Menu

Timesdelhi.com

March 19, 2019
Category archive

General Data Protection Regulation

The other smartphone business

in africa/antitrust/Asia/Bolivia/China/data protection/Delhi/Europe/finland/GDPR/General Data Protection Regulation/geopolitics/google-android/India/Jalasoft/Jolla/mobile/mobile linux/Politics/privacy/Rostelecom/Russia/sailfish/Sami Pienimäki/Security/Startups/TC by

With the smartphone operating system market sewn up by Google’s Android platform, which has a close to 90% share globally, leaving Apple’s iOS a slender (but lucrative) premium top-slice, a little company called Jolla and its Linux-based Sailfish OS is a rare sight indeed: A self-styled ‘independent alternative’ that’s still somehow in business.

The Finnish startup’s b2b licensing sales pitch is intended to appeal to corporates and governments that want to be able to control their own destiny where device software is concerned.

And in a world increasingly riven with geopolitical tensions that pitch is starting to look rather prescient.

Political uncertainties around trade, high tech espionage risks and data privacy are translating into “opportunities” for the independent platform player — and helping to put wind in Jolla’s sails long after the plucky Sailfish team quit their day jobs for startup life.

Building an alternative to Google Android

Jolla was founded back in 2011 by a band of Nokia staffers who left the company determined to carry on development of mobile Linux as the European tech giant abandoned its own experiments in favor of pivoting to Microsoft’s Windows Phone platform. (Fatally, as it would turn out.)

Nokia exited mobile entirely in 2013, selling the division to Microsoft. It only returned to the smartphone market in 2017, via a brand-licensing arrangement, offering made-in-China handsets running — you guessed it — Google’s Android OS.

If the lesson of the Jolla founders’ former employer is ‘resistance to Google is futile’ they weren’t about to swallow that. The Finns had other ideas.

Indeed, Jolla’s indie vision for Sailfish OS is to support a whole shoal of differently branded, regionally flavored and independently minded (non-Google-led) ecosystems all swimming around in parallel. Though getting there means not just surviving but thriving — and doing so in spite of the market being so thoroughly dominated by the U.S. tech giant.

TechCrunch spoke to Jolla ahead of this year’s Mobile World Congress tradeshow where co-founder and CEO, Sami Pienimäki, was taking meetings on the sidelines. He told us his hope is for Jolla to have a partner booth of its own next year — touting, in truly modest Finnish fashion, an MWC calendar “maybe fuller than ever” with meetings with “all sorts of entities and governmental representatives”.

Jolla co-founder, Sami Pienimaki, showing off a Jolla-branded handset in May 2013, back when the company was trying to attack the consumer smartphone space. 
(Photo credit: KIMMO MANTYLA/AFP/Getty Images)

Even a modestly upbeat tone signals major progress here because an alternative smartphone platform licensing business is — to put it equally mildly — an incredibly difficult tech business furrow to plough.

Jolla almost died at the end of 2015 when the company hit a funding crisis. But the plucky Finns kept paddling, jettisoning their early pursuit of consumer hardware (Pienimäki describes attempting to openly compete with Google in the consumer smartphone space as essentially “suicidal” at this point) to narrow their focus to a b2b licensing play.

The early b2b salespitch targeted BRIC markets, with Jolla hitting the road to seek buy in for a platform it said could be moulded to corporate or government needs while still retaining the option of Android app compatibility.

Then in late 2016 signs of a breakthrough: Sailfish gained certification in Russia for government and corporate use.

Its licensing partner in the Russian market was soon touting the ability to go “absolutely Google-free!“.

Buy in from Russia

Since then the platform has gained the backing of Russian telco Rostelecom, which acquired Jolla’s local licensing customer last year (as well as becoming a strategic investor in Jolla itself in March 2018 — “to ensure there is a mutual interest to drive the global Sailfish OS agenda”, as Pienimäki puts it).

Rostelecom is using the brand name ‘Aurora OS‘ for Sailfish in the market which Pienimäki says is “exactly our strategy” — likening it to how Google’s Android has been skinned with different user experiences by major OEMs such as Samsung and Huawei.

“What we offer for our customers is a fully independent, regional licence and a tool chain so that they can develop exactly this kind of solution,” he tells TechCrunch. “We have come to a maturity point together with Rostelecom in the Russia market, and it was natural move plan together, that they will take a local identity and proudly carry forward the Sailfish OS ecosystem development in Russia under their local identity.”

“It’s fully compatible with Sailfish operating system, it’s based on Sailfish OS and it’s our joint interest, of course, to make it fly,” he adds. “So that as we, hopefully, are able to extend this and come out to public with other similar set-ups in different countries those of course — eventually, if they come to such a fruition and maturity — will then likely as well have their own identities but still remain compatible with the global Sailfish OS.”

Jolla says the Russian government plans to switch all circa 8M state officials to the platform by the end of 2021 — under a project expected to cost RUB 160.2 billion (~$2.4BN). (A cut of which will go to Jolla in licensing fees.)

It also says Sailfish-powered smartphones will be “recommended to municipal administrations of various levels,” with the Russian state planning to allocate a further RUB 71.3 billion (~$1.1BN) from the federal budget for that. So there’s scope for deepening the state’s Sailfish uptake.

Russian Post is one early customer for Jolla’s locally licensed Sailfish flavor. Having piloted devices last year, Pienimäki says it’s now moving to a full commercial deployment across the whole organization — which has around 300,000 employees (to give a sense of how many Sailfish powered devices could end up in the hands of state postal workers in Russia).

A rugged Sailfish-powered device piloted by Russian post

Jolla is not yet breaking out end users for Sailfish OS per market but Pienimäki says that overall the company is now “clearly above” 100k (and below 500k) devices globally.

That’s still of course a fantastically tiny number if you compare it to the consumer devices market — top ranked Android smartphone maker Samsung sold around 70M handsets in last year’s holiday quarter, for instance — but Jolla is in the b2b OS licensing business, not the handset making business. So it doesn’t need hundreds of millions of Sailfish devices to ship annually to turn a profit.

Scaling a royalty licensing business to hundreds of thousands of users is sums to “good business”, , says Pienimäki, describing Jolla’s business model for Sailfish as “practically a royalty per device”.

“The success we have had in the Russian market has populated us a lot of interesting new opening elsewhere around the world,” he continues. “This experience and all the technology we have built together with Open Mobile Platform [Jolla’s Sailfish licensing partner in Russia which was acquired by Rostelecom] to enable that case — that enables a number of other cases. The deployment plan that Rostelecom has for this is very big. And this is now really happening and we are happy about it.”

Jolla’s “Russia operation” is now beginning “a mass deployment phase”, he adds, predicting it will “quickly ramp up the volume to very sizeable”. So Sailfish is poised to scale.

Step 3… profit?

While Jolla is still yet to turn a full-year profit Pienimäki says several standalone months of 2018 were profitable, and he’s no longer worried whether the business is sustainable — asserting: “We don’t have any more financial obstacles or threats anymore.”

It’s quite the turnaround of fortunes, given Jolla’s near-death experience a few years ago when it almost ran out of money, after failing to close a $10.6M Series C round, and had to let go of half its staff.

It did manage to claw in a little funding at the end of 2015 to keep going, albeit as much leaner fish. But bagging Russia as an early adopter of its ‘independent’ mobile Linux ecosystem looks to have been the key tipping point for Jolla to be able to deliver on the hard-graft ecosystem-building work it’s been doing all along the way. And Pienimäki now expresses easy confidence that profitability will flow “fairly quickly” from here on in.

“It’s not an easy road. It takes time,” he says of the ecosystem-building company Jolla hard-pivoted to at its point of acute financial distress. “The development of this kind of business — it requires patience and negotiation times, and setting up the ecosystem and ecosystem partners. It really requires patience and takes a lot of time. And now we have come to this point where actually there starts to be an ecosystem which will then extend and start to carry its own identity as well.”

In further signs of Jolla’s growing confidence he says it hired more than ten people last year and moved to new and slightly more spacious offices — a reflection of the business expanding.

“It’s looking very good and nice for us,” Pienimäki continues. “Let’s say we are not taking too much pressure, with our investors and board, that what is the day that we are profitable. It’s not so important anymore… It’s clear that that is soon coming — that very day. But at the same time the most important is that the business case behind is proven and it is under aggressive deployment by our customers.”

The main focus for the moment is on supporting deployments to ramp up in Russia, he says, emphasizing: “That’s where we have to focus.” (Literally he says “not screwing up” — and with so much at stake you can see why nailing the Russia case is Jolla’s top priority.)

While the Russian state has been the entity most keen to embrace an alternative (non-U.S.-led) mobile OS — perhaps unsurprisingly — it’s not the only place in the world where Jolla has irons in the fire.

Another licensing partner, Bolivian IT services company Jalasoft, has co-developed a Sailfish-powered smartphone called Accione.

Jalasoft’s ‘liberty’-touting Accione Sailfish smartphone

It slates the handset on its website as being “designed for Latinos by Latinos”. “The digitalization of the economy is inevitable and, if we do not control the foundation of this digitalization, we have no future,” it adds.

Jalasoft founder and CEO Jorge Lopez says the company’s decision to invest effort in kicking the tyres of Jolla’s alternative mobile ecosystem is about gaining control — or seeking “technological libration” as the website blurb puts it.

“With Sailfish OS we have control of the implementation, while with Android it is the opposite,” Lopez tells TechCrunch. “We are working on developing smart buildings and we need a private OS that is not Android or iOS. This is mainly because our product will allow the end user to control the whole building and doing this with Android or iOS a hackable OS will bring concerns on security.”

Lopez says Jalasoft is using Accione as its development platform — “to gather customer feedback and to further develop our solution” — so the project clearly remains in an early phase, and he says that no more devices are likely to be announced this year.

But Jolla can point to more seeds being sewn with the potential, with work, determination and patience, to sprout into another sizeable crop of Sailfish-powered devices down the line.

Complexity in China

Even more ambitiously Jolla is also targeting China, where investment has been taken in to form a local consortium to develop a Chinese Sailfish ecosystem.

Although Pienimäki cautions there’s still much work to be done to bring Sailfish to market in China.

“We completed a major pilot with our licensing customer, Sailfish China Consortium, in 2017-18,” he says, giving an update on progress to date. “The public in market solution is not there yet. That is something that we are working together with the customer — hopefully we can see it later this year on the market. But these things take time. And let’s say that we’ve been somewhat surprised at how complex this kind of decision-making can be.”

“It wasn’t easy in Russia — it took three years of tight collaboration together with our Russian partners to find a way. But somehow it feels that it’s going to take even more in China. And I’m not necessarily talking about calendar time — but complexity,” he adds.

While there’s no guarantee of success for Jolla in China, the potential win is so big given the size of the market that even if they can only carve out a tiny slice, such as a business or corporate sector, it’s still worth going after. And he points to the existence of a couple of native mobile Linux operating systems he reckons could make “very lucrative partners”.

That said, the get-to-market challenge for Jolla in China is clearly distinctly different vs the rest of the world. This is because Android has developed into an independent (i.e. rather than Google-led) ecosystem in China as a result of state restrictions on the Internet and Internet companies. So the question is what could Sailfish offer that forked Android doesn’t already?

An Oppo Android powered smartphone on show at MWC 2017

Again, Jolla is taking the long view that ultimately there will be appetite — and perhaps also state-led push — for a technology platform bolster against political uncertainty in U.S.-China relations.

“What has happened now, in particular last year, is — because of the open trade war between the nations — many of the technology vendors, and also I would say the Chinese government, has started to gradually tighten their perspective on the fact that ‘hey simply it cannot be a long term strategy to just keep forking Android’. Because in the end of the day it’s somebody else’s asset. So this is something that truly creates us the opportunity,” he suggests.

“Openly competing with the fact that there are very successful Android forks in China, that’s going to be extremely difficult. But — let’s say — tapping into the fact that there are powers in that nation that wish that there would be something else than forking Android, combined with the fact that there is already something homegrown in China which is not forking Android — I think that’s the recipe that can be successful.”

Not all Jolla’s Sailfish bets have paid off, of course. An earlier foray by an Indian licensing partner into the consumer handset market petered out. Albeit, it does reinforce their decision to zero in on government and corporate licensing.

“We got excellent business connections,” says Pienimäki of India, suggesting also that it’s still a ‘watch this space’ for Jolla. The company has a “second move” in train in the market that he’s hopeful to be talking about publicly later this year.

It’s also pitching Sailfish in Africa. And in markets where target customers might not have their own extensive in-house IT capability to plug into Sailfish co-development work Pienimäki says it’s offering a full solution — “a ready made package”, together with partners, including device management, VPN, secure messaging and secure email — which he argues “can be still very lucrative business cases”.

Looking ahead and beyond mobile, Pienimäki suggests the automotive industry could be an interesting target for Sailfish in the future — though not literally plugging the platform into cars; but rather licensing its technologies where appropriate — arguing car makers are also keen to control the tech that’s going into their cars.

“They really want to make sure that they own the cockpit. It’s their property, it’s their brand and they want to own it — and for a reason,” he suggests, pointing to the clutch of major investments from car companies in startups and technologies in recent years.

“This is definitely an interesting area. We are not directly there ourself — and we are not capable to extend ourself there but we are discussing with partners who are in that very business whether they could utilize our technologies there. That would then be more or less like a technology licensing arrangement.”

A trust balancing model

While Jolla looks to be approaching a tipping point as a business, in terms of being able to profit off of licensing an alternative mobile platform, it remains a tiny and some might say inconsequential player on the global mobile stage.

Yet its focus on building and maintaining trusted management and technology architectures also looks timely — again, given how geopolitical spats are intervening to disrupt technology business as usual.

Chinese giant Huawei used an MWC keynote speech last month to reject U.S.-led allegations that its 5G networking technology could be repurposed as a spying tool by the Chinese state. And just this week it opened a cybersecurity transparency center in Brussels, to try to bolster trust in its kit and services — urging industry players to work together on agreeing standards and structures that everyone can trust.

In recent years U.S.-led suspicions attached to Russia have also caused major headaches for security veteran Kaspersky — leading the company to announce its own trust and transparency program and decentralize some of its infrastructure, including by spinning up servers in Europe last year.

Businesses finding ways to maintain and deepen the digital economy in spite of a little — or even a lot — of cross-border mistrust may well prove to be the biggest technology challenge of all moving forward.

Especially as next-gen 5G networks get rolled out — and their touted ‘intelligent connectivity’ reaches out to transform many more types of industries, bringing new risks and regulatory complexity.

The geopolitical problem linked to all this boils down to how to trust increasing complex technologies without any one entity being able to own and control all the pieces. And Jolla’s business looks interesting in light of that because it’s selling the promise of neutral independence to all its customers, wherever they hail from — be it Russia, LatAm, China, Africa or elsewhere — which makes its ability to secure customer trust not just important but vital to its success.

Indeed, you could argue its customers are likely to rank above average on the ‘paranoid’ scale, given their dedicated search for an alternative (non-U.S.-led) mobile OS in the first place.

“It’s one of the number one questions we get,” admits Pienimäki, discussing Jolla’s trust balancing act — aka how it manages and maintains confidence in Sailfish’s independence, even as it takes business backing and code contributions from a state like Russia.

“We tell about our reference case in Russia and people quickly ask ‘hey okay, how can I trust that there is no blackbox inside’,” he continues, adding: “This is exactly the core question and this is exactly the problem we have been able to build a solution for.”

Jolla’s solution sums to one line: “We create a transparent platform and on top of fully transparent platform you can create secure solutions,” as Pienimäki puts it.

“The way it goes is that Jolla with Sailfish OS is always offering the transparent Sailfish operating system core, on source code level, all the time live, available for all the customers. So all the customers constantly, in real-time, have access to our source code. Most of it’s in public open source, and the proprietary parts are also constantly available from our internal infrastructure. For all the customers, at the same time in real-time,” he says, fleshing out how it keeps customers on board with a continually co-developing software platform.

“The contributions we take from these customers are always on source code level only. We don’t take any binary blobs inside our software. We take only source code level contributions which we ourselves authorize, integrate and then we make available for all the customers at the very same moment. So that loopback in a way creates us the transparency.

“So if you want to be suspicion of the contributions of the other guys, so to say, you can always read it on the source code. It’s real-time. Always available for all the customers at the same time. That’s the model we have created.”

“It’s honestly quite a unique model,” he adds. “Nobody is really offering such a co-development model in the operating system business.

“Practically how Android works is that Google, who’s leading the Android development, makes the next release of Android software, then releases it under Android Open Source and then people start to backboard it — so that’s like ‘source, open’ in a way, not ‘open source’.”

Sailfish’s community of users also have real-time access to and visibility of all the contributions — which he dubs “real democracy”.

“People can actually follow it from the code-line all the time,” he argues. “This is really the core of our existence and how we can offer it to Russia and other countries without creating like suspicion elements each side. And that is very important.

“That is the only way we can continue and extend this regional licensing and we can offer it independently from Finland and from our own company.”

With global trade and technology both looking increasingly vulnerable to cross-border mistrust, Jolla’s approach to collaborative transparency may offer something of a model if other businesses and industries find they need to adapt themselves  in order for trade and innovation to keep moving forward in uncertain political times.

Antitrust and privacy uplift

Last but not least there’s regulatory intervention to consider.

A European Commission antitrust decision against Google’s Android platform last year caused headlines around the world when the company was slapped with a $5BN fine.

More importantly for Android rivals Google was also ordered to change its practices — leading to amended licensing terms for the platform in Europe last fall. And Pienimäki says Jolla was a “key contributor” to the Commission case against Android.

European competition commissioner Margrethe Vestager, on April 15, 2015 in Brussels, as the Commission said it would open an antitrust investigation into Google’s Android operating system. (Photo credit: JOHN THYS/AFP/Getty Images)

The new Android licensing terms make it (at least theoretically) possible for new types of less-heavily-Google-flavored Android devices to be developed for Europe. Though there have been complaints the licensing tweaks don’t go far enough to reset Google’s competitive Android advantage.

Asked whether Jolla has seen any positive impacts on its business following the Commission’s antitrust decision, Pienimäki responds positively, recounting how — “one or two weeks after the ruling” — Jolla received an inbound enquiry from a company in France that had felt hamstrung by Google requiring its services to be bundled with Android but was now hoping “to realize a project in a special sector”.

The company, which he isn’t disclosing at this stage, is interested in “using Sailfish and then having selected Android applications running in Sailfish but no connection with the Google services”.

“We’ve been there for five years helping the European Union authorities [to build the case] and explain how difficult it is to create competitive solutions in the smartphone market in general,” he continues. “Be it consumer or be it anything else. That’s definitely important for us and I don’t see this at all limited to the consumer sector. The very same thing has been a problem for corporate clients, for companies who provide specialized mobile device solutions for different kind of corporations and even governments.”

While he couches the Android ruling as a “very important” moment for Jolla’s business last year, he also says he hopes the Commission will intervene further to level the smartphone playing field.

“What I’m after here, and what I would really love to see, is that within the European Union we utilize Linux-based, open platform solution which is made in Europe,” he says. “That’s why we’ve been pushing this [antitrust action]. This is part of that. But in bigger scheme this is very good.”

He is also very happy with Europe’s General Data Protection Regulation (GDPR) — which came into force last May, plugging in a long overdue update to the bloc’s privacy rules with a much beefed up enforcement regime.

GDPR has been good for Jolla’s business, according to Pienimäki, who says interest is flowing its way from customers who now perceive a risk to using Android if customer data flows outside Europe and they cannot guarantee adequate privacy protections are in place.

“Already last spring… we have had plenty of different customer discussions with European companies who are really afraid that ‘hey I cannot offer this solution to my government or to my corporate customer in my country because I cannot guarantee if I use Android that this data doesn’t go outside the European Union’,” he says.

“You can’t indemnify in a way that. And that’s been really good for us as well.”

News Source = techcrunch.com

Cookie walls don’t comply with GDPR, says Dutch DPA

in Advertising Tech/cookie consent/cookie walls/data protection/data protection law/Delhi/dutch dpa/Europe/GDPR/General Data Protection Regulation/Google/India/online advertising/Politics/privacy/targeted advertising by

Cookie walls that demand a website visitor agrees to their Internet browsing being tracked for ad-targeting as the ‘price’ of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.

The DPA said it has received dozens of complaints from Internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.

It also says it will be stepping up monitoring, adding that it has written to the most complained about organizations (without naming any names) — instructing them to make changes to ensure they come into compliance with GDPR.

Europe’s General Data Protection Regulation, which came into force last May, tightens the rules around consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law.

Of course consent is not the only legal basis for processing personal data but many websites do rely on asking Internet visitors for consent to ad cookies as they arrive.

And the Dutch DPA’s guidance makes it clear Internet visitors must be asked for permission in advance for any tracking software to be placed — such as third party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

So, in other words, a ‘data for access’ cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)

“This is not for nothing; website visitors must be able to trust that their personal data are properly protected,” it further writes in a clarification published on its website [translated via Google Translate].

“There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free,” it adds. 

We’ve reached out to the DPA with questions.

In light of this ruling the cookie wall on the Internet Advertising Bureau (IAB)’s European site (screengrabbed below) looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses (site functional cookies; site analytical cookies; and third party advertising cookies) under a single ‘I agree’ option.

It does not offer visitors any opt-outs at all. (Not even under the ‘More info’ or privacy policy options pictured below).

If the user does not click ‘I agree’ they cannot gain access to the IAB’s website. So there’s no free choice here. It’s agree or leave.

Clicking ‘More info’ brings up additional information about the purposes the IAB uses cookies for — where it states it is not using collected information to create “visitor profiles”.

However it notes it is using Google products, and explains that some of these use cookies that may collect visitors’ information for advertising — thereby bundling ad tracking into the provision of its website ‘service’.

Again the only ‘choice’ offered to site visitors is ‘I agree’ or to leave without gaining access to the website. Which means it’s not a free choice.

The IAB told us no data protection agencies had been in touch regarding its cookie wall.

Asked whether it intends to amend the cookie wall in light of the Dutch DPA’s guidance a spokeswoman said she wasn’t sure what the team planned to do yet — but she claimed GDPR does not “outright prohibit making access to a service conditional upon consent”; pointing also to the (2002) ePrivacy Directive which she claimed applies here, saying it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies”.

So the IAB’s position appears to be that the ePrivacy Directive trumps GDPR on this issue.

Though it’s not clear how they’ve arrived at that conclusion. (The fifteen+ year old ePrivacy Directive is also in the process of being updated — while the flagship GDPR only came into force last year.)

The portion of the ePrivacy Directive that the IAB appears to be referring to is recital 25 — which includes the following line:

Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

However “specific website content” is hardly the same as full site access, i.e. as is entirely blocked by their cookie wall.

The “legitimate purpose” point in the recital also provides a second caveat vis-a-vis making access conditional on accepting cookies — and the recital text includes an example of “facilita[ting] the provision of information society services” as such a legitimate purpose.

What are “information society services”? An earlier European directive defines this legal term as services that are “provided at a distance, electronically and at the individual request of a recipient” [emphasis ours] — suggesting it refers to Internet content that the user actually intends to access (i.e. the website itself), rather than ads that track them behind the scenes as they surf.

So, in other words, even per the outdated ePrivacy Directive, a site might be able to require consent for functional cookies from a user to access a portion of the site.

But that’s not the same as saying you can gate off an entire website unless the visitor agrees to their browsing being pervasively tracked by advertisers.

That’s not the kind of ‘service’ website visitors are looking for. 

Add to that, returning to present day Europe, the Dutch DPA has put out very clear guidance demolishing cookie walls.

The only sensible legal interpretation here is that the writing is on the wall for cookie walls.

News Source = techcrunch.com

Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR

in Adtech/Advertising Tech/Apple/data breaches/data protection/Delhi/Europe/Facebook/GDPR/General Data Protection Regulation/Helen Dixon/India/instagram/LinkedIn/Max Schrems/Politics/privacy/Privacy Shield/Real-time bidding/Security/Social/TC/Twitter/WhatsApp by

A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018 and shows the DPC received more than double the amount of complaints post-GDPR vs the first portion of 2018 prior to the new regime coming in: With 2,864 and 1,249 complaints received respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017). Which is a year on year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon, Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995 a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for European’s privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportions of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also most complained about under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as up to 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in Germany, where antitrust regulators have been liaising with privacy watchdogs.)

Data breach notifications also up

GDPR also shines a major spotlight on security — requiring privacy by design and default and introducing a universal requirement for swiftly reporting data breaches across the bloc, again with very stiff penalties for non-compliance.

On the data breach front, the Irish DPC says it received a total of 3,687 data breach notifications between May 25 and December 31 last year — finding just four per cent (145 cases) did not meet the definition of a personal-data breach set out in GDPR. That means it recorded a total of 3,542 valid data protection breaches over the report period — which it says represents an increase of 27 per cent on 2017 breach report figures.

“As in other years, the highest category of data breaches notified under the GDPR were classified as Unauthorised Disclosures and accounted for just under 85% of the total data-breach notifications received between 25 May and 31 December 2018,” it notes, adding: “The majority occurred in the private sector (2,070).”

More than 4,000 data breach notifications were recorded by the watchdog for full year 2018, the report also states.

For the earlier 2018 period, from January 1 to May 24 2018, a DPC spokesman told us it recorded 1198 valid data security breaches — making the full year total 4740.

The DPC further reveals that it was notified of 38 personal data breaches involving 11 multinational technology companies during the post-GDPR period of 2018. Which means breaches involving tech giants.

“A substantial number of these notifications involved the unauthorised disclosure of, and unauthorised access to, personal data as a result of bugs in software supplied by data processors engaged by the organisations,” it writes, saying it opened several investigations as a result (such as following the Facebook Token breach in September 2018).

Open probes of tech giants

As of 31 December 2018, the DPC says it had 15 investigations open in relation to multinational tech companies’ compliance with GDPR.

Below is the full list of the DPC’s currently open investigations of multinationals — including the tech giant under scrutiny; the origin of the inquiry; and the issues being examined:

  • Facebook Ireland Limited — Complaint-based inquiry: “Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of “observed” personal data”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to Facebook’s Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining Facebook’s compliance with the GDPR’s breach notification obligations.”
  • Facebook Inc. — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organizational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Commenced in response to large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Instagram (Facebook Ireland Limited) — Complaint-based inquiry: “Lawful basis for processing in relation to Instagram’s Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform.”
  • WhatsApp Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to WhatsApp’s Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.”
  • WhatsApp Ireland Limited — Own-volition inquiry: “Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”
  • Twitter International Company — Complaint-based inquiry: “Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.”
  • Twitter International Company — Own-volition inquiry: “Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • LinkedIn Ireland Unlimited Company — Complaint-based inquiry: “Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.”

“The DPC’s role in supervising the data-processing operations of the numerous large data-rich multinational companies — including technology internet and social media companies — with EU headquarters located in Ireland changed immeasurably on 25 May 2018,” the watchdog acknowledges.

“For many, including Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath [disclosure: TechCrunch is owned by Verizon Media Group; aka Oath/AOL], WhatsApp, MTCH Technology and Yelp, the DPC acts as lead supervisory authority under the GDPR OSS [one-stop shop] facility.”

The DPC notes in the report that between May 25 and December 31 2018 it received 136 cross-border processing complaints through the regulation’s OSS mechanism (i.e. which had been lodged by individuals with other EU data protection authorities).

A breakdown of these (likely) tech giant focused GDPR complaints shows a strong focus on consent, right of erasure, right of access and the lawfulness of data processing:

Breakdown of cross-border complaint types received by the DPC under GDPR’s OSS mechanism

While the Irish DPC acts as the lead supervisor for many high profile GDPR complaints which relate to how tech giants are handling people’s data, it’s worth emphasizing that the OSS mechanism does not mean Ireland is sitting in sole judgement on Silicon Valley’s giants’ rights incursions in Europe.

The mechanism allows for other DPAs to be involved in these cross-border complaints.

And the European Data Protection Board, the body that works with all the EU Member States’ DPAs to help ensure consistent application of the regulation, can trigger a dispute resolution process if a lead agency considers it cannot implement a concerned agency objection. The aim is to work against forum shopping.

In a section on “EU cooperation”, the DPC further writes:

Our fellow EU regulators, alongside whom we sit on the European Data Protection Board (EDPB), follow the activities and results of the Irish DPC closely, given that a significant number of people in every EU member state are potentially impacted by processing activities of the internet companies located in Ireland. EDPB activity is intense, with monthly plenary meetings and a new system of online data sharing in relation to cross-border processing cases rolled out between the authorities. The DPC has led on the development of EDPB guidance on arrangements for Codes of Conduct under the GDPR and these should be approved and published by the EDPB in Q1 of 2019. The DPC looks forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency. Codes of Conduct are important because they will more comprehensively reflect the context and reality of data-processing activities in a given sector and provide clarity to those who sign up to the standards that need to be attained in addition to external monitoring by an independent body. It is clarity of standards that will drive real results.

Over the reported period the watchdog also reveals that it issued 23 formal requests seeking detailed information on compliance with various aspects of the GDPR from tech giants, noting too that since May 25 it has engaged with platforms on “a broad range of issues” — citing the following examples to give a flavor of these concerns:

  • Google on the processing of location data
  • Facebook on issues such as the transfer of personal data from third-party apps to Facebook and Facebook’s collaboration with external researchers
  • Microsoft on the processing of telemetry data collected by its Office product
  • WhatsApp on matters relating to the sharing of personal data with other Facebook companies

“Supervision engagement with these companies on the matters outlined is ongoing,” the DPC adds of these issues.

Adtech sector “must comply” with GDPR 

Talking of ongoing action, a GDPR complaint related to the security of personal data that’s systematically processed to power behavioral advertising is another open complaint on the DPC’s desk.

The strategic complaint was filed by a number of individuals in multiple EU countries (including Ireland) last fall. Since then the individuals behind the complaints have continued to submit and publish evidence they argue bolsters their case against the behavioral ad targeting industry (principally Google and the IAB which set the spec involved in the real-time bidding (RTB) system).

The Irish DPC makes reference to this RTB complaint in the annual report, giving the adtech industry what amounts to a written warning that while the advertising ecosystem is “complex”, with multiple parties involved in “high-speed, voluminous transactions” related to bidding for ad space and serving ad content “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

The watchdog also reports that it has engaged with “several stakeholders, including publishers and data brokers on one side, and privacy advocates and affected individuals on the other”, vis-a-vis the RTB complaint, and says it will continue prioritizing its scrutiny of the sector in 2019 — “in cooperation with its counterparts at EU level so as to ensure a consistent approach across all EU member states”.

It goes on to say that some of its 15 open investigations into tech giants will both conclude this year and “contribute to answering some of the questions relating to this complex area”. So, tl;dr, watch this space.

Responding to the DPC’s comments on the RTB complaint, Dr Johnny Ryan, chief policy and industrial relations officer of private browser Brave — and also one of the complainants — told us they expect the DPC to act “urgently”.

“We have brought our complaint before the DPC and other European regulators because there is a dire need to fix adtech so that it’s works safely,” he told TechCrunch. “The DPC itself recognizes that online advertising is a priority. The IAB and Google online ‘ad auction’ system enables companies to broadcast what every single person online reads, watches, and listens to online to countless parties. There is no control over what happens to these data. The evidence that we have submitted to the DPC shows that this occurs hundreds of billions of times a day.”

“In view of the upcoming European elections, it is particularly troubling that the IAB and Google’s systems permit voters to be profiled in this way,” he added. “Clearly, this infringes the security and integrity principles of the GDPR, and we expect the DPC to act urgently.”

The IAB has previously rejected the complaints as “false”, arguing any security risk is “theoretical”; while Google has said it has policies in place to prohibit advertisers from targeting sensitive categories of data. But the RTB complaint itself pivots on GDPR’s security requirements which demand that personal data be processed in a manner that “ensures appropriate security”, including “protection against unauthorised or unlawful processing and against accidental loss”.

So the security of the RTB system is the core issue which the Irish DPC, along with agencies in the UK and Poland, will have to grapple with as a priority this year.

The complainants have also said they intend to file additional complaints in more markets across Europe, so more DPAs are likely to join the scrutiny of RTB, as concerned supervisory agencies, which could increase pressure on the Irish DPC to act.

Schrems II vs Facebook 

The watchdog’s report also includes an update on long-running litigation filed by European privacy campaigner Max Schrems concerning a data transfer mechanism known as standard contractual clauses (SCCs) — and originally only targeted at Facebook’s use of the mechanism.

The DPC decided to refer Schrems’ original challenge to the Irish courts — which have since widened the action by referring a series of legal questions up to the EU’s top court with (now) potential implications for the legality of the EU’s ‘flagship’ Privacy Shield data transfer mechanism.

That was negotiated following the demise of its predecessor Safe Harbor, in 2015, also via a Schrems legal challenge, going on to launch in August 2016 — despite ongoing concerns from data experts. Privacy Shield is now used by close to 4,500 companies to authorize transfers of EU users’ personal data to the US.

So while Schrems’ complaint about SCCs (sometimes also called “model contract clauses”) was targeted at Facebook’s use of them the litigation could end up having major implications for very many more companies if Privacy Shield itself comes unstuck.

More recently Facebook has sought to block the Irish judges’ referral of legal questions to the Court of Justice of the EU (CJEU) — winning leave to appeal last summer (though judges did not stay the referral in the meanwhile).

In its report the DPC notes that the substantive hearing of Facebook’s appeal took place over January 21, 22 and 23 before a five judge Supreme Court panel.

“Oral arguments were made on behalf of Facebook, the DPC, the U.S. Government and Mr Schrems,” it writes. “Some of the central questions arising from the appeal include the following: can the Supreme Court revisit the facts found by the High Court relating to US law? (This arises from allegations by Facebook and the US Government that the High Court judgment, which underpins the reference made to the CJEU, contains various factual errors concerning US law).

“If the Supreme Court considers that it may do so, further questions will then arise for the Court as to whether there are in fact errors in the judgment and if so, whether and how these should be addressed.”

“At the time of going to print there is no indication as to when the Supreme Court judgment will be delivered,” it adds. “In the meantime, the High Court’s reference to the CJEU remains valid and is pending before the CJEU.”

News Source = techcrunch.com

What business leaders can learn from Jeff Bezos’ leaked texts

in Column/computing/cryptography/data protection/data security/Delhi/European Union/Facebook/General Data Protection Regulation/Google/human rights/India/jeff bezos/Microsoft/national security/online security/oregon/Politics/privacy/Ron Wyden/terms of service/United States/Wickr by

The ‘below the belt selfie’ media circus surrounding Jeff Bezos has made encrypted communications top of mind among nervous executive handlers. Their assumption is that a product with serious cryptography like Wickr – where I work – or Signal could have helped help Mr. Bezos and Amazon avoid this drama.

It’s a good assumption, but a troubling conclusion.

I worry that moments like these will drag serious cryptography down to the level of the National Enquirer. I’m concerned that this media cycle may lead people to view privacy and cryptography as a safety net for billionaires rather than a transformative solution for data minimization and privacy.

We live in the chapter of computing when data is mostly unprotected because of corporate indifference. The leaders of our new economy – like the vast majority of society – value convenience and short-term gratification over the security and privacy of consumer, employee and corporate data.  

We cannot let this media cycle pass without recognizing that when corporate executives take a laissez-faire approach to digital privacy, their employees and organizations will follow suit.

Two recent examples illustrate the privacy indifference of our leaders…

  • The most powerful executive in the world is either indifferent to, or unaware that, unencrypted online flirtations would be accessed by nation states and competitors.
  • 2016 presidential campaigns were either indifferent to, or unaware that, unencrypted online communications detailing “off-the-record” correspondence with media and payments to adult actor(s) would be accessed by nation states and competitors.

If our leaders do not respect and understand online security and privacy, then their organizations will not make data protection a priority. It’s no surprise that we see a constant stream of large corporations and federal agencies breached by nation states and competitors. Who then can we look to for leadership?

GDPR is an early attempt by regulators to lead. The European Union enacted GDPR to ensure individuals own their data and enforce penalties on companies who do not protect personal data. It applies to all data processors, but the EU is clearly focused on sending a message to the large US based data processors – Amazon, Facebook, Google, Microsoft, etc. In January, France’s National Data Protection Commission sent a message by fining Google $57 million for breaching GDPR rules. It was an unprecedented fine that garnered international attention. However, we must remember that in 2018 Google’s revenues were greater than $300 million … per day! GPDR is, at best, an annoying speed-bump in the monetization strategy of large data processors.

It is through this lens that Senator Ron Wyden’s (Oregon) idealistic call for billions of dollars in corporate fines and jail time for executives who enable privacy breaches can be seen as reasonable. When record financial penalties are inconsequential it is logical to pursue other avenues to protect our data.

Real change will come when our leaders understand that data privacy and security can increase profitability and reliability. For example, the Compliance, Governance and Oversight Council reports that an enterprise will spend as much as $50 million to protect 10 petabytes of data, and that $34.5 million of this is spent on protecting data that should be deleted. Serious efficiencies are waiting to be realized and serious cryptography can help.  

So, thank you Mr. Bezos for igniting corporate interest in secure communications. Let’s hope this news cycle convinces our corporate leaders and elected officials to embrace data privacy, protection and minimization because it responsible, profitable and efficient. We need leaders and elected officials to set an example and respect their own data and privacy if we have any hope of their organizations to protect ours.

News Source = techcrunch.com

Is Europe closing in on an antitrust fix for surveillance technologists?

in Android/antitrust/competition law/data protection/data protection law/DCMS committee/Delhi/digital media/EC/Europe/european commission/European Union/Facebook/General Data Protection Regulation/Germany/Giovanni Buttarelli/Google/India/instagram/Margrethe Vestager/Messenger/photo sharing/Politics/privacy/Social/social media/social networks/surveillance capitalism/TC/terms of service/United Kingdom/United States by

The German Federal Cartel Office’s decision to order Facebook to change how it processes users’ personal data this week is a sign the antitrust tide could at last be turning against platform power.

One European Commission source we spoke to, who was commenting in a personal capacity, described it as “clearly pioneering” and “a big deal”, even without Facebook being fined a dime.

The FCO’s decision instead bans the social network from linking user data across different platforms it owns, unless it gains people’s consent (nor can it make use of its services contingent on such consent). Facebook is also prohibited from gathering and linking data on users from third party websites, such as via its tracking pixels and social plugins.

The order is not yet in force, and Facebook is appealing, but should it come into force the social network faces being de facto shrunk by having its platforms siloed at the data level.

To comply with the order Facebook would have to ask users to freely consent to being data-mined — which the company does not do at present.

Yes, Facebook could still manipulate the outcome it wants from users but doing so would open it to further challenge under EU data protection law, as its current approach to consent is already being challenged.

The EU’s updated privacy framework, GDPR, requires consent to be specific, informed and freely given. That standard supports challenges to Facebook’s (still fixed) entry ‘price’ to its social services. To play you still have to agree to hand over your personal data so it can sell your attention to advertisers. But legal experts contend that’s neither privacy by design nor default.

The only ‘alternative’ Facebook offers is to tell users they can delete their account. Not that doing so would stop the company from tracking you around the rest of the mainstream web anyway. Facebook’s tracking infrastructure is also embedded across the wider Internet so it profiles non-users too.

EU data protection regulators are still investigating a very large number of consent-related GDPR complaints.

But the German FCO, which said it liaised with privacy authorities during its investigation of Facebook’s data-gathering, has dubbed this type of behavior “exploitative abuse”, having also deemed the social service to hold a monopoly position in the German market.

So there are now two lines of legal attack — antitrust and privacy law — threatening Facebook (and indeed other adtech companies’) surveillance-based business model across Europe.

A year ago the German antitrust authority also announced a probe of the online advertising sector, responding to concerns about a lack of transparency in the market. Its work here is by no means done.

Data limits

The lack of a big flashy fine attached to the German FCO’s order against Facebook makes this week’s story less of a major headline than recent European Commission antitrust fines handed to Google — such as the record-breaking $5BN penalty issued last summer for anticompetitive behaviour linked to the Android mobile platform.

But the decision is arguably just as, if not more, significant, because of the structural remedies being ordered upon Facebook. These remedies have been likened to an internal break-up of the company — with enforced internal separation of its multiple platform products at the data level.

This of course runs counter to (ad) platform giants’ preferred trajectory, which has long been to tear modesty walls down; pool user data from multiple internal (and indeed external sources), in defiance of the notion of informed consent; and mine all that personal (and sensitive) stuff to build identity-linked profiles to train algorithms that predict (and, some contend, manipulate) individual behavior.

Because if you can predict what a person is going to do you can choose which advert to serve to increase the chance they’ll click. (Or as Mark Zuckerberg puts it: ‘Senator, we run ads.’)

This means that a regulatory intervention that interferes with an ad tech giant’s ability to pool and process personal data starts to look really interesting. Because a Facebook that can’t join data dots across its sprawling social empire — or indeed across the mainstream web — wouldn’t be such a massive giant in terms of data insights. And nor, therefore, surveillance oversight.

Each of its platforms would be forced to be a more discrete (and, well, discreet) kind of business.

Competing against data-siloed platforms with a common owner — instead of a single interlinked mega-surveillance-network — also starts to sound almost possible. It suggests a playing field that’s reset, if not entirely levelled.

(Whereas, in the case of Android, the European Commission did not order any specific remedies — allowing Google to come up with ‘fixes’ itself; and so to shape the most self-serving ‘fix’ it can think of.)

Meanwhile, just look at where Facebook is now aiming to get to: A technical unification of the backend of its different social products.

Such a merger would collapse even more walls and fully enmesh platforms that started life as entirely separate products before were folded into Facebook’s empire (also, let’s not forget, via surveillance-informed acquisitions).

Facebook’s plan to unify its products on a single backend platform looks very much like an attempt to throw up technical barriers to antitrust hammers. It’s at least harder to imagine breaking up a company if its multiple, separate products are merged onto one unified backend which functions to cross and combine data streams.

Set against Facebook’s sudden desire to technically unify its full-flush of dominant social networks (Facebook Messenger; Instagram; WhatsApp) is a rising drum-beat of calls for competition-based scrutiny of tech giants.

This has been building for years, as the market power — and even democracy-denting potential — of surveillance capitalism’s data giants has telescoped into view.

Calls to break up tech giants no longer carry a suggestive punch. Regulators are routinely asked whether it’s time. As the European Commission’s competition chief, Margrethe Vestager, was when she handed down Google’s latest massive antitrust fine last summer.

Her response then was that she wasn’t sure breaking Google up is the right answer — preferring to try remedies that might allow competitors to have a go, while also emphasizing the importance of legislating to ensure “transparency and fairness in the business to platform relationship”.

But it’s interesting that the idea of breaking up tech giants now plays so well as political theatre, suggesting that wildly successful consumer technology companies — which have long dined out on shiny convenience-based marketing claims, made ever so saccharine sweet via the lure of ‘free’ services — have lost a big chunk of their populist pull, dogged as they have been by so many scandals.

From terrorist content and hate speech, to election interference, child exploitation, bullying, abuse. There’s also the matter of how they arrange their tax affairs.

The public perception of tech giants has matured as the ‘costs’ of their ‘free’ services have scaled into view. The upstarts have also become the establishment. People see not a new generation of ‘cuddly capitalists’ but another bunch of multinationals; highly polished but remote money-making machines that take rather more than they give back to the societies they feed off.

Google’s trick of naming each Android iteration after a different sweet treat makes for an interesting parallel to the (also now shifting) public perceptions around sugar, following closer attention to health concerns. What does its sickly sweetness mask? And after the sugar tax, we now have politicians calling for a social media levy.

Just this week the deputy leader of the main opposition party in the UK called for setting up a standalone Internet regulatory with the power to break up tech monopolies.

Talking about breaking up well-oiled, wealth-concentration machines is being seen as a populist vote winner. And companies that political leaders used to flatter and seek out for PR opportunities find themselves treated as political punchbags; Called to attend awkward grilling by hard-grafting committees, or taken to vicious task verbally at the highest profile public podia. (Though some non-democratic heads of state are still keen to press tech giant flesh.)

In Europe, Facebook’s repeat snubs of the UK parliament’s requests last year for Zuckerberg to face policymakers’ questions certainly did not go unnoticed.

Zuckerberg’s empty chair at the DCMS committee has become both a symbol of the company’s failure to accept wider societal responsibility for its products, and an indication of market failure; the CEO so powerful he doesn’t feel answerable to anyone; neither his most vulnerable users nor their elected representatives. Hence UK politicians on both sides of the aisle making political capital by talking about cutting tech giants down to size.

The political fallout from the Cambridge Analytica scandal looks far from done.

Quite how a UK regulator could successfully swing a regulatory hammer to break up a global Internet giant such as Facebook which is headquartered in the U.S. is another matter. But policymakers have already crossed the rubicon of public opinion and are relishing talking up having a go.

That represents a sea-change vs the neoliberal consensus that allowed competition regulators to sit on their hands for more than a decade as technology upstarts quietly hoovered up people’s data and bagged rivals, and basically went about transforming themselves from highly scalable startups into market-distorting giants with Internet-scale data-nets to snag users and buy or block competing ideas.

The political spirit looks willing to go there, and now the mechanism for breaking platforms’ distorting hold on markets may also be shaping up.

The traditional antitrust remedy of breaking a company along its business lines still looks unwieldy when faced with the blistering pace of digital technology. The problem is delivering such a fix fast enough that the business hasn’t already reconfigured to route around the reset. 

Commission antitrust decisions on the tech beat have stepped up impressively in pace on Vestager’s watch. Yet it still feels like watching paper pushers wading through treacle to try and catch a sprinter. (And Europe hasn’t gone so far as trying to impose a platform break up.) 

But the German FCO decision against Facebook hints at an alternative way forward for regulating the dominance of digital monopolies: Structural remedies that focus on controlling access to data which can be relatively swiftly configured and applied.

Vestager, whose term as EC competition chief may be coming to its end this year (even if other Commission roles remain in potential and tantalizing contention), has championed this idea herself.

In an interview on BBC Radio 4’s Today program in December she poured cold water on the stock question about breaking tech giants up — saying instead the Commission could look at how larger firms got access to data and resources as a means of limiting their power. Which is exactly what the German FCO has done in its order to Facebook. 

At the same time, Europe’s updated data protection framework has gained the most attention for the size of the financial penalties that can be issued for major compliance breaches. But the regulation also gives data watchdogs the power to limit or ban processing. And that power could similarly be used to reshape a rights-eroding business model or snuff out such business entirely.

The merging of privacy and antitrust concerns is really just a reflection of the complexity of the challenge regulators now face trying to rein in digital monopolies. But they’re tooling up to meet that challenge.

Speaking in an interview with TechCrunch last fall, Europe’s data protection supervisor, Giovanni Buttarelli, told us the bloc’s privacy regulators are moving towards more joint working with antitrust agencies to respond to platform power. “Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” he said. “But first joint enforcement and better co-operation is key.”

The German FCO’s decision represents tangible evidence of the kind of regulatory co-operation that could — finally — crack down on tech giants.

Blogging in support of the decision this week, Buttarelli asserted: “It is not necessary for competition authorities to enforce other areas of law; rather they need simply to identity where the most powerful undertakings are setting a bad example and damaging the interests of consumers.  Data protection authorities are able to assist in this assessment.”

He also had a prediction of his own for surveillance technologists, warning: “This case is the tip of the iceberg — all companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice.”

So perhaps, at long last, the regulators have figured out how to move fast and break things.

News Source = techcrunch.com

1 2 3 5
Go to Top