The UK’s data watchdog has restarted an investigation of adtech practices that, since 2018, have been subject to scores of complaints across Europe under the bloc’s General Data Protection Regulation (GDPR).
The high velocity trading of Internet users’ personal data can’t possibly be compliant with GDPR’s requirement that such information is adequately secured, the complaints contend.
Other concerns attached to real-time bidding (RTB) focus on consent, questioning how this can meet the required legal standard with data being broadcast to so many companies — including sensitive information, such as health data or religious and political affiliation and sexual orientation.
Since the first complaints were filed, the UK’s Information Commissioner’s Office (ICO) has raised its own concerns over what it said are systemic problems with lawfulness in the adtech sector. But last year it announced it was pausing its investigation on account of disruption to businesses from the COVID-19 pandemic.
Today it said it’s unpausing its multi-year probe to keep on prodding.
In an update on its website, ICO deputy commissioner Simon McDougall, who takes care of “Regulatory Innovation and Technology” at the agency, writes that the eight-month freeze is over. And the audits are coming.
“We have now resumed our investigation,” he says. “Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.”
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data,” he goes on. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”
It’s not clear what data the ICO still lacks to come to a decision on complaints that are approaching 2.5 years old at this point. But the ICO has committed to resume looking at adtech — including at data brokers, per McDougall, who writes that “we will be reviewing the role of data brokers in this adtech eco-system”.
“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded,” he goes on, managing expectations of any swift resolution to this vintage GDPR complaint.
Commenting on the ICO’s continued reluctance to take enforcement action against adtech despite mounds of evidence of rampant breaches of the law, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties who was involved in filing the first batch of RTB GDPR complaints — and continues to be a vocal critic of EU regulatory inaction against adtech — told TechCrunch: “It seems to me that the facts are clearly set out in the ICO’s mid 2019 adtech report.
“Indeed, that report merely confirms the evidence that accompanied our complaints in September 2018 in Ireland and the UK. It is therefore unclear why the ICO requires several months further. Nor is it clear why the ICO accepted empty gestures from the IAB and Google a year ago.”
“I have since published evidence of the impact that failure to enforce has had: Including documented use of RTB data to influence an election,” he added. “As that evidence shows, the scale of the vast data breach caused by the RTB system has increased significantly in the three years since I blew the whistle to the ICO in early 2018.”
Despite plentiful data on the scale of the personal data leakage involved in RTB, and widespread concern that all sorts of tangible harms are flowing from adtech’s mass surveillance of Internet users (from discrimination and societal division to voter manipulation), the ICO is in no rush to enforce.
In fact, it quietly closed the 2018 complaint last year — telling the complainants it believed it had investigated the matter “to the extent appropriate”. It’s in the process of being sued by the complainants as a result — for, essentially, doing nothing about their complaint. (The Open Rights Group, which is involved in that legal action, is running a crowdfunder to raise money to take the ICO to court.)
So what does the ICO’s great adtech investigation unpausing mean exactly for the sector?
Not much more than gentle notice you might be the recipient of an “assessment notice” at some future point, per the latest mildly worded ICO blog post (and judging by its past performance).
Per McDougall, all organizations should be “assessing how they use personal data as a matter of urgency”.
He has also committed the ICO to publishing “final findings” at some future point. So — to follow, post-pause — yet another report. And more audits.
“We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing — particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs),” he goes on, eschewing talk of any firmer consequences following should all that guidance continue being roundly ignored.
He ends the post with a nod to the Competition and Markets Authority’s recent investigation of Google’s Privacy Sandbox proposals (to phase out support for third party cookies on Chrome) — saying the ICO is “continuing” to work with the CMA on that active antitrust complaint.
You’ll have to fill in the blanks as to exactly what work it might be doing there — because, again, McDougall isn’t saying. If it’s a veiled threat to the adtech industry to finally ‘get with the ICO’s privacy program’, or risk not having it fighting adtech’s corner in that crux antitrust vs privacy complaint, it really is gossamer thin.
Today, I and (the great) @Caffar3Cristina write in @EURACTIV about antitrust & privacy. Failure by @ICOnews @DPCIreland and others to use powerful GDPR tools has allowed competition problems to fester, putting @CMAgovUK and others in a difficult position. https://t.co/DL842X8UGh
— Johnny Ryan (@johnnyryan) January 22, 2021
Apple is said to be working on a new version of the MacBook Air with a brand new physical case design that’s both thinner and lighter than its current offering, which was updated with Apple’s M1 chip late last year, per a new Bloomberg report. The plan is to release it as early as late 2021 or 2022, according to the report’s sources, and it will also include MagSafe charging (which is also said to be returning on Apple’s next MacBook Pro models sometime in 2021).
MagSafe would offer power delivery and charging, while two USB 4 ports would provide data connectivity on the new MacBook Air. The display size will remain at its current 13-inch diagonal measurement, but Apple will reportedly realize smaller overall sizes by reducing the bezel that surrounds the screen’s edge, among other sizing changes.
Apple has a plan to revamp its entire Mac lineup with its own Apple Silicon processors over the course of the next two years. It debuted its first Apple Silicon Macs, powered by its M1 chip, late last year, and the resulting performance benefits vs. their Intel-powered predecessors have been substantial. The physical designs remained essentially the same, however, prompting speculation as to when Apple would introduce new case designs to further distinguish its new Macs from their older models.
The company is also reportedly working on new MacBook Pros with MagSafe charging, which could also ditch the company’s controversial Touch Bar interface and, again according to Bloomberg, bring back a dedicated SD card slot. All these changes would actually be reversions of design changes Apple made when it introduced the current physical notebook Mac designs, beginning with the first Retina display MacBook Pro in 2012, but they address usability complaints from some of the company’s enthusiast and professional customers.
The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.
The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.
It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).
The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.
It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.
“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”
“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.
MEP Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.
Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.
We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.
The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.
Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.
So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…
Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.
“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”
Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.
Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).
noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.
“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”
Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.
Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.
The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.
Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.
Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.
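The kind of check the MEP's tracker scan performed can be reproduced offline from a capture of the requests a browser makes before the visitor touches the cookie banner. The following is an added example in Python, not the complainants' tool or any code from the article: it classifies each captured URL as first- or third-party by comparing registrable domains, parses every Set-Cookie header, and reports which cookies a third party placed before any consent could have been given. The first-party origin, the hostnames and the capture itself are constructed, hypothetical stand-ins (the article names Google and Stripe as the third parties seen, and the real site's hostname is not reproduced here).

```python
"""Audit a pre-consent page-load capture for third-party requests and cookies.

Added example (not code from the original article or from the complainants' tool).
Input is a constructed, HAR-like list of {"url", "set_cookie"} records; the
first-party origin and every hostname below are hypothetical stand-ins.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Hypothetical first-party origin of the booking site being audited.
FIRST_PARTY_ORIGIN = "https://booking.example.eu"

# Constructed capture of the requests a browser made before the user touched the
# cookie banner. A real audit takes this from a HAR export or a proxy log.
SAMPLE_CAPTURE = [
    {"url": "https://booking.example.eu/register",
     "set_cookie": ["session=abc123; Path=/; HttpOnly; Secure"]},
    {"url": "https://booking.example.eu/static/app.js", "set_cookie": []},
    {"url": "https://www.google-analytics.com/analytics.js", "set_cookie": []},
    {"url": "https://www.google-analytics.com/collect?v=1&tid=UA-0000-1",
     "set_cookie": []},
    {"url": "https://js.stripe.com/v3/", "set_cookie": []},
    {"url": "https://m.stripe.com/6",
     "set_cookie": ["__stripe_mid=7f3c2a; Domain=.stripe.com; Path=/; "
                    "Max-Age=31536000; SameSite=Strict; Secure"]},
]

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long. A production tool should load the real list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname, e.g. m.stripe.com -> stripe.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(host: str, first_party_origin: str) -> bool:
    """A host is third party when its registrable domain differs from the site's own."""
    site_host = urlparse(first_party_origin).hostname or ""
    return registrable_domain(host) != registrable_domain(site_host)


def classify_requests(capture, first_party_origin):
    """Split captured URLs into first-party URLs and third-party URLs grouped by registrable domain."""
    first_party, third_party = [], {}
    for entry in capture:
        host = urlparse(entry["url"]).hostname or ""
        if is_third_party(host, first_party_origin):
            third_party.setdefault(registrable_domain(host), []).append(entry["url"])
        else:
            first_party.append(entry["url"])
    return first_party, third_party


def cookies_in_capture(capture, first_party_origin):
    """Parse every Set-Cookie header and record which party placed each cookie."""
    findings = []
    for entry in capture:
        response_host = urlparse(entry["url"]).hostname or ""
        for header in entry.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                # The Domain attribute wins if present; otherwise the cookie is host-only.
                cookie_domain = (morsel["domain"] or response_host).lstrip(".")
                party = "third" if is_third_party(cookie_domain, first_party_origin) else "first"
                findings.append({"name": name, "domain": cookie_domain, "party": party})
    return findings


def audit(capture, first_party_origin):
    """Summarise what a pre-consent capture reveals: third-party calls and third-party cookies."""
    _, third_party = classify_requests(capture, first_party_origin)
    cookies = cookies_in_capture(capture, first_party_origin)
    return {
        "third_party_request_count": sum(len(urls) for urls in third_party.values()),
        "third_party_domains": sorted(third_party),
        "third_party_cookies_before_consent": [c for c in cookies if c["party"] == "third"],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURE, FIRST_PARTY_ORIGIN)
    print(f"{report['third_party_request_count']} third-party requests to "
          f"{', '.join(report['third_party_domains'])}")
    for cookie in report["third_party_cookies_before_consent"]:
        print(f"cookie {cookie['name']} set by {cookie['domain']} before any consent")
```

Two caveats a practitioner would want: the capture must be taken before any interaction with the banner, in a fresh profile, or prior consent will mask the finding; and the registrable-domain heuristic only approximates the Public Suffix List, so a hostname under a suffix not in the small table above can be misclassified.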

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)
The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies, which state that consent must be clearly informed, specific and freely given.
In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).
The complaint alleges that EU cookie consent requirements are not being met on the website, while the presence of requests to US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.
The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism), which in turn means transfers of EU residents’ data to US-based companies are complicated.
Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.
Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry out in compliance with European law, such as those that involve encrypted data with no access by the receiving US-based entity.
However the bar for compliance varies depending on the specific context and case.
Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.
So, once again, it’s not a good look for the parliament to have had a notice on its COVID-19 testing website saying personal data would be transferred to a Google server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)
Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who is?
noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)
Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.
Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.
He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. Last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (an order Facebook blocked by applying for a judicial review of the Irish DPC’s processes).
The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.
So, with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint, pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.
As countries around the world prepare to vaccinate people against the coronavirus, tech companies are rushing to demonstrate their willingness to help fight the deadly virus. China’s ride-hailing leader Didi Chuxing is pledging a $10 million fund to support COVID-19 vaccination efforts in 13 markets outside its home country China, the company said on Friday.
The multi-purpose fund will be used to reduce fees for passengers going to vaccination appointments and frontline healthcare workers traveling to vaccination locations. It will also sponsor future measures based on a market’s local needs, Didi said, adding that it will continue working with the respective governments. It’s unclear how the company plans to allocate the funds across those markets.
Like other tech firms, Didi has responded swiftly to the COVID-19 outbreak by offering relief measures. It said it has so far funded more than six million free or discounted rides and meals for frontline healthcare workers and distributed more than six million masks and sanitation kits to driver and courier partners in its international markets.
In China, the ride hailing company has made similar efforts, including financial assistance like insurance plans for drivers with confirmed cases or those undergoing quarantine.
“The vaccination support initiative is a crucial step in our local recovery effort across the world,” said Jean Liu, president of Didi.
“The incredible commitment and agility of Didi teams, together with a safety system built for complex mobility scenarios, play a critical role in protecting our people and ensuring essential services throughout these challenging times. We will continue to stand by our partners and communities to get our cities moving again.”
The SoftBank-backed company took a hit when it temporarily suspended its popular and lucrative carpooling service following two passenger incidents. The startup remains one of China’s most valuable private tech companies and rumors have swirled for a few years that it is planning an initial public offering, which the company has denied.
Didi has garnered over 550 million users across the Asia Pacific, Latin America and Russia by offering taxi hailing, private car hailing, rideshare, buses, bikes and e-bikes, and it enables over 10 billion passenger trips a year as of late. It has a nascent autonomous driving arm backed by SoftBank and is among a group of Chinese upstart AI companies aggressively developing and testing autonomous vehicles. It’s also working with China’s electric carmaking giant BYD to co-design a model tailored for ride-hailing.
Source: https://techcrunch.com/2021/01/21/didi-10-million-covid-19-fund/
A string of recent events in China’s payments industry suggests the duopoly comprising Ant Group and Tencent may be getting a shakeup.
Following the abrupt call-off of Ant’s public sale and a government directive to reform the firm’s business, the Chinese authorities sent another message this week signaling its plan to curb concentration in the flourishing digital payments industry.
The set of draft rules, designed to regulate non-bank payments and released by the People’s Bank of China (PBOC) this week, said any non-bank payments processor with over one-third of the non-bank payments market or two companies with a combined half of the market could be subject to regulatory warnings from the anti-monopoly authority under the State Council.
Meanwhile, a single non-bank payments provider with over one half of the digital payments market or two companies with a combined two-thirds of the market could be investigated for whether they constitute a monopoly.
The difference between the two rules is nuanced here, with the second stipulation focusing on digital payments as opposed to non-bank payments in the first.
Furthermore, the rules did not specify how authorities measure an organization’s market share, say, whether the judgment is based on an entity’s total transaction value, its transaction volume, or other metrics.
Alipay processed over half of China’s third-party payments transactions in the first quarter of 2020, according to market researcher iResearch, while Tencent handled nearly 40% of the payments in the same period.
As China heightens scrutiny over its payments giants, it’s also opening up the financial market to international players. In December, Goldman Sachs moved to take full ownership of its Chinese joint venture. This month, PayPal became the first foreign company with 100% control of a payments business in China after it bought out the remaining stake in its local payments partner Guofubao.
Industry experts told TechCrunch that PayPal won’t likely go after the domestic payments giants but may instead explore opportunities in cross-border payments, a market with established players like XTransfer, which was founded by a team of Ant veterans.
Ant and Tencent also face competition from other Chinese internet firms. Companies ranging from food delivery platform Meituan, e-commerce platforms Pinduoduo and JD.com, to TikTok’s parent firm ByteDance have introduced their own e-wallets, though none of them have posed an imminent threat to Alipay or WeChat Pay.
The comprehensive proposal from PBOC also defines how payments processors handle customer data. Non-bank payments services are to store certain user information and transaction history and cooperate with relevant authorities on data checks. Companies are also required to obtain user consent and make clear to customers how their data are collected and used, a rule that reflects China’s broader effort to clamp down on unscrupulous data collection.
Source: https://techcrunch.com/2021/01/21/china-payments-shakeup/