The bloc’s investigation, which takes aim at the heart of Google’s business model, is part of a push to regulate the world’s largest technology companies.
The European Data Protection Board (EDPB) published its final recommendations yesterday, setting out guidance on making transfers of personal data to third countries comply with EU data protection rules in light of last summer’s landmark CJEU ruling (aka Schrems II).
The long and short of these recommendations — which are fairly long, running to 48 pages — is that some data transfers to third countries will simply not be possible to (legally) carry out, despite the continued existence of legal mechanisms that can, in theory, be used to make such transfers (like Standard Contractual Clauses, a transfer tool that was recently updated by the Commission).
However, it’s up to the data controller to assess the viability of each transfer, on a case-by-case basis, to determine whether data can legally flow in that particular case. (Which may mean, for example, a business making complex assessments about foreign government surveillance regimes and how they impinge upon its specific operations.)
Companies that routinely take EU users’ data outside the bloc for processing in third countries (like the US), which do not have data adequacy arrangements with the EU, face substantial cost and challenge in attaining compliance — in a best case scenario.
Those that can’t apply viable ‘special measures’ to ensure transferred data is safe are duty bound to suspend data flows — with the risk, should they fail to do that, of being ordered to by a data protection authority (which could also apply additional sanctions).
One alternative option could be for such a firm to store and process EU users’ data locally — within the EU. But clearly that won’t be viable for every company.
Law firms are likely to be very happy with this outcome since there will be increased demand for legal advice as companies grapple with how to structure their data flows and adapt to a post-Schrems II world.
In some EU jurisdictions (such as Germany) data protection agencies are now actively carrying out compliance checks — so orders to suspend transfers are bound to follow.
Meanwhile, the European Data Protection Supervisor is busy scrutinizing EU institutions’ own use of US cloud services giants to see whether high-level arrangements with tech giants like AWS and Microsoft pass muster or not.
Last summer the CJEU struck down the EU-US Privacy Shield — only a few years after the flagship adequacy arrangement was inked. The same core legal issues did for its predecessor, ‘Safe Harbor’, though that had stood for some fifteen years. And since the demise of Privacy Shield the Commission has repeatedly warned there will be no quick fix replacement this time; nothing short of major reform of US surveillance law is likely to be required.
US and EU lawmakers remain in negotiations over a replacement EU-US data flows deal, but a viable outcome, one that can stand up to legal challenge as the prior two agreements could not, may well require years of work, not months.
And that means EU-US data flows are facing legal uncertainty for the foreseeable future.
The UK, meanwhile, has just squeezed a data adequacy agreement out of the Commission — despite some loudly enunciated post-Brexit plans for regulatory divergence in the area of data protection.
If the UK follows through in ripping up key tenets of its inherited EU legal framework there’s a high chance it will also lose adequacy status in the coming years — meaning it too could face crippling barriers to EU data flows. (But for now it seems to have dodged that bullet.)
Data flows to other third countries that also lack an EU adequacy agreement — such as China and India — face the same ongoing legal uncertainty.
The backstory to the EU international data flows issues originates with a complaint — in the wake of NSA whistleblower Edward Snowden’s revelations about government mass surveillance programs, so more than seven years ago — made by the eponymous Max Schrems over what he argued were unsafe EU-US data flows.
Although his complaint was specifically targeted at Facebook’s business and called on the Irish Data Protection Commission (DPC) to use its enforcement powers and suspend Facebook’s EU-US data flows.
A regulatory dance of indecision followed which finally saw legal questions referred to Europe’s top court and — ultimately — the demise of the EU-US Privacy Shield. The CJEU ruling also put it beyond legal doubt that Member States’ DPAs must step in and act when they suspect data is flowing to a location where the information is at risk.
Following the Schrems II ruling, the DPC (finally) sent Facebook a preliminary order to suspend its EU-US data flows last fall. Facebook immediately challenged the order in the Irish courts — seeking to block the move. But that challenge failed. And Facebook’s EU-US data flows are now very much operating on borrowed time.
As one of the platforms subject to Section 702 of the US’ FISA law, its options for applying ‘special measures’ to supplement its EU data transfers look, well, limited to say the least.
It can’t — for example — encrypt the data in a way that ensures it has no access to it (zero access encryption) since that’s not how Facebook’s advertising empire functions. And Schrems has previously suggested Facebook will have to federate its service — and store EU users’ information inside the EU — to fix its data transfer problem.
Safe to say, the costs and complexity of compliance for certain businesses like Facebook look massive.
But there will be compliance costs and complexity for thousands of businesses in the wake of the CJEU ruling.
Commenting on the EDPB’s adoption of final recommendations, chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: Already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.
“By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”
The EDPB put out earlier guidance on Schrems II compliance last year.
It said the main modifications between that earlier advice and its final recommendations include: “The emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge — in practice — on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool”.
Commenting on the EDPB’s recommendations in a statement, law firm Linklaters dubbed the guidance “strict” — warning over the looming impact on businesses.
“There is little evidence of a pragmatic approach to these transfers and the EDPB seems entirely content if the conclusion is that the data must remain in the EU,” said Peter Church, a Counsel at the global law firm. “For example, before transferring personal data to a third country (without adequate data protection laws) businesses must consider not only its law but how its law enforcement and national security agencies operate in practice. Given these activities are typically secretive and opaque, this type of analysis is likely to cost tens of thousands of euros and take time. It appears this analysis is needed even for relatively innocuous transfers.”
“It is not clear how SMEs can be expected to comply with these requirements,” he added. “Given we now operate in a globalised society the EDPB, like King Canute, should consider the practical limitations on its power. The guidance will not turn back the tides of data washing back and forth across the world, but many businesses will really struggle to comply with these new requirements.”
A Supreme Court ruling has opened the door to a new era in college sports.
In the current #DealMonitor for June 22, we once again take a look at the most important, most exciting and most interesting investments and exits of the day in the DACH region. All deals from previous days can be found in the large and clearly arranged #DealMonitor archive.
+++ DST Global, SoftBank, Tencent and Dragoneer, along with existing investors such as Coatue, Left Lane Capital and DN Capital, are investing 205 million euros in GoStudent. The edtech is valued at 1.4 billion euros in the round and thus becomes a unicorn. “With the new financing, GoStudent’s total investment amounts to more than 291 million euros,” the company says. GoStudent raised 70 million euros as recently as March of this year. The Vienna-based startup, which positions itself as an e-learning service and relies on paid one-to-one lessons, was founded in 2017 by Gregor Müller, Felix Ohswald and his brother Moritz Ohswald. “The investment will be used to further drive global expansion,” the company writes. More than 500 employees already work for the young company.
+++ Xploration Capital, Fasanara Capital and Tomahawk, i.e. Cédric Waldburger, are investing 25 million euros in Myos – see FinanceFWD. The startup, which was launched in 2018 by Nikolaus Hilgenfeldt, supplies merchants with working capital. The company uses “the transparency and data availability on e-commerce platforms to assess credit risk based on the revenue potential of retail products”. Deutsche Handelsbank, Mountain Partners, BTH, Avala Capital, the raisin founders, Tim Marbach and Gerald Schönbucher already invested 10 million euros in Myos in 2019.
+++ New Wave, Speedinvest, Calm/Storm Ventures, Tiny.VC and several angel investors are investing 2.5 million euros in Airbank. The Berlin-based startup, which was founded in 2021 by Christopher Zemina, most recently a principal at Speedinvest, and Patrick de Castro Neuhaus, can be described as a kind of CFO cockpit. In its own description it says: “Cash flow management solution for startups and SMEs that brings all business accounts and financial data together in one place, enables smooth liquidity control and planning, and simplifies payments”. We already reported on Speedinvest’s entry in the Insider podcast at the beginning of April.
MERGERS & ACQUISITIONS
+++ The Chinese internet giant Tencent is acquiring a majority stake in the Berlin games studio Yager – see GamesWirtschaft. Yager, which was founded in 1999 by Timo Ullmann, Uwe Bennecke, Roman Golka, Philipp Schellbach and Mathias Wiese, is known in particular for the anti-war first-person shooter “Spec Ops: The Line” and the space action game “Dreadnought”. Tencent first invested in Yager in 2020 and most recently held 25% of the company. 140 employees currently work for Yager.
+++ Denmark’s GreenMobility is acquiring the Stuttgart startup Twist. “This marks the first time the Copenhagen-based company becomes active in the German market,” the press release says. Twist has offered electric car and scooter sharing for smaller towns and municipalities since 2020. The young company was launched with the backing of EnBW and the company builder Bridgemaker.
The funding round, said to be the largest Series A investment in cybersecurity history and one of the highest valuations for a bootstrapped company, was led by Insight Partners and General Atlantic, with additional investment from Cyberstarts, Geodesic, SYN Ventures, Vintage, and Artisanal Ventures.
Transmit Security said it has a pre-money valuation of $2.2 billion, and will use the new funds to expand its reach and invest in key global areas to grow the organization.
Ultimately, however, the funding round will help the company to accelerate its mission to help the world go passwordless. Organizations lose millions of dollars every year due to “inherently unsafe” password-based authentication, according to the startup; not only do weak passwords account for more than 80% of all data breaches, but the average help desk labor cost to reset a single password stands at more than $70.
Transmit says its biometric-based authenticator is the first natively passwordless identity and risk management solution, and it has already been adopted by a number of big-name brands including Lowes, Santander, and UBS. The solution, which currently handles more than 9,000 authentication requests per second, can reduce account resets by 96%, the company says, and reduces customer authentication from 1 minute to 2 seconds.
“By eliminating passwords, businesses can immediately reduce churn and cart abandonment and provide superior security for personal data,” said Transmit Security CEO Mickey Boodaei, who co-founded the company in 2014. “Our customers, whether they are in the retail, banking, financial, telecommunications, or automotive sectors, understand that providing an optimized identity experience is a multimillion-dollar challenge. With this latest round of funding from premier partners, we can significantly expand our reach to help rid the world of passwords.”
Transmit Security isn’t the only company that’s on a mission to kill off the password. Microsoft has announced plans to make Windows 10 password-free, and Apple recently previewed Passkeys in iCloud Keychain, a method of passwordless authentication powered by WebAuthn, and Face ID and Touch ID.
How do you follow up a burger-flipping robot? If you’re Miso Robotics (which you likely are, if you’ve created a burger-flipping robot), the answer is simple: beverages. The robotics startup continues to focus on the fast food service industry with the planned launch of an automated beverage-dispensing robot.
The system, which is being created as part of a partnership with beverage dispenser manufacturer Lancer, brings an added level of automation to your standard fast food fountain. It has a point of sale system directly integrated, which kicks off the process of pouring, sealing and advancing the drink. Beyond that, it’s integrated with a larger sales system to ensure that it’s getting orders right, between in-person customers and delivery drivers.
Basically it’s a much smarter version of the fountain you encounter in every fast food restaurant and movie theater. Naturally, the company says that interest in the category has only increased amid labor shortages and a pandemic that froze much of the available workforce over the past year and a half.
“Lancer has a legacy of stand-out industry quality and shares in our vision for beverage innovation and futuristic design,” Miso Chief Strategy Officer Jake Brewer said in a press release tied to this morning’s news. “Order fulfillment is a major factor for customer satisfaction and operators can’t afford to have a beverage left behind when a delivery driver or customer visits. We are extremely excited to create a product that will not only make the lives of those working in commercial kitchens better, but will be a game changer for the industry as a whole to deliver a world-class customer experience.”
Speaking of striking while the iron is hot, the company is also using the opportunity to announce a planned Series D, following up on a recently closed $25 million Series C.
As voters head to the polls, we talk to two Democrats about an election that is testing the city’s values.
The board member would have had a good chance at the top job at the development bank. But she barely passed her suitability test: the distribution of coronavirus aid ran into too many snags.
Betting on shares of video game retailer GameStop, the hedge fund White Square Capital lost out to retail investors. Now the fund is being closed.
What to expect to see on your ballot, and how to navigate ranked-choice voting.