Online platforms need a super regulator and public interest tests for mergers, says UK parliament report

The latest policy recommendations for regulating powerful Internet platforms comes from a U.K. House of Lord committee that’s calling for an overarching digital regulator to be set up to plug gaps in domestic legislation and work through any overlaps of rules.

“The digital world does not merely require more regulation but a different approach to regulation,” the committee writes in a report published on Saturday, saying the government has responded to “growing public concern” in a piecemeal fashion, whereas “a new framework for regulatory action is needed”.

It suggests a new body — which it’s dubbed the Digital Authority — be established to “instruct and coordinate regulators”.

“The Digital Authority would have the remit to continually assess regulation in the digital world and make recommendations on where additional powers are necessary to fill gaps,” the committee writes, saying that it would also “bring together non-statutory organisations with duties in this area” — so presumably bodies such as the recently created Centre for Data Ethics and Innovation (which is intended to advise the UK government on how it can harness technologies like AI for the public good).

The committee report sets out ten principles that it says the Digital Authority should use to “shape and frame” all Internet regulation — and develop a “comprehensive and holistic strategy” for regulating digital services.

These principles (listed below) read, rather unfortunately, like a list of big tech failures. Perhaps especially given Facebook founder Mark Zuckerberg’s repeat refusal to testify before another UK parliamentary committee last year. (Leading to another highly critical report.)

  • Parity: the same level of protection must be provided online as offline
  • Accountability: processes must be in place to ensure individuals and organisations are held to account for their actions and policies
  • Transparency: powerful businesses and organisations operating in the digital world must be open to scrutiny
  • Openness: the internet must remain open to innovation and competition
  • Privacy: to protect the privacy of individuals
  • Ethical design: services must act in the interests of users and society
  • Recognition of childhood: to protect the most vulnerable users of the internet
  • Respect for human rights and equality: to safeguard the freedoms of expression and information online
  • Education and awareness-raising: to enable people to navigate the digital world safely
  • Democratic accountability, proportionality and evidence-based approach

“Principles should guide the development of online services at every stage,” the committee urges, calling for greater transparency at the point data is collected; greater user choice over which data are taken; and greater transparency around data use — “including the use of algorithms”.

So, in other words, a reversal of the ‘opt-out if you want any privacy’ approach to settings that’s generally favored by tech giants — even as it’s being challenged by complaints filed under Europe’s GDPR.

The UK government is due to put out a policy White Paper on regulating online harms this winter. But the Lords Communications Committee suggests the government’s focus is too narrow, calling also for regulation that can intervene to address how “the digital world has become dominated by a small number of very large companies”.

“These companies enjoy a substantial advantage, operating with an unprecedented knowledge of users and other businesses,” it warns. “Without intervention the largest tech companies are likely to gain more control of technologies which disseminate media content, extract data from the home and individuals or make decisions affecting people’s lives.”

The committee recommends public interest tests should therefore be applied to potential acquisitions when tech giants move in to snap up startups, warning that current competition law is struggling to keep pace with the ‘winner takes all’ dynamic of digital markets and their network effects.

“The largest tech companies can buy start-up companies before they can become competitive,” it writes. “Responses based on competition law struggle to keep pace with digital markets and often take place only once irreversible damage is done. We recommend that the consumer welfare test needs to be broadened and a public interest test should be applied to data-driven mergers.”

Market concentration also means a small number of companies have “great power in society and act as gatekeepers to the internet”, it also warns, suggesting that while greater use of data portability can help, “more interoperability” is required for the measure to make an effective remedy.

The committee also examined online platforms’ current legal liabilities around content, and recommends beefing these up too — saying self-regulation is failing and calling out social media sites’ moderation processes specifically as “unacceptably opaque and slow”.

High level political pressure in the UK recently led to a major Instagram policy change around censoring content that promotes suicide — though the shift was triggered after a public outcry related to the suicide of a young schoolgirl who had been exposed to pro-suicide content on Instagram years before.

Like other UK committees and government advisors, the Lords committee wants online services which host user-generated content to be subject to a statutory duty of care — with a special focus on children and “the vulnerable in society”.

“The duty of care should ensure that providers take account of safety in designing their services to prevent harm. This should include providing appropriate moderation processes to handle complaints about content,” it writes, recommending telecoms regulator Ofcom is given responsibility for enforcement.

“Public opinion is growing increasingly intolerant of the abuses which big tech companies have failed to eliminate,” it adds. “We hope that the industry will welcome our 10 principles and their potential to help restore trust in the services they provide. It is in the industry’s own long-term interest to work constructively with policy-makers. If they fail to do so, they run the risk of further action being taken.”

Let’s block ads! (Why?)

Link to original source

The other smartphone business

With the smartphone operating system market sewn up by Google’s Android platform, which has a close to 90% share globally, leaving Apple’s iOS a slender (but lucrative) premium top-slice, a little company called Jolla and its Linux-based Sailfish OS is a rare sight indeed: A self-styled ‘independent alternative’ that’s still somehow in business.

The Finnish startup’s b2b licensing sales pitch is intended to appeal to corporates and governments that want to be able to control their own destiny where device software is concerned.

And in a world increasingly riven with geopolitical tensions that pitch is starting to look rather prescient.

Political uncertainties around trade, high tech espionage risks and data privacy are translating into “opportunities” for the independent platform player — and helping to put wind in Jolla’s sails long after the plucky Sailfish team quit their day jobs for startup life.

Building an alternative to Google Android

Jolla was founded back in 2011 by a band of Nokia staffers who left the company determined to carry on development of mobile Linux as the European tech giant abandoned its own experiments in favor of pivoting to Microsoft’s Windows Phone platform. (Fatally, as it would turn out.)

Nokia exited mobile entirely in 2013, selling the division to Microsoft. It only returned to the smartphone market in 2017, via a brand-licensing arrangement, offering made-in-China handsets running — you guessed it — Google’s Android OS.

If the lesson of the Jolla founders’ former employer is ‘resistance to Google is futile’ they weren’t about to swallow that. The Finns had other ideas.

Indeed, Jolla’s indie vision for Sailfish OS is to support a whole shoal of differently branded, regionally flavored and independently minded (non-Google-led) ecosystems all swimming around in parallel. Though getting there means not just surviving but thriving — and doing so in spite of the market being so thoroughly dominated by the U.S. tech giant.

TechCrunch spoke to Jolla ahead of this year’s Mobile World Congress tradeshow where co-founder and CEO, Sami Pienimäki, was taking meetings on the sidelines. He told us his hope is for Jolla to have a partner booth of its own next year — touting, in truly modest Finnish fashion, an MWC calendar “maybe fuller than ever” with meetings with “all sorts of entities and governmental representatives”.

Jolla co-founder, Sami Pienimaki, showing off a Jolla-branded handset in May 2013, back when the company was trying to attack the consumer smartphone space. 
(Photo credit: KIMMO MANTYLA/AFP/Getty Images)

Even a modestly upbeat tone signals major progress here because an alternative smartphone platform licensing business is — to put it equally mildly — an incredibly difficult tech business furrow to plough.

Jolla almost died at the end of 2015 when the company hit a funding crisis. But the plucky Finns kept paddling, jettisoning their early pursuit of consumer hardware (Pienimäki describes attempting to openly compete with Google in the consumer smartphone space as essentially “suicidal” at this point) to narrow their focus to a b2b licensing play.

The early b2b salespitch targeted BRIC markets, with Jolla hitting the road to seek buy in for a platform it said could be moulded to corporate or government needs while still retaining the option of Android app compatibility.

Then in late 2016 signs of a breakthrough: Sailfish gained certification in Russia for government and corporate use.

Its licensing partner in the Russian market was soon touting the ability to go “absolutely Google-free!“.

Buy in from Russia

Since then the platform has gained the backing of Russian telco Rostelecom, which acquired Jolla’s local licensing customer last year (as well as becoming a strategic investor in Jolla itself in March 2018 — “to ensure there is a mutual interest to drive the global Sailfish OS agenda”, as Pienimäki puts it).

Rostelecom is using the brand name ‘Aurora OS‘ for Sailfish in the market which Pienimäki says is “exactly our strategy” — likening it to how Google’s Android has been skinned with different user experiences by major OEMs such as Samsung and Huawei.

“What we offer for our customers is a fully independent, regional licence and a tool chain so that they can develop exactly this kind of solution,” he tells TechCrunch. “We have come to a maturity point together with Rostelecom in the Russia market, and it was natural move plan together, that they will take a local identity and proudly carry forward the Sailfish OS ecosystem development in Russia under their local identity.”

“It’s fully compatible with Sailfish operating system, it’s based on Sailfish OS and it’s our joint interest, of course, to make it fly,” he adds. “So that as we, hopefully, are able to extend this and come out to public with other similar set-ups in different countries those of course — eventually, if they come to such a fruition and maturity — will then likely as well have their own identities but still remain compatible with the global Sailfish OS.”

Jolla says the Russian government plans to switch all circa 8M state officials to the platform by the end of 2021 — under a project expected to cost RUB 160.2 billion (~$2.4BN). (A cut of which will go to Jolla in licensing fees.)

It also says Sailfish-powered smartphones will be “recommended to municipal administrations of various levels,” with the Russian state planning to allocate a further RUB 71.3 billion (~$1.1BN) from the federal budget for that. So there’s scope for deepening the state’s Sailfish uptake.

Russian Post is one early customer for Jolla’s locally licensed Sailfish flavor. Having piloted devices last year, Pienimäki says it’s now moving to a full commercial deployment across the whole organization — which has around 300,000 employees (to give a sense of how many Sailfish powered devices could end up in the hands of state postal workers in Russia).

A rugged Sailfish-powered device piloted by Russian post

Jolla is not yet breaking out end users for Sailfish OS per market but Pienimäki says that overall the company is now “clearly above” 100k (and below 500k) devices globally.

That’s still of course a fantastically tiny number if you compare it to the consumer devices market — top ranked Android smartphone maker Samsung sold around 70M handsets in last year’s holiday quarter, for instance — but Jolla is in the b2b OS licensing business, not the handset making business. So it doesn’t need hundreds of millions of Sailfish devices to ship annually to turn a profit.

Scaling a royalty licensing business to hundreds of thousands of users is sums to “good business”, , says Pienimäki, describing Jolla’s business model for Sailfish as “practically a royalty per device”.

“The success we have had in the Russian market has populated us a lot of interesting new opening elsewhere around the world,” he continues. “This experience and all the technology we have built together with Open Mobile Platform [Jolla’s Sailfish licensing partner in Russia which was acquired by Rostelecom] to enable that case — that enables a number of other cases. The deployment plan that Rostelecom has for this is very big. And this is now really happening and we are happy about it.”

Jolla’s “Russia operation” is now beginning “a mass deployment phase”, he adds, predicting it will “quickly ramp up the volume to very sizeable”. So Sailfish is poised to scale.

Step 3… profit?

While Jolla is still yet to turn a full-year profit Pienimäki says several standalone months of 2018 were profitable, and he’s no longer worried whether the business is sustainable — asserting: “We don’t have any more financial obstacles or threats anymore.”

It’s quite the turnaround of fortunes, given Jolla’s near-death experience a few years ago when it almost ran out of money, after failing to close a $10.6M Series C round, and had to let go of half its staff.

It did manage to claw in a little funding at the end of 2015 to keep going, albeit as much leaner fish. But bagging Russia as an early adopter of its ‘independent’ mobile Linux ecosystem looks to have been the key tipping point for Jolla to be able to deliver on the hard-graft ecosystem-building work it’s been doing all along the way. And Pienimäki now expresses easy confidence that profitability will flow “fairly quickly” from here on in.

“It’s not an easy road. It takes time,” he says of the ecosystem-building company Jolla hard-pivoted to at its point of acute financial distress. “The development of this kind of business — it requires patience and negotiation times, and setting up the ecosystem and ecosystem partners. It really requires patience and takes a lot of time. And now we have come to this point where actually there starts to be an ecosystem which will then extend and start to carry its own identity as well.”

In further signs of Jolla’s growing confidence he says it hired more than ten people last year and moved to new and slightly more spacious offices — a reflection of the business expanding.

“It’s looking very good and nice for us,” Pienimäki continues. “Let’s say we are not taking too much pressure, with our investors and board, that what is the day that we are profitable. It’s not so important anymore… It’s clear that that is soon coming — that very day. But at the same time the most important is that the business case behind is proven and it is under aggressive deployment by our customers.”

The main focus for the moment is on supporting deployments to ramp up in Russia, he says, emphasizing: “That’s where we have to focus.” (Literally he says “not screwing up” — and with so much at stake you can see why nailing the Russia case is Jolla’s top priority.)

While the Russian state has been the entity most keen to embrace an alternative (non-U.S.-led) mobile OS — perhaps unsurprisingly — it’s not the only place in the world where Jolla has irons in the fire.

Another licensing partner, Bolivian IT services company Jalasoft, has co-developed a Sailfish-powered smartphone called Accione.

Jalasoft’s ‘liberty’-touting Accione Sailfish smartphone

It slates the handset on its website as being “designed for Latinos by Latinos”. “The digitalization of the economy is inevitable and, if we do not control the foundation of this digitalization, we have no future,” it adds.

Jalasoft founder and CEO Jorge Lopez says the company’s decision to invest effort in kicking the tyres of Jolla’s alternative mobile ecosystem is about gaining control — or seeking “technological libration” as the website blurb puts it.

“With Sailfish OS we have control of the implementation, while with Android it is the opposite,” Lopez tells TechCrunch. “We are working on developing smart buildings and we need a private OS that is not Android or iOS. This is mainly because our product will allow the end user to control the whole building and doing this with Android or iOS a hackable OS will bring concerns on security.”

Lopez says Jalasoft is using Accione as its development platform — “to gather customer feedback and to further develop our solution” — so the project clearly remains in an early phase, and he says that no more devices are likely to be announced this year.

But Jolla can point to more seeds being sewn with the potential, with work, determination and patience, to sprout into another sizeable crop of Sailfish-powered devices down the line.

Complexity in China

Even more ambitiously Jolla is also targeting China, where investment has been taken in to form a local consortium to develop a Chinese Sailfish ecosystem.

Although Pienimäki cautions there’s still much work to be done to bring Sailfish to market in China.

“We completed a major pilot with our licensing customer, Sailfish China Consortium, in 2017-18,” he says, giving an update on progress to date. “The public in market solution is not there yet. That is something that we are working together with the customer — hopefully we can see it later this year on the market. But these things take time. And let’s say that we’ve been somewhat surprised at how complex this kind of decision-making can be.”

“It wasn’t easy in Russia — it took three years of tight collaboration together with our Russian partners to find a way. But somehow it feels that it’s going to take even more in China. And I’m not necessarily talking about calendar time — but complexity,” he adds.

While there’s no guarantee of success for Jolla in China, the potential win is so big given the size of the market that even if they can only carve out a tiny slice, such as a business or corporate sector, it’s still worth going after. And he points to the existence of a couple of native mobile Linux operating systems he reckons could make “very lucrative partners”.

That said, the get-to-market challenge for Jolla in China is clearly distinctly different vs the rest of the world. This is because Android has developed into an independent (i.e. rather than Google-led) ecosystem in China as a result of state restrictions on the Internet and Internet companies. So the question is what could Sailfish offer that forked Android doesn’t already?

An Oppo Android powered smartphone on show at MWC 2017

Again, Jolla is taking the long view that ultimately there will be appetite — and perhaps also state-led push — for a technology platform bolster against political uncertainty in U.S.-China relations.

“What has happened now, in particular last year, is — because of the open trade war between the nations — many of the technology vendors, and also I would say the Chinese government, has started to gradually tighten their perspective on the fact that ‘hey simply it cannot be a long term strategy to just keep forking Android’. Because in the end of the day it’s somebody else’s asset. So this is something that truly creates us the opportunity,” he suggests.

“Openly competing with the fact that there are very successful Android forks in China, that’s going to be extremely difficult. But — let’s say — tapping into the fact that there are powers in that nation that wish that there would be something else than forking Android, combined with the fact that there is already something homegrown in China which is not forking Android — I think that’s the recipe that can be successful.”

Not all Jolla’s Sailfish bets have paid off, of course. An earlier foray by an Indian licensing partner into the consumer handset market petered out. Albeit, it does reinforce their decision to zero in on government and corporate licensing.

“We got excellent business connections,” says Pienimäki of India, suggesting also that it’s still a ‘watch this space’ for Jolla. The company has a “second move” in train in the market that he’s hopeful to be talking about publicly later this year.

It’s also pitching Sailfish in Africa. And in markets where target customers might not have their own extensive in-house IT capability to plug into Sailfish co-development work Pienimäki says it’s offering a full solution — “a ready made package”, together with partners, including device management, VPN, secure messaging and secure email — which he argues “can be still very lucrative business cases”.

Looking ahead and beyond mobile, Pienimäki suggests the automotive industry could be an interesting target for Sailfish in the future — though not literally plugging the platform into cars; but rather licensing its technologies where appropriate — arguing car makers are also keen to control the tech that’s going into their cars.

“They really want to make sure that they own the cockpit. It’s their property, it’s their brand and they want to own it — and for a reason,” he suggests, pointing to the clutch of major investments from car companies in startups and technologies in recent years.

“This is definitely an interesting area. We are not directly there ourself — and we are not capable to extend ourself there but we are discussing with partners who are in that very business whether they could utilize our technologies there. That would then be more or less like a technology licensing arrangement.”

A trust balancing model

While Jolla looks to be approaching a tipping point as a business, in terms of being able to profit off of licensing an alternative mobile platform, it remains a tiny and some might say inconsequential player on the global mobile stage.

Yet its focus on building and maintaining trusted management and technology architectures also looks timely — again, given how geopolitical spats are intervening to disrupt technology business as usual.

Chinese giant Huawei used an MWC keynote speech last month to reject U.S.-led allegations that its 5G networking technology could be repurposed as a spying tool by the Chinese state. And just this week it opened a cybersecurity transparency center in Brussels, to try to bolster trust in its kit and services — urging industry players to work together on agreeing standards and structures that everyone can trust.

In recent years U.S.-led suspicions attached to Russia have also caused major headaches for security veteran Kaspersky — leading the company to announce its own trust and transparency program and decentralize some of its infrastructure, including by spinning up servers in Europe last year.

Businesses finding ways to maintain and deepen the digital economy in spite of a little — or even a lot — of cross-border mistrust may well prove to be the biggest technology challenge of all moving forward.

Especially as next-gen 5G networks get rolled out — and their touted ‘intelligent connectivity’ reaches out to transform many more types of industries, bringing new risks and regulatory complexity.

The geopolitical problem linked to all this boils down to how to trust increasing complex technologies without any one entity being able to own and control all the pieces. And Jolla’s business looks interesting in light of that because it’s selling the promise of neutral independence to all its customers, wherever they hail from — be it Russia, LatAm, China, Africa or elsewhere — which makes its ability to secure customer trust not just important but vital to its success.

Indeed, you could argue its customers are likely to rank above average on the ‘paranoid’ scale, given their dedicated search for an alternative (non-U.S.-led) mobile OS in the first place.

“It’s one of the number one questions we get,” admits Pienimäki, discussing Jolla’s trust balancing act — aka how it manages and maintains confidence in Sailfish’s independence, even as it takes business backing and code contributions from a state like Russia.

“We tell about our reference case in Russia and people quickly ask ‘hey okay, how can I trust that there is no blackbox inside’,” he continues, adding: “This is exactly the core question and this is exactly the problem we have been able to build a solution for.”

Jolla’s solution sums to one line: “We create a transparent platform and on top of fully transparent platform you can create secure solutions,” as Pienimäki puts it.

“The way it goes is that Jolla with Sailfish OS is always offering the transparent Sailfish operating system core, on source code level, all the time live, available for all the customers. So all the customers constantly, in real-time, have access to our source code. Most of it’s in public open source, and the proprietary parts are also constantly available from our internal infrastructure. For all the customers, at the same time in real-time,” he says, fleshing out how it keeps customers on board with a continually co-developing software platform.

“The contributions we take from these customers are always on source code level only. We don’t take any binary blobs inside our software. We take only source code level contributions which we ourselves authorize, integrate and then we make available for all the customers at the very same moment. So that loopback in a way creates us the transparency.

“So if you want to be suspicion of the contributions of the other guys, so to say, you can always read it on the source code. It’s real-time. Always available for all the customers at the same time. That’s the model we have created.”

“It’s honestly quite a unique model,” he adds. “Nobody is really offering such a co-development model in the operating system business.

“Practically how Android works is that Google, who’s leading the Android development, makes the next release of Android software, then releases it under Android Open Source and then people start to backboard it — so that’s like ‘source, open’ in a way, not ‘open source’.”

Sailfish’s community of users also have real-time access to and visibility of all the contributions — which he dubs “real democracy”.

“People can actually follow it from the code-line all the time,” he argues. “This is really the core of our existence and how we can offer it to Russia and other countries without creating like suspicion elements each side. And that is very important.

“That is the only way we can continue and extend this regional licensing and we can offer it independently from Finland and from our own company.”

With global trade and technology both looking increasingly vulnerable to cross-border mistrust, Jolla’s approach to collaborative transparency may offer something of a model if other businesses and industries find they need to adapt themselves  in order for trade and innovation to keep moving forward in uncertain political times.

Antitrust and privacy uplift

Last but not least there’s regulatory intervention to consider.

A European Commission antitrust decision against Google’s Android platform last year caused headlines around the world when the company was slapped with a $5BN fine.

More importantly for Android rivals Google was also ordered to change its practices — leading to amended licensing terms for the platform in Europe last fall. And Pienimäki says Jolla was a “key contributor” to the Commission case against Android.

European competition commissioner Margrethe Vestager, on April 15, 2015 in Brussels, as the Commission said it would open an antitrust investigation into Google’s Android operating system. (Photo credit: JOHN THYS/AFP/Getty Images)

The new Android licensing terms make it (at least theoretically) possible for new types of less-heavily-Google-flavored Android devices to be developed for Europe. Though there have been complaints the licensing tweaks don’t go far enough to reset Google’s competitive Android advantage.

Asked whether Jolla has seen any positive impacts on its business following the Commission’s antitrust decision, Pienimäki responds positively, recounting how — “one or two weeks after the ruling” — Jolla received an inbound enquiry from a company in France that had felt hamstrung by Google requiring its services to be bundled with Android but was now hoping “to realize a project in a special sector”.

The company, which he isn’t disclosing at this stage, is interested in “using Sailfish and then having selected Android applications running in Sailfish but no connection with the Google services”.

“We’ve been there for five years helping the European Union authorities [to build the case] and explain how difficult it is to create competitive solutions in the smartphone market in general,” he continues. “Be it consumer or be it anything else. That’s definitely important for us and I don’t see this at all limited to the consumer sector. The very same thing has been a problem for corporate clients, for companies who provide specialized mobile device solutions for different kind of corporations and even governments.”

While he couches the Android ruling as a “very important” moment for Jolla’s business last year, he also says he hopes the Commission will intervene further to level the smartphone playing field.

“What I’m after here, and what I would really love to see, is that within the European Union we utilize Linux-based, open platform solution which is made in Europe,” he says. “That’s why we’ve been pushing this [antitrust action]. This is part of that. But in bigger scheme this is very good.”

He is also very happy with Europe’s General Data Protection Regulation (GDPR) — which came into force last May, plugging in a long overdue update to the bloc’s privacy rules with a much beefed up enforcement regime.

GDPR has been good for Jolla’s business, according to Pienimäki, who says interest is flowing its way from customers who now perceive a risk to using Android if customer data flows outside Europe and they cannot guarantee adequate privacy protections are in place.

“Already last spring… we have had plenty of different customer discussions with European companies who are really afraid that ‘hey I cannot offer this solution to my government or to my corporate customer in my country because I cannot guarantee if I use Android that this data doesn’t go outside the European Union’,” he says.

“You can’t indemnify in a way that. And that’s been really good for us as well.”

Let’s block ads! (Why?)

Link to original source

Cookie walls don’t comply with GDPR, says Dutch DPA

Cookie walls that demand a website visitor agrees to their Internet browsing being tracked for ad-targeting as the ‘price’ of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.

The DPA said it has received dozens of complaints from Internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.

It also says it will be stepping up monitoring, adding that it has written to the most complained about organizations (without naming any names) — instructing them to make changes to ensure they come into compliance with GDPR.

Europe’s General Data Protection Regulation, which came into force last May, tightens the rules around consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law.

Of course consent is not the only legal basis for processing personal data but many websites do rely on asking Internet visitors for consent to ad cookies as they arrive.

And the Dutch DPA’s guidance makes it clear Internet visitors must be asked for permission in advance for any tracking software to be placed — such as third party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

So, in other words, a ‘data for access’ cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)

“This is not for nothing; website visitors must be able to trust that their personal data are properly protected,” it further writes in a clarification published on its website [translated via Google Translate].

“There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free,” it adds.

We reached out to the DPA with questions. A spokesperson told us it can’t comment on any individual complaints, but added: “Cookie walls are non-compliant with the principles of consent of the GDPR. Which means that any party with a cookie wall on their website has to be compliant ASAP, whether or not we will check that in a couple of months, which we certainly will do.”

In light of this ruling clarification, the cookie wall on the Internet Advertising Bureau (IAB)’s European site (screengrabbed below) looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses (site functional cookies; site analytical cookies; and third party advertising cookies) under a single ‘I agree’ option.

It does not offer visitors any opt-outs at all. (Not even under the ‘More info’ or privacy policy options pictured below).

If the user does not click ‘I agree’ they cannot gain access to the IAB’s website. So there’s no free choice here. It’s agree or leave.

Clicking ‘More info’ brings up additional information about the purposes the IAB uses cookies for — where it states it is not using collected information to create “visitor profiles”.

However it notes it is using Google products, and explains that some of these use cookies that may collect visitors’ information for advertising — thereby bundling ad tracking into the provision of its website ‘service’.

Again the only ‘choice’ offered to site visitors is ‘I agree’ or to leave without gaining access to the website. Which means it’s not a free choice.

The IAB told us no data protection agencies had been in touch regarding its cookie wall.

Asked whether it intends to amend the cookie wall in light of the Dutch DPA’s guidance a spokeswoman said she wasn’t sure what the team planned to do yet — but she claimed GDPR does not “outright prohibit making access to a service conditional upon consent”; pointing also to the (2002) ePrivacy Directive which she claimed applies here, saying it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies”.

So the IAB’s position appears to be that the ePrivacy Directive trumps GDPR on this issue.

Though it’s not clear how they’ve arrived at that conclusion. (The fifteen+ year old ePrivacy Directive is also in the process of being updated — while the flagship GDPR only came into force last year.)

The portion of the ePrivacy Directive that the IAB appears to be referring to is recital 25 — which includes the following line:

Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

However “specific website content” is hardly the same as full site access, i.e. as is entirely blocked by their cookie wall.

The “legitimate purpose” point in the recital also provides a second caveat vis-a-vis making access conditional on accepting cookies — and the recital text includes an example of “facilita[ting] the provision of information society services” as such a legitimate purpose.

What are “information society services”? An earlier European directive defines this legal term as services that are “provided at a distance, electronically and at the individual request of a recipient” [emphasis ours] — suggesting it refers to Internet content that the user actually intends to access (i.e. the website itself), rather than ads that track them behind the scenes as they surf.

So, in other words, even per the outdated ePrivacy Directive, a site might be able to require consent for functional cookies from a user to access a portion of the site.

But that’s not the same as saying you can gate off an entire website unless the visitor agrees to their browsing being pervasively tracked by advertisers.

That’s not the kind of ‘service’ website visitors are looking for. 

Add to that, returning to present day Europe, the Dutch DPA has put out very clear guidance demolishing cookie walls.

The only sensible legal interpretation here is that the writing is on the wall for cookie walls.

This report was updated with comment from the DPA

Let’s block ads! (Why?)

Link to original source

Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR

A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018 and shows the DPC received more than double the amount of complaints post-GDPR vs the first portion of 2018 prior to the new regime coming in: With 2,864 and 1,249 complaints received respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017). Which is a year on year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon, Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995 a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for European’s privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportions of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also most complained about under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as up to 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in Germany, where antitrust regulators have been liaising with privacy watchdogs.)

Data breach notifications also up

GDPR also shines a major spotlight on security — requiring privacy by design and default and introducing a universal requirement for swiftly reporting data breaches across the bloc, again with very stiff penalties for non-compliance.

On the data breach front, the Irish DPC says it received a total of 3,687 data breach notifications between May 25 and December 31 last year — finding just four per cent (145 cases) did not meet the definition of a personal-data breach set out in GDPR. That means it recorded a total of 3,542 valid data protection breaches over the report period — which it says represents an increase of 27 per cent on 2017 breach report figures.

“As in other years, the highest category of data breaches notified under the GDPR were classified as Unauthorised Disclosures and accounted for just under 85% of the total data-breach notifications received between 25 May and 31 December 2018,” it notes, adding: “The majority occurred in the private sector (2,070).”

More than 4,000 data breach notifications were recorded by the watchdog for full year 2018, the report also states.

The DPC further reveals that it was notified of 38 personal data breaches involving 11 multinational technology companies during the post-GDPR period of 2018. Which means breaches involving tech giants.

“A substantial number of these notifications involved the unauthorised disclosure of, and unauthorised access to, personal data as a result of bugs in software supplied by data processors engaged by the organisations,” it writes, saying it opened several investigations as a result (such as following the Facebook Token breach in September 2018).

Open probes of tech giants

As of 31 December 2018, the DPC says it had 15 investigations open in relation to multinational tech companies’ compliance with GDPR.

Below is the full list of the DPC’s currently open investigations of multinationals — including the tech giant under scrutiny; the origin of the inquiry; and the issues being examined:

  • Facebook Ireland Limited — Complaint-based inquiry: “Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of “observed” personal data”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to Facebook’s Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining Facebook’s compliance with the GDPR’s breach notification obligations.”
  • Facebook Inc. — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organizational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Commenced in response to large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Instagram (Facebook Ireland Limited) — Complaint-based inquiry: “Lawful basis for processing in relation to Instagram’s Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform.”
  • WhatsApp Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to WhatsApp’s Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.”
  • WhatsApp Ireland Limited — Own-volition inquiry: “Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”
  • Twitter International Company — Complaint-based inquiry: “Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.”
  • Twitter International Company — Own-volition inquiry: “Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • LinkedIn Ireland Unlimited Company — Complaint-based inquiry: “Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.”

“The DPC’s role in supervising the data-processing operations of the numerous large data-rich multinational companies — including technology internet and social media companies — with EU headquarters located in Ireland changed immeasurably on 25 May 2018,” the watchdog acknowledges.

“For many, including Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath [disclosure: TechCrunch is owned by Verizon Media Group; aka Oath/AOL], WhatsApp, MTCH Technology and Yelp, the DPC acts as lead supervisory authority under the GDPR OSS [one-stop shop] facility.”

The DPC notes in the report that between May 25 and December 31 2018 it received 136 cross-border processing complaints through the regulation’s OSS mechanism (i.e. which had been lodged by individuals with other EU data protection authorities).

A breakdown of these (likely) tech giant focused GDPR complaints shows a strong focus on consent, right of erasure, right of access and the lawfulness of data processing:

Breakdown of cross-border complaint types received by the DPC under GDPR’s OSS mechanism

While the Irish DPC acts as the lead supervisor for many high profile GDPR complaints which relate to how tech giants are handling people’s data, it’s worth emphasizing that the OSS mechanism does not mean Ireland is sitting in sole judgement on Silicon Valley’s giants’ rights incursions in Europe.

The mechanism allows for other DPAs to be involved in these cross-border complaints.

And the European Data Protection Board, the body that works with all the EU Member States’ DPAs to help ensure consistent application of the regulation, can trigger a dispute resolution process if a lead agency considers it cannot implement a concerned agency objection. The aim is to work against forum shopping.

In a section on “EU cooperation”, the DPC further writes:

Our fellow EU regulators, alongside whom we sit on the European Data Protection Board (EDPB), follow the activities and results of the Irish DPC closely, given that a significant number of people in every EU member state are potentially impacted by processing activities of the internet companies located in Ireland. EDPB activity is intense, with monthly plenary meetings and a new system of online data sharing in relation to cross-border processing cases rolled out between the authorities. The DPC has led on the development of EDPB guidance on arrangements for Codes of Conduct under the GDPR and these should be approved and published by the EDPB in Q1 of 2019. The DPC looks forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency. Codes of Conduct are important because they will more comprehensively reflect the context and reality of data-processing activities in a given sector and provide clarity to those who sign up to the standards that need to be attained in addition to external monitoring by an independent body. It is clarity of standards that will drive real results.

Over the reported period the watchdog also reveals that it issued 23 formal requests seeking detailed information on compliance with various aspects of the GDPR from tech giants, noting too that since May 25 it has engaged with platforms on “a broad range of issues” — citing the following examples to give a flavor of these concerns:

  • Google on the processing of location data
  • Facebook on issues such as the transfer of personal data from third-party apps to Facebook and Facebook’s collaboration with external researchers
  • Microsoft on the processing of telemetry data collected by its Office product
  • WhatsApp on matters relating to the sharing of personal data with other Facebook companies

“Supervision engagement with these companies on the matters outlined is ongoing,” the DPC adds of these issues.

Adtech sector “must comply” with GDPR 

Talking of ongoing action, a GDPR complaint related to the security of personal data that’s systematically processed to power behavioral advertising is another open complaint on the DPC’s desk.

The strategic complaint was filed by a number of individuals in multiple EU countries (including Ireland) last fall. Since then the individuals behind the complaints have continued to submit and publish evidence they argue bolsters their case against the behavioral ad targeting industry (principally Google and the IAB which set the spec involved in the real-time bidding (RTB) system).

The Irish DPC makes reference to this RTB complaint in the annual report, giving the adtech industry what amounts to a written warning that while the advertising ecosystem is “complex”, with multiple parties involved in “high-speed, voluminous transactions” related to bidding for ad space and serving ad content “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

The watchdog also reports that it has engaged with “several stakeholders, including publishers and data brokers on one side, and privacy advocates and affected individuals on the other”, vis-a-vis the RTB complaint, and says it will continue prioritizing its scrutiny of the sector in 2019 — “in cooperation with its counterparts at EU level so as to ensure a consistent approach across all EU member states”.

It goes on to say that some of its 15 open investigations into tech giants will both conclude this year and “contribute to answering some of the questions relating to this complex area”. So, tl;dr, watch this space.

Responding to the DPC’s comments on the RTB complaint, Dr Johnny Ryan, chief policy and industrial relations officer of private browser Brave — and also one of the complainants — told us they expect the DPC to act “urgently”.

“We have brought our complaint before the DPC and other European regulators because there is a dire need to fix adtech so that it’s works safely,” he told TechCrunch. “The DPC itself recognizes that online advertising is a priority. The IAB and Google online ‘ad auction’ system enables companies to broadcast what every single person online reads, watches, and listens to online to countless parties. There is no control over what happens to these data. The evidence that we have submitted to the DPC shows that this occurs hundreds of billions of times a day.”

“In view of the upcoming European elections, it is particularly troubling that the IAB and Google’s systems permit voters to be profiled in this way,” he added. “Clearly, this infringes the security and integrity principles of the GDPR, and we expect the DPC to act urgently.”

The IAB has previously rejected the complaints as “false”, arguing any security risk is “theoretical”; while Google has said it has policies in place to prohibit advertisers from targeting sensitive categories of data. But the RTB complaint itself pivots on GDPR’s security requirements which demand that personal data be processed in a manner that “ensures appropriate security”, including “protection against unauthorised or unlawful processing and against accidental loss”.

So the security of the RTB system is the core issue which the Irish DPC, along with agencies in the UK and Poland, will have to grapple with as a priority this year.

The complainants have also said they intend to file additional complaints in more markets across Europe, so more DPAs are likely to join the scrutiny of RTB, as concerned supervisory agencies, which could increase pressure on the Irish DPC to act.

Schrems II vs Facebook 

The watchdog’s report also includes an update on long-running litigation filed by European privacy campaigner Max Schrems concerning a data transfer mechanism known as standard contractual clauses (SCCs) — and originally only targeted at Facebook’s use of the mechanism.

The DPC decided to refer Schrems’ original challenge to the Irish courts — which have since widened the action by referring a series of legal questions up to the EU’s top court with (now) potential implications for the legality of the EU’s ‘flagship’ Privacy Shield data transfer mechanism.

That was negotiated following the demise of its predecessor Safe Harbor, in 2015, also via a Schrems legal challenge, going on to launch in August 2016 — despite ongoing concerns from data experts. Privacy Shield is now used by close to 4,500 companies to authorize transfers of EU users’ personal data to the US.

So while Schrems’ complaint about SCCs (sometimes also called “model contract clauses”) was targeted at Facebook’s use of them the litigation could end up having major implications for very many more companies if Privacy Shield itself comes unstuck.

More recently Facebook has sought to block the Irish judges’ referral of legal questions to the Court of Justice of the EU (CJEU) — winning leave to appeal last summer (though judges did not stay the referral in the meanwhile).

In its report the DPC notes that the substantive hearing of Facebook’s appeal took place over January 21, 22 and 23 before a five judge Supreme Court panel.

“Oral arguments were made on behalf of Facebook, the DPC, the U.S. Government and Mr Schrems,” it writes. “Some of the central questions arising from the appeal include the following: can the Supreme Court revisit the facts found by the High Court relating to US law? (This arises from allegations by Facebook and the US Government that the High Court judgment, which underpins the reference made to the CJEU, contains various factual errors concerning US law).

“If the Supreme Court considers that it may do so, further questions will then arise for the Court as to whether there are in fact errors in the judgment and if so, whether and how these should be addressed.”

“At the time of going to print there is no indication as to when the Supreme Court judgment will be delivered,” it adds. “In the meantime, the High Court’s reference to the CJEU remains valid and is pending before the CJEU.”

Let’s block ads! (Why?)

Link to original source

LinkedIn forced to ‘pause’ mentioned in the news feature in Europe after complaints about ID mix-ups

LinkedIn has been forced to ‘pause’ a feature in Europe in which the platform emails members’ connections when they’ve been ‘mentioned in the news’.

The regulatory action follows a number of data protection complaints after LinkedIn’s algorithms incorrect matched members to news articles — triggering a review of the feature and subsequent suspension order.

The feature appears as a case study in the ‘Technology Multinationals Supervision’ section of an annual report published today by the Irish Data Protection Commission (DPC). Although the report does not explicitly name LinkedIn — but we’ve confirmed it is the named professional social network.

The data watchdog’s report cites “two complaints about a feature on a professional networking platform” after LinkedIn incorrectly associated the members with media articles that were not actually about them.

“In one of the complaints, a media article that set out details of the private life and unsuccessful career of a person of the same name as the complainant was circulated to the complainant’s connections and followers by the data controller,” the DPC writes, noting the complainant initially complained to the company itself but did not receive a satisfactory response — hence taking up the matter with the regulator.

The complainant stated that the article had been detrimental to their professional standing and had resulted in the loss of contracts for their business,” it adds.

“The second complaint involved the circulation of an article that the complainant believed could be detrimental to future career prospects, which the data controller had not vetted correctly.”

LinkedIn appears to have been matching members to news articles by simple name matching — with obvious potential for identity mix-ups between people with shared names.

“It was clear from the complaints that matching by name only was insufficient, giving rise to data protection concerns, primarily the lawfulness, fairness and accuracy of the personal data processing utilised by the ‘Mentions in the news’ feature,” the DPC writes.

“As a result of these complaints and the intervention of the DPC, the data controller undertook a review of the feature. The result of this review was to suspend the feature for EU-based members, pending improvements to safeguard its members’ data.”

We reached out to LinkedIn with questions and it pointed us to this blog post where it confirms: “We are pausing our Mentioned in the News feature for our EU members while we reevaluate its effectiveness.”

LinkedIn adds that it is reviewing the accuracy of the feature, writing:

As referenced in the Irish Data Protection Commission’s report, we received useful feedback from our members about the feature and as a result are evaluating the accuracy and functionality of Mentioned in the News for all members.

The company’s blog post also points users to a page where they can find out more about the ‘mentioned in the news’ feature and get information on how to manage their LinkedIn email notification settings.

The Irish DPC’s action is not the first privacy strike against LinkedIn in Europe.

Late last year, in its early annual report, on the pre-GDPR portion of 2018, the watchdog revealed it had investigated complaints about LinkedIn related to it targeting non-users with adverts for its service.

The DPC found the company had obtained emails for 18 million people for whom it did not have consent to process their data. In that case LinkedIn agreed to cease processing the data entirely.

That complaint also led the DPC to audit LinkedIn. It then found a further privacy problem, discovering the company had been using its social graph algorithms to try to build suggested networks of compatible professional connections for non-members.

The regulator ordered LinkedIn to cease this “pre-compute processing” of non-members’ data and delete all personal data associated with it prior to GDPR coming into force.

LinkedIn said it had “voluntarily changed our practices as a result”.

Let’s block ads! (Why?)

Link to original source