Facebook warned over ‘very small’ indicator LED on smart glasses, as EU DPAs flag privacy concerns

Facebook’s lead privacy regulator in Europe has raised concerns about a pair of ‘smart’ Ray-Ban sunglasses the tech giant is now selling. The glasses include a face-mounted camera which can be used to take pictures and short videos with a verbal cue.

Ireland’s Data Protection Commission (DPC) said Friday that it’s asked the tech giant to demonstrate that an LED indicator light also mounted on the specs — which lights up when the user is taking a video — is an effective way of putting other people on notice that they are being recorded by the wearer.

Italy’s privacy watchdog, the Garante, already raised concerns about Facebook’s smart glasses — but Ireland has an outsized role as a regulator for the tech giant owing to where the company’s regional base is located.

Facebook announced what it couched as the “next step” on the road to making a pair of augmented reality ‘smart’ glasses a full year ago — saying initial specs would not include any AR but announcing a multi-year partnership with luxury eyewear giant Luxottica, as it seemingly planned for a pipeline of increasingly feature-loaded ‘smart’ eyewear.

The first Facebook Ray-Ban-branded specs went on sale earlier this month — looking mostly like a standard pair of sunglasses but containing two 5 MP cameras mounted on the front that enable the user to take video of whatever they’re looking at and upload it to a new Facebook app called View. (The sunglasses also contain in-frame speakers so the user can listen to music and take phone calls.)

The specs also include a front mounted LED light which is supposed to switch on to indicate when a video is being recorded. However European regulators are concerned that what the DPC describes as a “very small” indicator is an inadequate mechanism for alerting people to the risk they are being recorded.

Facebook has not demonstrated it conducted comprehensive field testing of the device with a view to assessing the privacy risk it may pose, it added.

“While it is accepted that many devices including smart phones can record third party individuals, it is generally the case that the camera or the phone is visible as the device by which recording is happening, thereby putting those captured in the recordings on notice. With the glasses, there is a very small indicator light that comes on when recording is occurring. It has not been demonstrated to the DPC and Garante that comprehensive testing in the field was done by Facebook or Ray-Ban to ensure the indicator LED light is an effective means of giving notice,” the DPC wrote.

Facebook’s lead EU data protection regulator goes on to say it is calling on the tech giant to “confirm and demonstrate that the LED indicator light is effective for its purpose and to run an information campaign to alert the public as to how this new consumer product may give rise to less obvious recording of their images”.

Facebook has been contacted with questions.

It is not clear whether Facebook engaged with any EU privacy regulators during the design of the smart glasses.

Nor whether or when they might launch in Europe.

The specs went on sale in the US earlier this month — costing $299. The price to Americans’ privacy is tbc.

Over the years, Facebook has delayed (or even halted) some of its product launches in Europe following regulatory concerns — including a facial tagging feature (which it later reintroduced in another form).

The launch of Facebook’s dating service in Europe was also delayed for more than nine months — and arrived with some claimed changes after an intervention by the DPC.

There are also ongoing limits on how the Facebook-owned messaging platform WhatsApp can share data with Facebook itself in Europe, again owing to regulatory push back. Although plenty of data does still flow from WhatsApp to Facebook in the EU and — zooming out — scores of privacy complaints against the tech giant remain under investigation in the region, meaning these issues are undecided and unenforced.

Earlier this month Ireland’s DPC did announce its first decision against a Facebook company (under the EU’s GDPR) — hitting WhatsApp with a $267 penalty related to transparency failures. However the DPC has multiple unresolved complaints against Facebook or Facebook-owned businesses still on its desk.

In January the Irish regulator also agreed to “swiftly” resolve a (pre-GDPR) 2013 complaint against Facebook’s data transfers out of the EU to the US. That decision is still pending too.


Black Irish, Mariah Carey’s New Liquor, Can’t Be Sold in Ireland

A trademark dispute with an Irish company has prevented the singer’s new line of Irish cream liqueur from reaching customers in Ireland or the rest of the European Union.


Facebook revamps its business tool lineup following threats to its ad targeting business

Facebook today is announcing the launch of new products and features for business owners, following the threat to its ad targeting business driven by Apple’s new privacy features, which now allow mobile users to opt out of being tracked across their iOS apps. The social networking giant has repeatedly argued that Apple’s changes would impact small businesses that relied on Facebook ads to reach their customers. But it was not successful in getting any of Apple’s changes halted. Instead, the market is shifting to a new era focused more on user privacy, where personalization and targeting are more of an opt-in experience. That’s required Facebook to address its business advertiser base in new ways.

As the ability to track consumers declines — very few consumers are opting into tracking, studies find — Facebook is rolling out new features that will allow businesses to better position themselves in front of relevant audiences. This includes updates that will let them reach customers, advertise to customers, chat with customers across Facebook apps, generate leads, acquire customers and more.

The company earlier this year began testing a way for customers to explore businesses from underneath News Feed posts by tapping on topics they were interested in — like beauty, fitness, and clothing — and exploring content from other related businesses. The feature allows people to come across new businesses that they may also like, and would allow Facebook to create its own data set of users who like certain types of content. Over time, it could possibly even turn the feature into an ad unit, where businesses could pay for higher placement.

But for the time being, Facebook will expand this feature to more users across the U.S., and launch it in Australia, Canada, Ireland, Malaysia, New Zealand, Philippines, Singapore, South Africa, and the U.K.


Facebook is also making it easier for businesses to chat with customers. They’re already able to buy ads that encourage people to message them on Facebook’s various chat platforms — Messenger, Instagram Direct, or WhatsApp. Now, they’ll be able to choose all the messaging platforms where they’re available, and Facebook will default the chat app showcased in the ad based on where the conversation is most likely to happen.


The company will tie WhatsApp to Instagram, as well, as part of this effort. Facebook explains that many businesses market themselves or run shops across Instagram, but rely on WhatsApp to communicate with customers and answer questions. So, Facebook will now allow businesses to add a WhatsApp click-to-chat button to their Instagram profiles.

This change, in particular, represents another move that ties Facebook’s separate apps more closely together, at a time when regulators are considering breaking up Facebook over antitrust concerns. Already, Facebook interconnected Facebook’s Messenger and Instagram messaging services, which would make such a disassembly more complicated. And more recently, it’s begun integrating Messenger directly into Facebook’s platform itself.


In a related change, soon businesses will be able to create ads that send users directly to WhatsApp from the Instagram app. (Facebook also already offers ads like this.)

Separately from this news, Facebook announced the launch of a new business directory on WhatsApp, allowing consumers to find shops and services on the chat platform, as well.

Another set of changes being introduced involves an update to Facebook Business Suite. Businesses will be able to manage emails through Inbox and send remarketing emails; use a new File Manager for creating, managing, and posting content; and access a feature that will allow businesses to test different versions of a post to see which one is most effective.


Other new products include tests of paid and organic lead generation tools on Instagram; quote requests on Messenger, where customers answer a few questions prior to their conversations; and a way for small businesses to access a bundle of tools to get started with Facebook ads, which includes a Facebook ad coupon along with free access to QuickBooks for 3 months or free access to Canva Pro for 3 months.


Facebook will also begin testing something called “Work Accounts,” which will allow business owners to access their business products, like Business Manager, separately from their personal Facebook account. They’ll be able to manage these accounts on behalf of employees and use single-sign-on integrations.

Work Accounts will be tested through the remainder of the year with a small group of businesses, and Facebook says it expects to expand availability in 2022.

Other efforts it has in store include plans to incorporate more content from creators and local businesses and new features that let users control the content they see, but these changes were not detailed at this time.

Most of the products being announced are either rolling out today or will begin to show up soon.


Ireland probes TikTok’s handling of kids’ data and transfers to China

Ireland’s Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its pile: The regulator said yesterday it has opened two investigations into video sharing platform TikTok.

The first covers how TikTok handles children’s data, and whether it complies with Europe’s General Data Protection Regulation.

The DPC also said it will examine TikTok’s transfers of personal data to China, where its parent entity is based — looking to see if the company meets requirements set out in the regulation covering personal data transfers to third countries.

TikTok was contacted for comment on the DPC’s investigation.

A spokesperson told us:

“The privacy and safety of the TikTok community, particularly our youngest members, is a top priority. We’ve implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clauses. We intend to fully cooperate with the DPC.”

The Irish regulator’s announcement of two “own volition” enquiries follows pressure from other EU data protection authorities and consumer protection groups which have raised concerns about how TikTok handles user data generally and children’s information specifically.

In Italy this January, TikTok was ordered to recheck the age of every user in the country after the data protection watchdog instigated an emergency procedure, using GDPR powers, following child safety concerns.

TikTok went on to comply with the order — removing more than half a million accounts where it could not verify the users were not children.

This year European consumer protection groups have also raised a number of child safety and privacy concerns about the platform. And, in May, EU lawmakers said they would review the company’s terms of service.

On children’s data, the GDPR sets limits on how kids’ information can be processed, putting an age cap on the ability of children to consent to their data being used. The age limit varies per EU Member State but there’s a hard cap for kids’ ability to consent at 13 years old (some EU countries set the age limit at 16).

In response to the announcement of the DPC’s enquiry, TikTok pointed to its use of age gating technology and other strategies it said it uses to detect and remove underage users from its platform.

It also flagged a number of recent changes it’s made around children’s accounts and data — such as flipping the default settings to make their accounts private by default and limiting their exposure to certain features that intentionally encourage interaction with other TikTok users if those users are over 16.

On international data transfers, meanwhile, it claims to use “approved methods”. However the picture is rather more complicated than TikTok’s statement implies. Transfers of Europeans’ data to China are complicated by there being no EU data adequacy agreement in place with China.

In TikTok’s case, that means, for any personal data transfers to China to be lawful, it needs to have additional “appropriate safeguards” in place to protect the information to the required EU standard.

When there is no adequacy arrangement in place, data controllers can, potentially, rely on mechanisms like Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) — and TikTok’s statement notes it uses SCCs.

But — crucially — personal data transfers out of the EU to third countries have faced significant legal uncertainty and added scrutiny since a landmark ruling by the CJEU last year which invalidated a flagship data transfer arrangement between the US and the EU and made it clear that DPAs (such as Ireland’s DPC) have a duty to step in and suspend transfers if they suspect people’s data is flowing to a third country where it might be at risk.

So while the CJEU did not invalidate mechanisms like SCCs entirely they essentially said all international transfers to third countries must be assessed on a case-by-case basis and, where a DPA has concerns, it must step in and suspend those non-secure data flows.

The CJEU ruling means just the fact of using a mechanism like SCCs doesn’t mean anything on its own re: the legality of a particular data transfer. It also amps up the pressure on EU agencies like Ireland’s DPC to be pro-active about assessing risky data flows.

Final guidance put out by the European Data Protection Board, earlier this year, provides details on the so-called ‘special measures’ that a data controller may be able to apply in order to increase the level of protection around their specific transfer so the information can be legally taken to a third country.

But these steps can include technical measures like strong encryption — and it’s not clear how a social media company like TikTok would be able to apply such a fix, given how its platform and algorithms are continuously mining users’ data to customize the content they see and in order to keep them engaged with TikTok’s ad platform.

In another recent development, China has just passed its first data protection law.

But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s ongoing appropriation of personal data, through the application of sweeping digital surveillance laws, means it would be all but impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get EU adequacy it would be ‘interesting’ geopolitical optics, to put it politely, were the coveted status to be granted to China…)

One factor TikTok can take heart from is that it does likely have time on its side when it comes to the EU’s enforcement of its data protection rules.

The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.

It was only earlier this month that the Irish regulator finally issued its first decision against a Facebook-owned company — announcing a $267M fine against WhatsApp for breaching GDPR transparency rules (but only doing so years after the first complaints had been lodged).

The DPC’s first decision in a cross-border GDPR case pertaining to Big Tech came at the end of last year — when it fined Twitter $550k over a data breach dating back to 2018, the year GDPR technically began applying.

The Irish regulator still has scores of undecided cases on its desk — against tech giants including Apple and Facebook. That means that the new TikTok probes join the back of a much criticized bottleneck. And a decision on these probes isn’t likely for years.

On children’s data, TikTok may face swifter scrutiny elsewhere in Europe: The UK added some ‘gold-plating’ to its version of the EU GDPR in the area of children’s data — and, from this month, has said it expects platforms to meet its recommended standards.

It has warned that platforms that don’t fully engage with its Age Appropriate Design Code could face penalties under the UK’s GDPR. The UK’s code has been credited with encouraging a number of recent changes by social media platforms over how they handle kids’ data and accounts.


Sendoso nabs $100M as its corporate gifting platform passes 20,000 customers

Corporate gift services have come into their own during the Covid-19 pandemic by standing in as a proxy for other kinds of relationship building activities — office meetings, lunches, and hosting at events — that have traditionally been part and parcel of how people do business, but were no longer feasible during lockdowns, social distancing and offices closing their doors.

Now, Sendoso — a popular “end-to-end” gifting platform offering access to 30,000 products including corporate swag, regular physical gifts, gift cards and more; and then providing services like logistics, packing and sending to get those gifts to the recipients — is announcing $100 million of funding to capitalize on this shift, led by a big new investor.

New backer SoftBank, via its Vision Fund 2, is leading this latest Series C round of funding. Oak HC/FT, Struck Capital, Stage 2 Capital, Craft Ventures, Signia Venture Partners and Felicis Ventures — all previous investors — are also participating.

The company has been on a strong growth trajectory for years now, but it specifically saw a surge of activity as the pandemic kicked off. It now has more than 20,000 businesses signed up and using its services, particularly for sales and marketing outreach, but also to help shore up morale among employees.

“Everyone was stuck at home by themselves, saturated with emails,” said Kris Rudeegraap, the CEO of Sendoso, in an interview. “Having a personal connection to sales prospects, employees and others just meant more.” It has now racked up some 3 million gifts sent since launching in 2016.

Sendoso is not disclosing its valuation, but Rudeegraap hinted that it was four times higher than the startup’s Series B valuation from 2020. PitchBook estimates that to be $160 million, which would make the current valuation $640 million. The company has now raised over $150 million.

Rudeegraap said Sendoso will be using the funds in part to invest in a couple of areas. First, to hire more talent: it has 500 employees now and plans to grow that by 30% by the end of this year. And second, international expansion: it is setting up a European HQ in Dublin, Ireland to complement its main office in San Francisco.

Comcast, Kimpton Hotels, Thomson Reuters, Nasdaq and eBay are among its current customers — so this is in part to serve those customers’ global user bases, as well as to sign up new gifters. He estimated that the bigger market for corporate gifting is about $100 billion annually, so there is a lot to play for here.

The company was co-founded by Rudeegraap and Braydan Young (who is its chief alliances officer) on the back of a specific need Rudeegraap identified while working as a sales executive. Gifting is a very standard practice in the world of sales and marketing, but he was finding a lot of traction with potential and current customers by taking a personalized approach to this act.

“I was manually packing boxes, grabbing swag, coming up with handwritten notes,” he recalled. “It was inefficient, but it worked so well. So I dreamed up an idea: why not be able to click a button in Salesforce to do this automatically? Sometimes the best company is one that solves a pain point of your own.”

And this is essentially what Sendoso does. The startup’s platform integrates with a company’s existing marketing, sales and management software — Salesforce, HubSpot, SalesLoft among them — and then lets users use this to organize and order gifts through these channels, for example as part of larger sales, marketing or HR strategies. The gifts are wide-ranging, covering corporate swag, other physical presents, gift cards and more, and there are also integrations you can include to share gifting across teams of salespeople, to analyze the campaigns and more.

The Sendoso platform itself, meanwhile, positions itself as having the “marketplace selection and logistics precision of Amazon.com.” But Sendoso also believes it’s better than someone simply using Amazon.com itself since it ultimately takes a more personalized approach in how it presents the gift.

“There are a lot of things we do uniquely in terms of what we have built throughout our software, gifting options and logistics centre. We really personalize our gifts at scale with handwritten notes, special boxing, and more,” something that Amazon cannot do, he added. “We have built a lot of unique technology and logistics software that would make it hard for Amazon to compete.” He said that one of Sendoso’s integrations is actually with Amazon, so Sendoso users can order through there, but then the gift is first routed to Sendoso to be repackaged in a nicer way before being sent out.

At its heart, the startup has built a way of knitting together disparate work practices — some codified in software, and some based on human interactions and significantly more infused with randomness, emotion and ad hoc approaches — and built it all into a technology platform. The ability to scale what feels like an otherwise bespoke level of service is what has helped Sendoso gain traction not just with users, but investors, too:

“We believe Sendoso offers the most comprehensive end-to-end gifting platform in the market,” said Priya Saiprasad, a partner at SoftBank Investment Advisers. “Their platform includes a global marketplace of curated vendors, seamless integration with existing tools, global logistics, and deep analytics. As a result, Sendoso serves as the backbone to enterprises’ engagement programs with prospective customers, existing customers, employees and other key stakeholders. We’re excited to lead this Series C round to help Sendoso accelerate its vision.”


Billogram, provider of a payments platform specifically for recurring billing, raises $45M

Payments made a huge shift to digital platforms during the Covid-19 pandemic — purchasing moved online for many consumers and businesses; and a large proportion of those continuing to buy and sell in-person went cash-free. Today a startup that has been focusing on one specific aspect of payments — recurring billing — is announcing a round of funding to capitalize on that growth with expansion of its own. Billogram, which has built a platform for third parties to build and handle any kind of recurring payments (not one-off purchases), has closed a round of $45 million.

The funding is coming from a single investor, Partech, and will be used to help the Stockholm-based startup expand from its current base in Sweden to six more markets, Jonas Suijkerbuijk, Billogram’s CEO and founder, said in an interview, to cover more of Germany (where it’s already active now), Norway, Finland, Ireland, France, Spain, and Italy.

The company got its start working with SMBs in 2011 but pivoted some years later to working with larger enterprises, which make up the majority of its business today. Suijkerbuijk said that in 2020, signed deals went up by 300%, and the first half of 2021 grew 50% more on top of that. Its users include utilities like Skanska Energi and broadband company Ownit, and others like remote healthcare company Kry, businesses that invoice and take monthly payments from their customers.

While there has been a lot of attention around how companies like Apple and Google are handling subscriptions and payments in apps, what Billogram focuses on is a different beast, and much more complex: it’s more integrated into the business providing services, and it may involve different services, and the fees can vary over every billing period. It’s for this reason that, in fact, even big companies in the realm of digital payments, like Stripe, which might even already have products that can help manage subscriptions on their platforms, partner with companies like Billogram to build the experiences to manage their more involved kinds of payment services.

I should point out here that Suijkerbuijk told me that Stripe recently became a partner of Billogram’s, which is very interesting… but he also added that a number of the big payments companies have talked to Billogram. He also confirmed that currently Stripe is not an investor in the company. “We have a very good relationship,” he said.

It’s not surprising to see Stripe and others wanting to do more in the area of more complex, recurring billing services. Researchers estimate that the market size (revenues and services) for subscription and recurring billing will be close to $6 billion this year, with that number ballooning to well over $10 billion by 2025. And indeed, the effort to make a payment or any kind of transaction will continue to be a point of friction in the world of commerce, so any kinds of systems that bring technology to bear to make that easier, and something that consumers or businesses will do without thinking about it, will be valuable, and will likely grow in dominance. (It’s why the more basic subscription services, such as Prime membership or a Netflix subscription, or a cloud storage account, are such winners.)

Within that very big pie, Suijkerbuijk noted that rather than the Apples and Googles of the world, the kinds of businesses that Billogram currently competes against are those that are addressing the same thornier end of the payments spectrum that Billogram is. These include a wide swathe of incumbent companies that do a lot of their business in areas like debt collection, and other specialists like Scaleworks-backed Chargify — which itself got a big investment injection earlier this year from Battery Ventures, which put $150 million into both it and another billing provider, SaaSOptics, in April.

The former group of competitors are not currently a threat to Billogram, he added.

“Debt collecting agencies are big on invoicing, but no one — not their customers, nor their customers’ customers — loves them, so they are great competitors to have,” Suijkerbuijk joked.

This also means that Billogram is not likely to move into debt collection itself as it continues to expand. Instead, he said, the focus will be on building out more tools to make the invoicing and payments experience better and less painful to customers. That will likely include more moves into customer service and generally improving the overall billing experience — something we have seen become a bigger area also during the pandemic, as companies realized that they needed to address non-payments in a different way from how they used to, given world events and the impact they were having on individuals.

“We are excited to partner with Jonas and the team at Billogram,” says Omri Benayoun, General Partner at Partech, in a statement. “Having spotted a gap in the market, they have quietly built the most advanced platform for large B2C enterprises looking to integrate billing, payment, and collection in one single solution. In our discussion with leading utilities, telecom, e-health, and all other clients across Europe, we realized how valuable Billogram was for them in order to engage with their end-users through a top-notch billing and payment experience. The outstanding commercial traction demonstrated by Billogram has further cemented our conviction, and we can’t wait to support the team in bringing their solution to many more customers in Europe and beyond!”


It’s Time to Give Enya Another Listen

Even at her peak, she was hugely famous but never especially cool. But maybe we’re finally ready to heed her whispered call to awaken.


After years of inaction against adtech, UK’s ICO calls for browser-level controls to fix ‘cookie fatigue’

In the latest quasi-throwback toward ‘do not track’, the UK’s data protection chief has come out in favor of a browser- and/or device-level setting to allow Internet users to set “lasting” cookie preferences — suggesting this as a fix for the barrage of consent pop-ups that continues to infest websites in the region.

European web users digesting this development in an otherwise monotonously unchanging regulatory saga, should be forgiven — not only for any sense of déjà vu they may experience — but also for wondering if they haven’t been mocked/gaslit quite enough already where cookie consent is concerned.

Last month, UK digital minister Oliver Dowden took aim at what he dubbed an “endless” parade of cookie pop-ups — suggesting the government is eyeing watering down consent requirements around web tracking as ministers consider how to diverge from European Union data protection standards, post-Brexit. (He’s slated to present the full sweep of the government’s data ‘reform’ plans later this month so watch this space.)

Today the UK’s outgoing information commissioner, Elizabeth Denham, stepped into the fray to urge her counterparts in G7 countries to knock heads together and coalesce around the idea of letting web users express generic privacy preferences at the browser/app/device level, rather than having to do it through pop-ups every time they visit a website.

In a statement announcing “an idea” she will present this week during a virtual meeting of fellow G7 data protection and privacy authorities — less pithily described in the press release as being “on how to improve the current cookie consent mechanism, making web browsing smoother and more business friendly while better protecting personal data” — Denham said: “I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.”

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge,” she added.

Contacted for more on this “idea”, an ICO spokeswoman reshuffled the words thusly: “Instead of trying to effect change through nearly 2 billion websites, the idea is that legislators and regulators could shift their attention to the browsers, applications and devices through which users access the web.

“In place of click-through consent at a website level, users could express lasting, generic privacy preferences through browsers, software applications and device settings – enabling them to set and update preferences at a frequency of their choosing rather than on each website they visit.”

Of course a browser-baked ‘Do not track’ (DNT) signal is not a new idea. It’s around a decade old at this point. Indeed, it could be called the idea that can’t die because it’s never truly lived — as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.

However the approach Denham is advocating, vis-a-vis “lasting” preferences, may in fact be rather different to DNT — given her call for fellow regulators to engage with the tech industry, and its “standards organizations”, and come up with “practical” and “business friendly” solutions to the regional Internet’s cookie pop-up problem.

It’s not clear what consensus — practical or, er, simply pro-industry — might result from this call. If anything.

Indeed, today’s press release may be nothing more than Denham trying to raise her own profile since she’s on the cusp of stepping out of the information commissioner’s chair. (Never waste a good international networking opportunity and all that — her counterparts in the US, Canada, Japan, France, Germany and Italy are scheduled for a virtual natter today and tomorrow where she implies she’ll try to engage them with her big idea).

Her UK replacement, meanwhile, is already lined up. So anything Denham personally champions right now, at the end of her ICO chapter, may have a very brief shelf life — unless she’s set to parachute into a comparable role at another G7 caliber data protection authority.

Nor is Denham the first person to make a revived pitch for a rethink on cookie consent mechanisms — even in recent years.

Last October, for example, a US-centric tech-publisher coalition came out with what they called a Global Privacy Standard (GPC) — aiming to build momentum for a browser-level pro-privacy signal to stop the sale of personal data, geared toward California’s Consumer Privacy Act (CCPA), though pitched as something that could have wider utility for Internet users.

By January this year they announced 40M+ users were making use of a browser or extension that supports GPC — along with a clutch of big name publishers signed up to honor it. But it’s fair to say its global impact so far remains limited. 

More recently, European privacy group noyb published a technical proposal for a European-centric automated browser-level signal that would let regional users configure advanced consent choices — enabling the more granular controls it said would be needed to fully mesh with the EU’s more comprehensive (vs CCPA) legal framework around data protection.

The proposal, for which noyb worked with the Sustainable Computing Lab at the Vienna University of Economics and Business, is called Advanced Data Protection Control (ADPC). And noyb has called on the EU to legislate for such a mechanism — suggesting there’s a window of opportunity as lawmakers there are also keen to find ways to reduce cookie fatigue (a stated aim for the still-in-train reform of the ePrivacy rules, for example).

So there are some concrete examples of what practical, less fatiguing yet still pro-privacy consent mechanisms might look like to lend a little more color to Denham’s ‘idea’ — although her remarks today don’t reference any such existing mechanisms or proposals.

(When we asked the ICO for more details on what she’s advocating for, its spokeswoman didn’t cite any specific technical proposals or implementations, historical or contemporary, either, saying only: “By working together, the G7 data protection authorities could have an outsized impact in stimulating the development of technological solutions to the cookie consent problem.”)

So Denham’s call to the G7 does seem rather low on substance vs profile-raising noise.

In any case, the really big elephant in the room here is the lack of enforcement around cookie consent breaches — including by the ICO.

Add to that, there’s the now very pressing question of how exactly the UK will ‘reform’ domestic law in this area (post-Brexit) — which makes the timing of Denham’s call look, well, interestingly opportune. (And difficult to interpret as anything other than opportunistically opaque at this point.)

The adtech industry will of course be watching developments in the UK with interest — and would surely be cheering from the rooftops if domestic data protection ‘reform’ results in amendments to UK rules that allow the vast majority of websites to avoid having to ask Brits for permission to process their personal data, say by opting them into tracking by default (under the guise of ‘fixing’ cookie friction and cookie fatigue for them).

That would certainly be mission accomplished after all these years of cookie-fatigue-generating-cookie-consent-non-compliance by surveillance capitalism’s industrial data complex.

It’s not yet clear which way the UK government will jump — but eyebrows should raise to read the ICO writing today that it expects compliance with (current) UK law when it has so roundly failed to tackle the adtech industry’s role in cynically sicking up said cookie fatigue by failing to take any action against such systemic breaches.

The bald fact is that the ICO has — for years — avoided tackling adtech abuse of data protection, despite acknowledging publicly that the sector is wildly out of control.

Instead, it has opted for a cringing ‘process of engagement’ (read: appeasement) that has condemned UK Internet users to cookie pop-up hell.

This is why the regulator is being sued for inaction — after it closed a long-standing complaint against the security abuse of people’s data in real-time bidding ad auctions with nothing to show for it… So, yes, you can be forgiven for feeling gaslit by Denham’s call for action on cookie fatigue following the ICO’s repeat inaction on the causes of cookie fatigue…

Not that the ICO is alone on that front, however.

There has been a fairly widespread failure by EU regulators to tackle systematic abuse of the bloc’s data protection rules by the adtech sector — with a number of complaints (such as this one against the IAB Europe’s self-styled ‘transparency and consent framework’) still working, painstakingly, through the various labyrinthine regulatory processes.

France’s CNIL has probably been the most active in this area — last year slapping Amazon and Google with fines of $42M and $120M for dropping tracking cookies without consent, for example. (And before you accuse CNIL of being ‘anti-American’, it has also gone after domestic adtech.)

But elsewhere — notably Ireland, where many adtech giants are regionally headquartered — the lack of enforcement against the sector has allowed for cynical, manipulative and/or meaningless consent pop-ups to proliferate as the dysfunctional ‘norm’, while investigations have failed to progress and EU citizens have been forced to become accustomed, not to regulatory closure (or indeed rapture), but to an existentially endless consent experience that’s now being (re)branded as ‘cookie fatigue’.

Yes, even with the EU’s General Data Protection Regulation (GDPR) coming into application in 2018 and beefing up (in theory) consent standards.

This is why the privacy campaign group noyb is now lodging scores of complaints against cookie consent breaches — to try to force EU regulators to actually enforce the law in this area, even as it also finds time to put up a practical technical proposal that could help shrink cookie fatigue without undermining data protection standards. 

It’s a shining example of action that has yet to inspire the lion’s share of the EU’s actual regulators to act on cookies. The tl;dr is that EU citizens are still waiting for the cookie consent reckoning — even if there is now a bit of high level talk about the need for ‘something to be done’ about all these tedious pop-ups.

The problem is that while GDPR certainly cranked up the legal risk on paper, without proper enforcement it’s just a paper tiger. And the pushing around of lots of paper is very tedious, clearly. 

Most cookie pop-ups you’ll see in the EU are thus essentially privacy theatre; at the very least they’re unnecessarily irritating because they create ongoing friction for web users who must constantly respond to nags for their data (typically to repeatedly try to deny access if they can actually find a ‘reject all’ setting).

But — even worse — many of these pervasive pop-ups are actively undermining the law (as a number of studies have shown) because the vast majority do not meet the legal standard for consent.

So the cookie consent/fatigue narrative is actually a story of faux compliance enabled by an enforcement vacuum that’s now also encouraging the watering down of privacy standards as a result of so much unpunished flouting of the law.

There is a lesson here, surely.

‘Faux consent’ pop-ups that you can easily stumble across when surfing the ‘ad-supported’ Internet in Europe include those failing to provide users with clear information about how their data will be used; or not offering people a free choice to reject tracking without being penalized (such as with no/limited access to the content they’re trying to access), or at least giving the impression that accepting is a requirement to access said content (dark pattern!); and/or otherwise manipulating a person’s choice by making it super simple to accept tracking and far, far, far more tedious to deny.

You can also still sometimes find cookie notices that don’t offer users any choice at all — and just pop up to inform that ‘by continuing to browse you consent to your data being processed’ — which, unless the cookies in question are literally essential for provision of the webpage, is basically illegal. (Europe’s top court made it abundantly clear in 2019 that active consent is a requirement for non-essential cookies.)

Nonetheless, to the untrained eye — and sadly there are a lot of them where cookie consent notices are concerned — it can look like it’s Europe’s data protection law that’s the ass because it seemingly demands all these meaningless ‘consent’ pop-ups, which just gloss over an ongoing background data grab anyway.

The truth is regulators should have slapped down these manipulative dark patterns years ago.

The problem now is that regulatory failure is encouraging political posturing — and, in a twisting double-back throw by the ICO! — regulatory thrusting around the idea that some newfangled mechanism is what’s really needed to remove all this universally inconvenient ‘friction’.

An idea like noyb’s ADPC does indeed look very useful in ironing out the widespread operational wrinkles wrapping the EU’s cookie consent rules. But when it’s the ICO suggesting a quick fix after the regulatory authority has failed so spectacularly over the long duration of complaints around this issue you’ll have to forgive us for being sceptical.

In such a context the notion of ‘cookie fatigue’ looks like it’s being suspiciously trumped up; fixed on as a convenient scapegoat to rechannel consumer frustration with hated online tracking toward high privacy standards — and away from the commercial data-pipes that demand all these intrusive, tedious cookie pop-ups in the first place — whilst neatly aligning with the UK government’s post-Brexit political priorities on ‘data’.

Worse still: The whole farcical consent pantomime — which the adtech industry has aggressively engaged in to try to sustain a privacy-hostile business model in spite of beefed up European privacy laws — could be set to end in genuine tragedy for user rights if standards end up being slashed to appease the law mockers.

The target of regulatory ire and political anger should really be the systematic law-breaking that’s held back privacy-respecting innovation and non-tracking business models — by making it harder for businesses that don’t abuse people’s data to compete.

Governments and regulators should not be trying to dismantle the principle of consent itself. Yet — at least in the UK — that does now look horribly possible.

Laws like GDPR set high standards for consent which — if they were but robustly enforced — could lead to reform of highly problematic practices like behavioral advertising combined with the out-of-control scale of programmatic advertising.

Indeed, we should already be seeing privacy-respecting forms of advertising being the norm, not the alternative — free to scale.

Instead, thanks to widespread inaction against systematic adtech breaches, there has been little incentive for publishers to reform bad practices and end the irritating ‘consent charade’ — which keeps cookie pop-ups mushrooming forth, oftentimes with ridiculously lengthy lists of data-sharing ‘partners’ (i.e. if you do actually click through the dark patterns to try to understand what is this claimed ‘choice’ you’re being offered).

As well as being a criminal waste of web users’ time, we now have the prospect of attention-seeking, politically charged regulators deciding that all this ‘friction’ justifies giving data-mining giants carte blanche to torch user rights — if the intention is to fire up the G7 to send a collect invite to the tech industry to come up with “practical” alternatives to asking people for their consent to track them — and all because authorities like the ICO have been too risk averse to actually defend users’ rights in the first place.

Dowden’s remarks last month suggest the UK government may be preparing to use cookie consent fatigue as convenient cover for watering down domestic data protection standards — at least if it can get away with the switcheroo.

Nothing in the ICO’s statement today suggests it would stand in the way of such a move.

Now that the UK is outside the EU, the UK government has said it believes it has an opportunity to deregulate domestic data protection — although it may find there are legal consequences for domestic businesses if it diverges too far from EU standards.

Denham’s call to the G7 naturally includes a few EU countries (the biggest economies in the bloc) but by targeting this group she’s also seeking to engage regulators further afield — in jurisdictions that currently lack a comprehensive data protection framework. So if the UK moves, cloaked in rhetoric of ‘Global Britain’, to water down its (EU-based) high domestic data protection standards it will be placing downward pressure on international aspirations in this area — as a counterweight to the EU’s geopolitical ambitions to drive global standards up to its level.

The risk, then, is a race to the bottom on privacy standards among Western democracies — at a time when awareness about the importance of online privacy, data protection and information security has actually never been higher.

Furthermore, any UK move to weaken data protection also risks putting pressure on the EU’s own high standards in this area — as the regional trajectory would be down not up. And that could, ultimately, give succour to forces inside the EU that lobby against its commitment to a charter of fundamental rights — by arguing such standards undermine the global competitiveness of European businesses.

So while cookies themselves — or indeed ‘cookie fatigue’ — may seem an irritatingly small concern, the stakes attached to this tug of war around people’s rights over what can happen to their personal data are very high indeed.

WhatsApp faces $267M fine for breaching Europe’s GDPR

It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime: Ireland’s Data Protection Commission (DPC) has just announced a €225 million (~$267M) fine for WhatsApp.

The Facebook-owned messaging app has been under investigation by the Irish DPC, its lead data supervisor in the European Union, since December 2018 — several months after the first complaints were fired at WhatsApp over how it processes user data under Europe’s General Data Protection Regulation (GDPR), once it began being applied in May 2018.

Despite receiving a number of specific complaints about WhatsApp, the investigation undertaken by the DPC that’s been decided today was what’s known as an “own volition” enquiry — meaning the regulator selected the parameters of the investigation itself, choosing to fix on an audit of WhatsApp’s ‘transparency’ obligations.

A key principle of the GDPR is that entities which are processing people’s data must be clear, open and honest with those people about how their information will be used.

The DPC’s decision today (which runs to a full 266 pages) concludes that WhatsApp failed to live up to the standard required by the GDPR.

Its enquiry considered whether or not WhatsApp fulfils transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users if a user agrees to it ingesting their phone book which contains other people’s personal data); as well as looking at the transparency the platform offers over its sharing of data with its parent entity Facebook (a highly controversial issue at the time the privacy U-turn was announced back in 2016, although it predated GDPR being applied).

In sum, the DPC found a range of transparency infringements by WhatsApp — spanning articles 5(1)(a); 12, 13 and 14 of the GDPR.

In addition to issuing a sizeable financial penalty, it has ordered WhatsApp to take a number of actions to improve the level of transparency it offers users and non-users — giving the tech giant a three-month deadline for making all the ordered changes.

In a statement responding to the DPC’s decision, WhatsApp disputed the findings and dubbed the penalty “entirely disproportionate” — as well as confirming it will appeal, writing:

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.” 

It’s worth emphasizing that the scope of the DPC enquiry which has finally been decided today was limited to only looking at WhatsApp’s transparency obligations.

The regulator was explicitly not looking into wider complaints — which have also been raised against Facebook’s data-mining empire for well over three years — about the legal basis WhatsApp claims for processing people’s information in the first place.

So the DPC will continue to face criticism over both the pace and approach of its GDPR enforcement.

Indeed, prior to today, Ireland’s regulator had only issued one decision in a major cross-border case addressing ‘Big Tech’ — against Twitter when, back in December, it knuckle-tapped the social network over a historical security breach with a fine of $550k.

WhatsApp’s first GDPR penalty is, by contrast, considerably larger — reflecting what EU regulators (plural) evidently consider to be a far more serious infringement of the GDPR.

Transparency is a key principle of the regulation. And while a security breach may indicate sloppy practice, systematic opacity towards people whose data your adtech empire relies upon to turn a fat profit looks rather more intentional; indeed, it’s arguably the whole business model.

And — at least in Europe — such companies are going to find themselves being forced to be up front about what they’re doing with people’s data.

Is the GDPR working?  

The WhatsApp decision will rekindle the debate about whether the GDPR is working effectively where it counts most: Against the most powerful companies in the world, which are also of course Internet companies.

Under the EU’s flagship data protection regulation, decisions on cross border cases require agreement from all affected regulators — across the 27 Member States — so while the GDPR’s “one-stop-shop” mechanism seeks to streamline the regulatory burden for cross-border businesses by funnelling complaints and investigations via a lead regulator (typically where a company has its main legal establishment in the EU), objections can be raised to that lead supervisory authority’s conclusions (and any proposed sanctions), as has happened here in this WhatsApp case.

Ireland originally proposed a far more low-ball penalty of up to €50M for WhatsApp. However other EU regulators objected to its draft decision on a number of fronts — and the European Data Protection Board (EDPB) ultimately had to step in and take a binding decision (issued this summer) to settle the various disputes.

Through that (admittedly rather painful) joint-working, the DPC was required to increase the size of the fine issued to WhatsApp, in a mirror of what happened with its draft Twitter decision — where the DPC had also suggested an even tinier penalty in the first instance.

While there is a clear time cost in settling disputes between the EU’s smorgasbord of data protection agencies — the DPC submitted its draft WhatsApp decision to the other DPAs for review back in December, so it’s taken well over half a year to hash out all the disputes about WhatsApp’s lossy hashing and so forth — the fact that ‘corrections’ are being made to its decisions, and that conclusions can land — if not jointly agreed then at least arriving via a consensus pushed through by the EDPB — is a sign that the process, while slow and creaky, is working. At least technically.

Even so, Ireland’s data watchdog will continue to face criticism for its outsized role in handling GDPR complaints and investigations — with some accusing the DPC of essentially cherry-picking which issues to examine in detail (by its choice and framing of cases) and which to elide entirely (those issues it doesn’t open an enquiry into or complaints it simply drops or ignores), with its loudest critics arguing it’s therefore still a major bottleneck on effective enforcement of data protection rights across the EU.

The associated conclusion for that critique is that tech giants like Facebook are still getting a pretty free pass to violate Europe’s privacy rules.

But while it’s true that a $267M penalty is the equivalent of a parking ticket for Facebook’s business empire, orders to change how such adtech giants are able to process people’s information at least have the potential to be a far more significant correction on problematic business models.

Again, though, time will be needed to tell whether such wider orders are having the sought for impact.

In a statement reacting to the DPC’s WhatsApp decision today, noyb — the privacy advocacy group founded by long-time European privacy campaigner Max Schrems — said: “We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50M fine and was forced by the other European data protection authorities to move towards €225M, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”

Schrems also noted that he and noyb still have a number of pending cases before the DPC — including on WhatsApp.

In further remarks, they raised concerns about the length of the appeals process and whether the DPC would make a muscular defence of a sanction it had been forced to increase by other EU DPAs.

“WhatsApp will surely appeal the decision. In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork. It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts. I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”

‘It Was Like I’d Never Done It Before’: How Sally Rooney Wrote Again

Her first two books, “Conversations With Friends” and “Normal People,” made her more famous than she liked. For her latest, “Beautiful World, Where Are You,” she asked herself what a novel is and why she’s taking on another one.

Apple launches a new iOS app, ‘Siri Speech Study,’ to gather feedback for Siri improvements

Apple recently began a research study designed to collect speech data from study participants. Earlier this month, the company launched a new iOS app called “Siri Speech Study” on the App Store, which allows participants who have opted in to share their voice requests and other feedback with Apple. The app is available in a number of worldwide markets but does not register on the App Store’s charts, including under the “Utilities” category where it’s published.

According to data from Sensor Tower, the iOS app first launched on August 9 and was updated to a new version on August 18. It’s currently available in the U.S., Canada, Germany, France, Hong Kong, India, Ireland, Italy, Japan, Mexico, New Zealand, and Taiwan — an indication of the study’s global reach. However, the app will not appear when searching the App Store by keyword or when browsing through the list of Apple’s published apps.

The Siri Speech Study app itself offers little information about the study’s specific goals, nor does it explain how someone could become a participant. Instead, it only provides a link to a fairly standard license agreement and a screen where a participant would enter their ID number to get started.

Reached for comment, Apple told TechCrunch the app is only being used for Siri product improvements, by offering a way for participants to share feedback directly with Apple. The company also explained people have to be invited to the study — there’s not a way for consumers to sign up to join.

The app is only one of many ways Apple is working to improve Siri.

In the past, Apple had tried to learn more about Siri’s mistakes by sending some small portion of consumers’ voice recordings to contractors for manual grading and review. But a whistleblower alerted media outlet The Guardian that the process had allowed them to listen in on confidential details at times. Apple shortly thereafter made manual review an opt-in process and brought audio grading in-house. This type of consumer data collection continues, but has a different aim than what a research study would involve.

Unlike this broader, more generalized data collection, a focus group-like study allows Apple to better understand Siri’s mistakes because it combines the collected data with human feedback. With the Siri Speech Study app, participants provide explicit feedback on a per-request basis, Apple said. For instance, if Siri misheard a question, users could explain what they were trying to ask. If Siri was triggered when the user hadn’t said “Hey Siri,” that could be noted. Or if Siri on HomePod misidentified the speaker in a multi-person household, the participant could note that, too.

Another differentiator is that none of the participants’ data is being automatically shared with Apple. Rather, users can see a list of the Siri requests they’ve made and then select which to send to Apple with their feedback. Apple also noted no user information is collected or used in the app, except the data directly provided by participants.

Apple understands that an intelligent virtual assistant that understands you is a competitive advantage.

This year, the company scooped up ex-Google A.I. scientist Samy Bengio to help make Siri a stronger rival to Google Assistant, whose advanced capabilities are often a key selling point for Android devices. In the home, meanwhile, Alexa-powered smart speakers are dominating the U.S. market and compete with Google in the global landscape, outside China. Apple’s HomePod has a long way to go to catch up.

But despite the rapid progress in voice-based computing in recent years, virtual assistants can still have a hard time understanding certain types of speech. Earlier this year, for example, Apple said it would use a bank of audio clips from podcasts where users had stuttered to help it improve its understanding of this kind of speech pattern. Assistants can also stumble when there are multiple devices in a home that are listening for voice commands from across several rooms. And assistants can mess up when trying to differentiate between different family members’ voices or when trying to understand a child’s voice.

In other words, there are still many avenues a speech study could pursue over time, even if these aren’t its current focus.

That Apple is running a Siri speech study isn’t necessarily new. The company has historically run evaluations and studies like this in some form. But it’s less common to find Apple’s studies published directly on the App Store.

Though Apple could have published the app through the enterprise distribution process to keep it more under wraps, it chose to use its public marketplace. This more closely follows the App Store’s rules, as the research study is not an internally-facing app meant only for Apple employees.

Still, it’s not likely consumers will stumble across the app and be confused — the Siri Speech Study app is hidden from discovery. You have to have the app’s direct link to find it. (Good thing we’re nosy!)

Spotify expands its radio DJ-like format, Music + Talk, to global creators

Last fall, Spotify introduced a new format that combined spoken word commentary with music, allowing creators to reproduce the radio-like experience of listening to a DJ or music journalist who shared their perspective on the tracks they would then play. Today, the company is making the format, which it calls “Music + Talk,” available to global creators through its podcasting software Anchor.

Creators who want to offer this sort of blended audio experience can now do so by using the new “Music” tool in Anchor, which provides access to Spotify’s full catalog of 70 million tracks that they can insert into their spoken-word audio programs. Spotify has said this new type of show will continue to compensate the artist when the track is streamed, the same as it would elsewhere on Spotify’s platform. In addition, users can also interact with the music content within the shows as they would otherwise — by liking the song, viewing more information about the track, saving the song, or sharing it, for example.

The shows themselves, meanwhile, will be available to both free and Premium Spotify listeners. Paying subscribers will hear the full tracks when listening to these shows, but free users will only hear a 30-second preview of the songs, due to licensing rights.

The format is somewhat reminiscent of Pandora’s Stories, which was also a combination of music and podcasting, introduced in 2019. However, in Pandora’s case, the focus had been on allowing artists to add their own commentary to music — like talking about the inspiration for a song — while Spotify is making it possible for anyone to annotate their favorite playlists with audio commentary.

Since launching last year, the product has been tweaked somewhat in response to user feedback, Spotify says. The shows now offer clearer visual distinction between the music and talk segments during an episode, and they include music previews on episode pages.

The ability to create Music + Talk shows was previously available in select markets ahead of this global rollout, including in the U.S., Canada, the U.K., Ireland, Australia, and New Zealand.

With the expansion, creators in a number of other major markets are now gaining access, including Japan, India, the Philippines, Indonesia, France, Germany, Spain, Italy, the Netherlands, Sweden, Mexico, Brazil, Chile, Argentina, and Colombia. Alongside the expansion, Spotify’s catalog of Music + Talk original programs will also grow today, as new shows from Argentina, Brazil, Colombia, Chile, India, Japan, and the Philippines will be added.

Spotify will also begin to more heavily market the feature with the launch of its own Spotify Original called “Music + Talk: Unlocked,” which will offer tips and ideas for creators interested in trying out the format.


European refurbished electronics marketplace Refurbed raises $54M Series B

Refurbed, a European marketplace for refurbished electronics which raised a $17 million Series A round of funding last year, has now raised a $54 million Series B round led by Evli Growth Partners and Almaz Capital.

They are joined by existing investors such as Speedinvest, Bonsai Partners and All Iron Ventures, as well as a group of new backers — Hermes GPE, C4 Ventures, SevenVentures, Alpha Associates, Monkfish Equity (Trivago Founders), Kreos, Expon Capital, Isomer Capital and Creas Impact Fund.

Refurbed is an online marketplace for refurbished electronics that are tested and renewed. These then tend to be 40% cheaper than new, and come with a 12-month warranty included. The company claims that in 2020, it grew by 3x and reached more than €100M in GMV.

Operating in Germany, Austria, Ireland, France, Italy and Poland, the startup plans to expand into three other countries by the end of 2021.

Riku Asikainen at Evli Growth Partners said: “We see the huge potential behind the way refurbed contributes to a sustainable, circular economy.”

Peter Windischhofer, co-founder of refurbed, told me: “We are cheaper and have a wider product range, with an emphasis on quality. We focus on selling products that look new, so we end up with happy customers who then recommend us to others. It makes people proud to buy refurbished products.”

The startup has 130 refurbishers selling through its marketplace.

Other players in this space include Back Market (raised €48M), Swappa (US) and Amazon Renew. Refurbed also competes with Rebuy in Germany and Swapbee in Finland.


Why Draper Esprit doubled down on its status as a publicly listed VC

We cover a lot of venture capital news here at TechCrunch. New funds, partner changes, the funding rounds themselves — the list is long. Lately, we’ve had to touch on rolling funds, solo GPs and a faster-than-ever investing cadence that has rewritten the rules of venture investing. Gone are the days when investors can take weeks, let alone months, to get into a hot deal in today’s turbocharged private markets.

But there’s another venture capital trend worth discussing: venture capital firms going public. This July, for example, London-based Forward Partners went public on the AIM, a sub-market of the well-known London Stock Exchange. Augmentum Fintech is another example of a London-listed venture capital firm. The investing group focuses on European fintech.

Most recently, Draper Esprit, another British venture capital firm, moved from the AIM to the LSE proper, with a secondary listing on Euronext Dublin. TechCrunch has cited Esprit partners in our explorations of the European venture capital scene in the past, especially in our regular digs through the startup hub’s numbers.

To understand why Draper Esprit not only decided to stay public but doubled down on its structure by moving to the main boards in London and Dublin, we got on the horn with the firm’s co-founder, Stuart Chapman. What follows is an edited and condensed transcript of our call. Coming up, The Exchange has analysis and further interviews about whether the trend of floating venture capital firms may spread, and why other investing groups opted in. But first, highlights from our chat with Chapman.

TechCrunch: We have a bunch of questions about the change in listing, but let’s start with how long ago you began this transition.

Stuart Chapman: I co-founded Esprit with Simon Cook back in 2006, and after a 10-year journey of raising conventional funds, we were coming to the point of raising our fourth fund. But we were having frustrating meetings with limited partners who were trying to pigeonhole us, and at the same time, the London market was getting more and more frustrated that private companies were staying private longer and they would not have access to them. I think we were down to ARM as the last true bastion of tech companies on the London Exchange, so we were approached by a group of City funds to raise our fourth fund through a public market listing.

The junior market in London was very helpful for that, and we spent five happy years on AIM, raising money annually — until we crossed over the billion [sterling] capitalization mark. By then, it was quite obvious that if we want to fulfill the same ambition and growth over the next five years, we were going to need to step up onto a bigger market that was going to give us wider access to funds and [expand our] attraction to a much larger group of people. Part of our mission at Draper Esprit is to democratize venture capital, as Simon would say; and [being listed on the main market] increases that opportunity.

When we started out on the AIM, we raised capital from professional funds’ tech enthusiasts, who were positively biased. Unfortunately, there’s not very many of them, and once you have exhausted that, then you move down into the more general funds — maybe funds with an angle on the U.K., funds with an angle on technology. But by their very nature, they tend to be small-cap funds, and there’s not that many of them in the U.K. So, by stepping up, we enable ourselves to go into more generous funds as well as tech funds [that] have a minimum bar.

And should we now expect to see Draper Esprit raise more capital per annum?

In a perfect world, the answer is no, because realizations equal investments, so you are self-sustaining. The one thing I would say about Draper Esprit is that we are trying to be innovative. It shocks me that venture capital backs some of the most mind-blowing tech advances in our history over the last 70 years using the same legal structure as a 1958 property vehicle in New York. I don’t get it! Surely, we can reinvent and push ourselves forward as much as we push our entrepreneurs. So long story short, Simon and I never opted to rest. We always wanted to see if we could create the next thing that would help entrepreneurs be more successful.

Talking about innovation in venture capital models, what’s the main motivation for your use of retail investment platform PrimaryBid? Is it to open the door for more regular folks to invest, or is it a really material way to add capital to Draper Esprit?

It’s the former. If you go back to 2010, we launched our [Enterprise Investment Scheme] product — in the U.K., the EIS is a tax wrapper, where private individuals can invest into tech businesses and receive 30% tax credit; and then, if it goes well, it’s tax-free. It’s a great government initiative. However, whenever a government interferes in a market, it goes to the lowest denominator, and most people in the industry were using it to enable investors to gain tax credit. Whereas we said: That’s silly; you should use it to enable people to back the best possible businesses, and then the tax credit is just a bonus.

So what we did back in 2010 [was] we enabled X entrepreneurs, X people in the tech ecosystem, to participate in the Draper Esprit EIS program to be part of this democratizing equity. Today, that’s about £150 million in the EIS vehicle, and about £50 million in the VCT, which is another U.K. tax-related vehicle where you get the same benefits — so it’s now over £200 million from small individuals. The idea for us is to extend our ecosystem out into influential people.

How do you feel about having opened the way for other funds to go public?

Personally, and at Draper Esprit, we are big supporters of innovation, so we have helped Mark Boggett at Seraphim [and shared information and] our path. And then Nic Brisbourne … was an ex-colleague of mine and Simon’s, so we actually helped Nic, but we also invested in Forward Partners as a way of showing our support to what he was doing through our fund of funds program.

I think where we are very different is where we get confused with the more technology transfer shops. IP Group [for example is] a great model and it’s got real longevity [and has been] in the market much longer than us. But that’s not what we do. They’re looking to back computer science from an early stage in universities. And so, yes, we’re supportive of others following in our footsteps and we will be big fans of having much wider diversity.

Why are you investing in other funds, and does it open up your capital’s geographic footprint?

Two reasons, to be very honest with you. One is consistent with the previous point, which is [that] Europe wins when it has a really strong ecosystem. And, historically, Europe has founded seed funds in a haphazard way. Finland, for example, had 80 programs to raise early-stage capital. Regions were granted seed funds, but they had no follow-on capital.

No one realized that venture capital was an escalator, and unless you could pass the baton to the next person, [startups] have to do it themselves. But if you have to do it yourself, you don’t create an ecosystem.

The first point was how do we build an ecosystem, consistent with how we get more people into venture capital. If you have a solid ecosystem, then you bring in headhunters, you bring in talent, you bring in bankers, lawyers, you bring in advisers, you bring in the geniuses.

The second reason is that venture capital is quite constrained. If you raise a fund, it is very, very rarely permissible to invest it in other funds. Going back to Simon and I and our quest to be innovative, [we asked] well, why can’t we invest in early-stage funds, and work with them as partners, and [be their] go-to Series A, Series B fund.

[TechCrunch note: The firm then drew up a 2×2 matrix, with geography on one side, and skillset on the other. Draper Esprit divided the world into niches where it was strong and weak, and geographies where it was strong and weak. Where it was weak twice, it would partner with other funds, perhaps investing in them. This helped ensure ready deal flow.]

By partnering, we put ourselves into an area where we could benefit from their talent [and geographic focus], and they benefit from our capital, and it has been a phenomenal success. We are now in about 42 funds across Europe. The first commitment was with £75 [million] and we’ve just committed a second £75 [million] to the program. So, we’re at £150 million, [making us] one of the largest private commercial investors.

What’s your take on Ireland, and do you see it as more than a gateway to Europe?

The Irish story has a very long heritage. They always used to be our largest shareholder, the Irish government, through the Ireland Strategic Investment Fund. They might be the second or third largest shareholder that we still have, but there is a very long relationship between Simon and I and the investment group over there.

And Ireland is renowned for great education, whether that be in the south through Trinity and UCD [in Dublin], or whether that be the north through Queen’s [University Belfast]. So, there’s been a great education system, great engineering infrastructure. They have greatly benefited from the Facebooks of the world, and the Googles of the world having [offices] in Ireland. That’s all the positives, and we have two investors in Ireland.

The downside is that it is relatively small. The numbers of Series A and later-stage growth deals that come out of Ireland are still a lot less than other cities. So we are fans of Ireland; the talent there is fantastic, but it’s a part of an ecosystem instead of another London or another Berlin.

Where is Draper Esprit hoping to find the next great startups? Is there a sector or two that you find particularly exciting?

In fintech, we’re taking an unfashionable approach. You have large incumbents with very outdated systems, but a very loyal and a very high degree of trust customer base. And then you have the regulators in Europe which are very positive towards innovation and incumbents and challengers. I hear my American colleagues are less complimentary about the SEC.

You’re in an environment where people are being encouraged to challenge the big banks. But they don’t have trust, and they don’t have the balance sheet. So, where we are currently attacking — we genuinely believe that the big guys need to update these legacy systems, and they’re not going to throw them away. And so, the only way you can update is you have to take off slivers of your book, of your market, and update it bit by bit. These projects are, if not tens, hundreds of millions [of pounds]. [It’s a] lucrative customer base that needs to adopt technology.

But updating that old tech would likely require fintech startups?

Yeah, that’s our strategy. The reason why I say it is not fashionable is because it doesn’t touch the consumer. It’s quite dull, and [it has] very long sales cycles. When you look at the genius within the teams that we’re backing, it’s that very in-depth [knowledge] where the sector views them as experts, the sector views them as the go-to people. So it’s a very high barrier to entry, which is why I think Europe does very well compared to [the U.S.] in this area because to actually try and attack those European startups from an overseas perspective is quite difficult.

More to come shortly; stay tuned.


Controversial WhatsApp policy change hit with consumer law complaint in Europe

Facebook has been accused of multiple breaches of European Union consumer protection law as a result of its attempts to force WhatsApp users to accept controversial changes to the messaging platform’s terms of use — such as threatening users that the app would stop working if they did not accept the updated policies by May 15.

The consumer protection association umbrella group, the Beuc, said today that together with eight of its member organizations it’s filed a complaint with the European Commission and with the European network of consumer authorities.

“The complaint is first due to the persistent, recurrent and intrusive notifications pushing users to accept WhatsApp’s policy updates,” it wrote in a press release.

“The content of these notifications, their nature, timing and recurrence put an undue pressure on users and impair their freedom of choice. As such, they are a breach of the EU Directive on Unfair Commercial Practices.”

After earlier telling users that notifications about the need to accept the new policy would become persistent, interfering with their ability to use the service, WhatsApp later rowed back from its own draconian deadline.

However the app continues to bug users to accept the update — with no option not to do so (users can close the policy prompt but are unable to decline the new terms or stop the app continuing to pop-up a screen asking them to accept the update).

“In addition, the complaint highlights the opacity of the new terms and the fact that WhatsApp has failed to explain in plain and intelligible language the nature of the changes,” the Beuc went on. “It is basically impossible for consumers to get a clear understanding of what consequences WhatsApp’s changes entail for their privacy, particularly in relation to the transfer of their personal data to Facebook and other third parties. This ambiguity amounts to a breach of EU consumer law which obliges companies to use clear and transparent contract terms and commercial communications.”

The organization pointed out that WhatsApp’s policy updates remain under scrutiny by privacy regulators in Europe — which it argues is another factor that makes Facebook’s aggressive attempts to push the policy on users highly inappropriate.

And while this consumer-law focused complaint is separate to the privacy issues the Beuc also flags — which are being investigated by EU data protection authorities (DPAs) — it has called on those regulators to speed up their investigations, adding: “We urge the European network of consumer authorities and the network of data protection authorities to work in close cooperation on these issues.”

The Beuc has produced a report setting out its concerns about the WhatsApp ToS change in more detail — where it hits out at the “opacity” of the new policies, further asserting:

“WhatsApp remains very vague about the sections it has removed and the ones it has added. It is up to users to seek out this information by themselves. Ultimately, it is almost impossible for users to clearly understand what is new and what has been amended. The opacity of the new policies is in breach of Article 5 of the UCTD [Unfair Contract Terms Directive] and is also a misleading and unfair practice prohibited under Article 5 and 6 of the UCPD [Unfair Commercial Practices Directive].”

Reached for comment on the consumer complaint, a WhatsApp spokesperson told us:

“Beuc’s action is based on a misunderstanding of the purpose and effect of the update to our terms of service. Our recent update explains the options people have to message a business on WhatsApp and provides further transparency about how we collect and use data. The update does not expand our ability to share data with Facebook, and does not impact the privacy of your messages with friends or family, wherever they are in the world. We would welcome an opportunity to explain the update to Beuc and to clarify what it means for people.”

The Commission was also contacted for comment on the Beuc’s complaint — we’ll update this report if we get a response.

The complaint is just the latest pushback in Europe over the controversial terms change by Facebook-owned WhatsApp — which triggered a privacy warning from Italy back in January, followed by an urgency procedure in Germany in May when Hamburg’s DPA banned the company from processing additional WhatsApp user data.

Although, earlier this year, Facebook’s lead data regulator in the EU, Ireland’s Data Protection Commission, appeared to accept Facebook’s reassurances that the ToS changes do not affect users in the region.

German DPAs were less happy, though. And Hamburg invoked emergency powers allowed for in the General Data Protection Regulation (GDPR) in a bid to circumvent a mechanism in the regulation that (otherwise) funnels cross-border complaints and concerns via a lead regulator — typically where a data controller has their regional base (in Facebook/WhatsApp’s case that’s Ireland).

Such emergency procedures are time-limited to three months. But the European Data Protection Board (EDPB) confirmed today that its plenary meeting will discuss the Hamburg DPA’s request for it to make an urgent binding decision — which could see the Hamburg DPA’s intervention set on a more lasting footing, depending upon what the EDPB decides.

In the meanwhile, calls for Europe’s regulators to work together to better tackle the challenges posed by platform power are growing, with a number of regional competition authorities and privacy regulators actively taking steps to dial up their joint working — in a bid to ensure that expertise across distinct areas of law doesn’t stay siloed and, thereby, risk disjointed enforcement, with conflicting and contradictory outcomes for Internet users.

There seems to be a growing understanding on both sides of the Atlantic for a joined up approach to regulating platform power and ensuring powerful platforms don’t simply get let off the hook.

 


Localyze raises $12M for a SaaS that supports cross-border hiring and relocation

Y-Combinator-backed Localyze has nabbed $12 million in Series A funding led by Blossom Capital for a SaaS that supports staff relocations and hiring across borders.

Previous investor Frontline Ventures also participated, with a number of angel investors joining the round — including Andrew Robb (ex-Farfetch); Des Traynor, co-founder and CSO at Intercom; Hanno Renner, co-founder and CEO at Personio; David Clarke, former CTO at Workday; and Michael Wax, CEO of Forto.

In the first quarter of 2021, the Hamburg, Germany-based startup — which was founded in 2018 by a trio of women: CEO Hanna Asmussen, COO Lisa Dahlke, and CTO Franzi Löw — saw a record 300% revenue bump.

Localyze’s current roster of customers includes the likes of Free Now, Trade Republic, Babbel, Thoughtworks, Tier Mobility, DeepL, Forto and Personio.

The startup suggests the pandemic-triggered rise in remote working is helping to drive demand for relocations as employees reassess where they want to be physically based. Its SaaS aims to streamline immigration-related admin tasks like visa applications; work and residence permits and registration; as well as providing help with housing and banking in the destination country.

“It was very interesting, we did of course see a negative impact from COVID-19 in 2020 but the main reason why we never worried about our business model is that we knew the businesses have never been the only driver of relocations,” Asmussen tells TechCrunch.

“We did a survey among the internationals we relocated and 98% stated that they wanted to relocate, and weren’t forced by the company. I of course believe that some people will choose not to relocate but at the same time, the increased flexibility [of remote working] opens many more doors for other people to relocate — and also for different time frames.”

To date, Localyze says it’s helped more than 2,000 people from over 100 countries relocate internationally. But it reckons that’s just the start.

“Relocation is becoming a benefit at some companies, and the overall number of people moving across borders during their working life is increasing drastically,” argues Asmussen.

Before COVID-19 hit and reconfigured so much of how we live, almost two million people relocated for work within Europe each year. But Localyze cites a PwC study on mobility in the global skilled workforce that suggests employee relocation is set to increase by 50% as we emerge from the pandemic.

“While the percentage of the global skilled workforce that is mobile — meaning that they work or worked abroad — is currently still very low, around 20% I think, it is expected to grow to up to 80% in the next decade,” she suggests. 

Localyze’s SaaS is designed to simplify and support staff relocations or cross-border hiring, offering digital tools to automate admin and case tracking, helping companies and employees navigate what can be complex, bureaucratic and even stressful immigration requirements.

“We developed a software that automates large parts of the relevant processes around global mobility,” explains Asmussen. “The core of our technology is a pipeline system that maps out all possibilities of how the employee can enter a country and matches the pipeline with the characteristics of that employee (e.g. nationality, family status or education). This guarantees that the employee gets all the relevant information throughout his/her process and that our case managers can focus on more individual questions.

“One big advantage of this pipeline system is that we built a no-code solution to manage it. Together with our CMS to edit the content of the steps, we are able to quickly expand the usability of our software to new countries and use cases.

“On the HR side our software helps to manage and track the process of all employees with the ease of mind that we notify them about changes or required actions. The HR manager can simply add a case, or transfer information over through our integration with their HRIS and we take it from there.”

Asmussen says the core of the platform is the automation of the paperwork with the startup supplementing that by providing a level of (human) support — in the form of case workers, who can field users’ questions and/or troubleshoot issues.

Case types its platform handles — such as obtaining a new visa, getting an extension etc — get broken down into a series of individual tasks that need to be carried out (and checked off), with the individual set of ‘dos’ determined by the characteristics of the person (origin, family, salary, etc.).

So essentially it’s built a decision tree with 30-50 variations per country, based on the specificity of each set of rules.

“The employee is seeing this as a personalized set of to do’s in her/his dashboard and can then go through them,” notes Asmussen, adding: “The case managers are there for questions and to give additional guidance when problems occur.

“Thanks to the automation engine, we can operate at 80% gross margin today.”

Localyze also offers a “pre-check” feature that gives companies the opportunity to get information on a case that’s being considered — such as showing information on applicable conditions like the salary limits associated with a role when it comes to the visa of a new hire and the timeline that may be involved — to make it easier for them to understand the complexity of a case. (Which may in turn help them make an informed decision on a start date for a particular hire.)

The startup says it’s been seeing growth rates hitting, on average, more than 30% month-on-month, as employer demand for its services accelerates.

The Series A funding will be used to capitalize on growing demand by expanding into new regions — with Localyze saying it will start by focusing on “major hubs” for international talent, in Ireland, Spain, Portugal, the Netherlands and the UK, so it can target more high-growth companies with offices across Europe.

Currently it has over 120 customers — and it’s expecting that to double by the end of the year.

It also predicts existing accounts will expand in value — with Asmussen saying it’s closing larger ACVs (annual contract value), and seeing existing accounts “grow strongly” over time. (It offers tiered pricing for the SaaS, based on usage.)

Europe remains the primary focus for its business currently — with all cases it supports entailing helping customers relocate staff to the region (“from all over the world”) and within Europe itself. 

“The predominant destinations are Germany, Ireland, Spain and the UK,” says Asmussen. “With the funding, we want to accelerate our expansion in the UK, Ireland, Netherlands, Portugal & Spain, besides our core market Germany. We’ve been operating in these markets for a while and now look at strengthening our go to market across Europe.”

She says Localyze’s 25-strong team will at least double by the end of the year, with the startup planning to hire across all teams — with a particular focus on expanding engineering and product to keep pace with the scaling business; and beefing up sales and customer support capacity to support its continued growth.  

On the competitor front, Asmussen names Estonia-headquartered Jobbatical as its closest rival for relocation support with the same digital focus.

She also points to Topia as providing some competing services — but says it has more of a focus on software for HR professionals and integrating partners vs Localyze providing both a HR and an employee portal plus the ‘glue’ of its “automation engine”.

Localyze also argues it differentiates vs “more traditional” relocation agencies (e.g. Cartus and Graebel), per Asmussen, because it offers “end-to-end support” in a fully digital form — giving users “full visibility and transparency at all times”, as she tells it, and helping to streamline and simplify processes in “what has previously been a complex and confusing space”.

Increased flexibility of work and mobility of the global workforce looks set to be one firm (and typically welcome) legacy of the pandemic — one which Localyze already had a handle on supporting, putting it in a strong position to scale its SaaS as demand steps up in the coming years.

Rising levels of employee mobility may, in turn, make subscribing to a software service that assists relocations and cross-border hiring more of a ‘must have’ than a ‘nice to have’ for more types of businesses — especially as competition for talent heats up given the rising opportunities of remote work.

“In 2021, companies will need to define how they are going to operate post-COVID-19, and many companies keep locations as part of their people strategy. Yet they try to offer more flexibility in terms of location choices, which in many cases results in the creation of different talent hubs and a mix of remote with in-person hubs/offices. This means increased operations across borders and more employee mobility, both long and short-term, because people will make use of these options,” Asmussen predicts. 

Commenting on the Series A in a statement, Blossom Capital’s Ophelia Brown added: “Access to the very best talent is a huge consideration for businesses of all sizes, but for high-growth enterprises, it’s absolutely crucial that nothing gets in the way of being able to tap into the skills and abilities of staff anywhere in Europe. Localyze removes all of these barriers. Instead of being bogged down by the costly and lengthy relocation processes, enterprises can concentrate on the job at hand and their employees can feel confident and secure that their relocation – often one of the biggest decisions they’ll have to make in their career – is dealt with efficiently and without a hitch.”


Dutch court will hear another Facebook privacy lawsuit

Privacy litigation that’s being brought against Facebook by two not-for-profits in the Netherlands can go ahead, an Amsterdam court has ruled. The case will be heard in October.

Since 2019, the Amsterdam-based Data Privacy Foundation (DPS) has been seeking to bring a case against Facebook over its rampant collection of Internet users’ data — arguing the company does not have a proper legal basis for the processing.

It has been joined in the action by the Dutch consumer protection not-for-profit, Consumentenbond.

The pair are seeking redress for Facebook users in the Netherlands for alleged violations of their privacy rights — both by suing for compensation for individuals; and calling for Facebook to end the privacy-hostile practices.

European Union law allows for collective redress across a number of areas, including data protection rights, enabling qualified entities to bring representative actions on behalf of rights holders. And the provision looks like an increasingly important tool for furthering privacy enforcement in the bloc, given how European data protection regulators have continued to lack uniform vigor in upholding rights set out in legislation such as the General Data Protection Regulation (which, despite coming into application in 2018, has yet to be seriously applied against platform giants like Facebook).

Returning to the Dutch litigation, Facebook denies any abuse and claims it respects user privacy and provides people with “meaningful control” over how their data gets exploited.

But it has fought the litigation by seeking to block it on procedural grounds — arguing for the suit to be tossed by claiming the DPS does not fit the criteria for bringing a privacy claim on behalf of others and that the Amsterdam court has no jurisdiction as its European business is subject to Irish, rather than Dutch, law.

However the Amsterdam District Court rejected its arguments, clearing the way for the litigation to proceed.

Contacted for comment on the ruling, a Facebook spokesperson told us:

“We are currently reviewing the Court’s decision. The ruling was about the procedural part of the case, not a finding on the merits of the action, and we will continue to defend our position in court. We care about our users in the Netherlands and protecting their privacy is important to us. We build products to help people connect with people and content they care about while honoring their privacy choices. Users have meaningful control over the data that they share on Facebook and we provide transparency around how their data is used. We also offer people tools to access, download, and delete their information and we are committed to the principles of GDPR.”

In a statement today, the Consumentenbond‘s director, Sandra Molenaar, described the ruling as “a big boost for the more than 10 million victims” of Facebook’s practices in the country.

“Facebook has tried to throw up all kinds of legal hurdles and to delay this case as much as possible but fortunately the company has not succeeded. Now we can really get to work and ensure that consumers get what they are entitled to,” she added in the written remarks (translated from Dutch with Google Translate).

In another supporting statement, Dick Bouma, chairman of DPS, added: “This is a nice and important first step for the court. The ruling shows that it pays to take a collective stand against tech giants that violate privacy rights.”

The two not-for-profits are urging Facebook users in the Netherlands to sign up to be part of the representative action (and potentially receive compensation) — saying more than 185,000 people have registered so far.

The suit argues that Facebook users are ‘paying’ for the ‘free’ service with their data — contending the tech giant does not have a valid legal basis to process people’s information because it has not provided users with comprehensive information about the data it is gathering from and on them, nor what it does with it.

So — in essence — the argument is that Facebook’s tracking and targeting is in breach of EU privacy law.

The legal challenge follows an earlier investigation (back in 2014) of Facebook’s business by the Dutch data protection authority which identified problems with its privacy policy and — in a 2017 report — found the company to be processing users’ data without their knowledge or consent.

However, since 2018, Europe’s GDPR has been in application and a ‘one-stop-shop’ mechanism baked into the regulation — to streamline the handling of cross-border cases — has meant complaints against Facebook have been funnelled through Ireland’s Data Protection Commission. The Irish DPC has yet to issue a single decision against Facebook despite receiving scores of complaints. (And it’s notable that ‘forced consent’ complaints were filed against Facebook the day GDPR began being applied — yet still remain undecided by Ireland.)

The GDPR’s enforcement bottleneck makes collective redress actions, such as this one in the Netherlands, a potentially important route for Europeans to get rights relief against powerful platforms which seek to shrink the risk of regulatory enforcement via forum shopping.

Although national rules — and courts’ interpretations of them — can vary. So the chance of litigation succeeding is not uniform.

In this case, the Amsterdam court allowed the suit to proceed on the grounds that the Facebook data subjects in question reside in the Netherlands.

It also took the view that a local Facebook corporate entity in the Netherlands is an establishment of Facebook Ireland, among other reasons for rejecting Facebook’s arguments.

How Facebook will seek to press a case against the substance of the Dutch privacy litigation remains to be seen. It may well have other procedural strategies up its sleeve.

The tech giant has used similar stalling tactics against far longer-running privacy litigation in Austria, for example.

In that case, brought by privacy campaigner Max Schrems and his not-for-profit noyb, Facebook has sought to claim that the GDPR’s consent requirements do not apply to its advertising business because it now includes “personalized advertising” in its T&Cs — and therefore has a ‘duty’ to provide privacy-hostile ads to users — seeking to bypass the GDPR by claiming it must process users’ data because it’s “necessary for the performance of a contract”, as noyb explains here.

A court in Vienna accepted this “GDPR consent bypass” sleight-of-hand, dealing a blow to European privacy campaigners.

But an appeal reached the Austrian Supreme Court in March — and a referral could be made to Europe’s top court.

If that happens it would then be up to the CJEU to weigh in on whether such a massive loophole in the EU’s flagship data protection framework should really be allowed to stand. But that process could still take over a year or longer.

In the short term, the result is yet more delay for Europeans trying to exercise their rights against platform giants and their in-house armies of lawyers.

In a more positive development for privacy rights, a recent ruling by the CJEU bolstered the case for data protection agencies across the EU to bring actions against tech giants if they see an urgent threat to users — and believe a lead supervisor is failing to act.

That ruling could help unblock some GDPR enforcement against the most powerful tech companies at the regulatory level, potentially reducing the blockages created by bottlenecks such as Ireland.

Facebook’s EU-to-US data flows are also now facing the possibility of a suspension order in a matter of months — related to another piece of litigation brought by Schrems which hinges on the conflict between EU fundamental rights and US surveillance law.

The CJEU weighed in on that last summer with a judgement that requires regulators like Ireland to act when user data is at risk. (And Germany’s federal data protection commissioner, for instance, has warned government bodies to shut their official Facebook pages ahead of planned enforcement action at the start of next year.)

So while Facebook has been spectacularly successful at kicking Europe’s privacy rights claims down the road, for well over a decade, its strategy of legal delay tactics to shield a privacy-hostile business model could finally hit a geopolitical brick wall.

The tech giant has sought to lobby against this threat to its business by suggesting it might switch off its service in Europe if the regulator follows through on a preliminary suspension order last year.

But it has also publicly denied it would actually follow through and close service in Europe.

How might Facebook actually comply if ordered to cut off EU data flows? Schrems has argued it may need to federate its service and store European users’ data inside the EU in order to comply with the eponymous Schrems II CJEU ruling.

Albeit, Facebook has certainly shown itself adept at exploiting the gaps between Europeans’ on-paper rights, national case law and the various EU and Member State institutions involved in oversight and enforcement as a tactic to defend its commercial priorities — playing different players and pushing agendas to further its business interests. So whether any single piece of EU privacy litigation will prove to be the silver bullet that forces a reboot of its privacy-hostile business model very much remains to be seen.

A perhaps more likely scenario is that each of these cases further erodes user trust in Facebook’s services — reducing people’s appetite to use its apps and expanding opportunities for rights-respecting competitors to poach custom by offering something better. 

 


German government bodies urged to remove their Facebook Pages before next year

Germany’s federal information commissioner has run out of patience with Facebook.

Last month, Ulrich Kelber wrote to government agencies “strongly recommend[ing]” that they close down their official Facebook Pages because of ongoing data protection compliance problems and the tech giant’s failure to fix the issue.

In the letter, Kelber warns the government bodies that he intends to start taking enforcement action from January 2022 — essentially giving them a deadline of next year to pull their pages from Facebook.

So expect not to see official Facebook Pages of German government bodies in the coming months.

While Kelber’s own agency, the BfDi, does not appear to have a Facebook Page (although Facebook’s algorithms appear to generate this artificial stub if you try searching for one) plenty of other German federal bodies do — such as the Ministry of Health, whose public page has more than 760,000 followers.

The only alternative to such pages vanishing from Facebook’s platform by Christmas — or else being ordered to be taken down early next year by Kelber — seems to be for the tech giant to make more substantial changes to how its platform operates than it has offered so far, allowing the Pages to be run in Germany in a way that complies with EU law.

However Facebook has a long history of ignoring privacy expectations and data protection laws.

It has also, very recently, shown itself more than willing to reduce the quality of information available to users — if doing so furthers its business interests (such as to lobby against a media code law, as users in Australia can attest).

So it looks rather more likely that German government agencies will be the ones having to quietly bow off the platform soon…

Kelber says he’s avoided taking action over the ministries’ Facebook Pages until now on account of the public bodies arguing that their Facebook Pages are an important way for them to reach citizens.

However his letter points out that government bodies must be “role models” in matters of legal compliance — and therefore have “a particular duty” to comply with data protection law. (The EDPS is taking a similar tack by reviewing EU institutions’ use of US cloud services giants.)

Per his assessment, an “addendum” provided by Facebook in 2019 does not rectify the compliance problem and he concludes that Facebook has made no changes to its data processing operations to enable Page operators to comply with requirements set out in the EU’s General Data Protection Regulation.

A ruling by Europe’s top court, back in June 2018, is especially relevant here — as it held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page.

That means that the operators of such pages also face data protection compliance obligations, and cannot simply assume that Facebook’s T&Cs provide them with legal cover for the data processing the tech giant undertakes.

The problem, in a nutshell, is that Facebook does not provide Page operators with enough information or assurances about how it processes users’ data — meaning they’re unable to comply with GDPR principles of accountability and transparency because, for example, they’re unable to adequately inform followers of their Facebook Page what is being done with their data.

There is also no way for Facebook Page operators to switch off (or otherwise block) wider processing of their Page followers by Facebook. Even if they don’t make use of any of the analytics features Facebook provides to Page operators.

The processing still happens.

This is because Facebook operates a take-it-or-leave it ‘data maximizing’ model — to feed its ad-targeting engines.

But it’s an approach that could backfire if it ends up permanently reducing the quality of the information available on its network because there’s a mass migration of key services off its platform. Such as, for example, if every government agency in the EU deleted its Facebook Page.

A related blog post on the BfDi’s website also holds out the hope that “data protection-compliant social networks” might develop in the Facebook compliance vacuum.

Certainly there could be a competitive opportunity for alternative platforms that seek to sell services based on respecting users’ rights.

The German Federal Ministry of Health’s verified Facebook Page (Screengrab: TechCrunch/Natasha Lomas)

Discussing the BfDi’s intervention, Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, told TechCrunch: “This development is strictly connected to recent CJEU case law on joint controllership. In particular, it takes into account the Wirtschaftsakademie ruling, which found that the administrator of a Facebook page should be considered a joint controller with Facebook in respect of processing the personal data of the visitors of the page.

“This does not mean that the page administrator and Facebook share equal responsibility for all stages of the data processing activities linked to the use of the Facebook page. However, they must have an agreement in place with a clear allocation of roles and responsibilities. According to the German Federal Commissioner for Data Protection and Freedom of Information, Facebook’s current data protection ‘Addendum’ would not seem to be sufficient to meet the latter requirement.”

“It is worth noting that, in its Fashion ID ruling, the CJEU has taken the view that the GDPR’s obligations for joint controllers are commensurate with those data processing stages in which they actually exercise control,” Tosoni added. “This means that the data protection obligations of a Facebook page administrator would normally tend to be quite limited.”

Warnings for other social media services

This particular compliance issue affects Facebook in Germany — and potentially any other EU market. But other social media services may face similar problems too.

For example, Kelber’s letter flags an ongoing audit of Instagram, TikTok and Clubhouse — warning of “deficits” in the level of data protection they offer too.

He goes on to recommend that agencies avoid using the three apps on business devices.  

In an earlier, 2019 assessment of government bodies’ use of social media services, the BfDi suggested usage of Twitter could — by contrast — be compliant with data protection rules. At least if privacy settings were fully enabled and analytics disabled, for example.

At the time the BfDi also warned that Facebook-owned Instagram faced similar compliance problems to Facebook, being subject to the same “abusive” approach to consent he said was taken by the whole group.

Reached for comment on Kelber’s latest recommendations to government agencies, Facebook did not engage with our specific questions — sending us this generic statement instead:

“At the end of 2019, we updated the Page Insights addendum and clarified the responsibilities of Facebook and Page administrators, for which we took questions regarding transparency of data processing into account. It is important to us that also federal agencies can use Facebook Pages to communicate with people on our platform in a privacy-compliant manner.”

An additional complication for Facebook has arisen in the wake of the legal uncertainty following last summer’s Schrems II ruling by the CJEU.

Europe’s top court invalidated the EU-US Privacy Shield arrangement, which had allowed companies to self-certify an adequate level of data protection, removing the easiest route for transferring EU users’ personal data over to the US. And while the court did not outlaw international transfers of EU users’ personal data altogether, it made it clear that data protection agencies must intervene and suspend data flows if they suspect information is being moved to a place, and in such a way, that it’s put at risk.

Following Schrems II, transfers to the US are clearly problematic where the data is being processed by a US company that’s subject to FISA 702, as is the case with Facebook.

Indeed, Facebook’s EU-to-US data transfers were the original target of the complainant in the Schrems II case (by the eponymous Max Schrems). And a decision remains pending on whether the tech giant’s lead EU data supervisor will follow through on a preliminary order last year that it should suspend its EU data flows — due in the coming months.

Even ahead of that long-anticipated reckoning in Ireland, other EU DPAs are now stepping in to take action — and Kelber’s letter references the Schrems II ruling as another issue of concern.

Tosoni agrees that GDPR enforcement is finally stepping up a gear. But he also suggested that compliance with the Schrems II ruling comes with plenty of nuance, given that each data flow must be assessed on a case by case basis — with a range of supplementary measures that controllers may be able to apply.

“This development also shows that European data protection authorities are getting serious about enforcing the GDPR data transfer requirements as interpreted by the CJEU in Schrems II, as the German Federal Commissioner for Data Protection and Freedom flagged this as another pain point,” he said.

“However, the German Federal Commissioner sent out his letter on the use of Facebook pages a few days before the EDPB adopted the final version of its recommendations on supplementary measures for international data transfers following the CJEU Schrems II ruling. Therefore, it remains to be seen how German data protection authorities will take these new recommendations into account in the context of their future assessment of the GDPR compliance of the use of Facebook pages by German public authorities.

“Such recommendations do not establish a blanket ban on data transfers to the US but impose the adoption of stringent safeguards, which will need to be followed to keep on transferring the data of German visitors of Facebook pages to the US.”

Another recent judgment by the CJEU reaffirmed that EU data protection agencies can, in certain circumstances, take action when they are not the lead data supervisor for a specific company under the GDPR’s one-stop-shop mechanism — expanding the possibility for litigation by watchdogs in Member States if a local agency believes there’s an urgent need to act.

Although, in the case of the German government bodies’ use of Facebook Pages, the earlier CJEU ruling on joint controllership means the BfDi already has clear jurisdiction to target these agencies’ Facebook Pages itself.

 


Northern Ireland Is Coming to an End

It might not even last another decade.


Gympass, the corporate wellness unicorn, raises a $220M series E

Gympass, the exercise and corporate wellness unicorn that originated in Brazil, today announced a $220 million Series E. The company has seen tremendous growth in the last few months, as more and more people are vaccinated and flocking back to the gym.

Gympass is like ClassPass, but on steroids. However, unlike ClassPass’ B2C model, Gympass partners with employers who then pay a flat fee for the platform (an app) which then allows their employees to choose from several wellbeing plans that give them access to myriad in-person gyms and studios, and a directory of health apps, such as Calm. The offerings are broken up into the following categories: physical health, emotional health, nutrition and sleep.

According to the company, in May, Gympass saw a record 4 million monthly check-ins across its network of more than 50,000 global partners. In fact, for some of the partners, usage hit above pre-COVID levels. 

Between increased anxiety rates and documented weight gain during the pandemic, it’s clear that people are eager to get active again with the hopes of improving their mental health and their waistlines.

Gympass is the brainchild of Cesar Carvalho, a former McKinsey & Company consultant in Brazil who was always on the road and yearned for a corporate wellness product that would comply with his hectic work schedule.

“Some days I worked from home, other days I worked from the office, and then there was the time I was traveling. I could never go to the gym in one place,” Carvalho told TechCrunch. “I realized that my needs were the same as others,” he said.

He decided to pursue his business idea while he was at Harvard Business School.

“I’m one of those crazy entrepreneurs that drops out of their MBA to start a company, but looking back now, it worked out okay,” he said, later telling TechCrunch that Gympass is now in Brazil, Mexico, Chile, Argentina, the U.S., Germany, Spain, Italy, Ireland, and the U.K. 

Since its launch in São Paulo in 2012, the company achieved product-market fit fairly quickly, and its growth and expansion have been largely organic.

Originally, Gympass was a B2C concept, and one of its first clients was an executive at PricewaterhouseCoopers in Brazil. He liked the product so much that he eventually said to Carvalho, “Can’t I communicate this to my 5000 employees in all the cities where we have offices in Brazil?” With that question – and offer – Carvalho saw the need to pivot and build a B2B company.

After only three years in Brazil, one of his biggest Brazilian clients asked Carvalho to expand to Mexico, because his company had a large presence there and he wanted to offer Gympass to its employees. And so follows most of the expansion stories.

“We expanded to Spain, because we worked with a Spanish bank in Mexico, and they wanted their employees in Spain to have access to our product,” he said.

This round, which doubles the company’s valuation to $2.2 billion, includes participation from SoftBank, General Atlantic, More Strategic Ventures, Kaszek Ventures and Valor. Carvalho plans to use the money to grow the company in the U.S., expand its offerings, and work on making the tech smarter. 

“We want [the app] to be able to recommend the best partners for your complete well-being journey based on your workout patterns, for example: ‘This is the best meditation app for you to use with your workout profile,’” Carvalho said.

 


Graham Norton Comes Around

The Irish entertainer is known for his freewheeling talk show, but in his novel “Home Stretch” he explores what it’s like for a gay man to return to his home and find both it and himself wholly transformed.


Adtech ‘data breach’ GDPR complaint is headed to court in EU

New York-based IAB Tech Labs, a standards body for the digital advertising industry, is being taken to court in Germany by the Irish Council for Civil Liberties (ICCL) in a piece of privacy litigation that’s targeted at the high speed online ad auction process known as real-time bidding (RTB).

While that may sound pretty obscure, the case essentially loops in the entire ‘data industrial complex’ of adtech players, large and small, which make money by profiling Internet users and selling access to their attention — from giants like Google and Facebook to other household names (the ICCL’s PR also name-checks Amazon, AT&T, Twitter and Verizon, the latter being the parent company of TechCrunch — presumably because all participate in online ad auctions that can use RTB); as well as the smaller (typically non-household name) adtech entities and data brokers which are also involved in handling people’s data to run high velocity background auctions that target behavioral ads at web users.

The driving force behind the lawsuit is Dr Johnny Ryan, a former adtech insider turned whistleblower who’s now a senior fellow at the ICCL — and who has dubbed RTB the biggest data breach of all time.

He points to the IAB Tech Lab’s audience taxonomy documents which provide codes for what can be extremely sensitive information that’s being gathered about Internet users, based on their browsing activity, such as political affiliation, medical conditions, household income, or even whether they may be a parent to a special needs child.

The lawsuit contends that other industry documents vis-a-vis the ad auction system confirm there are no technical measures to limit what companies can do with people’s data, nor who they might pass it on to.

The lack of security inherent to the RTB process also means other entities not directly involved in the adtech bidding chain could potentially intercept people’s information — when it should, on the contrary, be being protected from unauthorized access, per EU law…

Ryan and others have been filing formal complaints against the RTB security issue for years, arguing the system breaches a core principle of Europe’s General Data Protection Regulation (GDPR) — which requires that personal data be “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing and against accidental loss” — and which, they contend, simply isn’t possible given how RTB functions.

The problem is that Europe’s data protection agencies have failed to act. Which is why Ryan, via the ICCL, has decided to take the more direct route of filing a lawsuit.

“There aren’t many DPAs around the union that haven’t received evidence of what I think is the biggest data breach of all time but it started with the UK and Ireland — neither of which took, I think it’s fair to say, any action. They both said they were doing things but nothing has changed,” he tells TechCrunch, explaining why he’s decided to take the step of litigating.

“I want to take the most efficient route to protecting people’s rights around data,” he adds.

Per Ryan, the Irish Data Protection Commission (DPC) has still not sent a statement of issues relating to the RTB complaint he lodged with them back in 2018 — so years later. In May 2019 the DPC did announce it was opening a formal investigation into Google’s adtech, following the RTB complaints, but the case remains open and unresolved. (We’ve contacted the DPC with questions about its progress on the investigation and will update with any response.)

Since the GDPR came into application in Europe in May 2018 there has been growth in privacy lawsuits — including class action style suits — so litigation funders may be spying an opportunity to cash in on the growing enforcement gap left by resource-strapped and, well, risk-averse data protection regulators.

A similar complaint about RTB lodged with the UK’s Information Commissioner’s Office (ICO) also led to a lawsuit being filed last year — albeit in that case it was against the watchdog itself for failing to take any action. (The ICO’s last missive to the adtech industry told it to — uhhhh — expect audits.)

“The GDPR was supposed to create a situation where the average person does not need to wear a tin-foil hat, they do not need to be paranoid or take action to become well informed. Instead, supervisory authorities protect them. And these supervisory authorities — paid for by the tax payer — have very strong powers. They can gain admission to any documents and any premises. It’s not about fines I don’t think, just. They can tell the biggest most powerful companies in the world to stop doing what they’re doing with our data. That’s the ultimate power,” says Ryan. “So GDPR sets up these guardians — these potentially very empowered guardians — but they’ve not used those powers… That’s why we’re acting.”

“I do wish that I’d litigated years ago,” he adds. “There’s lots of reasons why I didn’t do that — I do wish, though, that this litigation was unnecessary because supervisory authorities protected me and you. But they didn’t. So now, as Irish politics like to say in the middle of a crisis, we are where we are. But this is — hopefully — several nails in the coffin [of RTB’s use of personal data].”

The lawsuit has been filed in Germany as Ryan says they’ve been able to establish that IAB Tech Labs — which is NY-based and has no official establishment in Europe — has representation (a consultancy it hired) that’s based in the country. Hence they believe there is a clear route to litigate the case at the Landgerichte, Hamburg.

While Ryan has been indefatigably sounding the alarm about RTB for years, he’s prepared to clock up more mileage going direct through the courts to see the matter through.

And to keep hammering home his message to the adtech industry that it must clean up its act and that recent attempts to maintain the privacy-hostile status quo — by trying to rebrand and repackage the same old data shuffle under shiny new claims of ‘privacy’ and ‘responsibility’ — simply won’t wash. So the message is really: Reform or die.

“This may very well end up at the ECJ [European Court of Justice]. And that would take a few years but long before this ends up at the ECJ I think it’ll be clear to the industry now that it’s time to reform,” he adds.

IAB Tech Labs has been contacted for comment on the ICCL’s lawsuit.

Ryan is by no means the only person sounding the alarm over adtech. Last year the European Parliament called for tighter controls on behavioral ads to be baked into reforms of the region’s digital rules — calling for regulation to favor less intrusive, contextual forms of advertising which do not rely on mass surveillance of Internet users.

While even Google has said it wants to deprecate support for tracking cookies in favor of a new stack of technology proposals that it dubs ‘Privacy Sandbox’ (although its proposed alternative — targeting groups of Internet users based on interests derived from tracking their browsing habits — has been criticized as potentially amplifying problems of predatory and exploitative ad targeting, so may not represent a truly clean break with the rights-hostile adtech status quo).

The IAB is also facing another major privacy law challenge in Europe — where complaints against a widely used framework it designed for websites to obtain Internet users’ consent to being tracked for ads online led to scrutiny by Belgium’s data protection agency.

Last year its investigatory division found that the IAB Europe’s Transparency and Consent Framework (TCF) fails to meet the required standards of data protection under the GDPR.

The case went in front of the litigation chamber last week. A verdict — and any enforcement action by the Belgian DPA over the IAB Europe’s TCF — remains pending.
