the ‘big data’ race, and preserve its technological sovereignty, industrial leadership and economic competitiveness to the benefit of European consumers.”

It’s hard to know what to make of such a massive initiative. This was clearly the sort of thing Vestager’s role was created for, but what does it mean on the ground? AI clearly needs some kind of global supervision and Europe has plenty of catching up to do with its geopolitical rivals when it comes to the digital economy. We’ll probably have a better sense of how effective this initiative has been in a decade or so.

The EU starts hassling US tech companies again

Facebook and Qualcomm look set for another round of scrutiny from the European Commission around their business practices.

According to the WSJ, Facebook is being asked to hand over internal documents to EU antitrust investigators so they can have a deeper look into whether or not it used dirty tricks against its competition. The allegation is that Facebook made use of its users’ data to skew the market in its favour by bribing partners to stay loyal.

That’s the sort of thing Qualcomm has got into trouble with the European Commission about in the past and, according to Reuters, lightning may be about to strike twice. Qualcomm revealed in a regulatory filing accompanying its recent quarterlies that the EU is investigating whether it abused its dominant position in radio frequency front-end chips.

It seems the EU is concerned that Qualcomm is using its near monopoly in 5G modems to strongly encourage customers to buy its RF chips too. Apparently sales of RF chips were a factor in issuing a better than expected forecast. As ever this will all drag out as lawyers and antitrust types get bogged down in the minutiae of it all, but it seems clear that the EU’s appetite for hassling US tech companies is undiminished.