EU puts out final guidance on data transfers to third countries

The European Data Protection Board (EDPB) published its final recommendations yesterday, setting out guidance for making transfers of personal data to third countries comply with EU data protection rules in light of last summer’s landmark CJEU ruling (aka Schrems II).

The long and short of these recommendations — which are fairly long, running to 48 pages — is that some data transfers to third countries will simply not be possible to (legally) carry out, despite the continued existence of legal mechanisms that can, in theory, be used to make such transfers (like Standard Contractual Clauses, a transfer tool that was recently updated by the Commission).

However it’s up to the data controller to assess the viability of each transfer, on a case by case basis, to determine whether data can legally flow in that particular case. (Which may mean, for example, a business making complex assessments about foreign government surveillance regimes and how they impinge upon its specific operations.)

Companies that routinely take EU users’ data outside the bloc for processing in third countries (like the US), which do not have data adequacy arrangements with the EU, face substantial cost and challenge in attaining compliance — in a best case scenario.

Those that can’t apply viable ‘special measures’ to ensure transferred data is safe are duty bound to suspend data flows — with the risk, should they fail to do that, of being ordered to by a data protection authority (which could also apply additional sanctions).

One alternative option could be for such a firm to store and process EU users’ data locally — within the EU. But clearly that won’t be viable for every company.

Law firms are likely to be very happy with this outcome since there will be increased demand for legal advice as companies grapple with how to structure their data flows and adapt to a post-Schrems II world.

In some EU jurisdictions (such as Germany) data protection agencies are now actively carrying out compliance checks — so orders to suspend transfers are bound to follow.

While the European Data Protection Supervisor is busy scrutinizing EU institutions’ own use of US cloud services giants to see whether high level arrangements with tech giants like AWS and Microsoft pass muster or not.

Last summer the CJEU struck down the EU-US Privacy Shield — only a few years after the flagship adequacy arrangement was inked. The same core legal issues did for its predecessor, ‘Safe Harbor’, though that had stood for some fifteen years. And since the demise of Privacy Shield the Commission has repeatedly warned there will be no quick fix replacement this time; nothing short of major reform of US surveillance law is likely to be required.

US and EU lawmakers remain in negotiations over a replacement EU-US data flows deal but a viable outcome that can stand up to legal challenge as the prior two agreements could not, may well require years of work, not months.

And that means EU-US data flows are facing legal uncertainty for the foreseeable future.

The UK, meanwhile, has just squeezed a data adequacy agreement out of the Commission — despite some loudly enunciated post-Brexit plans for regulatory divergence in the area of data protection.

If the UK follows through in ripping up key tenets of its inherited EU legal framework there’s a high chance it will also lose adequacy status in the coming years — meaning it too could face crippling barriers to EU data flows. (But for now it seems to have dodged that bullet.)

Data flows to other third countries that also lack an EU adequacy agreement — such as China and India — face the same ongoing legal uncertainty.

The backstory to the EU international data flows issues originates with a complaint — in the wake of NSA whistleblower Edward Snowden’s revelations about government mass surveillance programs, so more than seven years ago — made by the eponymous Max Schrems over what he argued were unsafe EU-US data flows.

Although his complaint was specifically targeted at Facebook’s business and called on the Irish Data Protection Commission (DPC) to use its enforcement powers and suspend Facebook’s EU-US data flows.

A regulatory dance of indecision followed which finally saw legal questions referred to Europe’s top court and — ultimately — the demise of the EU-US Privacy Shield. The CJEU ruling also put it beyond legal doubt that Member States’ DPAs must step in and act when they suspect data is flowing to a location where the information is at risk.

Following the Schrems II ruling, the DPC (finally) sent Facebook a preliminary order to suspend its EU-US data flows last fall. Facebook immediately challenged the order in the Irish courts — seeking to block the move. But that challenge failed. And Facebook’s EU-US data flows are now very much operating on borrowed time.

As one of the platforms subject to Section 702 of the US’ FISA law, its options for applying ‘special measures’ to supplement its EU data transfers look, well, limited to say the least.

It can’t — for example — encrypt the data in a way that ensures it has no access to it (zero access encryption) since that’s not how Facebook’s advertising empire functions. And Schrems has previously suggested Facebook will have to federate its service — and store EU users’ information inside the EU — to fix its data transfer problem.

Safe to say, the costs and complexity of compliance for certain businesses like Facebook look massive.

But there will be compliance costs and complexity for thousands of businesses in the wake of the CJEU ruling.

Commenting on the EDPB’s adoption of final recommendations, chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: Already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.

“By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”

The EDPB put out earlier guidance on Schrems II compliance last year.

It said the main modifications between that earlier advice and its final recommendations include: “The emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge — in practice — on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool”.

Commenting on the EDPB’s recommendations in a statement, law firm Linklaters dubbed the guidance “strict” — warning over the looming impact on businesses.

“There is little evidence of a pragmatic approach to these transfers and the EDPB seems entirely content if the conclusion is that the data must remain in the EU,” said Peter Church, a Counsel at the global law firm. “For example, before transferring personal data to third country (without adequate data protection laws) businesses must consider not only its law but how its law enforcement and national security agencies operate in practice. Given these activities are typically secretive and opaque, this type of analysis is likely to cost tens of thousands of euros and take time. It appears this analysis is needed even for relatively innocuous transfers.”

“It is not clear how SMEs can be expected to comply with these requirements,” he added. “Given we now operate in a globalised society the EDPB, like King Canute, should consider the practical limitations on its power. The guidance will not turn back the tides of data washing back and forth across the world, but many businesses will really struggle to comply with these new requirements.”

 


Ban biometric surveillance in public to safeguard rights, urge EU bodies

There have been further calls from EU institutions to outlaw biometric surveillance in public.

In a joint opinion published today, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, have called for draft EU regulations on the use of artificial intelligence technologies to go further than the Commission’s proposal in April — urging that the planned legislation should be beefed up to include a “general ban on any use of AI for automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context”.

Such technologies are simply too harmful to EU citizens’ fundamental rights and freedoms — like privacy and equal treatment under the law — to permit their use, is the argument.

The EDPB is responsible for ensuring a harmonized application of the EU’s privacy rules, while the EDPS oversees EU institutions’ own compliance with data protection law and also provides legislative guidance to the Commission.

EU lawmakers’ draft proposal on regulating applications of AI contained restrictions on law enforcement’s use of biometric surveillance in public places — but with very wide-ranging exemptions which quickly attracted major criticism from digital rights and civil society groups, as well as a number of MEPs.

The EDPS himself also quickly urged a rethink. Now he’s gone further, with the EDPB joining in with the criticism.

The EDPB and the EDPS have jointly fleshed out a number of concerns with the EU’s AI proposal — while welcoming the overall “risk-based approach” taken by EU lawmakers — saying, for example, that legislators must be careful to ensure alignment with the bloc’s existing data protection framework to avoid rights risks.

“The EDPB and the EDPS strongly welcome the aim of addressing the use of AI systems within the European Union, including the use of AI systems by EU institutions, bodies or agencies. At the same time, the EDPB and EDPS are concerned by the exclusion of international law enforcement cooperation from the scope of the Proposal,” they write.

“The EDPB and EDPS also stress the need to explicitly clarify that existing EU data protection legislation (GDPR, the EUDPR and the LED) applies to any processing of personal data falling under the scope of the draft AI Regulation.”

As well as calling for the use of biometric surveillance to be banned in public, the pair have urged a total ban on AI systems using biometrics to categorize individuals into “clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights”.

That’s an interesting concern in light of Google’s push, in the adtech realm, to replace behavioral micromarketing of individuals with ads that address cohorts (or groups) of users, based on their interests — with such clusters of web users set to be defined by Google’s AI algorithms.

(It’s interesting to speculate, therefore, whether FLoCs risk creating a legal discrimination risk — based on how individual mobile users are grouped together for ad targeting purposes. Certainly, concerns have been raised over the potential for FLoCs to scale bias and predatory advertising. And it’s also interesting that Google avoided running early tests in Europe, likely owing to the EU’s data protection regime.)

In another recommendation today, the EDPB and the EDPS also express a view that the use of AI to infer emotions of a natural person is “highly undesirable and should be prohibited” — except for what they describe as “very specified cases, such as some health purposes, where the patient emotion recognition is important”.

“The use of AI for any type of social scoring should be prohibited,” they go on — touching on one use-case that the Commission’s draft proposal does suggest should be entirely prohibited, with EU lawmakers evidently keen to avoid any China-style social credit system taking hold in the region.

However by failing to include a prohibition on biometric surveillance in public in the proposed regulation the Commission is arguably risking just such a system being developed on the sly — i.e. by not banning private actors from deploying technology that could be used to track and profile people’s behavior remotely and en masse.

Commenting in a statement, the EDPB’s chair Andrea Jelinek and the EDPS Wiewiórowski argue as much, writing [emphasis ours]:

“Deploying remote biometric identification in publicly accessible spaces means the end of anonymity in those places. Applications such as live facial recognition interfere with fundamental rights and freedoms to such an extent that they may call into question the essence of these rights and freedoms. This calls for an immediate application of the precautionary approach. A general ban on the use of facial recognition in publicly accessible areas is the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI. The proposed regulation should also prohibit any type of use of AI for social scoring, as it is against the EU fundamental values and can lead to discrimination.”

In their joint opinion they also express concerns about the Commission’s proposed enforcement structure for the AI regulation, arguing that data protection authorities (within Member States) should be designated as national supervisory authorities (“pursuant to Article 59 of the [AI] Proposal”) — pointing out the EU DPAs are already enforcing the GDPR (General Data Protection Regulation) and the LED (Law Enforcement Directive) on AI systems involving personal data; and arguing it would therefore be “a more harmonized regulatory approach, and contribute to the consistent interpretation of data processing provisions across the EU” if they were given competence for supervising the AI Regulation too.

They are also not happy with the Commission’s plan to give itself a predominant role in the planned European Artificial Intelligence Board (EAIB) — arguing that this “would conflict with the need for an AI European body independent from any political influence”. To ensure the Board’s independence the proposal should give it more autonomy and “ensure it can act on its own initiative”, they add.

The Commission has been contacted for comment.

The AI Regulation is one of a number of digital proposals unveiled by EU lawmakers in recent months. Negotiations between the different EU institutions — and lobbying from industry and civil society — continue as the bloc works toward adopting new digital rules.

In another recent and related development, the UK’s information commissioner warned last week over the threat posed by big data surveillance systems that are able to make use of technologies like live facial recognition — although she claimed it’s not her place to endorse or ban a technology.

But her opinion makes it clear that many applications of biometric surveillance may be incompatible with the UK’s privacy and data protection framework.


Belarus Faces Expanded E.U. Sanctions, Targeting Economy

In a new effort to punish the Lukashenko government for repression, European foreign ministers were expected to focus on industries crucial to the country, including potash and finance.


Perspectives on tackling Big Tech’s market power

The need for markets-focused competition watchdogs and consumer-centric privacy regulators to think outside their respective ‘legal silos’ and find creative ways to work together to tackle the challenge of big tech market power was the impetus for a couple of fascinating panel discussions organized by the Centre for Economic Policy Research (CEPR), which were livestreamed yesterday but are available to view on-demand here.

The conversations brought together key regulatory leaders from Europe and the US — giving a glimpse of what the future shape of digital markets oversight might look like at a time when fresh blood has just been injected to chair the FTC so regulatory change is very much in the air (at least around tech antitrust).

CEPR’s discussion premise is that integration, not merely intersection, of competition and privacy/data protection law is needed to get a proper handle on platform giants that have, in many cases, leveraged their market power to force consumers to accept an abusive ‘fee’ of ongoing surveillance.

That fee both strips consumers of their privacy and helps tech giants perpetuate market dominance by locking out interesting new competition (which can’t get the same access to people’s data so operates at a baked in disadvantage).

A running theme in Europe for a number of years now, since a 2018 flagship update to the bloc’s data protection framework (GDPR), has been the ongoing under-enforcement around the EU’s ‘on-paper’ privacy rights — which, in certain markets, means regional competition authorities are now actively grappling with exactly how and where the issue of ‘data abuse’ fits into their antitrust legal frameworks.

The regulators assembled for CEPR’s discussion included, from the UK, the Competition and Markets Authority’s CEO Andrea Coscelli and the information commissioner, Elizabeth Denham; from Germany, the FCO’s Andreas Mundt; from France, Henri Piffaut, VP of the French competition authority; and from the EU, the European Data Protection Supervisor himself, Wojciech Wiewiórowski, who advises the EU’s executive body on data protection legislation (and is the watchdog for EU institutions’ own data use).

The UK’s CMA now sits outside the EU, of course — giving the national authority a higher profile role in global mergers & acquisition decisions (vs pre-brexit), and the chance to help shape key standards in the digital sphere via the investigations and procedures it chooses to pursue (and it has been moving very quickly on that front).

The CMA has a number of major antitrust probes open into tech giants — including looking into complaints against Apple’s App Store and others targeting Google’s plan to deprecate support for third party tracking cookies (aka the so-called ‘Privacy Sandbox’) — the latter being an investigation where the CMA has actively engaged the UK’s privacy watchdog (the ICO) to work with it.

Only last week the competition watchdog said it was minded to accept a set of legally binding commitments that Google has offered which could see a quasi ‘co-design’ process taking place, between the CMA, the ICO and Google, over the shape of the key technology infrastructure that ultimately replaces tracking cookies. So a pretty major development.

Germany’s FCO has also been very active against big tech this year — making full use of an update to the national competition law which gives it the power to take proactive interventions around large digital platforms with major competitive significance — with open procedures now against Amazon, Facebook and Google.

The Bundeskartellamt was already a pioneer in pushing to loop EU data protection rules into competition enforcement in digital markets in a strategic case against Facebook, as we’ve reported before. That closely watched (and long running) case — which targets Facebook’s ‘superprofiling’ of users, based on its ability to combine user data from multiple sources to flesh out a single high dimension per-user profile — is now headed to Europe’s top court (so likely has more years to run).

But during yesterday’s discussion Mundt confirmed that the FCO’s experience litigating that case helped shape key amendments to the national law that’s given him beefier powers to tackle big tech. (And he suggested it’ll be a lot easier to regulate tech giants going forward, using these new national powers.)

“Once we have designated a company to be of ‘paramount significance’ we can prohibit certain conduct much more easily than we could in the past,” he said. “We can prohibit, for example, that a company impedes other undertaking by data processing that is relevant for competition. We can prohibit that a use of service depends on the agreement to data collection with no choice — this is the Facebook case, indeed… When this law was negotiated in parliament, parliament very much referred to the Facebook case and in a certain sense this entwinement of competition law and data protection law is written in a theory of harm in the German competition law.

“This makes a lot of sense. If we talk about dominance and if we assess that this dominance has come into place because of data collection and data possession and data processing you need a parameter in how far a company is allowed to gather the data to process it.”

“The past is also the future because this Facebook case… has always been a big case. And now it is up to the European Court of Justice to say something on that,” he added. “If everything works well we might get a very clear ruling saying… as far as the ECN [European Competition Network] is concerned how far we can integrate GDPR in assessing competition matters.

“So Facebook has always been a big case — it might get even bigger in a certain sense.”

France’s competition authority and its national privacy regulator (the CNIL), meanwhile, have also been joint working in recent years.

Including over a competition complaint against Apple’s pro-user privacy App Tracking Transparency feature (which last month the antitrust watchdog declined to block) — so there’s evidence there too of respective oversight bodies seeking to bridge legal silos in order to crack the code of how to effectively regulate tech giants whose market power, panellists agreed, is predicated on earlier failures of competition law enforcement that allowed tech platforms to buy up rivals and sew up access to user data, entrenching advantage at the expense of user privacy and locking out the possibility of future competitive challenge.

The contention is that monopoly power predicated upon data access also locks consumers into an abusive relationship with platform giants which can then, in the case of ad giants like Google and Facebook, extract huge costs (paid not in monetary fees but in user privacy) for continued access to services that have also become digital staples — amping up the ‘winner takes all’ characteristic seen in digital markets (which is obviously bad for competition too).

Yet, traditionally at least, Europe’s competition authorities and data protection regulators have been focused on separate workstreams.

The consensus from the CEPR panels was very much that that is both changing and must change if civil society is to get a grip on digital markets — and wrest control back from tech giants to ensure that consumers and competitors aren’t both left trampled into the dust by data-mining giants.

Denham said her motivation to dial up collaboration with other digital regulators was the UK government entertaining the idea of creating a one-stop-shop ‘Internet’ super regulator. “What scared the hell out of me was the policymakers the legislators floating the idea of one regulator for the Internet. I mean what does that mean?” she said. “So I think what the regulators did is we got to work, we got busy, we become creative, got out of our silos to try to tackle these companies — the likes of which we have never seen before.

“And I really think what we have done in the UK — and I’m excited if others think it will work in their jurisdictions — but I think that what really pushed us is that we needed to show policymakers and the public that we had our act together. I think consumers and citizens don’t really care if the solution they’re looking for comes from the CMA, the ICO, Ofcom… they just want somebody to have their back when it comes to protection of privacy and protection of markets.

“We’re trying to use our regulatory levers in the most creative way possible to make the digital markets work and protect fundamental rights.”

During the earlier panel, the CMA’s Simeon Thornton, a director at the authority, made some interesting remarks vis-a-vis its (ongoing) Google ‘Privacy Sandbox’ investigation — and the joint working it’s doing with the ICO on that case — asserting that “data protection and respecting users’ rights to privacy are very much at the heart of the commitments upon which we are currently consulting”.

“If we accept the commitments Google will be required to develop the proposals according to a number of criteria including impacts on privacy outcomes and compliance with data protection principles, and impacts on user experience and user control over the use of their personal data — alongside the overriding objective of the commitments which is to address our competition concerns,” he went on, adding: “We have worked closely with the ICO in seeking to understand the proposals and if we do accept the commitments then we will continue to work closely with the ICO in influencing the future development of those proposals.”

“If we accept the commitments that’s not the end of the CMA’s work — on the contrary that’s when, in many respects, the real work begins. Under the commitments the CMA will be closely involved in the development, implementation and monitoring of the proposals, including through the design of trials for example. It’s a substantial investment from the CMA and we will be dedicating the right people — including data scientists, for example, to the job,” he added. “The commitments ensure that Google addresses any concerns that the CMA has. And if outstanding concerns cannot be resolved with Google they explicitly provide for the CMA to reopen the case and — if necessary — impose any interim measures necessary to avoid harm to competition.

“So there’s no doubt this is a big undertaking. And it’s going to be challenging for the CMA, I’m sure of that. But personally I think this is the sort of approach that is required if we are really to tackle the sort of concerns we’re seeing in digital markets today.”

Thornton also said: “I think as regulators we do need to step up. We need to get involved before the harm materializes — rather than waiting after the event to stop it from materializing, rather than waiting until that harm is irrevocable… I think it’s a big move and it’s a challenging one but personally I think it’s a sign of the future direction of travel in a number of these sorts of cases.”

Also speaking during the regulatory panel session was FTC commissioner Rebecca Slaughter — a dissenter on the $5BN fine it hit Facebook with back in 2019 for violating an earlier consent order (as she argued the settlement provided no deterrent to address underlying privacy abuse, leaving Facebook free to continue exploiting users’ data) — as well as Chris D’Angelo, the chief deputy AG of the New York Attorney General, which is leading a major states antitrust case against Facebook.

Slaughter pointed out that the FTC already combines a consumer focus with attention on competition but said that historically there has been separation of divisions and investigations — and she agreed on the need for more joined-up working.

She also advocated for US regulators to get out of a pattern of ineffective enforcement in digital markets on issues like privacy and competition where companies have, historically, been given — at best — what amounts to wrist slaps that don’t address root causes of market abuse, perpetuating both consumer abuse and market failure. And be prepared to litigate more.

As regulators toughen up their stipulations they will need to be prepared for tech giants to push back — and therefore be prepared to sue instead of accepting a weak settlement.

“That is what is most galling to me that even where we take action, in our best faith good public servants working hard to take action, we keep coming back to the same questions, again and again,” she said. “Which means that the actions we are taking isn’t working. We need different action to keep us from having the same conversation again and again.”

Slaughter also argued that it’s important for regulators not to pile all the burden of avoiding data abuses on consumers themselves.

“I want to sound a note of caution around approaches that are centered around user control,” she said. “I think transparency and control are important. I think it is really problematic to put the burden on consumers to work through the markets and the use of data, figure out who has their data, how it’s being used, make decisions… I think you end up with notice fatigue; I think you end up with decision fatigue; you get very abusive manipulation of dark patterns to push people into decisions.

“So I really worry about a framework that is built at all around the idea of control as the central tenet or the way we solve the problem. I’ll keep coming back to the notion of what instead we need to be focusing on is where is the burden on the firms to limit their collection in the first instance, prohibit their sharing, prohibit abusive use of data and I think that that’s where we need to be focused from a policy perspective.

“I think there will be ongoing debates about privacy legislation in the US and while I’m actually a very strong advocate for a better federal framework with more tools that facilitate aggressive enforcement but I think if we had done it ten years ago we probably would have ended up with a notice and consent privacy law and I think that that would have not been a great outcome for consumers at the end of the day. So I think the debate and discussion has evolved in an important way. I also think we don’t have to wait for Congress to act.”

As regards more radical solutions to the problem of market-denting tech giants — such as breaking up sprawling and (self-servingly) interlocking services empires — the message from Europe’s most ‘digitally switched on’ regulators seemed to be don’t look to us for that; we are going to have to stay in our lanes.

So tl;dr — if antitrust and privacy regulators’ joint working just sums to more intelligent fiddling round the edges of digital market failure, and it’s break-ups of US tech giants that’s what’s really needed to reboot digital markets, then it’s going to be up to US agencies to wield the hammers. (Or, as Coscelli elegantly phrased it: “It’s probably more realistic for the US agencies to be in the lead in terms of structural separation if and when it’s appropriate — rather than an agency like ours [working from inside a mid-sized economy such as the UK’s].”)

The lack of any representative from the European Commission on the panel was an interesting omission in that regard — perhaps hinting at ongoing ‘structural separation’ between DG Comp and DG Justice where digital policymaking streams are concerned.

The current competition chief, Margrethe Vestager — who also heads up digital strategy for the bloc, as an EVP — has repeatedly expressed reluctance to impose radical ‘break up’ remedies on tech giants. She also recently preferred to wave through another Google digital merger (its acquisition of fitness wearable Fitbit) — agreeing to accept a number of ‘concessions’ and ignoring major mobilization by civil society (and indeed EU data protection agencies) urging her to block it.

Yet in an earlier CEPR discussion session, another panellist — Yale University’s Dina Srinivasan — pointed to the challenges of trying to regulate the behavior of companies when there are clear conflicts of interest, unless and until you impose structural separation as she said has been necessary in other markets (like financial services).

“In advertising we have an electronically traded market with exchanges and we have brokers on both sides. In a competitive market — when competition was working — you saw that those brokers were acting in the best interest of buyers and sellers. And as part of carrying out that function they were sort of protecting the data that belonged to buyers and sellers in that market, and not playing with the data in other ways — not trading on it, not doing conduct similar to insider trading or even front running,” she said, giving an example of how that changed as Google gained market power.

“So Google acquired DoubleClick, made promises to continue operating in that manner, the promises were not binding and on the record — the enforcement agencies or the agencies that cleared the merger didn’t make Google promise that they would abide by that moving forward and so as Google gained market power in that market there’s no regulatory requirement to continue to act in the best interests of your clients, so now it becomes a market power issue, and after they gain enough market power they can flip data ownership and say ‘okay, you know what before you owned this data and we weren’t allowed to do anything with it but now we’re going to use that data to for example sell our own advertising on exchanges’.

“But what we know from other markets — and from financial markets — is when you flip data ownership and you engage in conduct like that that allows the firm to now build market power in yet another market.”

The CMA’s Coscelli picked up on Srinivasan’s point — saying it was a “powerful” one, and that the challenges of policing “very complicated” situations involving conflicts of interests is something that regulators with merger control powers should be bearing in mind as they consider whether or not to green light tech acquisitions.

(Just one example of a merger in the digital space that the CMA is still scrutinizing is Facebook’s acquisition of animated GIF platform Giphy. And it’s interesting to speculate whether, had Brexit happened a little faster, the CMA might have stepped in to block Google’s Fitbit merger where the EU wouldn’t.)

Coscelli also flagged the issue of regulatory under-enforcement in digital markets as a key one, saying: “One of the reasons we are today where we are is partially historic under-enforcement by competition authorities on merger control — and that’s a theme that is extremely interesting and relevant to us because after the exit from the EU we now have a bigger role in merger control on global mergers. So it’s very important to us that we take the right decisions going forward.”

“Quite often we intervene in areas where there is under-enforcement by regulators in specific areas… If you think about it when you design systems where you have vertical regulators in specific sectors and horizontal regulators like us or the ICO we are more successful if the vertical regulators do their job and I’m sure they are more successful if we do our job properly.

“I think we systematically underestimate… the ability of companies to work through whatever behavior or commitments or arrangement are offered to us, so I think these are very important points,” he added, signalling that a higher degree of attention is likely to be applied to tech mergers in Europe as a result of the CMA stepping out from the EU’s competition regulation umbrella.

Also speaking during the same panel, the EDPS warned that across Europe more broadly — i.e. beyond the small but engaged gathering of regulators brought together by CEPR — data protection and competition regulators are far from where they need to be on joint working, implying that the challenge of effectively regulating big tech across the EU is still a pretty Sisyphean one.

It’s true that the Commission is not sitting on its hands in the face of tech giant market power.

At the end of last year it proposed a regime of ex ante regulations for so-called ‘gatekeeper’ platforms, under the Digital Markets Act. But the problem of how to effectively enforce pan-EU laws — when the various agencies involved in oversight are typically decentralized across Member States — is one key complication for the bloc. (The Commission’s answer with the DMA was to suggest putting itself in charge of overseeing gatekeepers but it remains to be seen what enforcement structure EU institutions will agree on.)

Clearly, the need for careful and coordinated joint working across multiple agencies with different legal competencies — if, indeed, that’s really what’s needed to properly address captured digital markets vs structural separation of Google’s search and adtech, for example, and Facebook’s various social products — steps up the EU’s regulatory challenge in digital markets.

“We can say that no effective competition nor protection of the rights in the digital economy can be ensured when the different regulators do not talk to each other and understand each other,” Wiewiórowski warned. “While we are still thinking about the cooperation it looks a little bit like everybody is afraid they will have to trade a little bit of its own possibility to assess.”

“If you think about the classical regulators isn’t it true that at some point we are reaching this border where we know how to work, we know how to behave, we need a little bit of help and a little bit of understanding of the other regulator’s work… What is interesting for me is there is — at the same time — the discussion about splitting of the task of the American regulators joining the ones on the European side. But even the statements of some of the commissioners in the European Union saying about the bigger role the Commission will play in the data protection and solving the enforcement problems of the GDPR show there is no clear understanding what are the differences between these fields.”

One thing is clear: Big tech’s dominance of digital markets won’t be unpicked overnight. But, on both sides of the Atlantic, there are now a bunch of theories on how to do it — and growing appetite to wade in.


UK’s ICO warns over ‘big data’ surveillance threat of live facial recognition in public

The UK’s chief data protection regulator has warned over reckless and inappropriate use of live facial recognition (LFR) in public places.

Publishing an opinion today on the use of this biometric surveillance in public — to set out what is dubbed as the “rules of engagement” — the information commissioner, Elizabeth Denham, also noted that a number of investigations already undertaken by her office into planned applications of the tech have found problems in all cases.

“I am deeply concerned about the potential for live facial recognition (LFR) technology to be used inappropriately, excessively or even recklessly. When sensitive personal data is collected on a mass scale without people’s knowledge, choice or control, the impacts could be significant,” she warned in a blog post.

“Uses we’ve seen included addressing public safety concerns and creating biometric profiles to target people with personalised advertising.

“It is telling that none of the organisations involved in our completed investigations were able to fully justify the processing and, of those systems that went live, none were fully compliant with the requirements of data protection law. All of the organisations chose to stop, or not proceed with, the use of LFR.”

“Unlike CCTV, LFR and its algorithms can automatically identify who you are and infer sensitive details about you. It can be used to instantly profile you to serve up personalised adverts or match your image against known shoplifters as you do your weekly grocery shop,” Denham added.

“In future, there’s the potential to overlay CCTV cameras with LFR, and even to combine it with social media data or other ‘big data’ systems — LFR is supercharged CCTV.”

The use of biometric technologies to identify individuals remotely sparks major human rights concerns, including around privacy and the risk of discrimination.

Across Europe there are campaigns — such as Reclaim your Face — calling for a ban on biometric mass surveillance.

In another targeted action, back in May, Privacy International and others filed legal challenges at the controversial US facial recognition company, Clearview AI, seeking to stop it from operating in Europe altogether. (Some regional police forces have been tapping in — including in Sweden where the force was fined by the national DPA earlier this year for unlawful use of the tech.)

But while there’s major public opposition to biometric surveillance in Europe, the region’s lawmakers have so far — at best — been fiddling around the edges of the controversial issue.

A pan-EU regulation the European Commission presented in April, which proposes a risk-based framework for applications of artificial intelligence, included only a partial prohibition on law enforcement’s use of biometric surveillance in public places — with wide ranging exemptions that have drawn plenty of criticism.

There have also been calls for a total ban on the use of technologies like live facial recognition in public from MEPs across the political spectrum. The EU’s chief data protection supervisor has also urged lawmakers to at least temporarily ban the use of biometric surveillance in public.

The EU’s planned AI Regulation won’t apply in the UK, in any case, as the country is now outside the bloc. And it remains to be seen whether the UK government will seek to weaken the national data protection regime.

A recent report it commissioned to examine how the UK could revise its regulatory regime, post-Brexit, has — for example — suggested replacing the UK GDPR with a new “UK framework” — proposing changes to “free up data for innovation and in the public interest”, as it puts it, and advocating for revisions for AI and “growth sectors”. So whether the UK’s data protection regime will be put to the torch in a post-Brexit bonfire of ‘red tape’ is a key concern for rights watchers.

(The Taskforce on Innovation, Growth and Regulatory Reform report advocates, for example, for the complete removal of Article 22 of the GDPR — which gives people rights not to be subject to decisions based solely on automated processing — suggesting it be replaced with “a focus” on “whether automated profiling meets a legitimate or public interest test”, with guidance on that envisaged as coming from the Information Commissioner’s Office (ICO). But it should also be noted that the government is in the process of hiring Denham’s successor; and the digital minister has said he wants her replacement to take “a bold new approach” that “no longer sees data as a threat, but as the great opportunity of our time”. So, er, bye-bye fairness, accountability and transparency then?)

For now, those seeking to implement LFR in the UK must comply with provisions in the UK’s Data Protection Act 2018 and the UK General Data Protection Regulation (aka, its implementation of the EU GDPR which was transposed into national law before Brexit), per the ICO opinion, including the data protection principles set out in UK GDPR Article 5, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, security and accountability.

Controllers must also enable individuals to exercise their rights, the opinion said.

“Organisations will need to demonstrate high standards of governance and accountability from the outset, including being able to justify that the use of LFR is fair, necessary and proportionate in each specific context in which it is deployed. They need to demonstrate that less intrusive techniques won’t work,” wrote Denham. “These are important standards that require robust assessment.

“Organisations will also need to understand and assess the risks of using a potentially intrusive technology and its impact on people’s privacy and their lives. For example, how issues around accuracy and bias could lead to misidentification and the damage or detriment that comes with that.”

The timing of the publication of the ICO’s opinion on LFR is interesting in light of wider concerns about the direction of UK travel on data protection and privacy.

If, for example, the government intends to recruit a new, ‘more pliant’ information commissioner — who will happily rip up the rulebook on data protection and AI, including in areas like biometric surveillance — it will at least be rather awkward for them to do so with an opinion from the prior commissioner on the public record that details the dangers of reckless and inappropriate use of LFR.

Certainly, the next information commissioner won’t be able to say they weren’t given clear warning that biometric data is particularly sensitive — and can be used to estimate or infer other characteristics, such as their age, sex, gender or ethnicity.

Or that ‘Great British’ courts have previously concluded that “like fingerprints and DNA [a facial biometric template] is information of an ‘intrinsically private’ character”, as the ICO opinion notes, while underlining that LFR can cause this super sensitive data to be harvested without the person in question even being aware it’s happening. 

Denham’s opinion also hammers hard on the point about the need for public trust and confidence for any technology to succeed, warning that: “The public must have confidence that its use is lawful, fair, transparent and meets the other standards set out in data protection legislation.”

The ICO has previously published an Opinion into the use of LFR by police forces — which she said also sets “a high threshold for its use”. (And a few UK police forces — including the Met in London — have been among the early adopters of facial recognition technology, which has in turn led some into legal hot water on issues like bias.)

Disappointingly, though, for human rights advocates, the ICO opinion shies away from recommending a total ban on the use of biometric surveillance in public by private companies or public organizations — with the commissioner arguing that while there are risks with use of the technology there could also be instances where it has high utility (such as in the search for a missing child).

“It is not my role to endorse or ban a technology but, while this technology is developing and not widely deployed, we have an opportunity to ensure it does not expand without due regard for data protection,” she wrote, saying instead that in her view “data protection and people’s privacy must be at the heart of any decisions to deploy LFR”.

Denham added that (current) UK law “sets a high bar to justify the use of LFR and its algorithms in places where we shop, socialise or gather”.

“With any new technology, building public trust and confidence in the way people’s information is used is crucial so the benefits derived from the technology can be fully realised,” she reiterated, noting how a lack of trust in the US has led to some cities banning the use of LFR in certain contexts and led to some companies pausing services until rules are clearer.

“Without trust, the benefits the technology may offer are lost,” she also warned.

There is one red line that the UK government may be forgetting in its unseemly haste to (potentially) gut the UK’s data protection regime in the name of specious ‘innovation’. Because if it tries to, er, ‘liberate’ national data protection rules from core EU principles (of lawfulness, fairness, proportionality, transparency, accountability and so on) — it risks falling out of regulatory alignment with the EU, which would then force the European Commission to tear up an EU-UK data adequacy arrangement (on which the ink is still drying).

The UK having a data adequacy agreement from the EU is dependent on the UK having essentially equivalent protections for people’s data. Without this coveted data adequacy status UK companies will immediately face far greater legal hurdles to processing the data of EU citizens (as the US now does, in the wake of the demise of Safe Harbor and Privacy Shield). There could even be situations where EU data protection agencies order EU-UK data flows to be suspended altogether…

Obviously such a scenario would be terrible for UK business and ‘innovation’ — even before you consider the wider issue of public trust in technologies and whether the Great British public itself wants to have its privacy rights torched.

Given all this, you really have to wonder whether anyone inside the UK government has thought this ‘regulatory reform’ stuff through. For now, the ICO is at least still capable of thinking for them.

 


E.U. Recommends Opening to Americans to Rescue the Summer

The European Union recommended its 27 member nations lift a ban on nonessential travel from the United States, but each country will decide for itself.


After Coronavirus Pandemic and Brexit, UK Begins to See Worker Gaps

As the country’s economy restarts after months of closures, staffing shortages have emerged in some industries. The impact of leaving the European Union could be part of the problem.


Internxt gets $1M to be ‘the Coinbase of decentralized storage’

Valencia-based startup Internxt has been quietly working on an ambitious plan to make decentralized cloud storage massively accessible to anyone with an Internet connection.

It’s just bagged $1M in seed funding led by Angels Capital, a European VC fund owned by Juan Roig (aka Spain’s richest grocer and second wealthiest billionaire), and Miami-based The Venture City. It had previously raised around half a million dollars via a token sale to help fund early development.

The seed funds will be put towards its next phase of growth — its month-to-month growth rate is 30% and it tells us it’s confident it can at least sustain that — including planning a big boost to headcount so it can accelerate product development.

The Spanish startup has spent most of its short life to date developing a decentralized infrastructure that it argues is both inherently more secure and more private than mainstream cloud-based apps (such as those offered by tech giants like Google).

This is because files are not only encrypted in a way that means it cannot access your data but information is also stored in a highly decentralized way, split into tiny shards which are then distributed across multiple storage locations, with users of the network contributing storage space (and being recompensed for providing that capacity with — you guessed it — crypto).

“It’s a distributed architecture, we’ve got servers all over the world,” explains founder and CEO Fran Villalba Segarra. “We leverage and use the space provided by professionals and individuals. So they connect to our infrastructure and start hosting data shards and we pay them for the data they host — which is also more affordable because we are not going through the traditional route of just renting out a data center and paying them for a fixed amount of space.

“It’s like the Airbnb model or Uber model. We’ve kind of democratized storage.”

Internxt clocked up three years of R&D, beginning in 2017, before launching its first cloud-based apps: Drive (file storage), a year ago — and now Photos (a Google Photos rival).

So far it’s attracting around a million active users without paying any attention to marketing, per Villalba Segarra.

Internxt Mail is the next product in its pipeline — to compete with Gmail and also ProtonMail, a pro-privacy alternative to Google’s freemium webmail client (and for more on why it believes it can offer an edge there read on).

Internxt Send (file transfer) is another product billed as coming soon.

“We’re working on a G-Suite alternative to make sure we’re at the level of Google when it comes to competing with them,” he adds.

The issue Internxt’s architecture is designed to solve is that files which are stored in just one place are vulnerable to being accessed by others. Whether that’s the storage provider itself (who may, like Google, have a privacy-hostile business model based on mining users’ data); or hackers/third parties who manage to break the provider’s security — and can thus grab and/or otherwise interfere with your files.

Security risks when networks are compromised can include ransomware attacks — which have been on an uptick in recent years — whereby attackers that have penetrated a network and gained access to stored files then hold the information to ransom by walling off the rightful owner’s access (typically by applying their own layer of encryption and demanding payment to unlock the data).

The core conviction driving Internxt’s decentralization push is that files sitting whole on a server or hard drive are sitting ducks.

Its answer to that problem is an alternative file storage infrastructure that combines zero access encryption and decentralization — meaning files are sharded, distributed and mirrored across multiple storage locations, making them highly resilient against storage failures or indeed hack attacks and snooping.

The approach ameliorates cloud service provider-based privacy concerns because Internxt itself cannot access user data.

To make money its business model is simple, tiered subscriptions: With (currently) one plan covering all its existing and planned services — based on how much data you need. (It is also freemium, with the first 10GB being free.)

Internxt is by no means the first to see key user value in rethinking core Internet architecture.

Scotland’s MaidSafe has been trying to build an alternative decentralized Internet for well over a decade at this point — only starting alpha testing its alt network (aka, the Safe Network) back in 2016, after ten years of testing. Its long term mission to reinvent the Internet continues.

Another (slightly less veteran) competitor in the decentralized cloud storage space is Storj, which is targeting enterprise users. There’s also Filecoin and Sia — both also part of the newer wave of blockchain startups that sprung up after Bitcoin sparked entrepreneurial interest in cryptocurrencies and blockchain/decentralization.

How, then, is what Internxt’s doing different to these rival decentralized storage plays — all of which have been at this complex coal face for longer?

“We’re the only European based startup that’s doing this [except for MaidSafe, although it’s UK not EU based],” says Villalba Segarra, arguing that the European Union’s legal regime around data protection and privacy lends it an advantage vs U.S. competitors. “All the others, Storj, plus Sia, Filecoin… they’re all US-based companies as far as I’m aware.”

The other major differentiating factor he highlights is usability — arguing that the aforementioned competitors have been “built by developers for developers”. Whereas he says Internxt’s goal is to be the equivalent of ‘Coinbase for decentralized storage’; aka, it wants to make a very complex technology highly accessible to non-technical Internet users.

“It’s a huge technology but in the blockchain space we see this all the time — where there’s huge potential but it’s very hard to use,” he tells TechCrunch. “That’s essentially what Coinbase is also trying to do — bringing blockchain to users, making it easier to use, easier to invest in cryptocurrency etc. So that’s what we’re trying to do at Internxt as well, bringing blockchain for cloud storage to the people. Making it easy to use with a very easy to use interface and so forth.

“It’s the only service in the distributed cloud space that’s actually usable — that’s kind of our main differentiating factor from Storj and all these other companies.”

“In terms of infrastructure it’s actually pretty similar to that of Sia or Storj,” he goes on — further likening Internxt’s ‘zero access’ encryption to Proton Drive’s architecture (aka, the file storage product from the makers of end-to-end encrypted email service ProtonMail) — which also relies on client side encryption to give users a robust technical guarantee that the service provider can’t snoop on your stuff. (So you don’t have to just trust the company not to violate your privacy.)

But while it’s also touting zero access encryption (it seems to be using off-the-shelf AES-256 encryption; it says it uses “military grade”, client-side, open source encryption that’s been audited by Spain’s S2 Grupo, a major local cybersecurity firm), Internxt takes the further step of decentralizing the encrypted bits of data too. And that means it can tout added security benefits, per Villalba Segarra.

“On top of that what we do is we fragment data and then distribute it around the world. So essentially what servers host are encrypted data shards — which is much more secure because if a hacker was ever to access one of these servers what they would find is encrypted data shards which are essentially useless. Not even we can access that data.

“So that adds a huge layer of security against hackers or third party [access] in terms of data. And then on top of that we build very nice interfaces with which the user is very used to using — pretty much similar to those of Google… and that also makes us very different from Storj and Sia.”

Storage space for Internxt users’ files is provided by users who are incentivized to offer up their unused capacity to host data shards with micropayments of crypto for doing so. This means capacity could be coming from an individual user connecting to Internxt with just their laptop — or a datacenter company with large amounts of unused storage capacity. (And Villalba Segarra notes that a number of data center companies, such as OVH, are connected to its network.)

“We don’t have any direct contracts [for storage provision]… Anyone can connect to our network — so datacenters with available storage space, if they want to make some money on that they can connect to our network. We don’t pay them as much as we would pay them if we went to them through the traditional route,” he says, likening this portion of the approach to how Airbnb has both hosts and guests (or Uber needs drivers and riders).

“We are the platform that connects both parties but we don’t host any data ourselves.”

Internxt uses a reputation system to manage storage providers — to ensure network uptime and quality of service — and also applies blockchain ‘proof of work’ challenges to node operators to make sure they’re actually storing the data they claim.

“Because of the decentralized nature of our architecture we really need to make sure that it hits a certain level of reliability,” he says. “So for that we use blockchain technology… When you’re storing data in your own data center it’s easier in terms of making sure it’s reliable but when you’re storing it in a decentralized architecture it brings a lot of benefits — such as more privacy or it’s also more affordable — but the downside is you need to make sure that for example they’re actually storing data.”
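The article does not describe how Internxt's node challenges work, so the following is an added illustration of the general idea (checking that a node still holds the encrypted shard it is paid for), not Internxt's protocol or code. All class and function names are hypothetical, and the input bytes are a constructed stand-in for ciphertext that a client would already have encrypted before sharding.

```python
"""Challenge-response storage audit over encrypted shards (illustrative sketch)."""
import hashlib
import hmac
import secrets

SHARD_SIZE = 64  # bytes; tiny so the constructed sample yields several shards


def split_into_shards(ciphertext, shard_size=SHARD_SIZE):
    """Cut already-encrypted bytes into fixed-size shards."""
    return [ciphertext[i:i + shard_size]
            for i in range(0, len(ciphertext), shard_size)]


class Auditor:
    """Owner/network side: keeps only small per-shard challenge lists."""

    def __init__(self):
        self.static_hash = {}  # shard_id -> SHA-256 of the shard (weak check)
        self.pending = {}      # shard_id -> [(nonce, expected_answer), ...]

    def register(self, shard_id, shard, count=3):
        """Run before upload, while the shard is still available locally."""
        self.static_hash[shard_id] = hashlib.sha256(shard).digest()
        self.pending[shard_id] = []
        for _ in range(count):
            nonce = secrets.token_bytes(16)
            expected = hmac.new(nonce, shard, hashlib.sha256).digest()
            self.pending[shard_id].append((nonce, expected))

    def weak_audit(self, shard_id, node):
        """Asks for the plain hash; a node can answer from a cached digest."""
        return hmac.compare_digest(node.plain_hash(shard_id),
                                   self.static_hash[shard_id])

    def audit(self, shard_id, node):
        """Spends one unused nonce; answering needs every byte of the shard."""
        if not self.pending[shard_id]:
            raise RuntimeError("no unused challenges left; re-register shard")
        nonce, expected = self.pending[shard_id].pop()
        return hmac.compare_digest(node.respond(shard_id, nonce), expected)


class HonestNode:
    """Stores each shard in full and answers from the stored bytes."""

    def __init__(self):
        self.shards = {}

    def store(self, shard_id, shard):
        self.shards[shard_id] = shard

    def plain_hash(self, shard_id):
        return hashlib.sha256(self.shards[shard_id]).digest()

    def respond(self, shard_id, nonce):
        return hmac.new(nonce, self.shards[shard_id], hashlib.sha256).digest()


class DiscardingNode(HonestNode):
    """Claims the storage reward but keeps only a 32-byte digest per shard."""

    def store(self, shard_id, shard):
        self.shards[shard_id] = hashlib.sha256(shard).digest()

    def plain_hash(self, shard_id):
        return self.shards[shard_id]  # the cached digest passes the weak check
    # respond() is inherited: it HMACs the digest, not the shard, so it fails.


def run_demo():
    # Constructed sample: 256 distinct bytes standing in for real ciphertext.
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    shards = split_into_shards(ciphertext)
    auditor, honest, cheat = Auditor(), HonestNode(), DiscardingNode()
    for shard_id, shard in enumerate(shards):
        auditor.register(shard_id, shard)
        honest.store(shard_id, shard)  # each shard is mirrored to both nodes
        cheat.store(shard_id, shard)
    ids = range(len(shards))
    return {
        "shards": len(shards),
        "honest_weak": all(auditor.weak_audit(i, honest) for i in ids),
        "cheat_weak": all(auditor.weak_audit(i, cheat) for i in ids),
        "honest_nonce": all(auditor.audit(i, honest) for i in ids),
        "cheat_nonce": any(auditor.audit(i, cheat) for i in ids),
    }


if __name__ == "__main__":
    print(run_demo())
```

A fixed hash check is satisfied by a node that threw the data away, while a fresh nonce per audit is not; each nonce is spent once because a revealed nonce's answer could be cached.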

Payments to storage capacity providers are also made via blockchain tech — which Villalba Segarra says is the only way to scale and automate so many micropayments to ~10,000 node operators all over the world.

Discussing the issue of energy costs — given that ‘proof of work’ blockchain-based technologies are facing increased scrutiny over the energy consumption involved in carrying out the calculations — he suggests that Internxt’s decentralized architecture can be more energy efficient than traditional data centers because data shards are more likely to be located nearer to the requesting user — shrinking the energy required to retrieve packets vs always having to do so from a few centralized global locations.

“What we’ve seen in terms of energy consumption is that we’re actually much more energy efficient than a traditional cloud storage service. Why? Think about it, we mirror files and we store them all over the world… It’s actually impossible to access a file from Dropbox that is sent out from [a specific location]. Essentially when you access Dropbox or Google Drive and you download a file they’re going to be sending it out from their data center in Texas or wherever. So there’s a huge data transfer energy consumption there — and people don’t think about it,” he argues.

“Data center energy consumption is already 2%* of the whole world’s energy consumption if I’m not mistaken. So being able to use latency and being able to send your files from [somewhere near the user] — which is also going to be faster, which is all factored into our reputation system — so our algorithms are going to be sending you the files that are closer to you so that we save a lot of energy from that. So if you multiply that by millions of users and millions of terabytes that actually saves a lot of energy consumption and also costs for us.”

What about latency from the user’s point of view? Is there a noticeable lag when they try to upload or retrieve and access files stored on Internxt vs — for example — Google Drive?

Villalba Segarra says being able to store file fragments closer to the user also helps compensate for any lag. But he also confirms there is a bit of a speed difference vs mainstream cloud storage services.

“In terms of upload and download speed we’re pretty close to Google Drive and Dropbox,” he suggests. “Again these companies have been around for over ten years and their services are very well optimized and they’ve got a traditional cloud architecture which is also relatively simpler, easier to build and they’ve got thousands of [employees] so their services are obviously much better than our service in terms of speed and all that. But we’re getting really close to them and we’re working really fast towards bringing our speed [to that level] and also as many features as possible to our architecture and to our services.”

“Essentially how we see it is we’re at the level of Proton Drive or Tresorit in terms of usability,” he adds on the latency point. “And we’re getting really close to Google Drive. But an average user shouldn’t really see much of a difference and, as I said, we’re literally working as hard as possible to make our services as useable as those of Google. But we’re ages ahead of Storj, Sia, MaidSafe and so forth — that’s for sure.”

Internxt is doing all this complex networking with a team of just 20 people currently. But with the new seed funding tucked in its back pocket the plan now is to ramp up hiring over the next few months — so that it can accelerate product development, sustain its growth and keep pushing its competitive edge.

“By the time we do a Series A we should be around 100 people at Internxt,” says Villalba Segarra. “We are already preparing our Series A. We just closed our seed round but because of how fast we’re growing we are already being reached out to by a few other lead VC funds from the US and London.

“It will be a pretty big Series A. Potentially the biggest in Spain… We plan on growing until the Series A at at least a 30% month-to-month rate which is what we’ve been growing up until now.”

He also tells TechCrunch that the intention for the Series A is to do the funding at a $50M valuation.

“We were planning on doing it a year from now because we literally just closed our [seed] round but because of how many VCs are reaching out to us we may actually do it by the end of this year,” he says, adding: “But timeframe isn’t an issue for us. What matters most is being able to reach that minimum valuation.”

*Per the IEA, data centres and data transmission networks each accounted for around 1% of global electricity use in 2019


Co-living startup Habyt closes $24M Series B, merges with Homefully

When WeWork appeared, other entrepreneurs looked at the model and thought that if you could apply co-working to property, then why not apply co-living. Thus, in the US, Common appeared, as did Hmlet in Asia. In the EU, Habyt launched, but has already gobbled up its competitors Quarters, Goliving, and Erasmo’s Room.

It’s now closed a series B round of €20M / $24M, and merged with another competitor, Homefully, founded by Sebastian Wuerz in 2016. The round was backed by HV Capital (formerly Holtzbrinck Ventures), Vorwerk Ventures, P101 and Picus Capital.

Founded in 2017 by Luca Bovone, Habyt will now have over 5,000 units across 15 cities and 6 countries. The merged companies will offer fully furnished and serviced living units, coupled with a tech-enabled user-experience and a focus on community, aimed at young professionals between 20 and 35 years old who move jobs and cities fairly frequently.

Luca Bovone, Founder and CEO of Habyt, said: “We have been on an incredible journey in the past year and a half. In spite of less than perfect market conditions we have been able to grow a lot via a very successful M&A strategy that brought us into the position of leaders of our sector in Europe and that still has a lot of potential. This 20M series B round really opens our doors to keep building Habyt both via organic growth and via more M&As. We are now looking at strategic targets in Europe, specifically in France and Italy, and also in other continents, especially in Asia.”

Sebastian Wuerz, Founder of homefully, said: “The coliving market is going through a consolidation phase and Habyt has really seized this opportunity quickly and effectively and is on the best track to become the leader of the sector at a global scale. Joining forces is a crucial step in this direction and I am very excited for the team to be part of this journey.”

Felix Kluehr, Partner at HV said: “We are happy to see that Habyt has emerged as the leading player in the European co-living market and HV is excited to support the team in their ambitious plan to build the leading European coliving company”.

In an interview, Bovone told me: “It’s like a member’s club. We have a subscription model, where people pay a monthly fee, which is your rent, and then you can, of course, apply for a room somewhere else and know that we have a fairly decent scale across Europe and eventually, also in southern Europe. You are able to move from one place to the other. Our motto is live anywhere.”

He said that the pandemic had meant that people were ditching co-working spaces and “They would prefer to spend 50 to 100 euro more per month on getting better housing where they can work comfortably from home.”

“We are already seeing within our customer base, they want to stay six months in Berlin, three months in Madrid, then move back to Berlin and so on. The traditional housing market just doesn’t allow that to happen. You have contracts with utilities and so on, which you can never break and it’s just an outdated product offering, and we’re trying to tackle that.”


Tired of accepting/rejecting cookies? ADPC wants to automate the process

The European Union’s General Data Protection Regulation (GDPR), passed in 2018, requires websites to ask visitors for consent prior to placing cookies. As any Internet user is now aware, this means an extra step required when visiting nearly any website for the first time—or potentially every time, if you choose not to accept cookies. A new proposed HTTP standard from None of Your Business and the Sustainable Computing Lab would allow the user to set their privacy preferences once, inside the browser itself, and have the browser communicate those preferences invisibly with any website the user visits.

Advanced Data Protection Control

The proposed standard enables two methods of automated preference delivery—one which communicates directly with the web server hosting a site being visited, and another which communicates with the website itself.

When ADPC communicates directly with the web server, it does so via HTTP headers—a Link header pointing to a JSON file on the server, and the ADPC header emitted by the user’s browser. When communicating with the website itself, the mechanism is via JavaScript—configuration is passed as an object to the DOM interface, e.g., navigator.dataProtectionControl.request(...).
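The header-based route described above, handled on the server side, as an added example that is not from the article or the ADPC project. The rel="consent-requests" value, the consent/withdraw directive syntax, the JSON shape and the precedence rules are assumptions modelled on the ADPC draft, and all identifiers and texts are constructed.

```javascript
'use strict';

// Constructed consent requests a site would publish as a JSON file and point
// to from a Link response header. Identifiers and texts are made up.
const CONSENT_REQUESTS = {
  consentRequests: {
    q1analytics: 'We analyse your visits to improve the site; this sets a cookie.',
    q2ads: 'We share your browsing activity with advertising partners.',
  },
};

// Assumption of this example: cap the size of the untrusted request header.
const MAX_HEADER_LENGTH = 1024;

// Value of the Link response header advertising the JSON file
// (rel value assumed from the ADPC draft).
function consentRequestsLink(path) {
  return `<${path}>; rel="consent-requests"`;
}

// Parse an ADPC request header such as:
//   withdraw=*, consent="q1analytics q2ads"
// Returns null for missing, oversized or malformed input so callers fail closed.
// A comma inside a quoted value also yields null, because identifiers are
// expected to be space-separated tokens.
function parseAdpcHeader(value) {
  if (typeof value !== 'string' || value.length === 0 ||
      value.length > MAX_HEADER_LENGTH) {
    return null;
  }
  const result = { consent: [], withdraw: [] };
  for (const part of value.split(',')) {
    const m = /^\s*([a-z]+)\s*=\s*(?:"([^"]*)"|(\*|[A-Za-z0-9_-]+))\s*$/.exec(part);
    if (!m) return null;
    const key = m[1];
    // Own-property check: a directive named "constructor" must not match
    // something inherited from Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(result, key)) continue;
    const raw = m[2] !== undefined ? m[2] : m[3];
    result[key].push(...raw.split(/\s+/).filter(Boolean));
  }
  return result;
}

// Fold one request's ADPC signal into the consents already stored for a user.
// Rules chosen for this example:
//   - only identifiers the site itself published are ever granted;
//   - "withdraw=*" clears everything not re-granted in the same header;
//   - an identifier listed in both directives ends up withdrawn;
//   - no header, or a malformed one, grants nothing new.
function applyAdpc(storedConsents, headerValue, published = CONSENT_REQUESTS) {
  const known = new Set(Object.keys(published.consentRequests));
  const granted = new Set(storedConsents.filter((id) => known.has(id)));
  const signal = parseAdpcHeader(headerValue);
  if (signal === null) return [...granted].sort();

  if (signal.withdraw.includes('*')) granted.clear();
  for (const id of signal.consent) {
    if (known.has(id)) granted.add(id);
  }
  for (const id of signal.withdraw) {
    if (id !== '*') granted.delete(id);
  }
  return [...granted].sort();
}
```

The stored consent state, not the presence of the header on a given request, is what downstream code should check before setting non-essential cookies.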


Cannabis and digital health start-up Sanity Group closes $44.2M Series A led by Redalpine

Berlin-based cannabis and digital health start-up Sanity Group has closed a $44.2M Series A financing round led by Swiss VC Redalpine along with US-based Navy Capital and SOJE Capital. GMPVC also participated in the round. This appears to be the largest round of cannabis funding in Europe to date and brings total investment in Sanity Group to $73M.

The new capital will be used to expand the Group’s medical division in Europe as well as an EU-GMP-compliant research and production facility near Frankfurt.

Previous investors include HV Capital, TQ Ventures, Atlantic Food Labs, Cherry Ventures, Bitburger Ventures, and SevenVentures. In addition, Sanity Group has attracted celebrity angels including music producers will.i.am, Scooter Braun, and actress Alyssa Milano.

Sanity’s cannabis-based platform is for mental health and chronic pain management, allowing the tracking of cannabis-based therapy digitally with a medical device. This tells customers how much of the active ingredient (THC, CBD or other cannabinoids) is being administered. This is then registered in a therapy diary.

Finn Age Hänsel, founder and managing director of Sanity Group said: “A round of this magnitude shows that cannabis is increasingly moving into the mainstream of investor awareness, and represents an important milestone in our business expansion on our way to becoming Europe’s leading cannabis company.”

In an interview, he added: “So we are fully legal and operated in Germany. We are just about to enter the Czech Republic and Poland. The UK is one of the biggest markets we want to enter going forward because, as you might know, the whole area of medical cannabis is slowly but surely opening all over Europe, with Germany being the largest market, about 80% of all the cannabis cannabinoid-based therapies today. But actually, the UK being the number two, which is a super attractive market for us but we look further into the Czech Republic and Poland, because those are the markets that have opened up from a regulatory perspective, at the most, over the last two years, and then France will open up next year, but that’s basically one after the other.”

Sean Stiefel, CEO at Navy Capital said: “The European cannabis market faces exciting developments in the coming months. Compared to the North American market, Europe is now where we were in the U.S. about four years ago. We want to bring our expertise and experience to the table. For our first investment in Europe, it was important for us to find a team that understands the market and has real industry experts in its ranks.”


Adtech ‘data breach’ GDPR complaint is headed to court in EU

New York-based IAB Tech Labs, a standards body for the digital advertising industry, is being taken to court in Germany by the Irish Council for Civil Liberties (ICCL) in a piece of privacy litigation that’s targeted at the high speed online ad auction process known as real-time bidding (RTB).

While that may sound pretty obscure the case essentially loops in the entire ‘data industrial complex’ of adtech players, large and small, which make money by profiling Internet users and selling access to their attention — from giants like Google and Facebook to other household names (the ICCL’s PR also name-checks Amazon, AT&T, Twitter and Verizon, the latter being the parent company of TechCrunch — presumably because all participate in online ad auctions that can use RTB); as well as the smaller (typically non-household name) adtech entities and data brokers which are also involved in handling people’s data to run high velocity background auctions that target behavioral ads at web users.

The driving force behind the lawsuit is Dr Johnny Ryan, a former adtech insider turned whistleblower who’s now a senior fellow at the ICCL — and who has dubbed RTB the biggest data breach of all time.

He points to the IAB Tech Lab’s audience taxonomy documents which provide codes for what can be extremely sensitive information that’s being gathered about Internet users, based on their browsing activity, such as political affiliation, medical conditions, household income, or even whether they may be a parent to a special needs child.

The lawsuit contends that other industry documents vis-a-vis the ad auction system confirm there are no technical measures to limit what companies can do with people’s data, nor who they might pass it on to.

The lack of security inherent to the RTB process also means other entities not directly involved in the adtech bidding chain could potentially intercept people’s information — when it should, on the contrary, be being protected from unauthorized access, per EU law…

Ryan and others have been filing formal complaints about RTB’s security issue for years, arguing the system breaches a core principle of Europe’s General Data Protection Regulation (GDPR) — which requires that personal data be “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing and against accidental loss” — and which, they contend, simply isn’t possible given how RTB functions.

The problem is that Europe’s data protection agencies have failed to act. Which is why Ryan, via the ICCL, has decided to take the more direct route of filing a lawsuit.

“There aren’t many DPAs around the union that haven’t received evidence of what I think is the biggest data breach of all time but it started with the UK and Ireland — neither of which took, I think it’s fair to say, any action. They both said they were doing things but nothing has changed,” he tells TechCrunch, explaining why he’s decided to take the step of litigating.

“I want to take the most efficient route to protect people’s rights around data,” he adds.

Per Ryan, the Irish Data Protection Commission (DPC) has still not sent a statement of issues relating to the RTB complaint he lodged with them back in 2018 — so years later. In May 2019 the DPC did announce it was opening a formal investigation into Google’s adtech, following the RTB complaints, but the case remains open and unresolved. (We’ve contacted the DPC with questions about its progress on the investigation and will update with any response.)

Since the GDPR came into application in Europe in May 2018 there has been growth in privacy lawsuits — including class action style suits — so litigation funders may be spying an opportunity to cash in on the growing enforcement gap left by resource-strapped and, well, risk-averse data protection regulators.

A similar complaint about RTB lodged with the UK’s Information Commissioner’s Office (ICO) also led to a lawsuit being filed last year — albeit in that case it was against the watchdog itself for failing to take any action. (The ICO’s last missive to the adtech industry told it to — uhhhh — expect audits.)

“The GDPR was supposed to create a situation where the average person does not need to wear a tin-foil hat, they do not need to be paranoid or take action to become well informed. Instead, supervisory authorities protect them. And these supervisory authorities — paid for by the tax payer — have very strong powers. They can gain admission to any documents and any premises. It’s not about fines I don’t think, just. They can tell the biggest most powerful companies in the world to stop doing what they’re doing with our data. That’s the ultimate power,” says Ryan. “So GDPR sets up these guardians — these potentially very empowered guardians — but they’ve not used those powers… That’s why we’re acting.”

“I do wish that I’d litigated years ago,” he adds. “There’s lots of reasons why I didn’t do that — I do wish, though, that this litigation was unnecessary because supervisory authorities protected me and you. But they didn’t. So now, as Irish politics like to say in the middle of a crisis, we are where we are. But this is — hopefully — several nails in the coffin [of RTB’s use of personal data].”

The lawsuit has been filed in Germany as Ryan says they’ve been able to establish that IAB Tech Labs — which is NY-based and has no official establishment in Europe — has representation (a consultancy it hired) that’s based in the country. Hence they believe there is a clear route to litigate the case at the Landgerichte, Hamburg.

While Ryan has been indefatigably sounding the alarm about RTB for years he’s prepared to clock up more mileage going direct through the courts to see the matter through.

And to keep hammering home his message to the adtech industry that it must clean up its act and that recent attempts to maintain the privacy-hostile status quo — by trying to rebrand and repackage the same old data shuffle under shiny new claims of ‘privacy’ and ‘responsibility’ — simply won’t wash. So the message is really: Reform or die.

“This may very well end up at the ECJ [European Court of Justice]. And that would take a few years but long before this ends up at the ECJ I think it’ll be clear to the industry now that it’s time to reform,” he adds.

IAB Tech Labs has been contacted for comment on the ICCL’s lawsuit.

Ryan is by no means the only person sounding the alarm over adtech. Last year the European Parliament called for tighter controls on behavioral ads to be baked into reforms of the region’s digital rules — calling for regulation to favor less intrusive, contextual forms of advertising which do not rely on mass surveillance of Internet users.

While even Google has said it wants to deprecate support for tracking cookies in favor of a new stack of technology proposals that it dubs ‘Privacy Sandbox’ (although its proposed alternative — targeting groups of Internet users based on interests derived from tracking their browsing habits — has been criticized as potentially amplifying problems of predatory and exploitative ad targeting, so may not represent a truly clean break with the rights-hostile adtech status quo).

The IAB is also facing another major privacy law challenge in Europe — where complaints against a widely used framework it designed for websites to obtain Internet users’ consent to being tracked for ads online led to scrutiny by Belgium’s data protection agency.

Last year its investigatory division found that the IAB Europe’s Transparency and Consent Framework (TCF) fails to meet the required standards of data protection under the GDPR.

The case went in front of the litigation chamber last week. A verdict — and any enforcement action by the Belgian DPA over the IAB Europe’s TCF — remains pending.


UK’s CMA opens market study into Apple, Google’s mobile “duopoly”

The UK’s competition watchdog will take a deep dive look into Apple and Google’s dominance of the mobile ecosystem, it said today — announcing a market study which will examine the pair’s respective smartphone platforms (iOS and Android); their app stores (App Store and Play Store); and web browsers (Safari and Chrome). 

The Competition and Markets Authority (CMA) is concerned that the mobile platform giants’ “effective duopoly” in those areas might be harming consumers, it added.

The study will be wide ranging, with the watchdog concerned about the nested gateways that are created as a result of the pair’s dominance of the mobile ecosystem — intermediating how consumers can access a variety of products, content and services (such as music, TV and video streaming; fitness tracking, shopping and banking, to cite some of the examples provided by the CMA).

“These products also include other technology and devices such as smart speakers, smart watches, home security and lighting (which mobiles can connect to and control),” it went on, adding that it’s looking into whether their dominance of these pipes is “stifling competition across a range of digital markets”, saying too that it’s “concerned this could lead to reduced innovation across the sector and consumers paying higher prices for devices and apps, or for other goods and services due to higher advertising prices”.

The CMA further confirmed the deep dive will examine “any effects” of the pair’s market power over other businesses — giving the example of app developers who rely on Apple or Google to market their products to customers via their smart devices.

The watchdog already has an open investigation into Apple’s App Store, following a number of antitrust complaints by developers.

It is investigating Google’s planned deprecation of third party tracking cookies too, after complaints by adtech companies and publishers that the move could harm competition. (And just last week the CMA said it was minded to accept a series of concessions offered by Google that would enable the regulator to stop it turning off support for cookies entirely if it believes the move will harm competition.)

The CMA said both those existing investigations are examining issues that fall within the scope of the new mobile ecosystem market study but that its work on the latter will be “much broader”.

It added that it will adopt a joined-up approach across all related cases — “to ensure the best outcomes for consumers and other businesses”.

It’s giving itself a full year to examine Gapple’s mobile ecosystems.

It is also soliciting feedback on any of the issues raised in its statement of scope — calling for responses by 26 July. The CMA added that it’s also keen to hear from app developers, via its questionnaire, by the same date.

Taking on tech giants

The watchdog has previously scrutinized the digital advertising market — and found plenty to be concerned about vis-a-vis Google’s dominance there.

That earlier market study has been feeding the UK government’s plan to reform competition rules to take account of the market-deforming power of digital giants. And the CMA suggested the new market study, examining ‘Gapple’s’ mobile muscle, could similarly help shape UK-wide competition law reforms.

Last year the UK announced its plan to set up a “pro-competition” regime for regulating Internet platforms — including by establishing a dedicated Digital Markets Unit within the CMA (which got going earlier this year).

The legislation for the reform has not yet been put before parliament but the government has said it wants the competition regulator to be able to “proactively shape platforms’ behavior” to avoid harmful behavior before it happens — saying too that it supports enabling ex ante interventions once a platform has been identified to have so-called “strategic market status”.

Germany already adopted similar reforms to its competition law (early this year), which enable proactive interventions to tackle large digital platforms with what is described as “paramount significance for competition across markets”. And its Federal Cartel Office has, in recent months, wasted no time in opening a number of proceedings to determine whether Amazon, Google and Facebook have such a status.

The CMA also sounds keen to get going to tackle Internet gatekeepers.

Commenting in a statement, CEO Andrea Coscelli said:

“Apple and Google control the major gateways through which people download apps or browse the web on their mobiles – whether they want to shop, play games, stream music or watch TV. We’re looking into whether this could be creating problems for consumers and the businesses that want to reach people through their phones.

“Our ongoing work into big tech has already uncovered some worrying trends and we know consumers and businesses could be harmed if they go unchecked. That’s why we’re pressing on with launching this study now, while we are setting up the new Digital Markets Unit, so we can hit the ground running by using the results of this work to shape future plans.”

The European Union also unveiled its own proposals for clipping the wings of big tech last year — presenting its Digital Markets Act plan in December which will apply a single set of operational rules to so-called “gatekeeper” platforms operating across the EU.

The clear trend in Europe on digital competition is toward increasing oversight and regulation of the largest platforms — in the hopes that antitrust authorities can impose measures that will help smaller players thrive.

Critics might say that’s just playing into the tech giants’ hands, though — because it’s fiddling around the edges when more radical intervention (break ups) are what’s really needed to reboot captured markets.

Apple and Google were contacted for comment on the CMA’s market study.

A Google spokesperson said: “Android provides people with more choice than any other mobile platform in deciding which apps they use, and enables thousands of developers and manufacturers to build successful businesses. We welcome the CMA’s efforts to understand the details and differences between platforms before designing new rules.”

According to Google, the Android App Economy generated £2.8BN in revenue for UK developers last year, which it claims supported 240,000 jobs across the country — citing a Public First report that it commissioned.

The tech giant also pointed to operational changes it has already made in Europe, following antitrust interventions by the European Commission — such as adding a choice screen to Android where users can pick from a list of alternative search engines.

Earlier this month it agreed to shift the format underlying that choice screen from an unpopular auction model to free participation.


CJEU ruling could open big tech to more privacy litigation in Europe

A long running privacy fight between Belgium’s data protection authority and Facebook — over the latter’s use of online trackers like pixels and social plug-ins to snoop on web users — has culminated in a ruling by Europe’s top court today that could have wider significance on how cross-border cases against tech giants are enforced in the region.

The Court of Justice of the European Union has affirmed that, in certain circumstances, national DPAs can pursue action even when they are not the lead data supervisor under the General Data Protection Regulation (GDPR)’s one-stop-shop mechanism (OSS) — opening up the possibility of litigation by watchdogs in Member States which aren’t the lead regulator for a particular company but where the local agency believes there is an urgent need to act.

The OSS was included in the GDPR with the idea of simplifying enforcement for businesses operating in more than one EU market — which would only need to deal directly with one ‘lead’ data protection authority. However the mechanism has been criticized for contributing to a bottleneck effect whereby multiple GDPR complaints are stacking up on the desks of a couple of DPAs (most notably Ireland and Luxembourg) — EU Member States which attract large numbers of multinationals (typically for tax reasons, such as Ireland’s 12.5% corporate tax rate).

Enforcement of the EU’s flagship data protection regime against tech giants has thus been hampered by a perception of ‘forum shopping’ — whereby a handful of EU DPAs have a disproportionately large number of major, cross-border cases to deal with vs the (inevitably limited) resources provided for them by their national governments. The resulting bottleneck looks convenient for those companies that face delayed GDPR enforcement.

Some EU DPAs are also considered more active in enforcement of the bloc’s privacy rules than others — and it’s fair to say that Ireland is not among them. (Albeit, it defends the pace of its investigations and enforcement record by saying that it must do due diligence to ensure decisions stand up to any legal challenges.)

Indeed, Ireland has been criticized for (among other things) the length of time it’s taken to investigate GDPR complaints; for procedural issues (how it’s gone about investigating or indeed not investigating complaints); and for its enforcement record against tech giants — which to date is limited to just one $550k penalty against Twitter issued at the end of last year.

The Irish Data Protection Commission (DPC) had originally wanted to give Twitter an even lower fine but other EU DPAs disputed its draft decision — forcing it to increase the penalty slightly.

As it stands, scores of cases remain open on the DPC’s desk, including major complaints against Facebook and Google — which are now over three years old.

This has led to calls for the Commission to step in and take action over Ireland’s perceived inaction. Although, for now, the EU’s executive has limited its intervention to a few words urging Ireland to, essentially, hurry up and get on with the job.

Today’s CJEU ruling may alleviate a little of the blockage around GDPR enforcement — in some narrow situations — by enabling national DPAs to take up the baton to litigate over users’ rights when a lead agency isn’t acting on complaints.

However the ruling does not look set to completely unblock the OSS mechanism, per Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo who has been following the case closely — and whose work was cited by the CJEU’s advocate general in an earlier opinion on the case.

“The Court has essentially confirmed the views that the Advocate General had expressed in his opinion: Under the GDPR’s one-stop-shop system, those data protection authorities that are not the ‘lead authority’ may start enforcement actions against big tech companies only in very limited circumstances, including in case of urgency,” he told TechCrunch.

“However, unfortunately, the Court’s ruling does not elaborate on the criteria to be followed to assess the urgency of an enforcement action. In particular, the Court has not expressly seconded the advocate general’s view that a failure to act promptly from the part of the lead authority may justify the adoption of interim urgent measures by other data protection authorities. Thus, this important point remains partially unclear, and further litigation might be necessary to clarify this issue.

“Therefore, today’s ruling is unlikely to completely settle the ‘Irish issue’.”

Article 56 of the GDPR allows for non-lead DPAs to pursue action at a national level in the case of complaints that relate to an issue that substantially affects only users under their jurisdiction, and where they believe there is a need to act urgently (as a lead authority has not). So it does seem fairly narrow.

One recent example of a non-lead DPA intervention is the Italian DPA’s emergency action against TikTok — related to child safety on the platform after the death of a local girl who had been reported to have participated in a challenge on the platform.

“An authority’s wish to adopt a ‘go-it-alone’ approach… with regard to the (judicial) enforcement of the GDPR, without cooperating with the other authorities, cannot be reconciled with either the letter or the spirit of that regulation,” runs one paragraph of today’s judgement, underlining the court’s view that the GDPR requires careful and balanced joint-working between DPAs.

The ruling does go into some detailed discussion of the “dangers” of under-enforcement of the GDPR — as the concern was raised with the CJEU — but the court takes the view that it’s too soon to say whether such a concern affects the regulation or not.

“If, however, [under-enforcement were to] be evidenced by facts and robust arguments – then I do not believe that the Court would turn a blind eye to any gap which might thereby emerge in the protection of fundamental rights guaranteed by the Charter and their effective enforcement by the competent regulators,” the CJEU goes on. “Whether that would then still be an issue for a Charter-conform interpretation of provisions of secondary law, or an issue of validity of the relevant provisions, or even sections of a secondary law instrument, is a question for another case.”

The ruling, while narrow, may at least unblock the Belgian DPA’s long-running litigation against Facebook’s tracking of non-users via cookies and social plug-ins which was the route for the referral of questions over the scope of the OSS to the CJEU.

Although the court also notes that it will be for a Belgian court to determine whether the DPA’s intervention meets the GDPR’s bar for starting such proceedings or not.

Contacted for comment on the CJEU judgement, Facebook welcomed the ruling.

“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” said Jack Gilbert, associate general counsel at Facebook in a statement.


U.S. and E.U. Agree to Suspend Feud Over Aid for Airbus and Boeing

The agreement, coming as President Biden prepares to meet European leaders, ends a 17-year dispute over aircraft subsidies.


Boris Johnson’s ‘Global Britain’ Makes Shaky Start at G7 Summit

The prime minister’s plan to introduce his vision of a nimble, trade-savvy U.K. was upended by a spat over Northern Ireland.


Europe needs to back browser-level controls to fix cookie consent nightmares, says privacy group

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless ‘your data choices’ pop-ups.

Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

The approach would offer a route to circumvent the user experience nightmare flowing from all the dark pattern design that’s made cookie consent collection so cynical, confusing and tedious — by simply automating the yeses and noes, thereby keeping interruptions to a user-defined minimum.

In the European Union cookie consent banners mushroomed in the wake of a 2018 update to the bloc’s privacy rules (GDPR) — especially on websites that rely on targeted advertising to generate revenue. And in recent years it has not been unusual to find cookie pop-ups that contain a labyrinthine hell of opacity — culminating (if you don’t just click ‘agree’) in vast menus of ‘trusted partners’ all after your data. Some of which are pre-set to share information and require the user to individually toggle each and every one off.

Such stuff is a mockery of compliance, rather than the truly simple choice envisaged by the law. So noyb’s earlier campaign is focused on filing scores of complaints against sites it believes aren’t complying with requirements to provide users with a clear and free choice to say no to their data being used for ads (and it’s applying a little automation tech there too to help scale up the number of complaints it can file).

Its follow-up here — showing how an advanced control layer that signals user choices in the background could work — shares the same basic approach as the ‘Do Not Track’ proposals originally proposed for baking into web browsers all the way back in 2009 but which failed to get industry buy-in. There has also been a more recent US-based push to revive the idea of browser-level privacy control — buoyed by the California Consumer Privacy Act (CCPA), which took effect at the start of last year, and includes a requirement that businesses respect user opt-out preferences via a signal from their browser.

However noyb’s version of browser-level privacy control seeks to go further by enabling more granular controls — which it says is necessary to better mesh with the EU’s nuanced legal framework around data protection.

It points out that Article 21(5) of the GDPR already allows for automatic signals from the browser to inform websites in the background whether a user is consenting to data processing or not.

The ePrivacy Regulation proposal, a much delayed reform of the bloc’s rules around electronic privacy, has also included such a provision.

However noyb says development to establish such a signal hasn’t happened yet — suggesting that cynically manipulative consent management platforms may well have been hampering privacy-focused innovation.

But it also sees a chance for the necessary momentum to build behind the idea.

For example, it points to how Apple has recently been dialling up the notification and control it offers users of its mobile platform, iOS, to allow people to both know which third party apps want to track them and allow or deny access to their data — including giving users a super simple ‘deny all third party tracking’ option baked into iOS’ settings.

So, well, why should Internet users who happen to be browsing on a desktop device not have a set of similarly advanced privacy controls too?

EU lawmakers are also still debating the ePrivacy Regulation reform — which deals centrally with cookies — so the campaign group wants to demonstrate how automated control tech could be a key piece of the answer to so-called ‘cookie consent fatigue’; by giving users a modern toolset to shrink consent friction without compromising their ability to control what happens with their data.

In order to work as intended automated signals would need to be legally binding (to prevent adtech companies just ignoring them) — and having a clear legal basis set out in the ePrivacy Regulation is one way that could happen within fairly short order.

The chance at least is there.

There have been concerns that the ePrivacy reform — which was stalled for years — could end up weakening the EU’s data protection framework in the face of massive adtech industry lobbying. And the negotiation process to reach a final text remains ongoing. So it’s still not clear where it’s going to end up.

But, earlier this year, the European Council agreed its negotiating mandate with the other EU institutions. And, on cookies, the Council said they want companies to find ways to reduce ‘cookie consent fatigue’ among users — such as by whitelisting types of cookies/providers in their browser settings. So there is at least a potential path to legislate for an effective browser-level control layer in Europe.

For now, noyb has published a prototype and a technology specification for what it’s calling the ADPC (aka Advanced Data Protection Control). The work on the framework has been carried out by noyb working with the Sustainable Computing Lab at the Vienna University of Economics and Business.

The proposal envisages web pages sending privacy requests in a machine-readable way and the ADPC allowing the response to be transmitted using header signals or via JavaScript. noyb likens the intelligent management of queries and automatic responses such a system could support to an email spam filter.

Commenting in a statement, chairman Max Schrems said: “For Europe, we need more than just an ‘opt-out’ so that it fits into our legal framework. That’s why we call the prototype ‘Advanced’ Data Protection Control, because it’s much more flexible and specific than previous approaches.

“ADPC allows intelligent management of privacy requests. A user could say, for example, ‘please ask me only after I’ve been to the site several times’ or ‘ask me again after 3 months.’ It is also possible to answer similar requests centrally. ADPC thus allows the flood of data requests to be managed in a meaningful way.”

“With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides,” he added. “We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well.”

The Commission has been contacted for comment on noyb’s ADPC.

While there are wider industry shifts afoot to deprecate tracking cookies altogether — with Google proposing to replace current adtech infrastructure supported by Chrome with an alternative stack of (it claims) more privacy respecting alternatives (aka its Privacy Sandbox) — there’s still plenty of uncertainty over what will ultimately happen to third party cookies.

Google’s move to end support for tracking cookies is being closely scrutinized by regional antitrust regulators. And just last week the UK’s Competition and Markets Authority (CMA), which is investigating a number of complaints about the plan, said it’s minded to accept concessions from Google that would mean the regulator could order it not to switch off tracking cookies.

Moreover, even if tracking cookies do finally crumble there is still the question of what exactly they get replaced with — and how alternative adtech infrastructure could impact user privacy?

Google’s so-called ‘Privacy Sandbox’ proposal to target ads at cohorts of users (based on bucketed ‘interests’ its technology will assign them via on-device analysis of their browsing habits) has raised fresh concerns about the risks of exploitative and predatory advertising. So it may be no less important for users to have meaningful browser-level controls over their privacy choices in the future — even if the tracking cookie itself goes away.

A browser-level signal could offer a way for a web user to say ‘no’ to being stuck in an ‘interest bucket’ for ad targeting purposes, for example — signalling that they prefer to see only contextual ads instead, say.

tl;dr: The issue of consent does not only affect cookies — and it’s telling that Google has avoided running the first trials of its replacement tech for tracking cookies (FLoCs, or federated learning of cohorts) in Europe.

 


Angela Merkel Makes a Low-Key Farewell at the G7 Summit

The German chancellor, known for her commitment to compromise, is eager to revive deal-making on multilateral policy, joining the world’s top democratic leaders one last time. Can she be replaced?


Europe’s Summer of Recovery Is More Fragile Than It Looks

An anticipated surge of tourism in Portugal is suddenly not at all certain — a symbol of the global economy’s continued struggle with pandemic uncertainty.


America May Be ‘Back’ in Europe, but How Much Has Really Changed?

Despite the feel-good imagery expected to be on display at the Group of 7 meeting, many Europeans suspect that President Biden is little more interested in give-and-take than was his predecessor.


Eighty Years Later, Biden and Johnson Revise the Atlantic Charter for a New Era

The original was the work of Churchill and Roosevelt at the dawn of World War II. The new version pledges cooperation against 21st century global challenges and rivalries.


Voice AIs are raising competition concerns, EU finds

The European Union has been digging into the competition implications of AI-powered voice assistants and other Internet of Things (IoT) connected technologies for almost a year. Today it’s put out a first report discussing potential concerns that EU lawmakers say will help inform their wider digital policymaking in the coming years.

A major piece of EU legislation introduced at the back of last year is already set to apply ex ante regulations to so-called ‘gatekeeper’ platforms operating in the region, with a list of business practice ‘dos and don’ts’ for powerful, intermediating platforms being baked into the forthcoming pan-EU Digital Services Act.

But of course applications of technology don’t stand still. The bloc’s competition chief, Margrethe Vestager, has also had her eye on voice assistant AI technologies for a while — raising concerns about the challenges being posed for user choice as far back as 2019, when she said her department was “trying to figure out how access to data will change the marketplace”.

The Commission took a concrete step last July when it announced a sectoral inquiry to examine IoT competition concerns in detail.

It’s now published a preliminary report, based on polling more than 200 companies operating in consumer IoT product and services markets (in Europe, Asia and the US) — and is soliciting further feedback on the findings (until September 1) ahead of a final report due in the first half of next year.

Among the main areas of potential competition concern it found are: Exclusivity and tying practices in relation to voice assistants and practices that limit the possibility to use different voice assistants on the same smart device; the intermediating role of voice assistants and mobile OSes between users and the wider device and services market — with the concern being this allows the owners of the platform voice AI to control user relationships, potentially impacting the discoverability and visibility of rival IoT services.

Another concern is around (unequal) access to data. Survey participants suggested that platform and voice assistant operators gain extensive access to user data — including capturing information on user interactions with third-party smart devices and consumer IoT services as a result of the intermediating voice AI.

“The respondents to the sector inquiry consider that this access to and accumulation of large amounts of data would not only give voice assistant providers advantages in relation to the improvement and market position of their general-purpose voice assistants, but also allow them to leverage more easily into adjacent markets,” the Commission writes in a press release.

A similar concern underlies an ongoing EU antitrust investigation into Amazon’s use of third party merchants’ data which it obtains via its ecommerce marketplace (and which the Commission believes could be illegally distorting competition in online retail markets).

Lack of interoperability in the consumer IoT sector is another concern flagged in the report. “In particular, a few providers of voice assistants and operating systems are said to unilaterally control interoperability and integration processes and to be capable of limiting functionalities of third-party smart devices and consumer IoT services, compared to their own,” it says.

There’s nothing very surprising in the above list. But it’s noteworthy that the Commission is trying to get a handle on competitive risks — and start mulling potential remedies — at a point when the adoption of voice assistant AIs is still at a relatively early stage in the region.

In its press release, the Commission notes that usage of voice assistant tech is growing worldwide and expected to double between 2020 and 2024 (from 4.2BN voice AIs to 8.4BN) — although only 11% of EU citizens surveyed last year had already used a voice assistant, per cited Eurostat data.

EU lawmakers have certainly learned lessons from the recent failure of competition policy to keep up with digital developments and rein in a first wave of tech giants. And those giants of course continue to dominate the market for voice AIs now (Amazon with Alexa, Google with its eponymous Assistant and Apple’s Siri). So the risks for competition are crystal clear — and the Commission will be keen to avoid repeating the mistakes of the past.

Still, quite how policymakers could look to tackle competitive lock-in around voice AIs — whose USP tends to be their lazy-web, push-button and branded convenience for users — remains to be seen.

One option, enforcing interoperability, could increase complexity in a way that’s negative for usability — and may raise other concerns, such as around the privacy of user data.

Although giving users themselves more say and control over how the consumer tech they own works can certainly be a good idea, at least provided the platform’s presentation of choices isn’t itself manipulative and exploitative.

There are certainly plenty of pitfalls where IoT and competition is concerned — but also potential opportunities for startups and smaller players if proactive regulatory action can ensure that dominant platforms don’t get to set all the defaults once again.

Commenting in a statement, Vestager said: “When we launched this sector inquiry, we were concerned that there might be a risk of gatekeepers emerging in this sector. We were worried that they could use their power to harm competition, to the detriment of developing businesses and consumers. From the first results published today, it appears that many in the sector share our concerns. And fair competition is needed to make the most of the great potential of the Internet of Things for consumers in their daily lives. This analysis will feed into our future enforcement and regulatory action, so we look forward to receiving further feedback from all interested stakeholders in the coming months.”

The full sectoral report can be found here.

 


A U.N. Declaration on Ending AIDS Should Have Been Easy. It Wasn’t.

Even with U.N.’s previous goals unmet, delegates tried to water down provisions regarding protections for vulnerable populations and patents for essential drugs.


Google ditches pay-to-play Android search choice auction for free version after EU pressure

Google is ditching a massively unpopular auction format that underpins a choice screen it offers in the European Union, it said today. Eligible search providers will be able to freely participate.

The auction model was Google’s ‘remedy’ of choice — following the 2018 EU $5BN antitrust enforcement against Android — but rivals have always maintained it’s anything but fair, as we’ve reported previously (here, here, here, for eg).

The Android choice screen presents users in the region with a selection of search engines to choose as a default at the point of device set up (or factory reset). The offered choices depend on sealed bids made by search engine companies bidding to pay Google to win one of three available slots.

Google’s own search engine is a staple ‘choice’ on the screen regardless of EU market.

The pay-to-play model Google devised is not only loudly hated by smaller search engine players (including those with alternative business models, such as the Ecosia tree-planting search engine), but it has been entirely ineffectual at restoring competitive balance in search marketshare so it’s not surprising Google has been forced to ditch it.

The Commission had signalled a change might be coming, with Bloomberg reporting in May remarks by the EU’s competition chief, Margrethe Vestager, that it was “actively working on making” Google’s Android choice screen for search and browser rivals work. So it evidently heard the repeated cries of ‘foul’ and ‘it’s not working, yo!’. And — finally — it acted.

However, framing its own narrative, Google writes that it’s been in “constructive discussions” with EU lawmakers for years about “how to promote even more choice on Android devices, while ensuring that we can continue to invest in, and provide, the Android platform for free for the long term”, as it puts it.

It also seems to be trying to throw some shade/blame back at the EU — writing that it only introduced what it calls a “promotional opportunity” (lol) “in consultation with the Commission”. (Ergo, ‘don’t blame us gov, blame them!’)

In another detail-light paragraph of its blog, Google says it’s now making “some final changes” — including making participation free for “eligible search providers” — after what it describes as “further feedback from the Commission”.

“We will also be increasing the number of search providers shown on the screen. These changes will come into effect from September this year on Android devices,” it adds.

The planned changes raise new questions — such as what criteria it will be using to determine eligibility; and will Google’s criteria be transparent or, like the problematic auction, sealed from view? And how many search engines will be presented to users? More than the current four, that’s clear.

Where Google’s own search engine will appear in the list will also be very interesting to see, as well as the criteria for ranking all the options (marketshare? random allocation?).

Google’s blog is mealy mouthed on any/all such detail — but the Commission gave us a pretty good glimpse when we asked (see their comment below).

It still remains to be seen whether any other devilish dark pattern design details will appear when we see the full implementation.

But it’s worth noting that it’s not in Google’s gift to claim these changes are “final”. EU regulators are responsible for monitoring antitrust compliance — so if fresh complaints flow they will be duty bound to listen and react.

In one response to Google’s auction U-turn, pro-privacy search player DuckDuckGo was already critical — but more on the scope than the detail.

Founder Gabriel Weinberg pointed out that not only is the switch three years too late but Google should also be applying it across all platforms (desktop and Chrome too), as well as making it seamlessly easy for Android users to switch default, rather than gating the choice screen to set-up and/or factory reset (as we’ve reported before).

Another long-time critic of the auction model, tiny not-for-profit Ecosia, was jubilant that its fight against the search behemoth has finally paid off.

Commenting in a statement, CEO Christian Kroll said: “This is a real life David versus Goliath story — and David has won. This is a momentous day, and a real moment of celebration for Ecosia. We’ve campaigned for fairness in the search engine market for several years, and with this, we have something that resembles a level playing field in the market. Search providers now have a chance to compete more fairly in the Android market, based on the appeal of their product, rather than being shut out by monopolistic behaviour.”

The Commission, meanwhile, confirmed to TechCrunch that it acted after a number of competitors raised concerns over the auction model — with a spokeswoman saying it had “discussed with Google means to improve that choice screen to address those concerns”.

“We welcome the changes introduced by Google to the choice screen. Being included on the choice screen will now be free for rival search providers,” she went on. “In addition, more search providers will be included in the choice screen. Therefore, users will have even more opportunities to choose an alternative.”

The Commission also offered a little more detail of how the choice screen will look come fall, saying that “on almost all devices, five search providers will be immediately visible”.

“They will be selected based on their market share in the user’s country and displayed in a randomised order which ensures that Google will not always be the first. Users will be able to scroll down to see up to seven more search providers, bringing the total search providers displayed in the choice screen to 12.”

“These are positive developments for the implementation of the remedy following our Android decision,” the spokeswoman added.

So it will certainly be very interesting indeed to see whether this Commission-reconfigured much bigger and more open choice screen helps move the regional needle on Google’s search engine market share.

Interesting times indeed!


Croatia’s Gideon Brothers raises $31M for its 3D vision-enabled autonomous warehouse robots

Proving that Central and Eastern Europe remains a powerhouse of hardware engineering matched with software, Gideon Brothers (GB), a Zagreb, Croatia-based robotics and AI startup, has raised a $31 million Series A round led by Koch Disruptive Technologies (KDT), the venture and growth arm of Koch Industries Inc., with participation from DB Schenker, Prologis Ventures, and Rite-Hite.

The round also includes participation from several of Gideon Brothers’ existing backers: Taavet Hinrikus (co-founder of TransferWise), Pentland Ventures, Peaksjah, HCVC (Hardware Club), Ivan Topčić, Nenad Bakić, and Luca Ascani.

The investment will be used to accelerate the development and commercialization of GB’s AI and 3D vision-based ‘autonomous mobile robots’ or ‘AMRs’. These perform simple tasks such as transporting, picking up, and dropping off products in order to free up humans to perform more valuable tasks.

The company will also expand its operations in the EU and US by opening offices in Munich, Germany and Boston, Massachusetts, respectively.

Gideon Brothers founders


Gideon Brothers make robots and the accompanying software platform that specializes in horizontal and vertical handling processes for logistics, warehousing, manufacturing, and retail businesses. For obvious reasons, the need to roboticize supply chains has exploded during the pandemic.

Matija Kopić, CEO of Gideon Brothers, said: “The pandemic has greatly accelerated the adoption of smart automation, and we are ready to meet the unprecedented market demand. The best way to do it is by marrying our proprietary solutions with the largest, most demanding customers out there. Our strategic partners have real challenges that our robots are already solving, and, with us, they’re seizing the incredible opportunity right now to effect robotic-powered change to some of the world’s most innovative organizations.”

He added: “Partnering with these forward-thinking industry leaders will help us expand our global footprint, but we will always stay true to our Croatian roots. That is our superpower. The Croatian start-up scene is growing exponentially and we want to unlock further opportunities for our country to become a robotics & AI powerhouse.”

Annant Patel, Director at Koch Disruptive Technologies said: “With more than 300 Koch operations and production units globally, KDT recognizes the unique capabilities of and potential for Gideon Brothers’ technology to substantially transform how businesses can approach warehouse and manufacturing processes through cutting edge AI and 3D AMR technology.”

Xavier Garijo, Member of the Board of Management for Contract Logistics, DB Schenker added: “Our partnership with Gideon Brothers secures our access to best in class robotics and intelligent material handling solutions to serve our customers in the most efficient way.”

GB’s competitors include Seegrid, Teradyne (MiR), Vecna Robotics, Fetch Robotics, AutoGuide Mobile Robots, Geek+ and Otto Motors.