Google threatens to close its search engine in Australia as it lobbies against digital news code

Google has threatened to close its search engine in Australia — as it dials up its lobbying against draft legislation that is intended to force it to pay news publishers for reuse of their content.

Facebook would also be subject to the law, and has previously said it would ban news from being shared on its products if the law was brought in, as well as claiming it’s reduced its investment in the country as a result of the legislative threat.

“The principle of unrestricted linking between websites is fundamental to Search. Coupled with the unmanageable financial and operational risk if this version of the Code were to become law it would give us no real choice but to stop making Google Search available in Australia,” Google warned today.

Last August the tech giant took another pot-shot at the proposal, warning that the quality of its products in the country could suffer and might stop being free if the government proceeded with a push to make the tech giants share ad revenue with media businesses.

Since last summer Google appears to have changed lobbying tack — apparently giving up its attempt to derail the law entirely in favor of trying to reshape it to minimize the financial impact.

Its latest bit of lobbying is focused on trying to eject the most harmful elements (as it sees it) of the draft legislation — while also pushing its News Showcase program, which it hastily spun up last year, as an alternative model for payments to publishers that it would prefer becomes the vehicle for remittances under the Code.

The draft legislation for Australia’s digital news Code which is currently before the parliament includes a controversial requirement that tech giants, Google and Facebook, pay publishers for linking to their content — not merely for displaying snippets of text.

Yet Google has warned Australia that making it pay for “links and snippets” would break how the Internet works.

In a statement to the Senate Economics Committee today, its VP for Australia and New Zealand, Mel Silva, said: “This provision in the Code would set an untenable precedent for our business, and the digital economy. It’s not compatible with how search engines work, or how the internet works, and this is not just Google’s view — it has been cited in many of the submissions received by this Inquiry.

“The principle of unrestricted linking between websites is fundamental to Search. Coupled with the unmanageable financial and operational risk if this version of the Code were to become law it would give us no real choice but to stop making Google Search available in Australia.”

Google is certainly not alone in crying foul over a proposal to require payments for links.

Sir Tim Berners-Lee, inventor of the world wide web, has warned that the draft legislation “risks breaching a fundamental principle of the web by requiring payment for linking between certain content online”, among other alarmed submissions to the committee.

In written testimony he goes on:

“Before search engines were effective on the web, following links from one page to another was the only way of finding material. Search engines make that process far more effective, but they can only do so by using the link structure of the web as their principal input. So links are fundamental to the web.

“As I understand it, the proposed code seeks to require selected digital platforms to have to negotiate and possibly pay to make links to news content from a particular group of news providers.

“Requiring a charge for a link on the web blocks an important aspect of the value of web content. To my knowledge, there is no current example of legally requiring payments for links to other content. The ability to link freely — meaning without limitations regarding the content of the linked site and without monetary fees — is fundamental to how the web operates, how it has flourished till present, and how it will continue to grow in decades to come.”

However it’s notable that Berners-Lee’s submission does not mention snippets. Not once. It’s all about links.

Meanwhile Google has just reached an agreement with publishers in France — which they say covers payment for snippets of content.

In the EU, the tech giant is subject to an already reformed copyright directive that extended a neighbouring right for news content to cover reuse of snippets of text. Although the directive does not cover links or “very short extracts”.

In France, Google says it’s only paying for content “beyond links and very short extracts”. But it hasn’t said anything about snippets in that context.

French publishers argue the EU law clearly does cover the not-so-short text snippets that Google typically shows in its News aggregator — pointing out that the directive states the exception should not be interpreted in a way that impacts the effectiveness of neighboring rights. So Google looks like it would have a big French fight on its hands if it tried to deny payments for snippets.

But there’s still everything to play for in Australia. Hence, down under, Google is trying to conflate what are really two separate and distinct issues (payment for links vs payment for snippets) — in the hopes of reducing the financial impact vs what’s already baked into EU law. (Although it’s only been actively enforced in France so far, which is ahead of other EU countries in transposing the directive into national law).

In Australia, Google is also heavily pushing for the Code to “designate News Showcase” (aka the program it launched once the legal writing was on the wall about paying publishers) — lobbying for that to be the vehicle whereby it can reach “commercial agreements to pay Australian news publishers for value”.

Of course a commercial negotiation process is preferable (and familiar) to the tech giant vs being bound by the Code’s proposed “final offer arbitration model” — which Google attacks as having “biased criteria”, and claims subjects it to “unmanageable financial and operational risk”.

“If this is replaced with standard commercial arbitration based on comparable deals, this would incentivise good faith negotiations and ensure we’re held accountable by robust dispute resolution,” Silva also argues.

A third provision the tech giant is really keen gets removed from the current draft requires it to give publishers notification ahead of changes to its algorithms which could affect how their content is discovered.

“The algorithm notification provision could be adjusted to require only reasonable notice about significant actionable changes to Google’s algorithm, to make sure publishers are able to respond to changes that affect them,” it suggests on that.

It’s certainly interesting to consider how, over a few years, Google’s position has moved from ‘we’ll never pay for news’ — pre- any relevant legislation — to ‘please let us pay for licensing news through our proprietary licensing program’ once the EU had passed a directive now being very actively enforced in France (with the help of competition law) and also with Australia moving toward inking a similar law.

Turns out legislation can be a real tech giant mind-changer.

Of course the idea of making anyone pay to link to content online is obviously a terrible idea — and should be dropped.

But if that bit of the draft is a negotiating tactic by Australian lawmakers to get Google to accept that it will have to pay publishers something then it appears to be a winning one.

And while Google’s threat to close down its search engine might sound ‘full on’, as Silva suggests, when you consider how many alternative search engines exist it’s hardly the threat it once was.

Especially as plenty of alternative search engines are a lot less abusive toward users’ privacy.

UK resumes privacy oversight of adtech, warns platform audits are coming

The UK’s data watchdog has restarted an investigation of adtech practices that, since 2018, have been subject to scores of complaints across Europe under the bloc’s General Data Protection Regulation (GDPR).

The high velocity trading of Internet users’ personal data can’t possibly be compliant with GDPR’s requirement that such information is adequately secured, the complaints contend.

Other concerns attached to real-time bidding (RTB) focus on consent, questioning how this can meet the required legal standard with data being broadcast to so many companies — including sensitive information, such as health data or religious and political affiliation and sexual orientation.

Since the first complaints were filed the UK’s Information Commissioner’s Office (ICO) has raised its own concerns over what it said are systemic problems with lawfulness in the adtech sector. But last year it announced it was pausing its investigation on account of disruption to businesses from the COVID-19 pandemic.

Today it said it’s unpausing its multi-year probe to keep on prodding.

In an update on its website, ICO deputy commissioner Simon McDougall, who takes care of “Regulatory Innovation and Technology” at the agency, writes that the eight-month freeze is over. And the audits are coming.

“We have now resumed our investigation,” he says. “Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.”

“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data,” he goes on. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”

It’s not clear what data the ICO still lacks to come to a decision on complaints that are approaching 2.5 years old at this point. But the ICO has committed to resume looking at adtech — including at data brokers, per McDougall, who writes that “we will be reviewing the role of data brokers in this adtech eco-system”.

“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded,” he goes on, managing expectations of any swift resolution to this vintage GDPR complaint.

Commenting on the ICO’s continued reluctance to take enforcement action against adtech despite mounds of evidence of rampant breaches of the law, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties who was involved in filing the first batch of RTB GDPR complaints — and continues to be a vocal critic of EU regulatory inaction against adtech — told TechCrunch: “It seems to me that the facts are clearly set out in the ICO’s mid 2019 adtech report.

“Indeed, that report merely confirms the evidence that accompanied our complaints in September 2018 in Ireland and the UK. It is therefore unclear why the ICO requires several months further. Nor is it clear why the ICO accepted empty gestures from the IAB and Google a year ago.”

“I have since published evidence of the impact that failure to enforce has had: Including documented use of RTB data to influence an election,” he added. “As that evidence shows, the scale of the vast data breach caused by the RTB system has increased significantly in the three years since I blew the whistle to the ICO in early 2018.”

Despite plentiful data on the scale of the personal data leakage involved in RTB, and widespread concern that all sorts of tangible harms are flowing from adtech’s mass surveillance of Internet users (from discrimination and societal division to voter manipulation), the ICO is in no rush to enforce.

In fact, it quietly closed the 2018 complaint last year — telling the complainants it believed it had investigated the matter “to the extent appropriate”. It’s in the process of being sued by the complainants as a result — for, essentially, doing nothing about their complaint. (The Open Rights Group, which is involved in that legal action, is running this crowdfunder to raise money to take the ICO to court.)

So what does the ICO’s great adtech investigation unpausing mean exactly for the sector?

Not much more than gentle notice you might be the recipient of an “assessment notice” at some future point, per the latest mildly worded ICO blog post (and judging by its past performance).

Per McDougall, all organizations should be “assessing how they use personal data as a matter of urgency”.

He has also committed the ICO to publishing “final findings” at some future point. So — to follow, post-pause — yet another report. And more audits.

“We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing — particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs),” he goes on, eschewing talk of any firmer consequences following should all that guidance continue being roundly ignored.

He ends the post with a nod to the Competition and Markets Authority’s recent investigation of Google’s Privacy Sandbox proposals (to phase out support for third party cookies on Chrome) — saying the ICO is “continuing” to work with the CMA on that active antitrust complaint.

You’ll have to fill in the blanks as to exactly what work it might be doing there — because, again, McDougall isn’t saying. If it’s a veiled threat to the adtech industry to finally ‘get with the ICO’s privacy program’, or risk not having it fighting adtech’s corner in that crux antitrust vs privacy complaint, it really is gossamer thin.

Privacy complaint targets European parliament’s COVID-19 test-booking site

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies, which state that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry out in compliance with European law, such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who can?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint, pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.

Privacy complaint targets European parliament’s COVID-19 test-booking site

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies which states that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry out in compliance with European law. Such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament website to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who can?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint, pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.

Google inks agreement in France on paying publishers for news reuse

Google has reached an agreement with an association of French publishers over how it will pay for reuse of snippets of their content. This is a result of application of a ‘neighbouring right’ for news which was transposed into national law following a pan-EU copyright reform agreed back in 2019.

The tech giant had sought to evade paying French publishers for use of content snippets in its news aggregation and search products by no longer displaying them in the country.

But in April last year the French competition watchdog quashed its attempt to avoid payments, using an urgent procedure known as interim measures — deeming Google’s unilateral withdrawal of snippets to be unfair and damaging to the press sector, and likely to constitute an abuse of a dominant market position.

A few months later Google lost an appeal against the watchdog’s injunction ordering it to negotiate to pay for reuse of snippets — leaving it little choice but to sit at the table with French publishers and talk payment.

L’Alliance de la Presse d’Information Générale (APIG), which represents the interests of around 300 political and general information press titles in France, announced the framework agreement today, writing that it sets the terms of negotiation with its members for Google’s reuse of their content.

In a statement, Pierre Louette, CEO of Groupe Les Echos – Le Parisien, and president of L’Alliance, said: “After long months of negotiations, this agreement is an important milestone, which marks the effective recognition of the neighboring rights of press publishers and the beginning of their remuneration by digital platforms for the use of their online publications.”

Google has also put out a blog post — lauding what it said is a “major step forward” after months of negotiations with French publishers.

The agreement “establishes a framework within which Google will negotiate individual licensing agreements with IPG certified publishers within APIG’s membership, while reflecting the principles of the law”, it said.

IPG certification refers to a status that online media organizations in France can gain if they meet certain quality standards, such as having at least one professional journalist on staff and having a main purpose of creating permanent and continuous content that provides political and general information of interest to a wide and varied audience.

“These agreements will cover publishers’ neighboring rights, and allow for participation in News Showcase, a new licencing program recently launched by Google to provide readers access to enriched content,” Google added, making reference to a news partnership program it announced last year — which it said would have an initial $1BN investment.

Google has not confirmed how much money will be distributed to publishers in France solely under the agreed framework over content reuse which is directly linked to the neighbouring right.

And the News Showcase program which Google spun up quickly last year looks conveniently designed to help it obfuscate the value of individual payments it may be legally required to make to publishers for reusing their content.

The tech giant told us it is in conversations with publishers in many countries to negotiate agreements for News Showcase — a program that is not limited to the EU.

It also said earlier investments announced with publishers under Showcase come as it anticipates legal regimes that may exist once the EU’s copyright directive is implemented in other countries, adding that it will evaluate laws as and when they are introduced.

(NB: France was among the first EU countries to the punch to transpose the copyright directive; application of the neighbouring right will expand across the bloc as other Member States bake the directive into national law.)

On the French agreements specifically, Google said they are for its News Showcase but are also inclusive of the publisher’s neighboring rights, after we asked about the separation between payments that will be made under the French framework and Google’s News Showcase. So about as clear as mud, then.

The tech giant did tell us it has reached individual agreements with a handful of French publishers so far, including (major national newspaper titles) Le Monde, Le Figaro and Libération.

It added that payments will go direct to publishers and terms will not be disclosed — noting they are strictly confidential. It also said these individual deals with publishers take account of the neighbouring right framework but also reflect individual publisher needs and differences.

On criteria for payments for neighbouring rights, Google’s blog post states: “The remuneration that is included in these licensing agreements is based on criteria such as the publisher’s contribution to political and general information (IPG certified publishers), the daily volume of publications, and its monthly internet traffic.”

On this, Google also told us it is focused on IPG publishers because the French law is too (it pointed to a line of the law that states: “The amount of this remuneration takes into account elements such as human, material and financial investments made by publishers and press agencies, the contribution to press publications to political and general information and the importance of use of press publications by online public communication services.”)

But it added that its door remains open to discussion with other non APIG publishers.

We also reached out to L’Alliance with questions and will update this report with any response.

Although individual payments to publishers under the French framework are not being disclosed, the agreement looks like a major win for Europe’s press sector — which had lobbied extensively to extend copyright to news snippets via the EU’s controversial copyright reform.

Some individual EU Member States — including Germany and Spain — previously attempted to get Google to pay publishers by baking similar copyright provisions into national law. But in those instances Google either forced publishers to give it their snippets for free (by playing traffic-hungry publishers off against each other) or shut down Google News entirely. So some payment is clearly better than nada.

That said, with details of the terms of individual deals not disclosed — and no clarity over exactly how remunerations will be calculated — there’s a lot that remains murky over Google paying for news reuse.

Neither Google nor L’Alliance have said how much money will be distributed in total under the French agreement to covered publishers. 

Another issue we’re curious about is how the framework will protect publishers from changes to Google’s search algorithms that could have a negative impact on traffic to their sites.

This seems important given that monthly traffic is one of the criteria being used to determine payment. (And it’s not hard to find examples of such negative search ‘blips’.)

It also looks clear that the more publishers Google can attract into its ‘News Showcase’ program, the more options Google will have for displaying news snippets in its products — and therefore at a price it has more power to set.

So the longer term impact of the application of the EU’s copyright directive on publisher revenues — and, indeed, how it might influence the quality of online journalism that Google accelerates into Internet users’ eyeballs — remains to be seen.

The French competition watchdog’s investigation also remains ongoing. Google said it continues to engage with that probe.

In 2019 the national watchdog slapped Google with a €150 million fine for abusing its dominant position in the online search advertising market — sanctioning it for “opaque and difficult to understand” operating rules for its ad platform, Google Ads, and for applying them in “an unfair and random manner.”

While, last October, the US Justice Department filed an antitrust suit against Google — alleging that the company is “unlawfully maintaining monopolies in the markets for general search services, search advertising, and general search text advertising”.

The UK’s competition watchdog has also raised concerns about the ad market dominance of Google and Facebook, asking for views on breaking up Google back in 2019. The UK government has since said it will establish a pro-competition regulator to put limits on big tech.

EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech

In a speech to the European Parliament today marking the inauguration of US president Joe Biden, the president of the European Commission has called for Europe and the US to join forces on regulating tech giants, warning of the risks of “unfiltered” hate speech and disinformation being weaponized to attack and undermine democracies.

Ursula von der Leyen pointed to the shock storming of the US Capitol earlier this month by supporters of outgoing president Donald Trump as an example of how wild claims being spread and amplified online can have tangible real-world consequences, including for democratic institutions.

“Just a few days ago, several hundred [Trump supporters] stormed the Capitol in Washington, the heart of American democracy. The television images of that event shocked us all. That is what happens when words incite action,” she said. “That is what happens when hate speech and fake news spread like wildfire through digital media. They become a danger to democracy.”

European institutions are also being targeted with “hate and contempt for our democracy spreading unfiltered through social media to millions of people”, she warned, pointing to similarly disturbing attacks that have taken place in the region in recent years. Such as an attempt by right-wing extremists in Germany to storm the Reichstag building last summer and the 2016 murder of UK politician, Jo Cox, by a fascist extremist.

“Of course, the storming of the [US] Capitol was different. But in Europe, too, there are people who feel disadvantaged and are very angry,” she said, suggesting feelings of exclusion and injustice can make people vulnerable to believing the “rampant” conspiracy theories that platforms have allowed to circulate freely online, and which she characterized as “often a confused mixture of completely absurd fantasies”.

“We must make sure that messages of hate and fake news can no longer be spread unchecked,” she added, reiterating the case for regulating social media by pressing the case for imposing “democratic limits on the untrammelled and uncontrolled political power of the Internet giants”.

The European Commission has already set out its blueprint for overhauling the region’s digital rulebook when it unveiled the draft Digital Services Act and Digital Markets Act last month. Although it won’t be including hard legal limits on disinformation in the package — preferring to continue with a voluntary, but beefed up code of conduct for content that falls into a grey area where it may be harmful but isn’t actually illegal.

von der Leyen said the aim for the regulations is to ensure “if something is illegal offline it must also be illegal online”. The Commission has also said the tech policy package is about forcing platforms to take more responsibility for the content they spread and monetize.

But it’s not yet clear how the proposed laws will ultimately tackle the tricky issue of how assessments are made to remove (or reinstate) speech; and whether platforms will continue to make those judgements (under a regulator’s guidance and watchful eye), or whether they end up entirely independent of platform control.

What the Commission has suggested is closer to the former but the proposal has to go through the EU’s co-legislative process — so such details are likely to be debated and could be amended prior to adoption into law.

“We want the platforms to be transparent about how their algorithms work. We cannot accept a situation where decisions that have a wide-ranging impact on our democracy are being made by computer programs without any human supervision,” von der Leyen went on. “And we want it laid down clearly that internet companies take responsibility for the content they disseminate.”

She also reiterated the concern expressed in recent days about the unilateral actions taken by tech giants to close down Trump’s megaphone — echoing comments by political leaders across Europe earlier this month who dubbed the display of raw platform power, from companies like Twitter, as ‘problematic’; and said it must result in regulatory consequences for tech giants.  

“No matter how right it may have been for Twitter to switch off Donald Trump’s account five minutes after midnight, such serious interference with freedom of expression should be based on laws and not on company rules,” she said, adding: “It should be based on decisions of politicians and parliaments and not of Silicon Valley managers.”

In the speech, the EU president also expressed hope that the Biden administration will be inclined to arc toward Europe’s agenda on digital regulation — as part of the anticipated post-Trump reboot of EU-US relations.

The Commission recently adopted a new transatlantic agenda in which it laid out a number of policy areas it hopes for joint-working with the US — with tech governance key among the areas of hoped for policy cooperation.

von der Leyen reiterated the idea that a joint Trade and Technology Council could be “a first step” toward the EU and US fashioning a “digital economy rulebook that is valid worldwide”.

“It is in this digital field that Europe has so much to offer the new government in Washington,” she suggested. “The path we have taken in Europe can be an example for approaches at international level. As has long been the case with the General Data Protection Regulation.

“Together we could create a digital economy rulebook that is valid worldwide: From data protection and privacy to the security of technical infrastructure. A body of rules based on our values: human rights and pluralism, inclusion and protection of privacy.”

While there’s evidently a keen appetite in the EU to reset US relations post-Trump, it remains to be seen how much of a policy reboot the Biden administration will usher in vis-a-vis big tech.

He has not been as vocal a critic of platform giants as other Democratic challengers for the presidency. And the Obama administration, which he of course served in, had very cosy ties to Silicon Valley.

Concerns have also been raised in recent days about Biden’s potential picks for a key appointment at the justice office — in light of antitrust probes of big tech vs the prospective appointees’ deep links to tech giants and/or promotion of historical mergers. So it hardly looks like a model for a full and clean reset.

While the tricky issue of pro-privacy reform of US surveillance laws — which EU commissioners have warned will be needed to resolve the legal uncertainty clouding data transfers from the region to the US (and which tech giants themselves have largely avoided in their own lobbying) — seems likely to need legislation from Congress, rather than being a change that could be driven solely by the Biden administration.

The chances of the incoming president being inclined to champion such a relatively wonky tech-policy issue when he has so much else in his ‘needs urgent attention’ in-tray also seem relatively slim. But even slender odds can look promising after the Trump era.  

Valve and five PC games publishers fined $9.4M for illegal geo-blocking

A four-year antitrust investigation into PC games geo-blocking in the European Union by distribution platform Valve and five games publishers has led to fines totalling €7.8 million (~$9.4M) after the Commission confirmed today that the bloc’s rules had been breached.

The geo-blocking practices investigated since 2017 concerned around 100 PC video games of different genres, including sports, simulation and action games.

In addition to Valve — which has been fined just over €1.6M — the five sanctioned games publishers are: Bandai Namco (fined €340k), Capcom (€396k), Focus Home (€2.8M), Koch Media (€977k) and ZeniMax (€1.6M).

The Commission said the fines were reduced by between 10% and 15% owing to cooperation from the companies, with the exception of Valve who it said chose not to cooperate (a “prohibition Decision” rather than a fine reduction was applied in its case).

Valve has been contacted for comment.

The antitrust investigation began in February 2017, with a formal statement of objections issued just over two years later when the Commission accused the companies of “entering into bilateral agreements to prevent consumers from purchasing and using PC video games acquired elsewhere than in their country of residence” in contravention of EU rules.

The mechanisms used by the companies to prevent certain cross-border sales of certain PC games were geo-blocked Steam activation keys and bilateral licensing and distribution agreements to restrict certain cross-border sales.

EU lawmakers have now found that these business practices partitioned certain European markets according to national borders — denying regional consumers the benefits of the EU’s Digital Single Market to shop around for the best offer.

Commenting in a statement, EVP Margrethe Vestager, who heads up competition policy for the bloc, said: “Today’s sanctions against the ‘geo-blocking’ practices of Valve and five PC video game publishers serve as a reminder that under EU competition law, companies are prohibited from contractually restricting cross-border sales. Such practices deprive European consumers of the benefits of the EU Digital Single Market and of the opportunity to shop around for the most suitable offer in the EU.”

According to the Commission’s investigation, geo-blocking of Steam activation keys prevented activation of certain of the five games publishers’ titles outside of Czechia, Poland, Hungary, Romania, Slovakia, Estonia, Latvia and Lithuania.

It said agreements between the companies to geo-block activation keys had lasted between one and five years and were found to have been implemented at various times between September 2010 and October 2015.

While four of the games publishers (not Capcom) were found to have entered into licensing and distribution agreements with various PC games distributors (not Valve) in the European Economic Area (EEA) which contained clauses which restricted cross-border sales of the affected titles within the EEA, including the aforementioned Central and Eastern European countries.

The Commission said these agreements lasted generally longer (“between three and 11 years”), and were implemented at different times between March 2007 and November 2018.

Since the investigation started, EU lawmakers have passed a regulation against unjustified geo-blocking. Although the legislation only applies to PC video games distributed on CDs or DVDs, not to downloads. So games are only partially covered.

A Commission review of how the geo-blocking regulation is operating, published last November, discussed a possible extension of its scope in a range of areas, including for games. However it did not make a strong case for that change. (It also found demand for cross-border access to games (and software generally) relatively low vs other content services.)

But while games distributed via digital downloads look set to remain outside the scope of the EU’s unjustified geo-blocking regulation, the fines against Valve et al show that geo-blocking can still be a legal minefield as contractual agreements to restrict cross-border sales run counter to the bloc’s antitrust rules.

The specific breaches are of Article 101 of the Treaty on the Functioning of the European Union (TFEU) and Article 53 of the Agreement on the European Economic Area which prohibit agreements between companies that prevent, restrict or distort competition within the EU’s Single Market, per the Commission.

Landbot closes $8M Series A for its ‘no code’ chatbot builder

Barcelona-based Landbot, a ‘no-code’ chatbot builder, has bagged an $8M Series A led by the Spanish-Israeli VC firm Swanlaab, alongside support from Spain’s innovation-focused public agency, CDTI. Previous investors Nauta Capital, Encomenda and Bankinter also participated in the round.

We last chatted to Landbot back in 2018 when it raised a $2.2M seed and had 900+ customers. It’s grown that to ~2,200 paying customers, with some 50,000 individuals now using its tool (across both free and paid accounts).

Since its seed it’s also increased recurrent revenues 10x — and is expecting growth to keep stepping up, fuelled by the new financing.

It says the coronavirus pandemic has supercharged demand for conversational landing pages as all sorts of businesses look for ways to automate higher volumes of digitally inbound customer comms, without needing to make major investments in in-house IT.

Landbot’s customers range from SMEs to specific teams and products within larger organisations, with the startup name-checking the likes of Nestlé, MediaMarkt, CocaCola, Cepsa, PcComponentes and Prudential among its customer roster.

“We are seeing strong traction from industries like eCommerce, Financial Services and Marketing Agencies,” CEO & co-founder Jiaqi Pan tells TechCrunch. “The ecommerce segment is one we have seen the most growth in since COVID-19, where we increased 2x the number of customers from ecommerce industry.”

The new funding will be used to double Landbot’s team during 2021 (currently it employs 40 people) — with hiring planned across sales, marketing and engineering.

The startup, which launched its ‘no code’ flavor of chatbot builder back in 2017, previously relocated HQ from Valencia to Barcelona to help with recruitment.

Since Landbot’s launch, the burgeoning ‘no code/low code’ movement has become a fully fledged trend driven by demand for productivity- and lead-boosting digital services outstripping most businesses’ supply of expert in-house techies able to build stuff.

Hence the rise of service-builder tools that make customizable tech capabilities accessible to non-technical staff.

The pandemic has merely poured more fuel on this fire — and low-friction tools like Landbot are clearly reaping the rewards.

Interestingly, as well as competing with other conversational chatbot builders, like San Francisco-based ManyChat, Landbot says it’s seeing traction from customers who are seeking to replace web forms with more engaging chat interfaces.

Its drag-and-drop chatbot builder tool supports information workers to design what Landbot bills as “an immersive web page experience filled with gifs and visual elements to capture the attention of the end-user” — so you can understand the appeal for SMEs to be able to replace their boring old static forms with an experience any smartphone user is familiar with from using messaging apps like WhatsApp.

“In terms of the main competitor in the no-code space, we have some overlap with ManyChat as the most direct competitor for Chatbot. On the other hand, as we have a lot of customers using us to replace their forms we are competing also against form builders like Typeform,” says Pan, the latter another Barcelona-based startup which similarly bills itself as a platform for “conversational” and “interactive” data collection.

Landbot notes it recently acquired India-based Morph.AI, a chat-based marketing automation tool, which it’s using to help convert social, website and ad traffic into leads — also with the aim of further expanding its presence in the Asian market.

To date, 90% of its customers are international, with 60% coming from the U.S., U.K. and Germany.

Commenting on the Series A in a statement, Juan Revuelta, general partner of Swanlaab, said: “The beauty of Landbot is in the drag and drop solution of the product. The simplicity is critical to making this product accessible to everyone across many different types of business. If you’re a small company you don’t have the luxury of time or money to solve issues in customer service or run lavish marketing campaigns.

“Landbot helps all businesses to have truly frictionless conversations with customers and exchange the data they need to make smarter decisions and scale. The team has had a remarkable 2020, and we’re excited to support them in helping more businesses this year.”

Europe is working on a common framework for ‘vaccine passports’

The European Union is preparing the ground for vaccine passports. A common approach for mutual recognition of vaccination documentation is of the “utmost importance”, the Commission said today, adding that it wants “an appropriate trust framework” to be agreed upon by the end of January — “to allow Member States’ certificates to be rapidly useable in health systems across the EU and beyond”.

“Vaccination certificates allow for a clear record of each individual’s vaccination history, to ensure the right medical follow-up as well as the monitoring of possible adverse effects,” it writes, adding that: “A common EU approach to trusted, reliable and verifiable certificates would allow people to use their records in other Member States. Though it is premature to envisage the use of vaccine certificates for other purposes than health protection, an EU approach may facilitate other cross-border applications of such certificates in the future.”

It’s not clear what form (or forms) these pan-EU coronavirus vaccine certificates will take as yet — but presumably there will be both paper-based and digital formats, to ensure accessibility.

Nor is it clear exactly how EU citizens’ identity and medical data will be protected as checks on vaccination status take place. Or, indeed, who the trusted entities storing and managing sensitive health data will be. All that detail is to come — and may well vary by Member State, depending on how immunity certification verification systems get implemented.

Last week a number of tech companies, including Microsoft, Oracle and Salesforce, announced involvement in a separate, cross-industry effort to establish a universal standard for vaccination status that they said would build on existing standards, such as the SMART Health Cards specification which adheres to HL7 FHIR (Fast Healthcare Interoperability Resources).

That tech-backed effort is pushing for an “encrypted digital copy of [a person’s] immunization credentials to store in a digital wallet of their choice,” with a backup available as a printed QR code that includes W3C-standards verifiable credentials for those not wanting or able to use a smartphone. The PR also talked about a “privacy-preserving health status verification” solution that is at least in part “blockchain-enabled.”

Nothing so specific is being proposed for the common EU approach as yet. And it looks clear that a number of vaccine credential standards will be put forward globally — as a potential universal standard. (The Commission is touting its forthcoming framework on that front too.)

Whatever is devised in the EU must ensure compliance with the region’s data protection framework (which bakes in requirements for security and privacy by design and default when processing people’s information). So it could offer better privacy protection than a private sector-led effort, for example.

The EU’s eHealth Network — a body which includes representatives from relevant Member States’ authorities who are supported by a wider European Joint Action body, called eHAction — will be responsible for defining the minimum dataset needed for vaccination certificates used at the EU level, per the Commission.

It says this must include “a unique identifier and an appropriate trust framework ensuring privacy and security”.

Expect relevant stakeholders such as Europe’s Data Protection Supervisor and Data Protection Board to weigh in with expert advice, as happened last year with coronavirus contacts tracing apps.

“The Commission will continue to work with Member States on vaccination certificates which can be recognised and used in health systems across the EU in full compliance with EU data protection law — and scaled up globally through the certification systems of the World Health Organisation,” EU lawmakers add, saying the forthcoming framework will be presented in the WHO “as a possible universal standard”.

Commenting on the challenges ahead for developing privacy-safe vaccination verification, Lukasz Olejnik, a Europe-based independent cybersecurity and privacy researcher and consultant, told TechCrunch: “It is tricky to follow privacy by design for this particular [use-case]. It is unclear if anyone will be interested in identifying possible innovative privacy-preserving frameworks such as anonymous cryptographic credentials.

“In the end perhaps we will end up with some approach using verifiable credentials, but establishing trust will remain a challenge. What will be the source of trust? Is it possible to prove a particular status without the need to disclose the user identity? These are the core questions.”

“I hope this proposal will be public and transparent,” he added of the EU framework.

It’s worth emphasizing that all this effort is a bit ‘cart before the horse’ at this stage — being as it’s still not confirmed whether any of the currently available COVID-19 vaccinations, which have been developed primarily to protect the recipient from serious illness, also prevent transmission of the disease or not.

Nonetheless, systems for verifying proof of immunization status are fast being spun up — ushering in the possibility of ‘vaccine passport’ checks for travellers within the EU down the road, for example. It’s also not hard to envisage businesses requesting COVID-19 vaccination certification before granting access to a physical facility or service, in a bid to reassure customers they can spend money safely — i.e. once such documentation exists and can be verified in a standardized way.

Standardized frameworks for vaccination credentials could certainly have very broad implications for personal freedoms in the near future, as well as wide ramifications for privacy — depending on how these systems are architected, managed and operated.

Europe’s privacy and security research community mobilized heavily last year as the pandemic triggered early proposals to develop coronavirus contacts tracing apps — contributing to a push for exposure notification apps to be decentralized to ensure privacy of individuals’ social graph. However efforts toward establishing vaccination certification systems don’t appear to have generated the same level of academic engagement as yet.

In an analysis of the implications of immunity certificates, published last month, Privacy International warned that any systems that require proof of vaccination for entry or a service would be unfair “until everyone has access to an effective vaccine” — a bar that remains far off indeed.

European countries, which are among the global leaders on COVID-19 vaccination rollouts, have still only immunized tiny minorities of their national populations so far. (Even as the Commission today urged Member States to set targets to vaccinate a minimum of 80% of health and social care professionals and people over 80 by March 2021; and at least 70% of the total adult population by summer — targets which look like fantastical wishful thinking right now.)

“Governments must find alternatives to delivering vaccination schemes which do not perpetuate and reinforce exclusionary and discriminatory practices,” the rights group further urged, also warning that COVID-19 immunity should not be used as a justification for expanding or instating digital identity schemes.