Ericsson sets aside $1.2 billion in preparation for corruption fine

Since 2013, Ericsson has been the focus of two investigations concerning the Swedish vendor’s compliance with the US Foreign Corrupt Practices Act (FCPA), and now it is preparing for the fine.

The investigation officially ended in the fourth quarter of 2017, though Ericsson has been in a continued dialogue with the Securities and Exchange Commission (SEC) and the Department of Justice (DoJ) since. With the team found to have broken the law in six markets, Ericsson is expecting the combined fines to be north of $1 billion. Today’s announcement is to prepare investors for the hit.

“With today’s announcement we confront another legacy issue and take the next step in resolving it,” said Ericsson CEO Börje Ekholm.

“We have to recognize that the Company has failed in the past and I can assure you that we work hard every day to build a stronger Ericsson, where ethics and compliance are cornerstones in how we conduct business. Over the past two years, we have made significant investments in our ethics and compliance program including our investigative capabilities and have taken actions against employees who have transgressed our values and standards.”

Corrections have been made to internal procedures in the six years since the probes began, though it casts a dark shadow on the vendor. Corruption allegations are never favourable, irrespective of how far in the past they were.

Starting in 2013, the SEC launched a probe with the DoJ joining the party in 2015. The investigations covered a four-year period, ending in 2017, relating to bribes which were offered to Government officials. Ericsson was found to be non-compliant with the FCPA in six markets: China, Djibouti, Indonesia, Kuwait, Saudi Arabia, and Vietnam.

Like every other law, there are hundreds of provisions and clauses to the FCPA, though there are two which it is most readily known for. Firstly, rules dictating accounting transparency requirements under the Securities Exchange Act of 1934, and secondly, concerning bribery of foreign officials.

In short, the rules state it is unlawful to provide anything of material value to government officials to obtain or retain business. On the accountancy transparency side, these rules are to ensure there is an effective compliance and accountability system to internally prevent illegal activity.

Although Ericsson has been co-operative with the agencies during the investigation, the $1 billion fine might only be part of the problem. The Ericsson management team has pointed to additional risks associated with this saga, including reputational damage. The team will have been working hard to smooth over the cracks, however the official fine might well encourage other parties to have a closer look at the relationships in place.

Is $170 million a big enough fine to stop Google privacy violations?

Another week has passed, and we have another story focusing on privacy violations at Google. This time it has cost the search giant $170 million, but is that anywhere near enough?

The Federal Trade Commission (FTC) has announced yet another fine for Google, this time the YouTube video platform has been caught breaking privacy rules. An investigation found YouTube had been collecting and processing personal data of children, without seeking permission from the individuals or parents.

“YouTube touted its popularity with children to prospective corporate clients,” said FTC Chairman Joe Simons. “Yet when it came to complying with COPPA [the Children’s Online Privacy Protection Act], the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

Once again, a prominent member of the Silicon Valley society has been caught flouting privacy laws. The ‘act now, seek permission later’ attitude of the internet giants is on show and there doesn’t seem to be any evidence of these incredibly powerful and monstrously influential companies respecting laws or the privacy rights of users.

At some point, authorities are going to have to ask whether these companies will ever respect these rules on their own, or whether they have to be forced. If there is a carrot and stick approach, the stick has to be sharp, and we wonder whether it is anywhere near sharp enough. The question which we would like to pose here is whether $170 million is a large enough deterrent to ensure Google does something to respect the rules.

Privacy violations are nothing new when it comes to the internet. This is partly down to the flagrant attitude of those left in positions of responsibility, but also the inability of rule makers to keep pace with the eye-wateringly fast progress Silicon Valley is making.

In this example, rules have been introduced to hold Google accountable, however we do not believe the fine is anywhere near large enough to ensure action.

Taking 2018 revenues at Google, the $170 million fine represents 0.124% of the total revenues made across the year. Google made on average, $370 million per day, roughly $15 million per hour. It would take Google just over 11 hours and 20 minutes to pay off this fine.

Of course, what is worth taking into account is that these numbers are 12 months old. Looking at the most recent financial results, revenues increased 19% year-on-year for Q2 2019. Over the 91-day period ending June 30, Google made $38.9 billion, or $427 million a day, $17.8 million an hour. It would now take less than 10 hours to pay off the fine.

Fines are supposed to act as a deterrent, a call to action to avoid receiving another one. We question whether these numbers are relevant to Google and if the US should consider its own version of Europe’s General Data Protection Regulation (GDPR).

This is a course which would strike fear into the hearts of Silicon Valley’s leadership, as well as pretty much every other company which has any form of digital presence. It was hard work to become GDPR compliant, though it was necessary. Those who break the rules are now potentially exposed to a fine of €20 million or 3% of annual revenue. British Airways was recently fined £183 million for GDPR violations, a figure which represented 1.5% of total revenues due to co-operation from BA during the investigation and the fact it owned up.

More importantly, European companies are now taking privacy, security and data protection very seriously, though the persistent presence of privacy violations in the US suggests a severe overhaul of the rules and punishments is required.

Of course, Google and YouTube have reacted to the news in the way you would imagine. The team has come, cap in hand, to explain the situation.

“We will also stop serving personalized ads on this content entirely, and some features will no longer be available on this type of content, like comments and notifications,” YouTube CEO Susan Wojcicki said in a statement following the fine.

“In order to identify content made for kids, creators will be required to tell us when their content falls in this category, and we’ll also use machine learning to find videos that clearly target young audiences, for example those that have an emphasis on kids characters, themes, toys, or games.”

The appropriate changes have been made to privacy policies and the way in which ads are served to children, though amazingly, the blog post does not feature the words ‘sorry’, ‘apology’, ‘wrong’ or ‘inappropriate’. There is no admission of fault, simply a statement that suggests they will be compliant with the rules.

We wonder how long it will be before Google will be caught breaking privacy rules again. Of course, Google is not alone here, if you cast the net wider to include everyone from Silicon Valley, we suspect there will be another incident, investigation or fine to report on next week.

Privacy rules are not acting as a deterrent nowadays. These companies have simply grown too large for the fines imposed by agencies to have a material impact. We suspect Google made much more than $170 million through the adverts served to children over this period. If the fine does not exceed the benefit, will the guilty party stop? Of course not, Google is designed to make money not serve the world.

Giffgaff managed to find a way to overcharge prepaid subscribers

UK telecoms regulator Ofcom has fined MVNO Giffgaff £1.4 million for double-charging some of its pay-as-you-go customers.

Giffgaff specialises in prepaid SIM-only mobile phone deals, in which subscribers buy chunks of data, etc, marketed as ‘goodybags’, in advance and then buy more when those are used up. Any data used when a goodybag isn’t active is charged at 5p per MB. It looks like there was some delay in properly recognising when a fresh goodybag had been purchased from a billing perspective, resulting in people continuing to pay the metered rate at the same time.

This resulted in 2.6 million customers being overcharged by a total of £2.9 million, which might seem like a lot but is only a quid per punter. Once Giffgaff realised what it had done it grassed itself up to Ofcom, which proceeded to spend the next ten months ‘investigating’ what it had already been told. This resulted in Giffgaff being fined £1.4 million, which would have been more if Giffgaff hadn’t fessed up and already attempted to refund the overcharging.

“Getting bills right is a basic duty for every phone company,” pronounced Gaucho Rasmussen, Ofcom’s Director of Investigations and Enforcement. “But Giffgaff made unacceptable mistakes, leaving millions of customers out of pocket. This fine should serve as a warning to all communications providers: if they get bills wrong, we’ll step in to protect customers.”

Thanks Gaucho, but didn’t Giffgaff tell you what it had done and hasn’t it already taken remedial measures? What, exactly, have you done to further protect customers other than spend ten months mulling over how much to fine them? Even regulators can never resist an opportunity to self-promote.

Giffgaff seems to have missed a PR trick here too. There is nothing on its website or social media addressing this, so people are largely left to interpret the background to the fine themselves. For a prepaid brand that makes a virtue of transparency and value for money, this apparent shiftiness and surrendering of the narrative could end up being far more harmful than the fine itself.

FTC hits Facebook with $5bn privacy fine

The Federal Trade Commission (FTC) has hit Facebook with a fine of $5 billion relating to numerous privacy violations over the last few years.

The fine itself, which is the largest ever imposed on any company for violating consumers’ privacy, will be accompanied by broad changes to its consumer privacy practices. The decision will also force Facebook to add in more decision-making capability on its privacy policies.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

The accusations directed towards Facebook will sound very familiar. Whether it is using deceptive disclosures or secretive settings to disguise features and undermine privacy principles, or violation of previous commitments made to privacy in a 2012 FTC Order and dubious data-sharing relationships with third-parties, Facebook is facing a massive disruption to the way it manages data and approaches user privacy.

Looking at the changes Facebook will have to make, CEO Mark Zuckerberg is no longer allowed to be the single decision maker for privacy policies, a position which was ridiculous in the first place. Facebook will also be forced to appoint an ‘independent privacy committee’ to ensure a position which is consistent with society’s expectations.

Privacy policies will filter down through the organization, theoretically, through the appointment of Compliance Officers. Another condition set upon Facebook is granting more powers to independent third-party assessors, who will conduct privacy orders every other year.

There are numerous other orders placed on Facebook as part of the negotiation between the FTC and the social media giant, including:

  • Facebook must exercise greater oversight over third-party apps
  • Phone numbers obtained to enable a security feature cannot be used in advertising mechanisms
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology
  • Facebook must encrypt user passwords and regularly audit security systems

While many of these demands from the FTC might be considered as business practice in today’s privacy conscious world, they are likely to cause a disruption for Facebook internally.

“After months of negotiations, we’ve reached an agreement with the Federal Trade Commission that provides a comprehensive new framework for protecting people’s privacy and the information they give us,” said Facebook General Counsel Colin Stretch.

“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company. It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.”

Although it is an incredibly steep fine for Facebook to stomach, we suspect it won’t bother the bean counters that much. Facebook is a money-making machine, and this will soon enough be nothing more than a minor blip. The disruption to its finely-tuned advertising machine will be more of an issue, but it could work in Facebook’s favour.

Facebook is being forced to be more transparent and treat privacy principles with respect. Left to its own fate, the social media giant probably wouldn’t have taken such drastic measures to disrupt itself. However, being forced into these changes could earn Facebook trust and credibility points in the eyes of the consumer.

If Facebook owns this punishment, while shouting and screaming about the changes it is making to become compliant with the order, it could swing public favour back onto its side. Facebook needs to present itself as a privacy conscious organization and this is a perfect opportunity to do so.

ICO gets serious on British Airways over GDPR

The UK’s Information Commissioner’s Office has swung the sharp stick of GDPR at British Airways and it looks like the damage might be a £183.39 million fine.

With GDPR inked into the rule book in May last year, the first investigations under the new guidelines will be coming to a conclusion in the near future. There have been several judgments passed in the last couple of months, but this is one of the most significant in the UK to date.

What is worth noting is this is not the final decision; this is an intention to fine £183.39 million. We do not imagine the final figure will differ too much, the ICO will want to show it is serious, but BA will be given the opportunity to have its voice heard with regard to the amount.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The EU’s GDPR, General Data Protection Regulation, offers regulators the opportunity to fine guilty parties €20 million or as much as 3% of total revenues for the year the incident occurred. In this case, BA will be fined 1.5% of its total revenues for 2018, with the fine being reduced for several reasons.

In September 2018, user traffic was directed towards a fake British Airways site, with the nefarious actors harvesting the data of more than 500,000 customers. In this instance, BA informed the authorities of the breach within the defined window, co-operated during the investigation and made improvements to its security systems.

While many might have suggested the UK watchdog, or many regulators around the world for that matter, lack teeth when it comes to dealing with privacy violations, this ruling should put that preconception to rest. This is a weighty fine, which should force the BA management team to take security and privacy seriously; if there is one way to make executives listen, it’s to hit them in the pocket.

This should also be seen as a lesson for other businesses in the UK. Not only is the ICO brave enough to hand out fines for non-compliance, it is mature enough to reduce the fine should the affected organization play nice. £183.39 million is half of what was theoretically possible and should be seen as a win for BA.

Although this is a good start, we would like to see the ICO, and other regulatory bodies, set their sights on the worst offenders when it comes to data privacy. Companies like BA should be punished when they end up on the wrong side of right, but the likes of Facebook, Google and Amazon have gotten an easy ride so far. These are the companies who have the greatest influence when it comes to personal information, and the ones which need to be shown the rod.

This is one of the first heavy fines implemented in the era of GDPR and the difference is clear. Last November, Uber was fined £385,000 for a data breach which impacted 2.7 million customers and drivers in the UK. The incident occurred prior to the introduction of GDPR, the reason the punishment looks so measly compared to the BA fine here.

The next couple of months might be a busy time in the office of the ICO as more investigations conclude. We expect some heavy fines as the watchdog bares its teeth and forces companies back onto the straight and narrow when it comes to privacy and data protection.

Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed but little is done to address. Irrespective of how many CEOs tell you it’s top of the agenda or how many statements start with the phrase ‘our customers’ security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulation (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data is subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioner’s Office issued fines totalling just over £5 million, a 24% increase on the previous period of 12 months. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in by-gone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pushed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executives’ minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.

France fines Google for being vague

The French regulator has swung the GDPR stick for the first time and landed it firmly on Google’s rump, costing the firm €50 million for transparency and consent violations.

The National Data Protection Commission (CNIL) has been investigating the search engine giant since May when None Of Your Business (NOYB) and La Quadrature du Net (LQDN) filed complaints suggesting GDPR violations. The claims specifically suggested Google was not providing adequate information to the user on how data would be used or how long it would be retained, while also suggesting Google made the process to find more information unnecessarily complex.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement.

“But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes.”

This seems to be the most prominent issue raised by the CNIL. Google was being too vague when obtaining consent in the first instance, but when digging deeper the rabbit hole became too complicated.

Information on data processing purposes, the data storage periods or the categories of personal data used for the ad personalization were spread across several pages or documents. It has been deemed too complicated for any reasonable member of the general public to make sense of and therefore a violation of GDPR.

When first obtaining consent, Google did not offer enough clarity on how data would be used, therefore was without legal grounding to offer personalised ads. Secondly, the firm then wove too vexing a maze of red-tape for those who wanted to understand the implications further.

It’ll now be interesting to see how many other firms are brought to the chopping block. Terms of Service have been over-complicated documents for a long time now, with the excessive jargon almost becoming best practice in the industry. Perhaps this ruling will ensure internet companies make the legal necessities more accessible, otherwise they might be facing the same swinging GDPR stick as Google has done here.

For those who are finding the NOYB acronym slightly familiar it might be because the non-profit recently filed complaints against eight of the internet giants, including Google subsidiary YouTube. These complaints focus on ‘right to access’ clauses in GDPR, with none of the parties responding to requests with enough information on how data is sourced, how long it would be retained for or how it has been used.

As GDPR is still a relatively new set of regulations for the courts to ponder, the complaints from NOYB and LQDN were filed almost simultaneously as the new rules came into force, this case gives some insight into how sharp the CNIL’s teeth are. €50 million might not be a monstrous amount for Google, but this is only a single ruling. There are more complaints in the pipeline meaning the next couple of months could prove to be very expensive for the Silicon Valley slicker.

Facebook hit with Italian fine as share buy-back ramps up

The Italian watchdog is the latest to slap a fine on Facebook for misleading and abusing consumer confidence.

The Autorità Garante della Concorrenza e del Mercato (AGCM) has imposed a €10 million fine on Facebook after a lengthy investigation which began in April. The watchdog has come to the conclusion the social media giant has violated articles 21 and 22 of the Consumer Code, misleading the consumer on how data would be collected, what information would be sourced and the commercial purpose.

To rub salt into the wounds, the AGCM believes articles 24 and 25 of the Consumer Code were also ignored. These violations are a bit more nefarious as the AGCM has stated Facebook implemented an aggressive practice as it “exerts undue influence on registered consumers, who suffer, without express and prior consent”. A rather devilish picture is being painted by the Italian watchdog, with Facebook portrayed as the antagonist of a fair and transparent society.

For Facebook, this is simply another example of a government turning against it. It wasn’t that long ago Facebook was a business every government wanted to get into the good books of and a brand which was admired by the majority of consumers. The Cambridge Analytica scandal has sent the reputation of the social media giant into freefall, pulling back the curtain on the terrifying complexities of the data economy. The difference between how the machine functions and how these billionaires have educated the masses who provide the fuel is quite staggering.

Despite the world turning against Facebook, it seems the management team is embracing the phrase ‘no such thing as bad publicity’.

Last week, an 8-K filing was made by David Kling, Facebook’s General Counsel and Secretary, to the Securities and Exchange Commission, which authorises an additional $9 billion in the share buy-back scheme which commenced in 2017. This is the second time the management team has bolstered the chest, taking advantage of a decline in share price to seemingly take back more control of the business from investors.

[Image: Facebook share price]

As you can see from the image above (courtesy of Google Finance), Facebook’s share price has fallen by almost 37% since the summer, as the fallout of the Cambridge Analytica scandal continues to scare investors. The management team clearly believe Facebook shares are being undervalued by the market, pumping cash into the share buy-back scheme perhaps to dilute the influence external shareholders can have on the business.

There are of course numerous reasons a company would repurchase shares. It might believe there is simply too much exposure on the market, it might be trying to reduce the influence on the business from external factors or it might not know what else to do with the free cash which it has available.

With Facebook increasingly coming under scrutiny by regulators and governments, it makes sense the management team want fewer shares on the exchanges. This minimises the damage which can be struck by negative press and unfavourable regulations, but also reduces the scrutiny which can be placed on decisions and future strategies. The management team have been under pressure recently for, what the market believes are, poor growth prospects.

However, there is a downside. Sometimes investors might consider the ramping up of a share buy-back scheme as a lack of ideas from the firm. Firstly, it is trying to protect itself for future earnings calls, and secondly, it perhaps indicates the business does not know what to do with free cash, of which Facebook has a lot.

Facebook has not been an innovative company for some years now. Most of the ‘new’ products and services introduced by the team are reinventions of something which already exists with the Facebook brand slapped on (marketplace, enterprise communications etc.), or are a blatant rip-off of a competitor’s idea. The Stories feature on Facebook and Instagram is clearly an imitation of the My Story feature on Snapchat. Some believe share buy-back programmes are evidence a firm has run out of new ideas.

Facebook is increasingly coming under pressure from consumers, governments, regulators and investors, though little is being done to reverse this trend. Posters have been displayed across the major cities promising the consumer it does care, and while executives have been meeting with governments, the answers being provided are increasingly unsatisfactory. The release of 250 Facebook emails and memos by the UK government has shed further light on the deception, though the response has been on par with Facebook’s form.

It’s almost like Zuckerberg and his cronies don’t care anymore. Instagram seems to be offsetting (at least partially) the decline in engagement on the Facebook platform, so there are still prospects to participate in the digital economy. The image of the company which is being created right now is one of arrogance. Facebook seems to think it is untouchable, and perhaps a €10 million fine demonstrates it is.

How long will it take Mark to pay off this fine? Is Facebook actually going to be held accountable for wrong-doing?

Uber feels sharp(ish) end of Dutch and British stick

Following a data breach which exposed personal information of roughly three million European customers, Uber has been fined over £900,000 by Dutch and British authorities.

£900,000 does sound like a lot of cash, but let’s just put it into perspective for the moment. In the Netherlands, details of 174,000 customers and drivers were hacked, resulting in a €600,000 (roughly £532,000) fine, while the punishment for leaking details of 2.7 million customers and drivers in the UK was £385,000. In the US, where the exposure was admittedly significantly higher, Uber had to fork out $148 million. The numbers aren’t exactly consistent.

Uber should certainly consider itself lucky the incident occurred prior to the implementation of GDPR, though the fines simply demonstrate how important the new rules are in enforcing data protection requirements. Under today’s rules, Uber could have potentially been fined 3% of global annual turnover, and we suspect the fact it tried to cover up the incident meant it would have been held fully accountable.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Information Commissioner’s Office Director of Investigations, Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

While many found the implementation of GDPR a nightmare, this is an incident which demonstrates why new data protection rules were completely necessary. In our opinion, Uber got off lightly considering the severity of the breach and subsequent efforts to cover up the hack with ‘hush-money’.

Once the breach was discovered, Uber tried to sweep the incident under the rug. Instead of reporting the breach to authorities, customers and drivers, $100,000 was paid to the hacker, with the promise that the data, which had been downloaded from a cloud-based storage system operated by Uber’s US parent company, would be deleted and the hacker would keep quiet. As with all of these incidents, the truth eventually emerged. Here, it took a full year.

In both the Dutch data protection authority’s and the ICO’s investigations it was found the breach could have been avoided if basic and appropriate data protection protocols were followed. Under GDPR, Uber is obliged to inform the relevant data protection authorities within 72 hours of discovery, which can mean fines can be avoided. If a company co-operates and is able to demonstrate it has put in place acceptable protections, authorities will not punish in the strictest of terms.

This is an aspect of GDPR which we like. Rule makers have accepted there is no such thing as 100% secure, and have created a framework which has in-built sympathy for those cases which cannot be avoided. As long as a company is proactive and honest, authorities are willing to work alongside industry to make customers and employees more secure.

This is not an example of this perfect scenario however. Uber acted completely irresponsibly and is incredibly fortunate the incident occurred during a time when data protection rules and punishments were woefully outdated. The whole incident does leave two questions remaining however…

Firstly, how many more incidents have there been which have been swept under the carpet, as we can almost guarantee there will be a few, and secondly, will the EU hold the guilty parties fully accountable to GDPR punishments? We need to know whether authorities are prepared to swing the very sharp stick GDPR hands them.

Italian watchdog bares its gums in Apple and Samsung planned obsolescence case

Italian regulator AGCM has shown its bite is particularly toothless after fining Apple and Samsung €10 million and €5 million respectively over planned obsolescence.

Following a ten-month investigation for unfair commercial practices, the watchdog found the pair guilty, though after months of barking the bite has proven to be as gummy as a 70-year-old Welwyn Garden City pensioner. For many companies the fines would be considered monstrous, but for these two, it will barely register a blip on the financials.

The statement from the AGCM reads as follows:

“As a result of two complex investigations, the AGCM has ascertained that the companies of the Apple group and of the Samsung group have realized unfair commercial practices in violation of articles 20, 21, 22 and 24 of the Consumer Code in relation to the release of some firmware updates of mobile phones that have caused serious malfunctions and significantly reduced performance, thereby accelerating the process of replacing them.”

In Samsung’s case, the watchdog believes the company insisted that users who had purchased a Note 4 install the new Android firmware called Marshmallow, which was designed for the Note 7, but failed to inform them of serious malfunctions due to the greater stress on the device.

Apple told the owners of various models of iPhone 6 to install the new iOS 10, which was developed for the iPhone 7, without informing them of the greater energy demands of the new operating system and the possible inconveniences, such as sudden shutdowns. To counter these issues, a new update was released without warning that its installation could reduce the speed of response and functionality of the devices.

In a second investigation of Apple, AGCM found the iLeader did not provide consumers with adequate information about some characteristics of the batteries, such as their average life and deterioration, nor the correct procedures to maintain, verify and replace the batteries to preserve the full functionality of the devices.

Just to put the fines into some perspective, it would take Apple approximately 20 minutes to pay off the €10 million fine, while Samsung would take around 16 minutes to pay off its €5 million penalty.

The issue with these fines is the severity. Apple and Samsung have failed in their responsibilities to their customers, and should be punished. However, these are monstrous companies with unthinkably large bank accounts. Fines should be proportional to the size of the company, otherwise fear will not be instilled.

Fines are supposed to act as a deterrent for any wrong-doing in the future. Considering how minor these penalties are in comparison to the annual turnover of Apple and Samsung, what is to stop them from continuing to edge along the line of right and wrong?

Unfortunately this is the current state of play. Regulators can try to protect the consumer, but until they are given the power to effectively and proportionally punish wrong-doers, nothing will change. This is not the last time Apple and Samsung will be caught doing something wrong, and it’s because they are effectively being allowed to get away with it.