Consumer, Personal Data, Privacy, Tech

Facebook let Netflix and Spotify access private messages from users, startling documents reveal

Leaked documents show tech giant continued sharing user details despite public statements saying it had stopped years earlier

For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews.

The special arrangements are detailed in hundreds of pages of Facebook documents obtained by The New York Times. The records, generated in 2017 by the company’s internal system for tracking partnerships, provide the most complete picture yet of the social network’s data-sharing practices. They also underscore how personal data has become the most prized commodity of the digital age, traded on a vast scale by some of the most powerful companies in Silicon Valley and beyond.

The exchange was intended to benefit everyone. Pushing for explosive growth, Facebook got more users, lifting its advertising revenue. Partner companies acquired features to make their products more attractive. Facebook users connected with friends across different devices and websites. But Facebook also assumed extraordinary power over the personal information of its 2.2 billion users — control it has wielded with little transparency or outside oversight.

The social network allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

Facebook has been reeling from a series of privacy scandals, set off by revelations in March that a political consulting firm, Cambridge Analytica, improperly used Facebook data to build tools that aided President Donald Trump’s 2016 campaign. Acknowledging that it had breached users’ trust, Facebook insisted it had instituted stricter privacy protections long ago. Mark Zuckerberg, the chief executive, assured lawmakers in April that people “have complete control” over everything they share on Facebook.

But the documents, as well as interviews with about 50 former employees of Facebook and its corporate partners, reveal Facebook allowed certain companies access to data despite those protections. They also raise questions about whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also car-makers and media organisations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year.

In an interview, Steve Satterfield, Facebook’s director of privacy and public policy, said none of the partnerships violated users’ privacy or the FTC agreement. Contracts required the companies to abide by Facebook policies, he added.

Still, Facebook executives have acknowledged missteps during the past year. “We know we’ve got work to do to regain people’s trust,” Mr Satterfield said. “Protecting people’s information requires stronger teams, better technology and clearer policies, and that’s where we’ve been focused for most of 2018.” He said the partnerships were “one area of focus” and Facebook was in the process of winding many of them down.

Facebook has found no evidence of abuse by its partners, a spokesperson said. Some of the largest partners, including Amazon, Microsoft and Yahoo, said they had used the data appropriately, but declined to discuss the sharing deals in detail. Facebook did say it had mismanaged some of its partnerships, allowing certain companies’ access to continue long after they had shut down the features that required the data.

With most of the partnerships, Mr Satterfield said, the FTC agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends. The partners were prohibited from using the personal information for other purposes, he said. “Facebook’s partners don’t get to ignore people’s privacy settings.”

Data privacy experts disputed Facebook’s assertion that most partnerships were exempted from the regulatory requirements, expressing scepticism that businesses as varied as device makers, retailers and search companies would be viewed alike by the agency. “The only common theme is that they are partnerships that would benefit the company in terms of development or growth into an area that they otherwise could not get access to,” said Ashkan Soltani, former chief technologist at the FTC.

Mr Soltani and three former employees of the FTC’s consumer protection division, which brought the case that led to the consent decree, said in interviews that Facebook’s data-sharing deals had probably violated the agreement.

“This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,” said David Vladeck, who formerly ran the FTC’s consumer protection bureau. “I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.”

Details of the agreements are emerging at a pivotal moment for the world’s largest social network. Facebook has been hammered with questions about its data sharing from lawmakers and regulators in the United States and Europe. The FTC this spring opened a new inquiry into Facebook’s compliance with the consent order, while the Justice Department and Securities and Exchange Commission are also investigating the company.

Facebook’s stock price has fallen, and a group of shareholders has called for Mr Zuckerberg to step aside as chairman. Shareholders also have filed a lawsuit alleging that executives failed to impose effective privacy safeguards. Angry users started a #DeleteFacebook movement.

This month, a British parliamentary committee investigating internet disinformation released internal Facebook emails, seized from the plaintiff in another lawsuit against Facebook. The messages disclosed some partnerships and depicted a company preoccupied with growth, whose leaders sought to undermine competitors and briefly considered selling access to user data.

As Facebook has battled one crisis after another, the company’s critics, including some former advisers and employees, have singled out the data-sharing as cause for concern.

“I don’t believe it is legitimate to enter into data-sharing partnerships where there is not prior informed consent from the user,” said Roger McNamee, an early investor in Facebook. “No one should trust Facebook until they change their business model.”

Unlike Europe, where social media companies have had to adapt to stricter regulation, the United States has no general consumer privacy law, leaving tech companies free to monetise most kinds of personal information as long as they do not mislead their users. The FTC, which regulates trade, can bring enforcement actions against companies that deceive their customers.

Besides Facebook, the FTC has consent agreements with Google and Twitter stemming from alleged privacy violations.

For some advocates, the torrent of user data flowing out of Facebook has called into question not only Facebook’s compliance with the FTC agreement, but also the agency’s approach to privacy regulation.

“There has been an endless barrage of how Facebook has ignored users’ privacy settings, and we truly believed that in 2011 we had solved this problem,” said Marc Rotenberg, head of the Electronic Privacy Information Centre, an online privacy group that filed one of the first complaints about Facebook with federal regulators. “We brought Facebook under the regulatory authority of the FTC after a tremendous amount of work. The FTC has failed to act.”

According to Facebook, most of its data partnerships fall under an exemption to the FTC agreement. The company argues the partner companies are service providers — companies that use the data only “for and at the direction of” Facebook and function as an extension of the social network.

But Mr Vladeck and other former FTC officials said Facebook was interpreting the exemption too broadly.

When The Times reported last summer on the partnerships with device-makers, Facebook used the term “integration partners” to describe BlackBerry, Huawei and other manufacturers that pulled Facebook data to provide social-media-style features on smartphones. All such integration partners, Facebook asserted, were covered by the service provider exemption.

Since then, as the social network has disclosed its data-sharing deals with other kinds of businesses — including internet companies such as Yahoo — Facebook has labelled them integration partners, too.

Facebook even re-categorised one company, the Russian search giant Yandex, as an integration partner.

Facebook records show Yandex had access in 2017 to Facebook’s unique user IDs even after the social network stopped sharing them with other applications, citing privacy risks. A spokesperson for Yandex, which was accused last year by Ukraine’s security service of funnelling its user data to the Kremlin, said the company was unaware of the access and did not know why Facebook had allowed it to continue. They added the Ukrainian allegations “have no merit.”

In October, Facebook said Yandex was not an integration partner. But in early December, as The Times was preparing to publish this article, Facebook told congressional lawmakers that it was.

How closely Facebook monitored its data partners is uncertain. Most of Facebook’s partners declined to discuss what kind of reviews or audits Facebook subjected them to. Two former Facebook partners, whose deals with the social network dated to 2010, said they could find no evidence that Facebook had ever audited them. One was BlackBerry. The other was Yandex.



Consumer, Legislation, Personal Data, Privacy, Trending

General Medical Council and doctors’ unions hit out at government’s ‘cavalier approach’ to patient data.

Police forces will be able to “strong-arm” NHS bodies into handing over confidential patient data under planned laws that have sparked fury from doctors’ groups and the UK’s medical watchdog.

Ministers are planning new powers for police forces that would “set aside” the existing duty of confidentiality that applies to patient data held by the NHS and will instead require NHS organisations to hand over data police say they need to prevent serious violence.

Last week, England’s national data guardian, Dr Nicola Byrne, told The Independent she had serious concerns about the impact of the legislation going through parliament, and warned that the case for introducing the sweeping powers had not been made.

Now the UK’s medical watchdog, the General Medical Council (GMC), has also criticised the new law, proposals for which are contained in the Police, Crime and Sentencing Bill, warning it fails to protect patients’ sensitive information and could disproportionately hit some groups and worsen inequalities.

Human rights group Liberty said the proposed law is so broad that police forces will be able to “strong-arm information” from the NHS and other bodies, and that this could include information about people’s health, religious beliefs and political links. It added: “Altogether, these provisions are likely to give rise to significant and severe breaches of individuals’ data rights.”

Under the proposed legislation, which will be debated in the House of Lords in the coming weeks, local health boards will be legally required to provide confidential patient information when it is requested by police. The bill explicitly sets aside the existing common-law duty of confidentiality.

The purpose is to prevent serious violence, but there is already provision to allow patient information to be shared with police where there is a public interest need, such as the threat of violence or preventing a crime. The bill does not set out in detail what kinds of data could be handed over.

Under the proposed new law, police would have the power to demand information regardless of whether the NHS considered it to be in the public interest or not.

Professor Colin Melville, medical director at the GMC, told The Independent: “We are concerned the bill doesn’t protect patients’ sensitive health information and risks undermining the trust at the heart of doctor-patient relationships. We also share concerns held by others that an erosion of this trust may disproportionately affect certain communities and deepen societal inequalities.”

The GMC has raised its objections with the Home Office, which has said that the law will still require organisations to meet data protection rules before sharing any information.

But the doctors’ union, the British Medical Association (BMA), said in a briefing for members of the House of Lords that this would not provide adequate protection.

It said that health information had “long been afforded special legal status, over and beyond the Data Protection Act, in the form of the common-law duty of confidentiality”, which had been upheld by several court cases.

It added that the bill would “override the duty of medical confidentiality, including by legally requiring identifiable health information about individuals to be shared with the police”, saying: “We believe that setting aside of the duty of confidentiality, to require confidential information to be routinely given to the police when requested, will have a highly damaging impact on the relationship of trust between doctors and their patients. A removal of a long-established protection for confidential health information, alongside a broad interpretation of ‘serious crime’, may mean many patients are reluctant or fearful to consult or to share information with doctors.”

Dr Claudia Paoloni, president of the Hospital Consultants and Specialists Association, said the new law would “seriously undermine” the existing trust-based relationship with patients, and would create barriers to them seeking care: “We have significant concerns about what appears to be a cavalier approach to long-held principles, without clear objectives, and which is likely to have unintended consequences. Unless these concerns around individual patient confidentiality can be satisfactorily answered, we believe such powers should be removed from the bill.

“Other than the most serious crimes, which are already covered by precedent on disclosure on public interest grounds, it remains unclear precisely in what way laws to force the release of individuals’ medical records would be used.”

The latest data controversy comes after the NHS was forced to pause plans to share GP patient data with third parties to aid research, after an outcry from some doctors and patients over how the information would be used.

A Home Office spokesperson said: “Appropriate safeguards are in place, and any information shared must be proportionate. The bill makes clear that information can only be shared in accordance with data protection laws.”



Legislation, Personal Data, Privacy, Tech, Trending

The cyberspace pioneer is skeptical about a blockchain-based internet

Web inventor Tim Berners-Lee wants to rescue his creation from centralization. But does he align himself with Web3’s promise of salvation?

At TNW Conference, the computer scientist gave a one-word answer: “Nope.”

That snub may seem to clash with Berners-Lee’s recent actions. The 67-year-old now campaigns to save his “dysfunctional” brainchild from the clutches of Big Tech.

He’s also made a cool $5.4 million by selling an NFT — one of Web3’s supposed pillars. But the Brit has his own vision for the web’s successor: a decentralized architecture that gives users control of their data.

Berners-Lee wants to build it on a platform he calls Solid — but you can call it Web 3.0.

“We did talk about it as Web 3.0 at one point, because Web 2.0 was a term used for the dysfunction of what happens with user-generated content on the large platforms,” he said.

“People have called that Web 2.0, so if you want to call this Web 3.0, then okay.”

On the blockchain, it just doesn’t work

Berners-Lee shares Web3’s purported mission of transferring data from Big Tech to the people. But he’s taking a different route to the target. While Web3 is based on blockchain, Solid is built with standard web tools and open specifications. Private information is stored in decentralized data stores called “pods,” which can be hosted wherever the user wants. They can then choose which apps can access their data. This approach aims to provide interoperability, speed, scalability, and privacy.

“When you try to build that stuff on the blockchain, it just doesn’t work,” said Berners-Lee.



Consumer, Legislation, Privacy, Tech

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It’s not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm’s global turnover and order companies to stop practices that violate GDPR’s principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator’s own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million, and Ireland fined WhatsApp €225 million last year. (Both companies are appealing the decisions.) At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as ‘the law of everything’ in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn’t just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries.) If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don’t intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn’t have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn’t have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn’t really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and Reveal joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million to €225 million after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GDPR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge [amounts of] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the [one-stop-shop] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking [for],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Reding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.



Personal Data, Privacy, Tech

There’s a New Yorker cartoon from the early 90’s that you may have seen. A dog, perched at a desktop computer keyboard, explains to his fellow canine: “On the Internet, nobody knows you’re a dog.” Back then, the internet was synonymous with anonymity, and privacy wasn’t an issue because the tools to track every click and pixel of a user’s activity didn’t exist yet. If that cartoon were revised today, it might read, “On the internet, everybody knows what brand of kibble you eat and every time you sniff another dog’s butt.”

Idealistic origins

At its inception, the internet’s promise of the free flow of information to and from every corner of the world was exhilarating. Today, companies know more about us than perhaps our closest family members and friends do, and the lack of privacy is suffocating. We don’t control our own data online: Big Tech companies do, and our government refuses to do anything about it. Increasingly, many technologists are advocating for “data dignity” or the idea that we deserve more control over the use of our personal data.

It is still possible to forge a better path for our digital future. We formed EthicalTech to transform technology as a force for good and accelerate the development of a better internet for everyone. EthicalTech is a multidisciplinary coalition that builds standards for an ethical internet with privacy at its core.

Paradise lost

The journey to rediscovering the internet as it was meant to be and reasserting our data dignity starts with understanding how we got here. Despite taxpayer dollars funding key internet components and breakthroughs through public institutions, the government chose to leave the web essentially unregulated. The idealistic promise envisioned by early adopters was steamrolled by businesses doing what businesses do best: generating returns for shareholders and putting our privacy second.

The laissez faire approach soon gave rise to the most valuable digital currency of all: the cookie. First-party cookies—premised on the idea that if you visit a website, you’re in a first-party, or direct, relationship with that site’s owner—allowed the site owner to cater to your needs. Third-party cookies, or those created by a business different from the website you’re visiting, extended personalization and utility across the internet but also opened the door to tracking us everywhere we go online. It’s a phenomenon we made worse when, bamboozled by the lure of social media, we turned over our data for free products and services, not realizing that we—or at least our data—had become the product.

As it turns out, the same market dynamics and network effects that lure a critical mass of users to a platform like Facebook or Google also result in few big winners. The internet economy consolidated around these behemoths, who used cookies to seize control over the data economy and maintained market power at the expense of your privacy. Now, when the regulators come knocking, Big Tech turns regulation on its head. For example, Google’s announcement that it would deprecate third-party cookies wasn’t, despite its claims, about respecting privacy. Instead, it was a bait-and-switch for Google to simply prioritize their own first-party cookies over competitor first-party data. Such oligopolistic data dominance is no better than a competitive market when it comes to privacy. True privacy and data dignity is when the people control their own data.

Demanding data dignity

Can Big Tech change its ways? All along, companies insisted they had policies to respect privacy and empower people to make their own choices. Facebook, at its launch, even sought to distinguish itself from MySpace by emphasizing that it would put privacy first. It didn’t. After all, no Facebook policies were breached when, in 2016, it facilitated Cambridge Analytica’s harvesting of privacy data from more than 87 million Facebook users. And Facebook was not alone; an endless number of companies skim our data without our knowledge or consent.

On the regulatory side, government has been slow and clumsy. Efforts like the European Union’s General Data Protection Regulation, or GDPR, and California’s Privacy Rights Act, or CPRA, have attempted to define new rules of the road. The problem is that tech firms move faster than governments and often operate in spaces where they have a significant information advantage over regulators. As a result, even as awareness of data dignity builds, Big Tech remains free to track our movements, gather information about us, and sell those insights as they wish.

Our collective awareness is increasing; now we need to turn that awareness into collective action. EthicalTech is bringing together experts and leaders from the private, public, and non-profit sectors to find common sense solutions for enacting data dignity. Together, we can create the infrastructure for an ethical internet where privacy standards are built in. It is up to us to recapture the initial promise of the internet and allow future generations to trust they can interact, co-create, and exist in a digital world with their privacy intact.



Consumer, Personal Data, Privacy, Tech

Big Tech's hunger for data is running into more and more walls. European privacy watchdogs have already called Google to order. Other tech companies also realize that they need to pay more attention to their users' privacy. That has a major impact on what information is available to marketers. So do not wait to look for alternatives.

Google Analytics is no longer an option for analyzing website visitors. In mid-January, the Austrian privacy watchdog DSB was the first to conclude that Google Analytics violates the GDPR and may no longer be used by organizations that process data of EU citizens. At the end of January the Norwegian privacy regulator Datatilsynet followed, and in early February the French privacy and data authority CNIL also concluded that Google Analytics may no longer be used in that country. Following on from that, in mid-April CNIL ordered three websites in France to stop using Google Analytics. The potential fine is considerable: up to €20 million or 4 percent of annual turnover.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is still investigating this and has not yet made an official decision, but is already warning Dutch organizations to stop using Google Analytics. Partly in response to these developments, Google has already announced the end of Universal Analytics (Google Analytics 3) for 1 July 2023. Google Analytics 4 is already available, but works completely differently from GA3. Organizations essentially have to rebuild their Analytics approach from scratch. It is a considerable challenge to carry out that transition in just over a year, while GA4 also does not properly address all privacy issues.

Curbing ‘big tech’

But it is not only Google Analytics that collects too much information about internet users. Other tech giants, such as Amazon, Meta (Facebook) and Apple, also store heaps of user information. It is to be expected that this too will soon come to an end, especially now that the EU member states and the European Parliament reached an agreement on the Digital Markets Act (DMA) at the end of March. This law is meant to curb the power of Big Tech, ensure more competition and better protect the privacy of EU citizens.

All these developments mean that marketers and users need to look for alternatives that pay more attention to privacy. Although the privacy of internet users in the European Union is increasingly well protected by the GDPR, the Big Tech companies (Google, Apple, Facebook and Amazon, GAFA for short) are regularly in the news because of privacy scandals. Facebook, for instance, struggled for a long time with the famous Cambridge Analytica affair, and Mark Zuckerberg had to answer to the US Congress for how Facebook handles users' privacy.

Consumers do in fact experience Big Tech's privacy violations as negative. European research shows that 41% of Europeans do not want to share data about themselves with private companies. According to Pew Research, almost 70% of Americans believe that their personal data is being misused. Consumer data is one of the most valuable commodities in the world, but the power of these tech giants has become too great. That power of the big tech companies has already led to a series of antitrust cases.

Google FLoC and Topics?

Fortunately, Big Tech itself has by now also concluded that continuing to ignore users' privacy demands poses a threat to the success of their business. If tech companies want to use users' data, they will have to do so in a way that consumers accept. That is why they are starting to get more serious about safeguarding privacy on users' devices or applications.

Google has already indicated that third-party cookies will be blocked by the Chrome browser from 2023. And for the biggest player in the online advertising market, that is remarkable, to say the least. It looks like a victory for privacy, but that does not mean the collection of user data will end. After Google initially bet on the so-called FLoC technology (Federated Learning of Cohorts), the company announced in January of this year that it would not proceed with this cookie alternative after all. Instead, ‘Topics’ will be Google's new way of sorting users into categories with similar interests, so that companies can serve them contextual advertisements on that basis. With Topics, Chrome collects information about users' interests as they visit websites. This data is then kept for three weeks. At the moment Google has limited the number of Topics to 300, but plans to expand this later.

The fact that advertisements become contextual this way is a step in the right direction, but data is still being passed on from a browser for advertising purposes. Topics, too, is therefore intended to collect data about the interests of Chrome users and to share it with third parties, who show advertisements based on it. Other browsers, such as Safari, Firefox or Brave, do not do that.

Give the consumer control

The best way to deal with Big Tech's insatiable hunger for data is to look for alternatives. The key concept here is data minimization, that is: collecting and using only the specific visitor information that is needed to perform a particular action or offer a service. We will have to accept consumers' need for privacy and give them back control. From a technical point of view, they must be able to withdraw or withhold their approval for the use of their data if they associate the brand with practices they do not appreciate. Companies should only collect and use data for a specific and legitimate purpose. These are key principles that matter not only for the GDPR, but for most privacy laws elsewhere in the world.

It is becoming increasingly clear that nothing may be done with users' data without their explicit consent. For marketing departments, this means that the number of data points they can use for their campaigns will fall by half or perhaps even more. Companies must therefore examine very carefully which visitor data is essential and what the best way is to collect that data properly.

As the various privacy authorities in Europe now advise, it is wise to look for an alternative to Google Analytics that does comply with the privacy rules. Fortunately, there are already excellent European alternatives, such as Plausible, Simple Analytics, Splitbee or Piwik PRO. Do not wait until there is an actual ban on Google Analytics, but start right away, so that a strong, trust-based relationship with customers can be built.



Consumer, Legislation, Privacy, Tech, Trending
The Digital Services Act will reshape the online world
The EU has agreed on another ambitious piece of legislation to police the online world.

Early Saturday morning, after hours of negotiations, the bloc agreed on the broad terms of the Digital Services Act, or DSA, which will force tech companies to take greater responsibility for content that appears on their platforms. New obligations include removing illegal content and goods more quickly, explaining to users and researchers how their algorithms work, and taking stricter action on the spread of misinformation. Companies face fines of up to 6 percent of their annual turnover for noncompliance.

“The DSA will upgrade the ground-rules for all online services in the EU,” said European Commission President Ursula von der Leyen in a statement. “It gives practical effect to the principle that what is illegal offline, should be illegal online. The greater the size, the greater the responsibilities of online platforms.”

Margrethe Vestager, the European Commissioner for Competition who has spearheaded much of the bloc’s tech regulation, said the act would “ensure that platforms are held accountable for the risks their services can pose to society and citizens.”

The DSA shouldn’t be confused with the DMA or Digital Markets Act, which was agreed upon in March. Both acts affect the tech world, but the DMA focuses on creating a level playing field between businesses while the DSA deals with how companies police content on their platforms. The DSA will therefore likely have a more immediate impact on internet users.

Although the legislation only applies to EU citizens, the effect of these laws will certainly be felt in other parts of the world, too. Global tech companies may decide it is more cost-effective to implement a single strategy to police content and take the EU’s comparatively stringent regulations as their benchmark. Lawmakers in the US keen to rein in Big Tech with their own regulations have already begun looking to the EU’s rules for inspiration.

The final text of the DSA has yet to be released, but the European Parliament and European Commission have detailed a number of obligations it will contain:

  1. Targeted advertising based on an individual’s religion, sexual orientation, or ethnicity is banned. Minors cannot be subject to targeted advertising either.
  2. “Dark patterns” — confusing or deceptive user interfaces designed to steer users into making certain choices — will be prohibited. The EU says that, as a rule, canceling subscriptions should be as easy as signing up for them.
  3. Large online platforms like Facebook will have to make the working of their recommender algorithms (used for sorting content on the News Feed or suggesting TV shows on Netflix) transparent to users. Users should also be offered a recommender system “not based on profiling.” In the case of Instagram, for example, this would mean a chronological feed (as it introduced recently).
  4. Hosting services and online platforms will have to explain clearly why they have removed illegal content as well as give users the ability to appeal such takedowns. The DSA itself does not define what content is illegal, though, and leaves this up to individual countries.
  5. The largest online platforms will have to provide key data to researchers to “provide more insight into how online risks evolve.”
  6. Online marketplaces must keep basic information about traders on their platform to track down individuals selling illegal goods or services.
  7. Large platforms will also have to introduce new strategies for dealing with misinformation during crises (a provision inspired by the recent invasion of Ukraine).

The DSA will, like the DMA, distinguish between tech companies of different sizes, placing greater obligations on bigger companies. The largest firms — those with at least 45 million users in the EU, like Meta and Google — will face the most scrutiny. These tech companies have lobbied hard to water down the requirements in the DSA, particularly those concerning targeted advertising and handing over data to outside researchers.

Although the broad terms of the DSA have now been agreed upon by the member states of the EU, the legal language still needs to be finalized and the act officially voted into law. This last step is seen as a formality at this point, though. The rules will apply to all companies 15 months after the act is voted into law, or from January 1st, 2024, whichever is later.


Consumer, Legislation, Privacy, Tech, Trending

French regulators have hit Google and Facebook with 210 million euros ($237 million) in fines over their use of “cookies”, the data used to track users online, authorities said Thursday.

US tech giants, including the likes of Apple and Amazon, have come under growing pressure over their [business] practices across Europe, where they have faced massive fines and plans to impose far-reaching EU rules on how they operate.

The 150-million-euro fine imposed on Google was a record by France’s National Commission for Information Technology and Freedom (CNIL), beating a previous cookie-related fine of 100 million euros against the company in December 2020.

Facebook was handed a 60-million-euro fine.

“CNIL has determined that the sites, and (Google-owned) do not allow users to refuse the use of cookies as simply as to accept them,” the regulatory body said.

The two platforms have three months to adapt their practices, after which France will impose fines of 100,000 euros per day, CNIL added.

Google told AFP it would change its practices following the ruling. “In accordance with the expectations of internet users… we are committed to implementing new changes, as well as to working actively with CNIL in response to its decision,” the US firm said in a statement.

Cookies are little packets of data that are set up on a user’s computer when they visit a website, allowing web browsers to save information about their session.

They are highly valuable for Google and Facebook as ways to personalise advertising — their primary source of revenue.

But privacy advocates have long pushed back. Since the European Union passed a 2018 law on personal data, internet companies face stricter rules that oblige them to seek the direct consent of users before installing cookies on their computers.

90 notices issued

CNIL argued that Google, Facebook and YouTube make it very easy to consent to cookies via a single button, whereas rejecting the request requires several clicks.

It had given internet companies until April 2021 to adapt to the tighter privacy rules, warning that they would start facing sanctions after that date.

French newspaper Le Figaro was the first to be sanctioned, receiving a fine of 50,000 euros in July for allowing cookies to be installed by advertising partners without the direct approval of users, or even after they had rejected them.

CNIL said recently that it had sent 90 formal notices to websites since April.

In 2020, it inflicted fines of 100 million and 35 million euros respectively on Google and Amazon for their use of cookies.

The fines were based on an earlier EU law, the General Data Protection Regulation, with CNIL arguing that the companies had failed to give “sufficiently clear” information to users about cookies.



Legislation, Personal Data, Privacy, Tech

The European Parliament has backed new rules for data sharing, in a move the EU hopes will help harness the power of data and artificial intelligence (AI) to boost innovation across the continent.

The new legislation aims to increase the availability of data for businesses and individuals while setting a raft of new standards for data sharing across the bloc. It will apply to manufacturers, companies and users.

It was first proposed in late 2020 to offer “an alternative European model” to the data handling practices of major US tech platforms. The idea is to create common European data spaces in a variety of fields including health, energy, agriculture, mobility and finance.

The legislation, known as the Data Governance Act (DGA), was approved by EU lawmakers on Wednesday with 501 votes to 12, and 40 abstentions.

It now needs to be formally adopted by the Council before entering into force.

“Our goal with the DGA is to set the foundation for a data economy in which people and businesses can trust. Data sharing can only flourish if trust and fairness are guaranteed, stimulating new business models and social innovation,” said Angelika Niebler, the German MEP who steered the legislation through parliament.

“Experience has shown that trust – be it trust in privacy or in the confidentiality of valuable business data – is a paramount issue. The Parliament insisted on a clear scope, making sure that the credo of trust is inscribed in the future of Europe’s data economy”.

Data transfer disputes

The legislation is part of a broader EU strategy to break Big Tech’s hold over the data sphere.

The EU is also working on a Data Act that specifically looks at who can create value from data and aims to “place safeguards against unlawful data transfer,” which could affect US or other foreign tech companies.

The European Commission published its draft of that act in late February, with commission Vice President Margrethe Vestager saying at the time: “We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms.”

Data disputes between the EU and Big Tech have been growing in recent years.

Meta recently warned it could pull Facebook and Instagram out of Europe if it’s unable to transfer, store and process Europeans’ data on US-based servers.

Harnessing the power of AI

According to estimates by the European Commission, the amount of data generated by public bodies, businesses and citizens will be multiplied by five between 2018 and 2025.

“We are at the beginning of the age of AI and Europe will require more and more data. This legislation should make it easy and safe to tap into the rich data silos spread all over the EU,” Niebler said.

“The data revolution will not wait for Europe. We need to act now if European digital companies want to have a place among the world’s top digital innovators”.

MEPs said they had negotiated with EU ministers to ensure there were no loopholes that would allow companies outside of the EU to abuse the scheme.

They are pushing to make the most of data for “objectives of general interest” such as scientific research, health, climate change and mobility.



Consumer, Corporate, Legislation, Personal Data, Privacy, Trending

In September 2021, the Kingdom of Saudi Arabia issued its Personal Data Protection Law to regulate the processing of personal data. The PDPL is the first federal, sector-agnostic data privacy legislation in Saudi Arabia. Organizations will be faced with significant changes to their operations to ensure compliance.

The PDPL comes into effect only 180 days after the publication in the Official Gazette, meaning the law will be effective March 23, subject to the passage of the implementing regulations. For the first two years, it will be enforced under the Saudi Data and Artificial Intelligence Authority, after which a transition to the National Data Management Office will be considered.   

Like other new data protection laws and updates within the broader Middle East and North Africa region, some elements within the PDPL are similar to those of other international data protection regulations. The law also includes numerous unique requirements — such as data transfer and localization requirements — businesses will need to pay careful attention to. Fulfilling these requirements may be operationally burdensome and early planning will be critical to avoid significant setbacks.
The PDPL also includes extraterritorial effect so organizations based outside Saudi Arabia will still be subject to the law and its requirements if they process the personal data of Saudi residents.

What does the law introduce?
The PDPL introduces a number of requirements that could significantly impact how companies in the Kingdom operate. The most notable include:

Registration requirements. 
Data controllers, the organizations that determine the means and purpose of processing of personal data, must register via an electronic portal which includes an annual registration fee.

Records of processing. 
Data controllers must create and maintain a record of how they process personal data, and it must be registered with the SDAIA. Any foreign company operating in the Kingdom and processing personal data of Saudi residents must appoint a local representative. More guidance regarding when this requirement will become effective is forthcoming from the SDAIA. Organizations will also be expected to appoint data officers to manage compliance with the law.

Data subject rights.
Individuals are now provided with new rights to their data, namely that they have the right to information about how their data is processed, the ability to access copies of their data and request corrections, and the right to have their data destroyed. Individuals will also have the right to lodge complaints with the regulatory authority.

Data transfers.
Data transfers outside the Kingdom are only permitted in limited circumstances. However, even if the transfer meets one of the permitted exceptions, the data controller must receive approval by an appropriate government authority, amongst other conditions.

The principal legal basis for processing under the law is consent. Personal data may only be processed without consent in certain circumstances. Individuals will also have the right to withdraw their consent to the processing of their personal data. Importantly, data controllers must also have prior consent of individuals to send direct marketing and must provide an opt-out mechanism.

Impact assessments.
Data controllers must assess projects, products and services to identify data protection risks posed to individuals.

Privacy notice.
Data controllers must implement a privacy notice specifying how data will be processed prior to collecting personal data from individuals.

Breach notification.
Data controllers will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident.

Sensitive data.
Information such as genetic, health, credit and financial data will fall under scope of the law. This data is also likely to be subject to additional regulation.

So how do we prepare?
Like most compliance efforts, early preparation is essential, especially to achieve compliance with some of the more onerous requirements detailed in the PDPL. As a priority, organizations should follow this six-point plan:

Step 1: Understand the data. 
Organizations must understand what data they hold, how it is used and who it is shared with. This can be accomplished by creating a record of processing activities to trace data through the information lifecycle. This document can be used as a single source of truth and to inform other compliance activities.

Step 2: Establish governance. 
Identifying local representatives where appropriate and appointing data officers will be an essential step. These individuals should be integrated into existing data protection or security networks of governance to enable the successful communication and escalation of risks.

Step 3: Create policies and procedures.
Policies and processes must be updated to reflect the new data protection responsibilities, including procedural guidance for responding to data subject rights requests and issuing data breach notifications. Policy refreshes must also address the assessment of data protection and security standards in place among third parties.

Step 4: Implement and test breach plans.
Organizations need a robust data breach plan that articulates each step involved in responding to a breach, the individuals and teams involved, and the timelines to complete each step. Testing your plan will help to ensure your teams are cohesive and ready should an actual incident occur.

Step 5: Identify international data transfers.
Using the records of processing activities (ROPAs) from Step 1 as a starting point, organizations should seek to understand what data is transferred internationally and where it is transferred to. This includes understanding how limitations in the law may affect these transfers and beginning to adopt strategies for compliance.

Step 6: Provide training and change management.
Training is an effective tool to develop a sustainable culture of compliance. To complement training activities, organizations should consider identifying change management strategies to help ensure that the compliance activities are embedded successfully.