Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.

The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)

“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.

“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”

We’ve reached out to all the companies involved for comment and will update this story with any response.

The European privacy campaigner most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).

As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights in an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights.

That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.

“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeting advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.

“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

“In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress.

“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”

Image credit: noyb.eu

And the winner of Startup Battlefield Europe at VivaTech is… Wingly

At the very beginning, there were 15 startups. After a morning of incredibly fierce competition, we now have a winner.

Startups participating in the Startup Battlefield have all been hand-picked to participate in our highly competitive startup competition. They all presented in front of multiple groups of VCs and tech leaders serving as judges for a chance to win €25,000 and an all-expense paid trip for two to San Francisco to participate in the Startup Battlefield at TechCrunch’s flagship event, Disrupt SF 2018.

After many deliberations, TechCrunch editors pored over the judges’ notes and narrowed the list down to five finalists: Glowee, IOV, Mapify, Wakeo and Wingly.

These startups made their way to the finale to demo in front of our final panel of judges, which included: Brent Hoberman (Founders Factory), Liron Azrielant (Meron Capital), Keld van Schreven (KR1), Roxanne Varza (Station F), Yann de Vries (Atomico) and Matthew Panzarino (TechCrunch).

And now, meet the Startup Battlefield Europe at VivaTech winner.

Winner: Wingly

Wingly is a flight-sharing platform that connects pilots and passengers. Private pilots can add flights they have planned, then potential passengers can book them.

Runner-Up: IOV

IOV is building a decentralized DNS for blockchains. By implementing the Blockchain Communication Protocol, the IOV Wallet will be the first wallet that can receive and exchange any kind of cryptocurrency from a single address of value.

Macron defends the European way of tech regulation

French President Emmanuel Macron gave a speech at VivaTech in Paris, alternating between French and English. He defended a third way to regulate tech companies, which is different from the U.S. and from China.

Macron thinks Europe should have a say when it comes to regulation — and it shouldn’t be just about privacy. Of course, he defended GDPR and online privacy, but he also talked about taxes, cyberbullying, the protection of independent workers and more.

What is at stake is how we build a European model reconciling innovation and common good Emmanuel Macron

Yesterday, Macron hosted 50 tech CEOs to talk about leveraging tech for the common good, especially when it comes to education, labor and diversity. Microsoft CEO Satya Nadella talked about the event before Macron took the stage.

Macron first started with a few numbers on the French tech ecosystem. “I want to talk to the entire French ecosystem here today. What we’re all doing is essential for our country and the world,” he said.

Based on his numbers, startups raised $2.9 billion in France last year (€2.5 billion). That’s three times as much as in 2015. He then listed some of the recent changes, from corporate taxes to France’s open data policy and the French Tech Visa.

He didn’t have much to say about the tech industry in particular. You could feel that he has a lot on his plate right now and that tech is more or less an afterthought.

“France is changing like crazy. And that's why we can say that France is back,” he said in English to conclude the first part of his speech.

“My second message is for Africa because you decided to invite Africa to VivaTech this year,” he said.

Macron then announced that France is going to invest some public money in the most promising African startups. “For the past six months, the French Development Agency has worked hard on this,” he said. “And the French Development Agency is going to announce in the coming weeks a new specific program of €65 million [$76 million] in order to invest small amounts, €30,000 to €50,000 per startup.”

Michel Euler / AFP / Getty Images

A message to big tech companies

Finally, Macron talked about the Tech for Good Summit and tech regulation in general. “We’re currently experiencing a revolution. I truly believe in that revolution and our country believes in it too,” he said. “But you can’t deny that some people in our country and in the world fear change.”

“Tech companies haven’t always been exemplary. Some haven’t complied with taxation laws and it has fostered mistrust — even from French entrepreneurs.”

Macron then defended France’s project to create a European tax on big tech companies. If the French Government can convince other European Governments, big tech companies would be taxed on local revenue in each European country. It could be a way to avoid tax optimization schemes. Smaller European countries with a lower corporate tax rate don’t seem convinced yet.

“I'm a big tech optimist and this country does believe in innovation,” he said. “But it's not enough — making money, creating jobs and making shareholders happy is great. Especially creating jobs as far as I'm concerned.”

Macron also criticized U.S. regulation on tech companies, saying that the U.S. Government is not doing enough when it comes to online harassment, taxes, labor and more.

He then criticized the Chinese model, saying that the Chinese Government is not doing enough when it comes to privacy, human rights and gender equality.

“What is at stake is how we build a European model reconciling innovation and common good,” he said. “We have to work together to build this common framework.”

After yesterday’s commitments, the French Government is going to track tech companies every six months to see if they actually implement what they promised when it comes to tech for good.

He also finished by saying that the Tech for Good Summit should become an annual initiative. Tech CEOs will be invited once again to the Élysée next year ahead of VivaTech.

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow.

Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover.

So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information).

That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations.

So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed at the back end of 2015. We’ve reached out to Pinterest with questions and will update this story with any response.

In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s privacy policy “hasn’t been changed in several years”. But he declined to specify exactly what it feels its compliance issue is — saying only: “We’re actively working to resolve the issue.”

In a customer support email that we reviewed, the company also told one European user: “We’ve been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action.”

“We’re really sorry for any inconvenience, and we are actively working on bringing the service back online for residents in Europe,” it added.

The product’s privacy policy is one of the clearer T&Cs we’ve seen. It also states that users can already access “all your personally identifiable information that we collect online and maintain”, as well as saying people can “correct factual errors in your personally identifiable information by changing or deleting the erroneous information” — which, assuming those statements are true, looks pretty good for complying with portions of GDPR that are intended to give consumers more control over their personal data.

Instapaper also already lets users delete their accounts. And if they do that it specifies that “all account information and saved page data is deleted from the Instapaper service immediately” (though it also cautions that “deleted data may persist in backups and logs until they are deleted”).

In terms of what Instapaper does with users’ data, its privacy policy claims it does not share the information “with outside parties except to the extent necessary to accomplish Instapaper’s functionality”.

But it’s also not explicitly clear from the policy whether or not it’s passing information to its parent company Pinterest, for example, so perhaps it feels it needs to add more detail there.

Another possibility is Instapaper is working on compliance with GDPR’s data portability requirement. Though the service has offered exports options for years. But perhaps it feels these need to be more comprehensive.

As is inevitable ahead of a major regulatory change there’s a good deal of confusion about what exactly must be done to comply with the new rules. And that’s perhaps the best explanation for what’s going on with Instapaper’s pause.

Though, again, there’s plenty of official and detailed guidance from data protection agencies to help.

Unfortunately it’s also true that there’s a lot of unofficial and dubious quality advice from a cottage industry of self-styled ‘GDPR consultants’ that have sprung up with the intention of profiting off of the uncertainty. So — as ever — do your due diligence when it comes to the ‘experts’ you choose.

Adyen confirms it will IPO and list in Amsterdam, valuing the payments giant at $7B-$11B

The floodgates are definitely open for IPOs in the tech world right now, and the latest is coming out of Europe. Adyen, a company that powers payments for large and smaller e-commerce merchants and others, has said that it plans to publicly list on the Euronext Amsterdam exchange, keeping the company’s financial future close to where Adyen itself was founded and is based rather than taking it to the US markets as some other European unicorns, like Spotify, have opted to do.

The news comes in the wake of reports that it was planning to announce its plans this week.

Adyen’s offering prospectus does not detail how much it plans to raise, or what sort of valuation it’s likely to reach in a public listing. It confirmed will be selling up to 15 percent of its shares, valued at a valuation of between €6 billion and €9 billion ($7 billion – $11 billion) after the IPO. We have reached out to the company for further detail on that front.

For some context, Adyen last confirmed its valuation publicly back in 2015, when it raised funding from Iconiq, the investment firm that manages funds from Mark Zuckerberg’s family and other high-net-worth tech leaders, at a $2.3 billion valuation. In other words, it’s a big jump, reflecting the company’s growth over the last couple of years.

Adyen said in the prospectus that its net revenues for the year that ended December 2017 were €218 million, up 38 percent on 2016, with total processed volumes of €108 billion in 2017 up from €66 billion in 2016, or 63 percent growth. It’s also profitable, with an EBITDA of €99 million, or a margin of 45.5 percent. Net income for Q1 was €24.1 million, up €10 million over the same period a year before.

Adyen has also clinched some key deals that point to continuing growth. Competing against the likes of Worldpay and PayPal, Adyen stole a march on the latter when it moved in to become the primary payments provider to eBay. After the former parent of PayPal spun out the company, it subsequenly put the deal out for tender and Adyen clinched it. (PayPal will still remain an option, but will not be the main provider.)

“We feel that we are still in the early stages of a remarkable journey. Our focus remains on building new functionality and on helping our merchants grow,” Pieter van der Does, the CEO and co-founder of Adyen, said in a statment. “This offering provides us with the freedom to keep building the company, while offering our shareholders a path to liquidity. Adyen will remain a company that is driven by a long-term vision and strategy.”

Other key customers include Uber (itself still growing like a weed, despite its many setbacks and divestments), Netflix, Facebook, Spotify, Etsy, Vodafone, Sephora, Tory Burch, L’Oréal and booking.com — underscoring how the company’s own growth is mirroring the increasing ubiquity and acceptance of digital payments.

The other area to watch and note with Adyen is that it’s looking to extend beyond basic payment processing technology: the company picked up a banking license at the end of last year and plans to expand in settlement services that would have previously been provided by banks. This will also help it grow its margins and overall revenues.

 

 

 

Announcing the 15 companies competing in Startup Battlefield Europe

TechCrunch scoured all of Europe to find the most innovative and disruptive early-stage startups to launch at TechCrunch Startup Battlefield Europe 2018 at VivaTech. And today starting at 9:05 am CET on the TechCrunch homepage you can watch the pitches from the latest 15 Startup Battlefield companies

Each company will pitch for six minutes on the Pitch B stage at VivaTech, followed by a rigorous six-minute Q&A with esteemed judges from all over Europe. Five companies will be selected to pitch in the finals this evening at 6:15 pm on the VivaTech Main Stage in front of a fresh crop of judges.

Our teams come from a diverse set of industries and are using a range of technologies, from insurance tech to biotech, and from blockchain technology to the latest in bioluminescent capture. Some are first-time founders and others have already negotiated $60 million financing rounds and developed tokens with over a billion-dollar market cap. These founders are challenging industry norms, and replacing the status quo of today’s businesses with technologies that support circular economy, optimized IoT design, GDPR-compliant data innovation and so much more.

Many of the problems these startups attempt to solve are rooted in personal experiences: One entrepreneur is building an insole to help Parkinson’s patients, like her father, regain their ability to sense the ground beneath them. Another entrepreneur grew up in a port city watching the dysfunction of shipments and became fixated on making them more seamless. And there’s an entrepreneur participating who built a flight marketplace, realizing first-hand that hobby pilots’ empty seats were a market opportunity waiting to be unlocked.

Here are the 15 Startup Battlefield Europe companies and the order in which they will pitch:

Session 1 at 9:05 am CET: Statice, Anorak, Tapoly, Wakeo, BIMlosophy

Session 2 at 10:30 am CET: Glowee, Mapify, DROVA, Walk With Path, StatusToday

Session 3 at 12:00 pm CET: Wingly, Varanida, Solely Original Shoes, Wisebatt, IOV

Over the last two months, these 15 startups refined their business models, demos and messaging with TechCrunch’s Startup Battlefield team and editors. Today, it will culminate onstage as they share their business with the world and answer the judges’ questions about the viability of their businesses.

Battlefield alumni have raised more than $8.2 million with over 105 successful exits, so investors, get your checkbooks ready. One of these 15 startups will receive the TechCrunch Startup Battlefield Top European startup award along with €25,000 in equity-free money.

TechCrunch Editor-in-Chief Matthew Panzarino and I will kick off Startup Battlefield Europe at 9:05 am CET. You can find more information about Startup Battlefield Europe here.

Revolut adds Ripple and Bitcoin Cash support

Fintech startup Revolut is adding Bitcoin Cash and Ripple to its cryptocurrency feature. While cryptocurrency isn’t really Revolut’s focus point, it’s a good way to get started with cryptocurrencies.

If you have a Revolut account, you can now buy and hold Bitcoin, Litecoin, Ethereum, Ripple and Bitcoin Cash. Behind the scene, the startup has partnered with Bitstamp to process the transactions. Revolut currently charges a 1.5 percent fee for cryptocurrency transactions. There are currently 100,000 cryptocurrency transactions per day.

Compared to a traditional cryptocurrency exchange, you can’t send or receive cryptocurrencies from your Revolut account. You don’t get a bitcoin address for instance. All you can do is buy tokens in the app. If you want to transfer those tokens somewhere else, you’ll have to sell them for USD, GBP, etc. and then buy cryptocurrencies on a traditional exchange using your fiat money.

Recently, the startup also announced a new feature called Vaults. Revolut users can set up a vault to save money over time.

You can round up your spare change every time you make a transaction. For instance, if you pay $3.47 for that delicious ice cream, you’ll save 53 cents in your vault. You can also multiple that amount so that you save multiple times your spare change with each transaction. Many fintech startups also provide this feature.

You can also set up recurring payments to set aside a bit of money each day, each week or each month. Interestingly, you get to choose the currency of your vault. So it means that you can decide to buy ethers with spare change and weekly payments for instance. It’s a great way to hedge against the volatility of cryptocurrencies.

Users don’t earn interests on vaults. It’s just a way to set some money aside that doesn’t appear in your main Revolut account. You can decide to close your vault whenever you want.

Square brings its Stand for iPad tablets to the UK

Square, the company that provides payments and other business services to merchants, is today taking another step in its gradual expansion outside of the U.S. Stand — one of Square’s key pieces of hardware, turning an iPad into a point of sale system — is launching in the U.K.

It will sell for £64 (+VAT) and will be sold alongside existing products that Square offers in the U.K. — Square Reader, its Point of Sale app, Instant Deposit, Virtual Terminal and Cash app. (Square Register, the company’s all-in-one product for larger businesses that sells for $999, is not yet available outside the U.S.)

The move comes just over a year after Square launched in the U.K., its first market in Europe, and also on the heels of a big move from two of its biggest competitors: last week, PayPal said it would acquire iZettle, sometimes referred to as “the Square of Europe,” for $2.2 billion.

Those two developments underscore both the challenges and opportunities ahead for Square.

On the one hand, the company is tapping into a big market opportunity by creating services that cater to the often-overlooked small and medium business sector — and the Stand, which extends a tablet into a more interactive payment terminal, plays into that.

On the other hand, the consolidation underway between iZettle and PayPal points to how stronger competitors — PayPal’s market cap is nearly four times that of Square — going after the same business as Square, will put pressure on the company. (As a point of comparison, iZettle’s tablet stands range in price from £49 to £99.)

Square may be smaller, but it has picked up a lot of loyalty for its services and innovations. Square says that today the company has two million business customers using its products globally. It doesn’t break out numbers by geography or product. But given how many merchants use more than just a phone to take payments and run other sales software (a phone being the basic building block of Square’s original card payment processor), it was a much-requested feature.

“Square Stand was built to provide sellers with a unique and beautiful solution that makes taking in-person payments simple, elegant and fast,” said Jesse Dorogusker, Square’s hardware lead and designer of the Stand. “Sellers in the U.K. have been asking for a full countertop solution for their businesses since we first introduced Square.”

Despite its popularity and how it seemed to appear and take off amid a surge of smartphone and tablet adoption and use in the U.S., Square has taken a very deliberate route when it’s come to growing outside its home country, where payment methods, regulations and languages might all be different. Today, the company has operations in the United States, Canada, Japan, Australia and the U.K. It also has an office in Ireland but not active payments or other business.

Asked about where Square might like to go next, the company has remained mum.

“Nothing to share on that front,” a spokesperson said. “We are just getting started here in the U.K. and iterating fast to bring new services to market. Since we entered the U.K. market in 2017 we have continued to bring our U.K. sellers important products at a steady pace.”