After 107 million downloads in April, TikTok faces a European privacy probe

Questions over the privacy of popular video-sharing application TikTok have been raised by Dutch authorities, but scepticism can’t slow the rapid expansion.

Although other investigations around the world are far more damning, suggesting some very nefarious activities, let’s not forget giants can be taken down by unexpected means. After all, Goliath was conquered by a pebble and Al Capone was felled by tax evasion charges.

“A huge number of Dutch children clearly love using TikTok,” said Monique Verdier, Deputy Chairman of the Dutch DPA.

“We will investigate whether the app has a privacy-friendly design. We’ll also check whether the information TikTok provides when children install and use the app is easy to understand and adequately explains how their personal data is collected, processed and used. Lastly, we’ll look at whether parental consent is required for TikTok to collect, store and use children’s personal data.”

The investigation will focus on whether TikTok effectively protects the privacy of Dutch children, and whether there would need to be any changes enforced on the team through regulation. As with every other investigation, this probe from the Dutch could shed light on certain aspects of operations which could have a domino effect.

While TikTok was thrust on the world to much consumer enthusiasm last year, the momentum has certainly continued through 2020 and has perhaps been compounded by lockdown protocols currently in place around the world.

Most downloaded Apps (non-gaming) during April 2020 – Global

| Rank | Overall | App Store | Google Play |
| --- | --- | --- | --- |
| 1 | Zoom | Zoom | Zoom |
| 2 | TikTok | TikTok | TikTok |
| 3 | Facebook | Google Meet | Facebook |
| 4 | WhatsApp | Microsoft Teams | WhatsApp |
| 5 | Instagram | Netflix | Aarogya Setu |

Source: Sensor Tower

With more entertainment needed by those taking part in enforced lockdown, there has been a surge in interest in numerous categories, but social media and content streaming applications are close to the top of the list. TikTok has benefitted from these tendencies, but also from endorsements by numerous celebrities around the world.

Over the weekend, Anthony Hopkins challenged Sylvester Stallone and Arnold Schwarzenegger to a dance-off on the platform with Drake’s Toosie Slide.

@anthonyhopkins: #Drake I’m late to the party… but better late than never. @oficialstallone @arnoldschnitzel #toosieslidechallenge ♬ original sound – officialanthonyhopkins

With more and more celebrities embracing the platform, everyday consumers will be encouraged, especially during a period of boredom. This might be seen as a worrying trend to US politicians who are attempting to dilute the influence China and its companies have on global societies and economies.

Last October, Republican Senator Tom Cotton and Senate Minority Leader Chuck Schumer wrote to the Acting Director of National Intelligence, Joseph Maguire, to formally request an investigation into TikTok, questioning whether it is a threat to national security as the application’s developer ByteDance could be coerced to collaborate with the Chinese Government.

A few days later, Senator Josh Hawley also introduced a new bill, known as the National Security and Personal Data Protection Act (S.2889), which would force foreign technology companies to store data locally.

This would provide some protections to US consumers but would also open up the political class to a barrage of complications as the US has been attempting to punish countries who enforce data localisation rules on US companies. India is one of these nations at loggerheads with the US, and while many would attempt to avoid such complications, hypocrisy and irony seem to be completely lost on the current political administration.

TikTok has escaped much scrutiny over the last few months, though this is perhaps due to other areas demanding more attention. The application might be enjoying success for the moment, but we suspect it is not clear of privacy investigations just yet.

Netherlands named as Europe’s meanest GDPR henchman

The Netherlands has seen the most GDPR breach notifications reported to the regulator, but the spread of activity, or inactivity in some nations, is quite remarkable.

In the eight months since GDPR was officially written into European regulations, law firm DLA Piper has said regulators have been alerted to breaches more than 59,000 times. The Netherlands, Germany and the UK have seen the biggest numbers of notifications, with 15,400, 12,600 and 10,600 respectively, though the new privacy status quo has not been embraced with such enthusiasm everywhere.

“GDPR has driven the issue of data breach well and truly into the open,” said Ross McKean, a partner at DLA Piper. “The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”

The scale and depth of these breaches vary considerably, a mis-sent email there and a cybersecurity hack here, but the number does represent a significant shift in the tides; data breaches are now being taken seriously, or at least in some nations.

For the table below we have selected the ten largest economies across the bloc; as you can see, the variance is quite interesting.

| Nation | Breaches in total | Breaches per 100,000 people |
| --- | --- | --- |
| Germany | 12,600 | 15.6 |
| UK | 10,600 | 16.3 |
| France | 1,300 | 1.9 |
| Italy | 610 | 0.9 |
| Spain | 670 | 1.3 |
| Netherlands | 15,400 | 89.8 |
| Sweden | 2,500 | 24.9 |
| Poland | 2,200 | 5.7 |
| Belgium | 420 | 3.6 |
| Austria | 580 | 6.6 |

There might be a few reasons for the increased number of notifications in certain countries, allowing for the presence of different industries. For example, Ireland has the 4th largest number of notifications to the data watchdog (c.3,800) but the 20th smallest population (out of 28). This is also a country where the economy and society are dominated by the presence of the technology sector.

This will explain some of the variance in the figures, but not completely. Take Italy for example. This is the 4th largest economy across the bloc, but in the eight months since May 25 when GDPR was introduced, the regulator was only notified of 610 data breaches. There are two explanations for such a low figure:

  • Italian businesses have some of the most advanced data protection policies and mechanisms worldwide
  • The culture of owning mistakes and reporting data protection and privacy inadequacies is almost non-existent in the country

We have made the Italians the centre of this point, but there are quite a few who would fall into this category of (a) squeaky clean or (b) don’t care about GDPR. Spain has 670 breach notifications to the regulator, Belgium 420, Greece 70, Cyprus 35 and Liechtenstein 15.

Although GDPR has certainly made promising steps forward in forcing a more privacy orientated society and economy, the issues will continue to persist unless the same stringent attitudes are adopted across the board. Such is the fluidity and borderless nature of the digital economy, a weak link in the chain can cause disruption. All economies are interlinked, make no doubt about that.

Interestingly enough, momentum will gather as the digital economy becomes more complex. Security and data protection are still not high enough priorities on the corporate agenda, although trends are heading in the right direction. Breaches will still continue to occur, and fines will start to get very large.

GDPR violations carry a maximum penalty of €20 million or 3% of annual revenues. These numbers can be reduced if the breach is reported in a timely manner and the company is helpful. However, fines to date have not been to this magnitude largely because the incidents occurred prior to the introduction of GDPR. Any breach which occurred after May 25 will be met with a much sharper stick than previously.

For example, Equifax is a company which collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Hundreds of millions of customers and consumers were impacted by the Equifax data breach of 2017, though the maximum fine which could be imposed by the UK’s Information Commissioner’s Office (ICO) was £500,000. Under GDPR, Equifax would have been fined £20 million.

GDPR took Europe into the 21st century when it comes to data protection and privacy. It forced companies and regulators to take a more stringent approach to the security of personal and corporate information. Despite the pain everyone had to endure to be GDPR-compliant, it should only be viewed as a good thing.

Data breaches are almost certainly going to continue, but one thing you can guarantee is the numbers are going to be getting a lot bigger.

Dutch regulator hints at 5G network sharing plan

The Authority for Consumers and Markets (ACM) has proposed plans to create a network infrastructure sharing framework to counteract any potential for a digital divide.

With the plans intended to be released before the next spectrum auction in 2020, the regulator is putting in the groundwork ahead of time to theoretically ease the investment burdens of 5G network infrastructure in the rural environments. Telcos generally don’t like to be told how to spend their money, but the ACM is taking appropriate, proactive steps to prevent the digital divide which tends to emerge when telcos are left to their own devices.

“We regularly receive questions about what is and what is not allowed with regard to infrastructure sharing,” said Henk Don, an ACM board member.

“Working together in this can bring many benefits to telecom companies, but this should not be at the expense of mutual competition. With the guidelines we want to offer clarity to the parties on the mobile market and thereby contribute to a smooth rollout of 5G.”

Although the 5G rollout in the Netherlands is progressing at a much slower rate than other countries in the bloc, the pondering approach is allowing bureaucrats to create the necessary regulatory and legislative landscape ahead of time. Other nations, the UK for example, seem to be taking a ‘build now, regulate later’ approach, which runs the risk of creating the digital divide as telcos chase profits and an overbuild situation in the highly urbanised areas. As with anything in life, it is much easier to plan to tackle a problem as opposed to fixing after it has emerged.

As part of the ‘slow and steady’ approach to network deployment, coverage obligations will be placed on any future spectrum auctions. 98% of the Netherlands’ geographic area will have to be covered by a certain time, though more details will emerge over the coming months as the auctions close in. 98% might sound like a ludicrous objective, though the network sharing framework should aid this.

These are just very top-line ideas which are being presented by the ACM here, though more details will be offered over the short-term. Ahead of 2020, plans are being ironed out for spectrum auctions for the 700 MHz, 1400 MHz and 2100 MHz 5G bands, while the valuable 3.5 GHz 5G auction should take place at the end of 2021 or beginning of 2022. The ACM has suggested the proposals will be in place ahead of next year’s auction.

Network sharing frameworks are not exactly uncommon throughout the telco world, though many regulators err on the side of caution in the pursuit of competition. The UK is considering such plans also, though these would only be in the regions which are seen as the most difficult to justify commercially. Generally, these not-spots have almost no coverage nowadays, usually home to an incredibly low population density or no-one at all.

This might not be the most rapid of rollout plans, but the ‘first’ tag does not necessarily mean much, or it might not end up meaning much. Laying the necessary regulatory framework ahead of plans, instead of playing catch-up like some nations, might just be a more considered approach. That said, the Dutch Government will not want to fall too far behind.

KPN goes in-house to resolve CEO soap opera

Having bailed on its new CEO within days of announcing her, Dutch operator KPN has taken the safe option with its next pick.

Current COO Joost Farwerck (pictured) has been promoted to CEO with immediate effect, following the decision not to follow through with the appointment of Dominique Leroy, who is being investigated for insider trading. Farwerck is effectively caretaker CEO for now, but KPN has announced its intention to formalize the gig on 1 December, presuming there are no further dramas.

Picking an internal lifer who has been on the management board since 2013 largely eliminates the possibility of nasty surprises or skeletons in the closet, which must surely be a high priority after the Leroy debacle. Having passed over Farwerck in favour of an external appointment so recently, the conversation must have been a bit awkward, but fair play to him for not sulking.

“With Joost assuming the role of CEO, the supervisory board is pleased to appoint an experienced telecommunications professional,” said the presumably relieved KPN Chairman, Duco Sickinghe. “He has been a member of the board since April 2013 and is part of the leadership team that shaped the 2019-2021 strategy. Joost knows the company inside out and the environment the company is operating in. With Joost as CEO, the supervisory board is convinced that we will make good progress on the further development and execution of KPN’s strategy.”

“It is with pleasure that I assume the role of CEO of this great company which focuses on offering high speed connections to consumers, businesses and Dutch society,” said Farwerck. “KPN is a company with a realistic strategy in place to perform in the competitive Dutch market. My primary focus will be to deliver on that strategy and explore how we can accelerate the execution even more to deliver organic sustainable growth. We have a great team and a lot of dedicated people in the company. I am eager to work with all of them to execute on that strategy.”

Farwerck will be paid €875k per annum, which isn’t bad, but is still less than the €935k Leroy was due to get. Given the very strong negotiating position he must have been in following the Leroy business, this doesn’t say much for his negotiating skills. Maybe he’ll get a bit more in December.

KPN cancels CEO appointment following insider trading investigation

Dominique Leroy was due to switch from Proximus to KPN but now she’s CEO of neither following an investigation into insider trading.

Leroy (pictured) was unveiled as the new CEO of Dutch telco KPN earlier this month, having previously headed up Belgian operator Proximus. She was due to hang around at Proximus until December, but within days employees of the company protested the prospect of having a ‘lame duck’ CEO at a time when there was extensive restructuring underway. This led the Proximus board to bring forward Leroy’s departure date to 20 September.

Another reason for the staff kicking off may have been the revelation that Leroy had flogged a bunch of her Proximus shares on 1 August, just a month before calling it a day. Not unreasonably this led to speculation that she may have conducted the sale in advance of an anticipated drop in the share price following the announcement of her resignation. Leroy addressed the matter in a personal message published on the Proximus site. Here it is in full.

I would like to comment my sale of Proximus shares on August 1, 2019.

A CEO of a stock quoted company has few moments in which he can trade his company shares on the stock market. As for me I was in a closed period- this is a period during which no transactions are allowed- since November 22, 2018. I had the intention to trade my shares since several months, but this was not possible. After the publication of the results of the second quarter, August 1st was the first day on which new transactions were possible. I have therefore instructed the bank end of July to sell shares that day, what happened with notification to the financial regulator on August 5, as it needs to be done and with publication on their site on August 6.

At that moment I had not decided to leave Proximus. I was in discussion about the renewal of my contract with Proximus and had some conversations with several external parties, amongst which KPN.

I understand that with hindsight the timing can create the perception that I did this exactly prior and because of my departure. This is surely not the reason for my sale of shares, but this can –now that the discussions with KPN are closed soon after my holidays and the communication on my departure already had to happen beginning of September- be understood in such way by the external world. I regret that this perception has been created, this is not in line with my values where integrity and transparency are very high.

Belgian authorities don’t seem to have been reassured by this explanation, however, and launched a formal insider trading investigation, even going so far as to search her home for incriminating evidence. Typically this isn’t the kind of stuff companies like hanging around their new CEOs and KPN seems to have decided Leroy is not worth the extra aggro.

“KPN regrets to announce that Mrs. Dominique Leroy is no longer a candidate in the process to become the Chief Executive Officer and Chairman of the Board of Management of KPN,” said today’s announcement. “The duration of the procedures which concern Mrs. Leroy by the authorities in Belgium is unclear and unpredictable. The Supervisory Board of KPN considers these uncertainties around timing not in the interest of KPN and its stakeholders. For this reason, the Supervisory Board has taken the decision to withdraw the intended appointment of Mrs. Leroy in the position of CEO of KPN.”

“This was a difficult decision for the Supervisory Board given the track record of Mrs. Dominique Leroy as a very accomplished executive,” said current KPN Chairman Duco Sickinghe. “However, the uncertainty around timing results in a situation, which the Supervisory Board considers not in the interest of KPN. We wish her all the best.”

In other words: you’re on your own, kid. While it’s understandable to rethink a decision in the light of new information, it’s notable that KPN isn’t willing to wait to see if Leroy is exonerated by the investigation. Either they think there’s little chance of that happening, they think she’s irredeemably tarnished regardless or they just think the process will take too long.

Leroy presumably did her due diligence before selling the shares, but it’s hard to see how she can justify selling the shares before the announcement of her departure was made, since she already concedes she was considering doing so when she sold them. Meanwhile both Proximus and KPN are CEO-less.

KPN poaches Proximus CEO

Dominique Leroy has played Benelux musical chairs by moving from Belgian Proximus to become Dutch KPN’s new CEO.

The CEO vacancy at KPN was created by the sudden departure of Maximo Ibarra earlier this year for family reasons, which coincided with a major outage for which KPN was culpable. Leroy has been CEO of Proximus for five years but her new salary of around a million euros a year was presumably a factor in convincing her to seek new challenges.

“We are very pleased to appoint Dominique Leroy as the new CEO of KPN,” said Duco Sickinghe, KPN Chairman. “Dominique is a dynamic, customer-focused and engaging leader with a wealth of experience in the telecommunications industry. With her strong strategic, operational and communication skills, we are convinced that Dominique will be able to successfully execute on KPN’s strategy.”

“At the end of last year KPN unveiled its 2019 – 2021 strategy, prioritising sustainable growth in the medium term. Good progress has been made to date, driven by our dedicated Board of Management and Executive management team, and executed by our colleagues throughout the firm. With Dominique at the helm, the Supervisory Board is confident that we will see further progress in the delivery of KPN’s strategy, positioning KPN for further success in the years to come. Continuing to execute against that strategy will remain KPN’s focus.”

“I am very excited to be nominated as the next CEO of KPN,” said Leroy (pictured). “KPN has a high-quality reputation and an excellent leadership team. I am looking forward to working with them and the wider KPN team to execute on the existing strategy and help KPN to become a premier digital services and communication provider with the customer at its heart.”

Ibarra’s resignation was due to complete on 30 September but Leroy isn’t available until 1 December. It looks like COO Joost Farwerck is going to be super-sub CEO for October and November, but since the board doesn’t seem to have been able to come up with any strategy beyond the basic default for any company, that shouldn’t be too tricky.

BT streamlining continues with reported £100m Dutch infrastructure sale

UK telco group BT is reportedly flogging £100 million of infrastructure assets in The Netherlands as its new CEO strives to make it a leaner operation.

BT doesn’t seem to have said anything official yet, but the Sunday Times got the scoop regardless. Apparently this is part of an attempt to streamline the struggling Global Services business, as BT currently uses its own infrastructure, such as towers and cables, to connect its Dutch business customers.

There’s not much more to the report other than a claim that, while BT is also looking to streamline its Global Services operations in other regions, including Ireland, Spain and Latin America, it doesn’t plan to completely abandon specific countries.

The report also refers to a previous Sunday Times scoop that BT is also flogging a legal software service called Tikit. It’s reasonable to ask what the hell BT was doing in the legal software business in the first place and if this is indicative of the kind of wild tangents the Global Services business has gone off on in the past, we can expect many more such disposals.

This news comes just days after it was revealed that BT was forced to hand over a bunch of cash to Ofcom due to its historical accounting incompetence. In addition BT announced last week that it was delisting from the New York stock exchange and earlier in the month decided to flog BT Fleet Solutions. Sadly for CEO Philip Jansen, none of this tweaking seems to have won over investors, with BT’s share price down by over 30% since he took over at the start of the year.

KPN CEO resignation definitely had nothing to do with recent network crash

Maximo Ibarra resigned as CEO of Dutch telco KPN the day after a major network failure, but the company insists the two events are unrelated.

Ibarra had led KPN for just a year and a half, having moved over from Italy where he was a Wind lifer and CEO for five years. If we take the KPN announcement at face value Ibarra and his family never took to Rotterdam and have decided to move back to Italy. Luckily for them Sky Italia had a vacancy and has appointed Ibarra as its new CEO once he’s served out his notice.

“I have been with KPN since 2017, and appointed CEO in 2018,” said Ibarra. “I regret the timing, but family reasons gave me no choice. I will dedicate myself the coming months to secure a seamless transfer to my successor.”

The timing referred to must surely be the major outage suffered by KPN on Monday of this week, which even shut down the 112 emergency number. It seemed to just affect voice calls, which were down across the country for three hours.

“We regret that this could have happened, and we offer our sincere apologies to our customers and also to the Dutch society,” said Joost Farwerck, COO of KPN. “We immediately established a crisis team and yesterday afternoon and evening every possible effort was made to find a solution. Thankfully, as a result, by early evening service was resumed and 112 was also accessible again.

“It goes without saying, KPN will evaluate this disruption thoroughly, because this should never have happened. In this evaluation, we will work together with the Ministry of Security and Justice, the Ministry of Economic Affairs, and the Telecom Agency and other relevant bodies. Of course, we want to learn from this disruption, so that we can draw the correct conclusions and ensure that this kind of incident can be prevented in the future.”

In the Ibarra press release KPN felt compelled to include the following statement: “His resignation is unrelated to the network outage experienced yesterday.” It probably was just unfortunate timing and we certainly have no evidence to suggest otherwise. But you can see how some people might put two and two together to make five.