All posts in “GDPR”

In Europe, Facebook’s data law buffer looks to be on borrowed time

Facebook’s European business may not, for too much longer, be able to rely on its preferred privacy buffer of arguing that data protection oversight of its business is exclusively limited to the Irish watchdog on account of its European HQ being located in Ireland.

A non-binding legal opinion put out today by an influential advisor to Europe’s top court has ruled that the social network can in fact be subject to privacy oversight in other European Union Member States — at least where it has some physical presence (such as a sales office), as well as users whose data it is gathering for targeted advertising.

The underlying case pertains to the background tracking of web browser users via Facebook operated cookies. A German education and training company which runs a fan page on Facebook had, in 2011, been ordered by a German data protection authority to deactivate the Facebook page because the latter deemed that neither it nor Facebook had informed users their personal data was being collected.

The company challenged the order in court and, after much legal back and forth, several questions were referred to Europe’s top court for a preliminary ruling — which today’s advocate general opinion prefigures.

In recent years, various European DPAs have sought to impose fines on Facebook for what they view as data protection violations pertaining to users in their jurisdiction, including watchdogs in Spain, the Netherlands and Belgium.

But Facebook’s go-to rebuttal is to claim it is only subject to the jurisdiction of the Irish DPA.

In today’s opinion, the advocate general writes: “In recent months, the supervisory authorities of several Member States have decided to impose fines on Facebook, because of breaches of the rules on the protection of the personal data of its users. The present case will enable the Court to clarify the extent of the powers of intervention of supervisory authorities such as ULD [German DPA] with regard to the processing of personal data which involves the participation of several parties.”

It’s fair to say that EU Member States’ data protection authorities are a spectrum, with some taking a distinctly more proactively pro-privacy stance than others.

While Ireland’s low corporate tax rate is something of a flag for where the country plants its priorities on the ‘data for businesses’ vs ‘privacy for users’ axis — underlining why Facebook might want to be subject to its supervision vs other, more pro-privacy EU DPAs.

But its preference for the Irish data protection commissioner to be its sole privacy authority could well be on borrowed time. A spokeswoman for the ECJ said there is no date yet for a final judgment but one usually follows between three and six months after the opinion.

Contacted for a response to today’s advocate general’s opinion, a Facebook spokesperson told us: “We respectfully disagree with the Advocate General and await the European Court’s decision.”

Facebook’s spokesperson further emphasized the AG’s opinion is non-binding. However AG opinions are usually highly influential on the court — though we’ll have to wait to see whether the court concurs in this instance. (If so there could be wider implications for other, similarly structured tech companies that also use tracking cookies in the EU.)

The Facebook spokesperson also sought to imply that the AG’s opinion is not consistent with an incoming update to EU data protection law, under the GDPR — which comes into force in May 2018, and includes a provision intended to reduce data oversight complexity for companies operating services across EU Member States borders via a so called one-stop shop mechanism that’s designed to limit the number of DPAs data controllers need to liaise with.

However the mechanism does not mean data oversight is automatically limited to a single DPA; rather the GDPR provides for a lead DPA which can liaise with any other concerned authorities over data issues pertaining to citizens in their own territories. So in fact it allows for multiple concerned DPAs to carry out supervision on companies’ data-related practices.

The AG also touches on this area, writing: “[T]he Court should not, in my opinion, pre-empt the scheme established by the general regulation on data protection which will apply from 25 May 2018 onwards. As part of that scheme a one-stop-shop mechanism is instituted. This means that a controller that carries out cross-border data processing, such as Facebook, will have only one supervisory authority as interlocutor, namely the lead supervisory authority, which will be the authority for the place where the controller’s main establishment is located. Nevertheless, that scheme, and the sophisticated cooperation mechanism which it introduces, are not yet applicable.”

Another interesting component of the opinion pertains to the definition of a data controller — a key distinction in privacy law which enables supervisory authorities to understand where specific legal responsibilities lie, and thus how to apply data protection law.

In the case of the German company involved in the original case, the AG’s view is that both it and Facebook share responsibility for data processing as regards the Facebook fan page, as both are involved with making decisions around how user data is processed (one as administer of the specific Facebook fan page; the other, Facebook, as administrating entity of Facebook fan pages).

But the wider point of note is that neither needs to have complete control over data processing activities to be deemed a data controller from a legal point of view.

“Ever more frequently data processing is complex, comprising several distinct processes which involve numerous parties which themselves have differing degrees of control. Consequently, any interpretation which focusses on the existence of complete control over all aspects of data processing is likely to result in serious lacunae in the protection of personal data,” writes the AG.

“I would add that, as the Belgian Government rightly observes, the fact that the Wirtschaftsakademie [the German company in the case] acts as joint controller in so far as it decides to have recourse to Facebook’s services for its information offering in no way relieves Facebook Inc. or Facebook Ireland of their obligations as controllers. Indeed, it is clear that those two entities have a decisive influence over the purposes and means of the processing of personal data which occurs when a fan page is visited and that they also use that data for their own purposes and interests.”

The AG also writes in support of “a broad interpretation of the concept of ‘controller’” saying this is necessary for EU data protection law to function as intended.

Facebook fined €1.2M for privacy violations in Spain

Another privacy-related fine for Facebook in Europe: The Spanish data protection regulator has issued a €1.2M (~$1.4M) fine against the social media behemoth for a series of violations regarding its data-harvesting activities.

Spain’s AEPD said an investigation into how Facebook collects, stores and uses data for advertising purposes found it is doing so without obtaining adequate user consent.

It says it identified two serious infringements and one very serious infringement of data protection law — with the total sanction breaking down to €300,000 for each of the first breaches and €600,000 for the second.

The regulator found Facebook collects data on ideology, sex, religious beliefs, personal tastes and navigation — either directly, through users’ use of its services or from third party pages — without, in its judgement, “clearly informing the user about the use and purpose”.

Not obtaining express consent of users to process sensitive personal data is classified as a very serious offense under local DP law.

Facebook’s use of web browsing cookies was also found in violation of privacy laws, with the regulator saying it confirmed users are not informed that their information will be processed through the use of cookies when they are browsing non-Facebook pages that contain Facebook’s ‘Like’ button social plug in — noting that while some of the use of this data is declared as being for advertising, other use is “secret”, i.e. not disclosed by the company.

“This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging on to Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations,” it noted.

The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it — saying it had been able to verify Facebook does not delete web browsing habits data, but  in fact “retains and reuses it later associated with the same user”.

It also found this to be true even when the company had been explicitly requested to delete data by a user.

“Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not canceled in full or when they are no longer useful for the purpose for which they were collected or when the user explicitly requests their removal, according to the requirements of the LOPD [local data protection law], which represents a serious infringement,” it said.

The AEPR, which noted it liaised with other DPAs — in Belgium, France, Germany (Hamburg) and the Netherlands, which also have their own separate investigations into these issues, initiated following Facebook’s 2015 T&Cs change — said Facebook’s existing privacy policy was judged to contain “generic and unclear terms”, and to “inaccurately” refer to the use it will make of the data it collects.

The regulator asserted that a Facebook user “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used”.

It also points out that unregistered Internet users would not be unaware that the social network collects their browsing data — something that has already got Facebook into trouble with other European DPAs.

Commenting on the regulator’s action, a Facebook spokesperson told us the company intends to appeal the decision, while also noting that its European business is (currently) regulated under Irish data protection rules, where its EU HQ is sited.

It provided the following statement:

We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU’s new data protection regulation in 2018.

The size of the AEPR fine is of course a mere pinprick for Facebook whose 2016 revenue was $27.64BN. So really its appeal against the fine is about the company trying to bat away any perception that it violates privacy by refuting the substance of the violations being asserted here.

But seen through the prism of stricter incoming EU data protection rules, under the new GDPR regime which comes into force next May, there are certainly serious financial considerations for Facebook’s business pertaining to privacy — as the new EU regime includes a far larger stick to beat companies that are judged to have violated data protection rules while also tightening up privacy rules by, for example, expanding the definition of personal data and giving EU citizens the right to ask for their data to be deleted.

Companies will be facing fines of up to 4% of their global annual turnover for privacy violations under GDPR. So, in Facebook’s case, privacy-related fines could start to scale to over a billion dollars. And penalties of that size aren’t something the tech giant can too often and too easily sweep under its revenue carpet.

Even as GDPR strengthens the consent requirements for processing personal data, and expands the risk of holding and processing lots of personal data.

In addition, a company like Facebook, which processes data across multiple EU Member States’ territories, may find the new regulation creates a situation where it faces more concerted action from other DPAs, i.e. beyond their local data authority where they’ve established a European base. So, in Facebook’s case, it may not so easily be able to claim to be only under the jurisdiction of the Irish DPA. And in Europe, it’s fair to say that some DPAs are decided more pro-privacy than others.

Asked about its GDPR preparations, Facebook previously told us it has designated a cross-functional team to “fully analyze the legislation and help us understand what this would mean from a legal, policy and product perspective” — saying this is “the largest cross functional team in the history of the Facebook family”.

It is also now looking to recruit a data protection officer — a position mandated under GDPR.

“Ahead of next May we are working with our product, design and engineering teams to enhance existing products and build new products in a way that simultaneously provides an intuitive, user-centric experience and permits us to meet our obligations under the GDPR,” added Stephen Deadman, Facebook’s deputy chief global privacy officer, in a statement.

Featured Image: Twin Design/Shutterstock

Wire launches e2e encrypted team messaging in beta

End-to-end encrypted messaging platform Wire is targeting Slack’s territory with a new messaging for teams product, called Teams.

It announced a beta launch yesterday, and is offering teams a 30-day free trial — with pricing starting at €5 per user per month thereafter, or custom pricing for enterprise installations offering extras such as self-hosted servers and an integration API.

Co-founder Alan Duric tells TechCrunch that demand for the team messaging launch is being driven “primarily” by Wire’s existing user base.

Alex, a TC reader and Wire user who tipped us to the beta launch, is one of those existing users with an interest in the new team messaging feature — although he says his team won’t be signing up until the product exits beta.

Explaining how his team originally started using Wire, Alex says: “One of the team was traveling and visited China where we found the firewall was blocking basically everything. Skype would randomly keep crashing / lagging under a VPN, though Wire simply worked there. We decided just to stick with it.”

The Wire Teams product supports logging in with multiple accounts, so users can maintain a personal Wire messaging account separate from a Wire work account, for example.

There’s also support for adding guests to projects to allow for collaboration with outsiders who don’t have full Wire accounts of their own.

And, in future, Teams users will be able to switch off notifications for different accounts — so they could turn off work alerts for the weekend, for example.

“More and more businesses and international organizations have started using Wire for work since we launched end-to-end encryption. Teams make it easy to organize work groups and related conversations,” it writes in a blog post announcing the beta.

While the company started by offering a more general comms app, launched in late 2014 and backed by Skype co-founder Janus Friis, in recent years it’s shifted emphasis to focus on privacy — rolling out end-to-end encryption in March last year — perhaps calculating this makes for a better differentiator in the crowded messaging platform space.

When it comes to team messaging, services offering end-to-end encryption are certainly a relative rarity. Slack’s data request policy, for example, notes that it will turn over customer data “in response to valid and binding compulsory legal process”.

In its blog about Teams, Wire includes a comparison graphic across a range of team comms products and messaging apps, such as Slack, Skype for business, WhatsApp and Signal, which shows its commercial positioning and marketing at work.

As well as flagging as a plus its use of e2e encryption — which extends to securing features such as group calls, screen-sharing and file sharing — other differentiating advantages it’s claiming include its business having a European base (specifically it’s based in Switzerland, which has a legal regime that’s generally perceived as offering some of the most robust data protection and privacy laws in Europe); and its code being open sourced (unlike, for example, the Facebook-owned WhatsApp messaging platform).

Wire also suggests e2e encryption for team messaging could be a way for companies to ensure compliance with incoming European privacy legislation. The General Data Protection Regulation, which ramps up fines for data breaches, is due to come into force in May next year.

“Businesses affected by the EU’s upcoming GDPR rules benefit from end-to-end encryption, as it automatically protects the data they share with the team from third party access,” Wire claims.

Earlier this year the company published an external audit of its e2e encryption. This uncovered some flaws and issues but generally found the reviewed components to have a “high security”.

Although a third layer of security review — to consider Wire’s complete solution in the round — remained outstanding at that point.

At the time Wire published the audit it committed to ongoing security reviews of “every major development” of its product.

So — presumably — that should include one for the Teams addition when it launches.

Wire hosts its open sourced code on GitHub. data rewards app gets Telefónica co-branding push

London based has taken its first steps outside the UK, expanding its data sharing rewards platform into Germany — where it’s launched a co-branded version of the app with carrier o2 (called o2 Get), targeting the latter’s ~24 million customers.

The app is also available to download via the App Store and Google Play, and o2 parent company Telefónica Germany will also be pushing the apps across its full market footprint of 44M customers. The telco link follows People.ioIn going through the telco’s Wayra Germany accelerator last year. They say they’re the first Wayra-backed startup to launch a co-branded product with Telefónica.

“By co-branding with o2 we benefit from a respected and well known consumer brand which… gives us a fast track to scale; meaning we can focus on creating a great product experience that delivers on our vision to give people ownership of their data,” says co-founder Nicholas Oliver.

“Our decision to launch in Germany was driven by their strong, consumer-centric data privacy laws. This meant we were focussed on building a product that could meet even the most stringent data privacy laws with a view to further market expansion.”

Oliver says the team is expecting to get around 250,000 downloads in the next 6 months in Germany; increasing to just under 1 million by the end of the first year.

The startup is apparently working with around a dozen telcos across 35 markets at this point — although it remains to be seen how many of those conversations will turn into fully fledged co-branded app efforts.

In o2 Germany’s case,’s philosophy around user data ownership clearly meshes with a Telefónica strategic push to give data back to users aimed at fostering customer loyalty.

We first covered back in January 2016, when it had just launched a beta version in Shoreditch, giving locals the chance to share personal data in exchange for building up credits to redeem against digital services like streaming music. It’s since scaled out to be UK wide.

The core idea is to flip the notion that Internet users have to ‘pay’ to use ‘free’ products by having their personal data covertly and persistently harvested by these services. Instead, the platform aims to give people an incentive to share data willingly with it, for targeted ad purposes, rewarding them for sharing data with credits to redeem against different services (and by not sharing their data directly with others).

The app is broadly aimed at 18 to 25 year olds for now, offering a familiar Tinder-style swipe interface for them to respond to questions about their likes and dislikes to start inputting personal data into the platform. They can also choose to connect other data sources, such as their email account, in order to share more info — with increased rewards for sharing more.

Advertisers are able to target marketing messages at users via the platform, but the startup says users’ data is never shared directly with third parties. And the further pledge is that users can delete their account at any point — which immediately and permanently erases all their data.

Oliver describes the platform as “a firewall for people”, and reckons Europe’s incoming General Data Protection Regulation (GDPR) will have a serious impact on how the ad tech industry operates  regionally, because it gives consumers greater control over how their data is used. The GDPR is due to come into force in May 2018, and includes tough penalties for compliance failures, changing the risks associated with collecting and processing EU citizens’ personal data.

While’s initial product pays data sharers for viewing targeted ads — typically redeemed against gift cards for Amazon, Starbucks and iTunes, according to Oliver, with an option to donate credits earned as cash to charity currently also in testing — its wider vision is around expanding into paid services of its own; utilizing users’ data to offer them the ability to pay to enhance other digital services they use, without having to lose control of their information.

“This might apply to health and fitness, connected home or even productivity apps and experiences,” he explains. “Our advertising feature(s) are really just phase one of a far bigger product vision. It provides us with a familiar consumer experience that allows us to develop the initial relationship with the user. From here, we can then educate them on the value associated to their data and demonstrate why taking ownership of it can benefit them; both financially and through enhanced digital experiences.

“A brief example could be with a Spotify playlist. Having a playlist that dynamically changes your upcoming tracks based on your current context (at work, at home, going running, trying to relax) or mood (stressed, energetic, feel like partying). With — we’d just tell Spotify ‘Nic’s at work’ or ‘Nic is about to go running’ — without sharing any of the data behind that insight. So that means Spotify can do what it does best, without ever needing access to your digital life.”

“When you consider the future of Conversational interfaces, like Amazon Echo, or chat bots; this type of functionality will become increasingly relevant,” he adds.

At this still early stage, has around 35,000 accounts activated since exiting beta in the UK, with around two-thirds of those characterized as ‘monthly actives’.

On average, Oliver says users engage with the app between two to three times a week. While the platform gets around half a million user interactions per month at this point.

He says the startup is currently raising investment to support “continued momentum and growth into other key markets”. Investors to date include Nick Robertson, founder of ASOS; Thomas Höegh, founder of Lovefilm; and Founders’ Factory, the accelerator founded by Brent Hoberman and backed by Guardian Media Group.

European markets are a priority, thanks to the pro-privacy regulatory environment, but Oliver says the team is hoping to expand into the first non-EU market by the end of the year. “The US is certainly a market that we’re keeping an eye on,” he adds.