Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed, but little is done to address it. Irrespective of how many CEOs tell you it’s top of the agenda or how many statements start with the phrase ‘our customers’ security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulation (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data is subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioner’s Office issued fines totalling just over £5 million, a 24% increase on the previous period of 12 months. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in by-gone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pushed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executives’ minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.

Cisco calls for US GDPR rollout

In a move which might make the networking giant quite unpopular on the US side of the pond, Cisco’s Chief Legal and Compliance Officer Mark Chandler has called for a US version of GDPR.

Having been implemented during May 2018, Europe’s General Data Protection Regulation (GDPR) is starting to make waves in the technology world. The first complaints were filed as the ink was drying on May 25, though with the first rulings starting to be announced eight months later, the implications and dangers are starting to become clear. Unless Silicon Valley wins the opening legal skirmishes, precedent will be set and disruption to the data sharing economy will be very apparent.

Considering the massive potential for disruption in the digital ecosystem, Chandler will not be making any friends in Silicon Valley by pushing the case for more focused protections on data protection and privacy. Commenting to the Financial Times, Chandler stated he believes the new regulations have worked out well and after some tweaking, the same rules should be applied in the US as well.

Of course, a legal executive from a networking company stirring the pot is unlikely to turn heads right now; the rules would not necessarily have any monumental impact on the networking infrastructure giant, but there might be a few upset individuals in Silicon Valley. For years, the internet players have effectively been able to do what they want, but GDPR sought to end this reign of freedom.

Although GDPR is an incredibly complex set of rules with more nuances than a teenage philosopher’s diary, the overall aim is pretty simple. Firstly, the user has more control over his/her personal data, and secondly, internet companies have to demonstrate a need to collect and process data, while also improving security around these processes. And of course, there are the fines as well.

This is perhaps one of the biggest concerns of the internet giants as they can now be held accountable. Prior to GDPR, fines were feeble. For any normal company, they would be horrid, but considering the size and profitability of the likes of Facebook, Google, Amazon and Apple, any punishments dished out would take a matter of minutes or hours to pay off. GDPR allows regulators to assign fines which are relative to the size of the organization, therefore companies can now be held accountable.

While GDPR does seem to be forcing many companies to act more responsibly, the saving grace for Silicon Valley is that it is limited to Europe. The lobbyists will be fighting hard to make sure such rules do not find sympathetic ears in Washington DC, though governments do seem to be welcoming.

In India, the government is considering new rules which would tighten up protections around personal information, while the Japanese government has signed a new treaty with the European Union which extends GDPR protections of European citizens to Japan. These are two examples, though as more complaints are filed and more judges’ opinions released to the public, interest in these rules will almost certainly increase.

What you always have to consider when you read such comments is that Cisco is a B2B firm. The privacy rules are geared towards empowering the consumer and therefore would have minimal impact here. In public, many of the internet giants are calling for a revamp of privacy rules, it’s just good PR form, but they will be privately terrified of a GDPR replicant.

What is also worth bearing in mind is that the US is not as sensitive to privacy issues as Europeans are. Of course, legislators will have an eye on privacy and it will be a worry, but Europe is much more aware and condemning of the slippery practices of Silicon Valley. For years, the Californian lawyers have revelled in technology outpacing regulation, identifying grey areas and loopholes galore. However, the European regulators are attempting to make life difficult.

GDPR net starting to get very wide

Eight months after the introduction of GDPR, decisions are starting to emerge from the first complaints. The breadth and depth of the complaints are starting to look revolutionary for the digital economy.

For years, the internet effectively did whatever it wanted. Bureaucrats attempted to regulate the industry, though mostly built ineffective rules on shaky foundations. Regulators were seemingly unable to out-manoeuvre Silicon Valley’s slippery legal beagles, experts at discovering grey areas, but then Europe’s General Data Protection Regulation (GDPR) was created.

The months leading up to the May 25 ‘doomsday’ were a nightmare for many companies around the world, such is the weight of potential fines. As soon as the ink was dry in the rulebook, the complaints started to get filed. Eight months later, the first decisions are emerging, and the threat of disruption is starting to look big, broad and beastly.

Over the last few weeks, French regulator CNIL has fined Google for not being explicit enough when collecting consent, a decision the search giant is challenging. Privacy advocate Max Schrems’ non-profit, None of Your Business (NYOB), is taking eight internet companies to court in Austria for ‘Right to Access’ violations. NYOB is also challenging Google’s Android as well as Facebook’s Instagram and WhatsApp on the grounds of forced consent. Privacy International is also pointing the GDPR finger at Facebook. Private browser Brave and the Open Rights Group are tackling Google and marketing agency IAB on ‘Real-time bidding’ for hyper-personalised advertising.

Looking at the final case, this is an interesting one as it is not a practice which has been widely connected with GDPR. Real-time bidding platforms allow companies to collect in-depth and wide-ranging troves of information on individuals. This behavioural data then ‘is broadcast to tens or hundreds of companies’ in order to attract potential advertisers’ bids. Brave and the Open Rights Group believe this is a violation of GDPR as the ‘broadcast’ fails to protect these intimate data against unauthorized access.

Article 5, paragraph one of GDPR states data should be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss’. As there is no control over the data once it has been broadcast, Brave and the Open Rights Group state this is a violation of privacy rights.

The marketing and advertising industry would certainly have been aware of the threat to this segment; however, it is not the type of data application which has hit the headlines in a major way. This is the current risk the internet industry is facing; privacy advocates are getting creative with how they are applying GDPR, widening the net of accusation, ensuring lawyers are fighting the regulation on multiple fronts.

In the first couple of months, you can almost guarantee every court decision will be challenged by at least one of the internet giants. This is the gravity of the situation; fundamental and revolutionary changes could be on the way if privacy wins. The internet will change due to the interpretation of GDPR. The threat of red-tape choking off the steady flow of billions is looking very real.

Worrying for the internet giants is the emergence of class-action suits as well. Although this type of proceeding is quite common across the pond, such cases are rare occurrences in Europe. Across the legal community there have been mutterings suggesting the regulation could open the door to them in the bloc. Perhaps it would not evolve to the same scale as class-action suits in the US, but the threat of such a trend should be very worrying for those who are currently ducking and diving swipes from the GDPR stick.

Today is Data Privacy Day, so perhaps it is fate that it appears the data privacy campaigners have the upper hand over Silicon Valley right now. The first decision from the courts has gone against the internet industry, the implications could have a significant knock-on effect to Terms of Service agreements, and you can guarantee Google will throw everything it can against the CNIL and its €50 million fine.

The money means nothing to the ‘Do no Eviler’, but the potential disruption to the internet economy could be seismic. We all knew GDPR could be very damaging to the data-sharing industry, but now it is starting to get very real.

Google challenges France’s first swing of the GDPR stick

Google has stated it will appeal the French regulator’s decision to dish out a €50 million fine for not being forthright enough with how it collects, stores and processes users’ personal data.

For Google, this is not about the money. €50 million for Google is nothing. This is a company which generated $33.7 billion over the final quarter of 2018. It would take a matter of minutes for the team to pay off this fine. However, should this ruling be allowed to stand, Google would have to alter its business model, as would the rest of the data-sharing economy, causing a very unwelcome, and potentially costly, disruption.

“The 50 million euro fine issued by the CNIL on 21 January 2019 significantly impacts Google as it directly challenges its business model based on the processing of personal data,” said Sonia Cissé, Head of TMT Practice of law firm Linklaters in Paris.

“Considering the seriousness of the CNIL’s findings and the broad publicity of this case, a potential appeal by Google is no surprise and makes perfect sense from a legal-strategy perspective.”

On Monday, France’s National Data Protection Commission (CNIL) dished out the fine for two violations of Europe’s General Data Protection Regulation (GDPR). Firstly, the search giant was not specific enough when requesting consent from users. Secondly, for users who wanted to dig deeper into the Google data practices, the company made it unnecessarily difficult to see the entire picture. Google was being too vague and not accessible enough.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement.

This is the first time a regulator has used GDPR to hold one of the internet giants accountable, but there are plenty of other cases in the pipeline. Google is of course not the only target, as various different privacy advocates across the bloc lodge their complaints against the likes of Spotify, Amazon and Apple, just to name a few others.

In appealing this case, Google is making itself the tip of the spear for the entire internet ecosystem. There will be multiple appeals against the various rulings over the coming months because of how important precedent is in this saga. If Google was to just let this ruling stand, it would effectively be validating the opinion, potentially undermining its own business model. If similar rulings start to appear across the continent, the disruption to the data-sharing economy would be massive.

“In all likelihood, Google will challenge the CNIL’s decision on two main grounds: (i) procedural aspects (i.e., the competence of the CNIL); and (ii) the content of the case (i.e., challenging the facts),” said Cissé.

“Should Google be able to demonstrate that Google Ireland Limited was its main establishment in the European Union (EU) at the time of the CNIL’s investigations, then the competence of the CNIL could be validly challenged.

“Second, the content of the decision is another ground for action, and it will be up to the French administrative judges to determine, in light of the circumstances at stake, whether the transparency requirements under GDPR were met or not.”

GDPR is an incredibly complicated set of rules mainly because there are so many different definitions and clauses, but also certain exemptions. In most cases, companies would have to obtain consent from users to use data for explicit purposes, retaining the data only until these purposes have been satisfied. However, companies do not have to obtain consent when it is necessary to comply with another law, or there are ‘legitimate interests’. It paints a complicated picture.

Of course, for those who are more privacy sensitive, such rules and grey areas are a bounty of riches. The rules have created ample opportunity to challenge the internet giants’ business models, as well as the influence they have over the world. One of those is privacy campaigner Max Schrems.

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said following the CNIL ruling.

“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

Schrems’ firm, None of Your Business (NYOB), has filed several complaints against other internet businesses on the grounds of accessibility. Those who will come under the scrutiny of Austrian courts include Apple, DAZN, Filmmit, Netflix and Amazon. More specifically, these complaints suggest the companies violated GDPR’s ‘right to access’, enshrined in Article 15 GDPR and Article 8(2) of the Charter of Fundamental Rights.

All of these cases will dictate how the internet economy will function over the coming years, but this battle between the CNIL and Google could prove to be a critical one, such is the power of precedent in the legal world.

“In a nutshell, it is highly difficult to identify certainties regarding the outcome of Google’s appeal,” said Cissé.

“Since data protection is a field of law particularly subject to interpretation and grey areas, one cannot exclude the possibility that Google could be successful in appealing the CNIL’s decision before the French Administrative Supreme Court. In any event, the ruling of the French administrative judges will be closely monitored by all the tech companies.”

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges using the data privacy regulation. There have of course been numerous violations of user privacy, but as these incidents occurred prior to the implementation of GDPR, the old version of the rules and punishments were used. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers which use its platform for data collection and user identification are acting responsibly and legally. Using the Facebook Software Development Kit (SDK), data is automatically sent back to the social media giant, irrespective of whether consent has been collected, or even if the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Developers tested include travel comparison app Kayak, job search company Indeed and crowd-sourced search service Yelp.

Looking at the Kayak example, not only was information transferred back to Facebook once the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user selected a flight from London Gatwick to Tokyo between December 2 and 5, Narita Airport was then selected, before another search was conducted searching for hotels for two adults in the city. All of this information was sent to Facebook without prompt, despite Kayak claiming, ‘don’t worry, we’ll never share anything without your permission’, when the user signs in.

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allowed developers to suspend the automatic data transfers, though this was only for version 4.34 and later. With the Opt-out section (the Google advertising ID) automatically turned off, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on users who do not have Facebook accounts; this is much more suspect. As per GDPR, a company has to have a specific and justified reason to collect personal information. It does appear Facebook is collecting information on users despite having no purpose or valid reason to do so.

With fines for violating GDPR up to 3% of annual turnover, the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

The biggest stories of 2018 all in one place

2018 has been an incredibly busy year for all of us, and it might be easy to forget a couple of the shifts, curves, U-turns and dead-ends.

From crossing the 5G finish line, finger pointing from the intelligence community, the biggest data privacy scandal to date and a former giant finally turning its business around, we’ve summarised some of the biggest stories of 2018.

If you feel we’ve missed anything out, let us know in the comments section below.

Sanction, condemnation and extinction (almost)

ZTE. Three letters which rocked the world. A government-owned Chinese telecommunications vendor which can’t help but antagonise the US government.

It might seem like decades ago now but cast your mind back to April. A single signature from the US Department of Commerce’s Bureau of Industry and Security (BIS) almost sent ZTE, a company of 75,000 employees and revenues of $17 billion, to keep the dodo company.

This might have been another move in the prolonged technology trade war between the US and China, but ZTE was not innocent. The firm was caught red-handed trading with Iran, a country which sits very prominently on the US trade sanction list. Trading with Iran is not necessarily the issue; it’s the incorporation of US components and IP in the goods which were sent to the country. ZTE’s business essentially meant the US was indirectly helping a country which it was attempting to punish.

The result was a ban, no US components or IP to feature in any ZTE products. A couple of weeks later manufacturing facilities lay motionless and the company faced the prospect of permanent closure, such was its reliance on the US. With a single move, the US brought one of China’s most prominent businesses to its knees.

Although this episode has been smoothed over, and ZTE is of course back in action, the US demonstrated what its economic dirty bombs were capable of. This was just a single chapter in the wider story; the US/China trade war is in full flow.

Tinker, tailor, Dim-sum, Spy

This conflict has been bubbling away for years, but the last few months is where the argument erupted.

Back in 2012, a report was tabled by Congressman Mike Rogers which initially investigated the threat posed by Chinese technology firms in general, and Huawei specifically. The report did not produce any concrete evidence, though it suggested what many people were thinking; China is a threat to Western governments and its government is using internationally successful companies to extend the eyes of its intelligence community.

This report has been used several times over the last 12 months to justify increasingly aggressive moves against China and its technology vendors. During the same period, President Trump also blocked Broadcom’s attempts to acquire Qualcomm on the grounds of national security, tariffs were imposed, ZTE was banned from using US technologies in its supply chain and Huawei’s CFO was arrested in Canada on the grounds of fraud. With each passing month of 2018, the trade war was being cranked up to a new level.

Part of the strategy now seems to be undermining China’s credibility around the world, promoting a campaign of suggestion. There is yet to be any evidence produced confirming the Chinese espionage accusations but that hasn’t stopped several nations snubbing Chinese vendors. The US was of course the first to block Huawei and ZTE from the 5G bonanza, but Australia and Japan followed. New Zealand seems to be heading the same way, while South Korean telcos decided against including the Chinese vendors on preferred supplier lists.

The bigger picture is the US’ efforts to hold onto its dominance in the technology arena. This has proved to be incredibly fruitful for the US economy, though China is threatening the vice-like grip Silicon Valley has on the world. The US has been trying to convince the world not to use Chinese vendors on the grounds of national security, but don’t be fooled by this rhetoric; this is just one component of a greater battle against China.

Breakaway pack cross the 5G finish line

We made it!

Aside from 5G, we’ve been talking about very little over the last few years. There might have been a few side conversations which dominate the headlines for a couple of weeks, but we’ve never been far away from another 5G ‘breakthrough’ or ‘first’. And the last few weeks of 2018 saw a few of the leading telcos cross the 5G finish line.

Verizon was first with a fixed wireless access proposition, AT&T soon followed in the US with a portable 5G hotspot. Telia has been making some promising moves in both Sweden and Estonia, with limited launches aiming to create innovation and research labs, while San Marino was the first state to have complete coverage, albeit San Marino is a very small nation.

These are of course very minor launches, with geographical coverage incredibly limited, but that should not take the shine off the achievement. This is a moment the telco and technology industry has been building towards for years, and it has now been achieved.

Now we can move onto the why. Everyone knows 5G will be incredibly important for relieving the pressure on the telco pipes and the creation of new services, but no-one knows what these new services will be. We can all make educated guesses, but the innovators and blue-sky thinkers will come up with some new ideas which will revolutionise society and the economy.

Only a few people could have conceived Uber as an idea before the 4G economy was in full flow, and we can’t wait to see what smarter-than-us people come up with once they have the right tools and environment.

Zuckerberg proves he’s not a good friend after all

This is the news story which rocked the world. Data privacy violations, international actors influencing US elections, cover ups, fines, special committees, empty chairs, silly questions, knowledge of wrong-doing and this is only what we know so far… the scandal probably goes deeper.

It all started with the Cambridge Analytica scandal, and a Russian American researcher called Aleksandr Kogan from the University of Cambridge. Kogan created a quiz on the Facebook platform which exposed a loophole in the platform’s policies allowing Kogan to scrape data not only from those who took the quiz, but also connections of that user. The result was a database containing information on 87 million people. This data was used by political consulting firm Cambridge Analytica during elections around the world, creating hyper-targeted adverts.

What followed was a circus. Facebook executives were hauled in front of political special committees to answer questions. As weeks turned into months, more suspect practices emerged as politicians, journalists and busy-bodies probed deeper into the Facebook business model. Memos and internal emails have emerged suggesting executives knew they were potentially acting irresponsibly and unethically, but it didn’t seem to matter.

As it stands, Facebook is looking like a company which violated the trust of the consumer, has a much wider reaching influence than it would like to admit, and this is only the beginning. The only people who genuinely understand the expanding reach of Facebook are those who work for the company, but the curtain is slowly being pulled back on the data machine. And it is scaring people.

Big Blue back in the black

This might not have been a massive story for everyone in the industry, but with the severe fall from grace and rise back into the realms of relevance, we feel IBM deserves a mention.

Those who feature in the older generations will remember the dominance of IBM. It might seem unusual to say nowadays, but Big Blue was as dominant in the 70s as Microsoft was in the 90s and Google is today. This was a company which led the technology revolution and defined innovation. But it was not to be forever.

IBM missed a trick; personal computing. The idea that every home would have a PC was inconceivable to IBM, who had carved its dominant position through enterprise IT, but it made a bad choice. This tidal wave of cash which democratised computing for the masses went elsewhere, and IBM was left with its legacy business unit.

This was not a bad thing for years, as the cash cow continued to grow, but a lack of ambition in seeking new revenues soon took its toll. Eight years ago, IBM posted a decline in quarterly revenues and the trend continued for 23 consecutive periods. During this period cash was directed into a new division, the ‘strategic imperatives’ unit, which was intended to capitalise on a newly founded segment; intelligent computing.

In January this year, IBM proudly posted its first quarterly growth figures for seven years. Big Blue might not be the towering force it was decades ago, but it is heading in the right direction, with cloud computing and artificial intelligence as the key cogs.

Convergence, convergence, convergence

Convergence is one of those buzzwords which has been on the lips of every telco for a long time, but few have been able to realise the benefits.

There are a few glimmers of promise: Vodafone seems to be making promising moves in the UK broadband market, while Now TV offers an excellent converged proposition. On the other side of the Atlantic, AT&T’s effort to move into the content world with the Time Warner acquisition is a puzzling one, while Verizon’s purchase of Yahoo’s content assets has proved to be nothing but a disaster.

Orange is a company which is taking convergence to the next level. We’re not just talking about connectivity either; how about IoT, cyber-security, banking or energy services? This is a company which is living the convergence dream. Tie as many services as possible into the same organisation, making the bill payer so dependent on one company it becomes a nightmare to leave.

It’s the convergence dream as a reality.

Europe’s Great Tax Raid

This is one of the more recent events on the list, and while it might not be massive news now, we feel it justifies inclusion. This developing conversation could prove to be one of the biggest stories of 2019 not only because governments are tackling the nefarious accounting activities of Silicon Valley, but there could also be political consequences if the White House feels it is being victimised.

Tax havens are nothing new, but the extent to which Silicon Valley is making use of them is unprecedented. Europe has had enough of the internet giants making a mockery of the bloc and not paying their fair share back to the state, and moves are being made by the individual states to make sure these monstrously profitable companies are held accountable.

The initial idea was a European-wide tax agenda which would be led by the European Commission. It would impose a sales tax on all revenues realised in the individual states. As ideas go, this is a good one. The internet giants will find it much more difficult to hide users’ IP addresses than to shift profits around. Unfortunately, the power of the European Union is also its downfall; for any meaningful changes to be implemented all 28 (soon to be 27) states would have to agree. And they don’t.

Certain states, Ireland, Sweden and Luxembourg, have a lot more to lose than other nations have to gain. These are economies which are built on the idea of buddying up to the internet economy. The internet giants might not pay much tax in these countries, but the presence of massive offices ensures society benefits through other means. Taxing Silicon Valley puts these beneficial relationships with the internet players in jeopardy.

But that isn’t good enough for the likes of the UK and France. In the absence of any pan-European regulations, these states are planning to move ahead with their own national tax regimes; France’s 3% sales tax on any revenues achieved in the country will kick into action on January 1, with the UK not far behind.

What makes this story much more interesting will be the influence of the White House. The US government might feel this is an attack on the prosperous US economy. There might be counter measures taken against the European Union. And when we say might, we suspect this is almost a certainty, such is the ego of President Donald Trump.

This is a story which will only grow over the next couple of months, and it could certainly cause friction on both sides of the Atlantic.

Cue the moans… GDPR

GDPR. The General Data Protection Regulation. It was a pain for almost everyone involved and simply has to be discussed because of this distress.

Introduced in May, it seemingly came as a surprise. This is of course after companies were given 18 months to prepare for its implementation, but few seemed to appreciate the complexity of becoming, and remaining, compliant. As a piece of regulation, it was much needed for the digital era. It heightened protections for the consumer and ensured companies operating in the digital economy acted more responsibly.

Perhaps one of the most important components of the regulation was the stick handed to regulators. With technology companies growing so rapidly over the last couple of years, the fines being handed out by watchdogs were no longer suitable. Instead of defining specific amounts, the new rules allow punishments to be dished out as a percentage of revenues. This allows regulators to hold the internet giants accountable, hitting them with a suitably large stick.

Change is always difficult, but it is necessary to ensure regulations are built for the era. Evolving the current rulebook simply wouldn’t work, such is the staggering advancement of technology in recent years. Despite the headaches which were experienced throughout the process, it was necessary, and we’ll be better off in the long-run.

Next on the regulatory agenda, the ePrivacy Regulation.

Jio piles the misery on competitors

Jio is not a new business anymore, nor did it really come into being in 2018, but this was the period where the telco really justified the hype and competitors felt the pinch.

After hitting the market properly in early 2016, the firm made an impression. But like every challenger brand, the wins were small in context. Collecting 100,000s of customers every month is very impressive, but don’t forget India has a population of 1.3 billion and some very firmly positioned incumbents.

2017 was another year where the firm rose to prominence, forcing several other telcos out of the market and two of the largest players into a merger to combat the threat. Jio changed the market in 2017; it democratised connectivity in a country which had promised a lot but delivered little.

This year, however, was the year of sweeping dominance. It might not be the number one telco in the market share rankings, but it will be before too long. Looking at the most recent subscription figures released by the Telecom Regulatory Authority of India (TRAI), Jio grew its subscription base by 13.02 million, but more importantly, it was the only telco which was in the positive. This has started to make an impact on the financial reports across the industry, with Bharti Airtel particularly under threat, and there might be worse to come.

For a long time Jio has been hinting it wants to tackle the under-performing fixed broadband market. There have been a couple of acquisitions in recent months, Den Networks and Hathway Cable, which give it an entry point, and numerous other digital services initiatives to diversify the revenue streams.

The new business units are not making much money at the moment, though Jio is in the strongest position to test out the convergence waters in India. Offering a single revenue stream will ensure the financials hit a glass ceiling in the near future, but new products and aggressive infrastructure investment plans promise much more here.

We’re not too sure whether the Indian market is ready for mass market fixed broadband penetration, there are numerous other market factors involved, but many said the initial Jio battle plan would fail as well.

Convergent business models are certainly an interesting trend in the industry, and Jio is looking like it could force the Indian market into line.

Redundancies, redundancies, redundancies

Redundancy is a difficult topic to address, but it is one we cannot ignore. Despite what everyone promises, there will be more redundancies.

Looking at the typical telco business model, this is where the majority have been seen and will continue to be seen. To survive in the digitally orientated world, telcos need to adapt. Sometimes this means re-training staff to capitalise on the new bounties, but unfortunately this doesn’t always work. Some can’t be retrained, some won’t want to; the only result here will be redundancies.

BT has been cutting jobs, including a 13,000-strong cull announced earlier this year, Deutsche Telekom is trimming its IT services business by 25%, the merger between T-Mobile and Sprint will certainly create overlaps and resulting redundancies, while Optus has been blaming automation for its own cuts.

Alongside the evolving landscape, automation is another area which will result in a headcount reduction. The telcos will tell you AI is only there to supplement human capabilities and allow staff to focus on higher value tasks, but don’t be fooled. There will be value-add gains, but there will also be accountants looking to save money on the spreadsheets. If you can buy software to do a simple job, why would you hire a couple of people to do it? We are the most expensive outlay for any business.

Unfortunately, we have to be honest with ourselves. For the telco to compete in the digital era, new skills and new business models are needed. This means new people, new approaches to software and new internal processes. Adaptation and evolution are never easy and are often cruel to those who are not qualified. This trend has been witnessed in previous industrial revolutions, but the pace of change today means it will be felt more acutely.

Redundancy is not a nice topic, but it is not always avoidable.

Uber feels sharp(ish) end of Dutch and British stick

Following a data breach which exposed personal information of roughly three million European customers, Uber has been fined over £900,000 by Dutch and British authorities.

£900,000 does sound like a lot of cash, but let’s just put it into perspective for the moment. In the Netherlands, details of 174,000 customers and drivers were hacked, resulting in a €600,000 (roughly £532,000) fine, while the punishment for leaking details of 2.7 million customers and drivers in the UK was £385,000. In the US, where the exposure was admittedly significantly higher, Uber had to fork out $148 million. The numbers aren’t exactly consistent.

Uber should certainly consider itself lucky the incident occurred prior to the implementation of GDPR, though the fines simply demonstrate how important the new rules are in enforcing data protection requirements. Under today’s rules, Uber could have potentially been fined 3% of global annual turnover, and we suspect the fact it tried to cover up the incident meant it would have been held fully accountable.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Information Commissioner’s Office Director of Investigations, Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

While many found the implementation of GDPR a nightmare, this is an incident which demonstrates why new data protection rules were completely necessary. In our opinion, Uber got off lightly considering the severity of the breach and subsequent efforts to cover up the hack with ‘hush-money’.

Once the breach was discovered, Uber tried to sweep the incident under the rug. Instead of reporting the breach to authorities, customers and drivers, $100,000 was paid to the hacker, with the promise that the data, which had been downloaded from a cloud-based storage system operated by Uber’s US parent company, would be deleted and the hacker would keep quiet. As with all of these incidents, the truth eventually emerged. Here, it took a full year.

In both the Dutch data protection authority’s and the ICO’s investigations it was found the breach could have been avoided if basic and appropriate data protection protocols had been followed. Under GDPR, Uber is obliged to inform the relevant data protection authorities within 72 hours of discovery, which can mean fines are avoided. If a company co-operates and is able to demonstrate it has put in place acceptable protections, authorities will not punish in the strictest of terms.

This is an aspect of GDPR which we like. Rule makers have accepted there is no such thing as 100% secure, and have created a framework which has in-built sympathy for those cases which cannot be avoided. As long as a company is proactive and honest, authorities are willing to work alongside industry to make customers and employees more secure.

This is not an example of this perfect scenario however. Uber acted completely irresponsibly and is incredibly fortunate the incident occurred during a time when data protection rules and punishments were woefully outdated. The whole incident does leave two questions remaining however…

Firstly, how many more incidents have there been which have been swept under the carpet, as we can almost guarantee there will be a few, and secondly, will the EU hold the guilty parties fully accountable to GDPR punishments? We need to know whether authorities are prepared to swing the very sharp stick GDPR hands them.

Google faces GDPR complaints over user location tracking

Seven privacy advocacy groups will be reporting Google to their relevant data protection authority, claiming the firm is violating GDPR through location tracking of users.

Forbrukerrådet (Norway), Consumentenbond (The Netherlands), Ekpizo (Greece), dTest (Czech Republic), Zveza Potrošnikov Slovenije (Slovenia), Federacja Konsumentów (Poland) and Sveriges Konsumenter (Sweden) will all file complaints, while vzbv in Germany is considering action for an injunction and the Transatlantic Consumer Dialogue will bring it to the attention of the Federal Trade Commission. This is of course not the first time Google has faced complaints in the EU over privacy, but the volume here might cause a headache.

The complaint is a simple one. Even if a dataset has been anonymised by Google, detailed information on that user’s location can make this irrelevant, while in-depth and personal insights can be learned, violating user rights to privacy. For example, if a smartphone is stationary for eight hours consistently, at the same time every night, it would be a fair assumption this is the home address of the person, while learning about what bars they visit could give away the sexual persuasion of the individual.

Not only are these insights which can be used for personalised advertising, but the data can be sold on to other companies to dictate what services are sold to that individual at what price. An insurance company could up premiums for someone who never visits the gym, but this is not personal information which the individual has given permission to be released. Some would argue it is an invasion of privacy, others would suggest it is statistical science and fair game.

One of the complaints being made against Google is the lack of transparency. Yes, Google has made the consumer aware it collects information when the opt-outs are not altered in ‘location history’ settings tabs, though it has not made the user aware this opt-out could be irrelevant. When the user uses other apps and services, Google collects the data in any case. Once it is said out loud it should seem obvious: even if you have opted out, when you want to use the Maps app you will have to send Google your location data. But the slight contradiction has the capacity to confuse users. This is not what many would consider complete transparency.

“Google’s practices leave consumers very little choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising,” European privacy group BEUC said in a statement. “BEUC and its members argue that these practices contradict basic principles of the GDPR, such as the lawfulness, transparency and fairness of processing, and infringe on data subject’s rights such as the right to information. In our assessment Google notably lacks a lawful legal ground for processing the location data in question.”

There will of course be investigations over the course of the next couple of months, as we suspect there will be more complaints filed in the near future, though this will be a test of GDPR. As a reminder, the largest fine which the EU can impose is 3% of annual turnover. Google might have been able to swallow previous fines from the EU, but this one will be a bit more difficult to justify.

Privacy International lines up US firms for GDPR breaches

UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.

The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).

“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.

“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged.”

The GDPR Articles in question relate to the collection and processing of information. Article Five dictates a company has to be completely transparent in how it collects and processes information, but also the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled; this is known as data minimisation. Article Six states a company must seek consent from the individual to collect and process information for an explicit purpose; broad brush collection, storage and continued exploitation of data is being tackled here.

In both articles, the objective is to ensure companies are being specific in their collection of personal information, and that it is utilised in a timely manner before being deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrong-doing.

This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practices on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection by design and default) and Article 35 (data protection impact assessments).

While GDPR sounds very scary, the reality is no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on effectively and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one being caught yet.

The threat of a €20 million fine, or one which is up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence or fear authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bare its teeth and demonstrate there will be no breathing room.

This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.

Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but they have to prove themselves capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.