Augmented reality and the next century of the web

Howdy friends, this is the web version of my Week in Review newsletter, it’s here to entice you to sign up and get it in your inbox every week.

Last week, I showcased how Twitter was looking at the future of the web with a decentralized approach so that they wouldn’t be stuck unilaterally de-platforming the next world leader. This week, I scribbled some thoughts on another aspect of the future web, the ongoing battle between Facebook and Apple to own augmented reality. Releasing the hardware will only be the start of a very messy transition from smartphone-first to glasses-first mobile computing.

Again, if you so desire you can get this in your inbox from the newsletter page, and follow my tweets @lucasmtny


The Big Thing

If the last few years of new “reality” tech has telegraphed anything, it’s that tech companies won’t be able to skip past augmented reality’s awkward phase, they’re going to have to barrel through it and it’s probably going to take a long-ass time.

The clearest reality is that in 2021 everyday users still don’t seem quite as interested in AR as the next generation of platform owners stand to benefit from a massive transition. There’s some element of skating to where the puck is going among the soothsayers that believe AR is the inevitable platform heir etc. etc., but the battle to reinvent mobile is at its core a battle to kill the smartphone before its time has come.

A war to remake mobile in the winner’s image

It’s fitting that the primary backers of this AR future are Apple and Facebook, ambitious companies that are deeply in touch with the opportunities they could’ve capitalized on if they could do it all over again.

While Apple and Facebook both have thousands of employees toiling quietly in the background building out their AR tech moats, we’ve seen and heard much more on Facebook’s efforts. The company has already served up several iterations of their VR hardware through Oculus and has discussed publicly over the years how they view virtual reality and augmented reality hardware converging. 

Facebook’s hardware and software experiments have been experimentations in plain sight, an advantage afforded to a company that didn’t sell any hardware before they started selling VR headsets. Meanwhile Apple has offered up a developer platform and a few well-timed keynote slots for developers harnessing their tools, but the most ambitious first-party AR project they’ve launched publicly on iOS has been a measuring tape app. Everything else has taken place behind closed doors.

That secrecy tends to make any reporting on Apple’s plans particularly juicy. This week, a story from Bloomberg’s Mark Gurman highlights some of Apple’s next steps towards a long-rumored AR glasses product, reporting that Apple plans to release a high-end niche VR device with some AR capabilities as early as next year. It’s not the most surprising but showcases how desperate today’s mobile kingpins are to ease the introduction of a technology that has the potential to turn existing tech stacks and the broader web on their heads.

Both Facebook and Apple have a handful of problems getting AR products out into the world, and they’re not exactly low-key issues:

  1. hardware isn’t ready
  2. platforms aren’t ready
  3. developers aren’t ready
  4. users don’t want it yet

This is a daunting wall, but isn’t uncommon among hardware moonshots. Facebook has already worked its way through this cycle once with virtual reality over several generations of hardware, though there were some key difference and few would call VR a mainstream success quite yet.

Nevertheless, there’s a distinct advantage to tackling VR before AR for both Facebook and Apple, they can invest in hardware that’s adjacent to the technologies their AR products will need to capitalize on, they can entice developers to build for a platform that’s more similar to what’s coming and they can set base line expectations for consumers for a more immersive platform. At least this would all be the case for Apple with a mass market VR device closer to Facebook’s $300 Quest 2, but a pricey niche device as Gurman’s report details doesn’t seem to fit that bill quite so cleanly.

The AR/VR content problem 

The scenario I’d imagine both Facebook and Apple are losing sleep over is that they release serviceable AR hardware into a world where they are wholly responsible for coming up with all the primary use cases.

The AR/VR world already has a hefty backlog of burnt developers who might be long-term bullish on the tech but are also tired of getting whipped around by companies that seem to view the development of content ecosystems simply as a means to ship their next device. If Apple is truly expecting the sales numbers of this device that Bloomberg suggests — similar to Valve’s early Index headset sales — then color me doubtful that there will be much developer interest at all in building for a stopgap device, I’d expect ports of Quest 2 content and a few shining stars from Apple-funded partners.

I don’t think this will me much of a shortcut for them.

True AR hardware is likely going to have different standards of input, different standards of interaction and a much different approach to use cases compared to a device built for the home or smartphone. Apple has already taken every available chance to entice mobile developers to embrace phone-based AR on iPhones through ARKit, a push they have seemed to back off from at recent developer-centric events. As someone who has kept a close eye on early projects, I’d say that most players in the space have been very underwhelmed by what existing platforms enable and what has been produced widely.

That’s really not great for Apple or Facebook and suggests that both of these companies are going to have to guide users and developers through use cases they design. I think there’s a convincing argument that early AR glasses applications will be dominated by first-party tech and may eschew full third-party native apps in favor of tightly controlled data integrations more similar to how Apple has approached developer integrations inside Siri.

But giving developers a platform built with Apple or Facebook’s own dominance in mind is going to be tough to sell, underscoring the fact that mobile and mobile AR are going to be platforms that will have to live alongside each other for quite a bit. There will be rich opportunities for developers to create experiences that play with 3D and space, but there are also plenty of reasons to expect they’ll be more resistant to move off of a mutually enriching mobile platform onto one where Facebook or Apple will have the pioneer’s pick of platform advantages. What’s in it for them?

Mobile’s OS-level winners captured plenty of value from top-of-funnel apps marketplaces, but the down-stream opportunities found mobile’s true prize, a vastly expanded market for digital ads. With the opportunity of a mobile do-over, expect to find pioneering tech giants pitching proprietary digital ad infrastructure for their devices. Advertising will likely be augmented reality’s greatest opportunity allowing the digital ads market to create an infinite global canvas for geo-targeted customized ad content. A boring future, yes, but a predictable one.

For Facebook, being a platform owner in the 2020s means getting to set their own limitations on use cases, not being confined by App Store regulations and designing hardware with social integrations closer to the silicon. For Apple, reinventing the mobile OS in the 2020s likely means an opportunity to more meaningfully dominate mobile advertising.

It’s a do-over to the tune of trillions in potential revenues.

What comes next

The AR/VR industry has been stuck in a cycle of seeking out saviors. Facebook has been the dearest friend to proponents after startup after startup has failed to find a speedy win. Apple’s long-awaited AR glasses are probably where most die-hards are currently placing their faith.

I don’t think there are any misgivings from Apple or Facebook in terms of what a wild opportunity this to win, it’s why they each have more people working on this than any other future-minded project. AR will probably be massive and change the web in a fundamental way, a true Web 3.0 that’s the biggest shift of the internet to date.

That’s doesn’t sound like something that will happen particularly smoothly.

I’m sure that these early devices will arrive later than we expect, do less than we expect and that things will be more and less different from the smartphone era’s mobile paradigms in ways we don’t anticipate. I’m also sure that it’s going to be tough for these companies to strong-arm themselves into a more seamless transition. This is going to be a very messy for tech platforms and is a transition that won’t happen overnight, not by a long shot.


Other things

The Loon is dead
One of tech’s stranger moonshots is dead, as Google announced this week that Loon, it’s internet balloon project is being shut down. It was an ambitious attempt to bring high-speed internet to remote corners of the world, but the team says it wasn’t sustainable to provide a high-cost service at a low price. More

Facebook Oversight Board tasked with Trump removal
I talked a couple weeks ago — what feels like a lifetime ago — about how Facebook’s temporary ban of Trump was going to be a nightmare for the company. I wasn’t sure how they’d stall for more time of a banned Trump before he made Facebook and Instagram his central platform, but they made a brilliant move, purposefully tying the case up in PR-favorable bureaucracy, tossing the case to their independent Oversight Board for their biggest case to date. More

Jack is Back
Alibaba’s head honcho is back in action. Alibaba shares jumped this week when the Chinese e-commerce giant’s billionaire CEO Jack Ma reappeared in public after more than three months after his last public appearance, something that stoked plenty of conspiracies. Where he was during all this time isn’t clear, but I sort of doubt we’ll be finding out. More

Trump pardons Anthony Levandowski
Trump is no longer President, but in one of his final acts, he surprisingly opted to grant a full pardon to one Anthony Levandowski, the former Google engineer convicted of stealing trade secrets regarding their self-driving car program. It was a surprising end to one of the more dramatic big tech lawsuits in recent years. More

Xbox raises Live prices
I’m not sure how this stacks in importance relative to what else is listed here, but I’m personally pissed that Microsoft is hiking the price of their streaming subscription Xbox Live Gold. It’s no secret that the gaming industry is embracing a subscription economy, it will be interesting to see what the divide looks like in terms of gamer dollars going towards platform owners versus studios. More

Musk offers up $100M donation to carbon capture tech
Elon Musk, who is currently the world’s richest person, tweeted out this week that he will be donating $100 million towards a contest to build the best technology for carbon capture. TechCrunch learned that this is connected to the Xprize organization. More details


Extra Things

I’m adding a section going forward to highlight some of our Extra Crunch coverage from the week, which dives a bit deeper into the money and minds of the moneymakers.

Hot IPOs hang onto gains as investors keep betting on tech
“After setting a $35 to $39 per-share IPO price range, Poshmark sold shares in its IPO at $42 apiece. Then it opened at $97.50. Such was the exuberance of the stock market regarding the used goods marketplace’s debut.
But today it’s worth a more modest $76.30 — for this piece we’re using all Yahoo Finance data, and all current prices are those from yesterday’s close ahead of the start of today’s trading — which sparked a question: How many recent tech IPOs are also down from their opening price?” More

How VCs invested in Asia and Europe in 2020
“Wrapping our look at how the venture capital asset class invested in 2020, today we’re taking a peek at Europe’s impressive year, and Asia’s slightly less invigorating set of results. (We’re speaking soon with folks who may have data on African VC activity in 2020; if those bear out, we’ll do a final entry in our series concerning the continent.)” More

Hello, Extra Crunch Community!
“We’re going to be trying out some new things around here with the Extra Crunch staff front and center, as well as turning your feedback into action more than ever. We quite literally work for you, the subscriber, and want to make sure you’re getting your money’s worth, as it were.” More


Until next week,
Lucas Matney

This Week in Apps: TikTok viral hit breaks Spotify records, inauguration boosts news app installs, judge rules against Parler

Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

The app industry is as hot as ever, with a record 218 billion downloads and $143 billion in global consumer spend in 2020.

Consumers last year also spent 3.5 trillion minutes using apps on Android devices alone. And in the U.S., app usage surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours per day on their mobile devices.

Apps aren’t just a way to pass idle hours — they’re also a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus. In 2020, investors poured $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year.

This week, we’re looking into how President Biden’s inauguration impacted news apps, the latest in the Parler lawsuit, and how TikTok’s app continues to shape culture, among other things.

Top Stories

Judge says Amazon doesn’t have to host Parler on AWS

logos for AWS (Amazon Web Services) and Parler

Logos for AWS (Amazon Web Services) and Parler. Image Credits: TechCrunch

U.S. District Judge Barbara Rothstein in Seattle this week ruled that Amazon won’t be required to restore access to web services to Parler. As you may recall, Parler sued Amazon for booting it from AWS’ infrastructure, effectively forcing it offline. Like Apple and Google before it, Amazon had decided that the calls for violence that were being spread on Parler violated its terms of service. It also said that Parler showed an “unwillingness and inability” to remove dangerous posts that called for the rape, torture and assassination of politicians, tech executives and many others, the AP reported.

Amazon’s decision shouldn’t have been a surprise for Parler. Amazon had reported 98 examples of Parler posts that incited violence over the past several weeks before its decision. It told Parler these were clear violations of the terms of service.

Parler’s lawsuit against Amazon, however, went on to claim breach of contract and even made antitrust allegations.

The judge shot down Parler’s claims that Amazon and Twitter were colluding over the decision to kick the app off AWS. Parler’s claims over breach of contract were denied, too, as the contract had never said Amazon had to give Parler 30 days to fix things. (Not to mention the fact that Parler breached the contract on its side, too.) It also said Parler had fallen short in demonstrating the need for an injunction to restore access to Amazon’s web services.

The ruling only blocks Parler from forcing Amazon to again host it as the lawsuit proceeds, but is not the final ruling in the overall case, which is continuing.

TikTok drives another pop song to No. 1 on Billboard charts, breaks Spotify’s record

@livbedumb♬ drivers license – Olivia Rodrigo

We already knew TikTok was playing a large role in influencing music charts and listening behavior. For example, Billboard last year noted how TikTok drove hits from Sony artists like Doja Cat (“Say So”) and 24kGoldn (“Mood”), and helped Sony discover new talent. Columbia also signed viral TikTok artists like Lil Nas X, Powfu, StaySolidRocky, Jawsh 685, Arizona Zervas and 24kGoldn. Meanwhile, Nielsen has said that no other app had helped break more songs in 2020 than TikTok.

This month, we’ve witnessed yet another example of this phenomenon. Olivia Rodrigo, the 17-year-old star of Disney+’s “High School Musical: The Musical: the Series” released her latest song, “Drivers License” on January 8. The pop ballad and breakup anthem is believed to be referencing the actress’ relationship with co-star Joshua Bassett, which gave the song even more appeal to fans.

Upon its release the song was heavily streamed by TikTok users, which helped make it an overnight sensation of sorts. According to a report by The WSJ, Billboard counted 76.1 million streams and 38,000 downloads in the U.S. during the week of its release. It also made a historic debut at No. 1 on the Hot 100, becoming the first smash hit of 2021.

On January 11, “Drivers License” broke Spotify’s record for most streams per day (for a non-holiday song) with 15.17 million global streams. On TikTok, meanwhile, the number of videos featuring the song and the views they received doubled every day, The WSJ said.

Charli D’Amelio’s dance to it on the app has now generated 5 million “Likes” across nearly 33 million views, as of the time of writing.

@charlidamelio♬ drivers license – Olivia Rodrigo

Of course, other TikTok hits have broken out in the past, too — even reaching No. 1 like “Blinding Lights” (The Weeknd) and “Mood” (24kGoldn). But the success of “Drivers License” may be in part due to the way it focuses on a subject that’s more relevant to TikTok’s young, teenage user base. It talks about first loves and being dumped for the other girl. And its title and opening refer to a time many adults have forgotten: the momentous day when you get your driver’s license. It’s highly relatable to the TikTok crowd who fully embraced it and made it a hit.

Weekly News

Platforms: Apple

  • Apple stops signing iOS 12.5, making iOS 12.5.1 the only versions of iOS available to older devices.
  • A report claims Apple’s iOS 15 update will cut support for devices with an A9 chip, like the iPhone 6, iPhone 6s Plus and the original iPhone SE.
  • New analysis estimates Apple’s upcoming iOS privacy changes will cause a roughly 7% revenue hit for Facebook in Q2. The revenue hit will continue in following quarters and will be “material.”

Platforms: Google

  • Google adds “trending” icons to the Play Store. New arrow icons appeared in the Top Charts tab, which indicate whether an app’s downloads are trending up or down, in terms of popularity. This could provide an early signal about those that may still be rising in the charts or beginning to fall out of favor, despite their current high position.
  • Google appears to be working on a Restricted Networking mode for Android 12. The mode, discovered by XDA Developers digging in the Android Open Source Project, would disable network access for all third-party apps.

Gaming

  • Goama (or Go Games) introduced a way for developers to integrate social games into their apps, which was showcased at CES. The company focuses on Asia and Latin America and has more than 15 partners, including GCash and Rappi, for digital payments and communications.
  • Fortnite maker Epic Games is getting into movies. The animated feature film Gilgamesh will use Epic’s Unreal Engine technology to tell the story of the king-turned-deity. The movie is not an in-house project, but rather is financed through Epic’s $100M MegaGrants fund.

Augmented Reality

  • Patents around Apple’s AR and VR efforts describe how a system could be identified in a way that’s similar to FaceID, then either permitted or denied the ability to change their appearance in the game.
  • Pinterest launches AR try-on for eyeshadow in its mobile app using Lens technology and ModiFace data. The app already offered AR try-on for lipsticks.

Entertainment

  • The CW app became the No. 1 app on the App Store this week, topping TikTok, Instagram and YouTube, thanks to CW’s season premieres of Batwoman, All American, Riverdale and Nancy Drew.
  • Users of podcasting app Anchor, owned by Spotify, say the app isn’t bringing them any sponsorship opportunities, as promised, beyond those from Spotify and Anchor itself.
  • YouTube launches hashtag landing pages on the web and in its mobile app. The pages are accessible when you click hashtags on YouTube, not via search, and weirdly rank the “best” videos through some inscrutable algorithm.
  • Apple’s Podcasts app adds a new editorial feature, Apple Podcasts Spotlight, meant to increase podcast listening by showcasing the best podcasts as selected by Apple editors.

E-commerce

  • WeChat facilitated 1.6 trillion yuan (close to $250 billion) in annual transactions through its “mini programs” in 2020. The figure is more than double that of 2019.

Fintech

  • Douyin, the Chinese version of TikTok, launched an e-wallet, Douyin Pay. The wallet will supplement the existing payment options, Alipay and WeChat Pay, and will help to support the Douyin app’s growing e-commerce business.
  • Neobank Monzo founder Tom Blomfield left the startup, saying he struggled during the pandemic. “I think [for] a lot of people in the world…going through a pandemic, going through lockdown and the isolation involved in that has an impact on people’s mental health,” he told TechCrunch.
  • New estimates indicate about 50% of the iPhone user base (or 507 million users) now use Apple Pay. 
  • Samsung’s newest phones drop support for MST, which emulates a mag stripe at terminals that don’t support NFC.

Social

  • Indian messaging app, StickerChat, owned by Hike, is shutting down. Founder Kavin Bharti Mittal said India will never have a homegrown messenger unless it bars Western companies from its market. Hike pivoted this month to virtual social apps, Vibe and Rush, which it believes have more potential.
  • Instagram head Adam Mosseri, in a Verge podcast, said he’s not happy with Reels so far, and how he feels most people probably don’t understand the difference between Instagram video and IGTV. He says the social network needs to simplify and consolidate ideas.
  • Facebook and Instagram improve their accessibility features. The apps’ AI-generated image captions now offer far more details about who or what is in the photos, thanks to improvements in image recognition systems.
  • TikTok launches a Q&A feature that lets creators respond to fan questions using text or videos. The feature, rolled out to select creators with more than 10,000 followers, makes it easier to see all the questions in one place.

Health & Fitness

  • Health and fitness app spending jumped 70% last year in Europe to record $544 million, a Sensor Tower report says. The year-over-year increase is far larger than 2019, when growth was just 37.2%. COVID-19 played a large role in this shift as people turned to fitness apps instead of gyms to stay in shape.

Government & Policy

  • Biden’s inauguration boosted installs of U.S. news apps up to 170%, Sensor Tower reported. CNN was the biggest mover, climbing 530 positions to reach No. 41 on the App Store, and up 170% in terms of downloads. News Break was the second highest, climbing 13 positions to No. 65. Right-wing outlet Newsmax climbed 43 spots to reach No. 108. In 2020, the top news apps were: News Break (23.7 million installs); SmartNews (9 million); CNN (5 million); and Fox News (4 million). This month, however, News Break saw 1.2 million installs, followed by Newsmax with about 863,000 installs, the report said.
  • Ireland’s Data Protection Commission (DPC) sent a draft decision to fellow EU Data Protection Authorities over the WhatsApp-Facebook data sharing policy. This means a decision on the matter is coming closer to a resolution in terms of what standards of transparency is required by WhatsApp.
  • German app developer Florian Mueller of FOSS Patents filed a complaint with the EU, U.S. DOJ and other antitrust watchdogs around the world over Apple and Google’s rejection of his COVID-related mobile game. Both stores had policies to only approve official COVID-19 apps from health authorities. Mueller renamed the game Viral Days and removed references to the novel coronavirus to get the app approved. However, he still feels the stores’ rules are holding back innovation.

Productivity

  • Basecamp’s Hey, which famously fought back against Apple’s App Store rules over IAP last year, has launched a business-focused platform, Hey for Work, expected to be public in Q1. The app has more App Store ratings than rival Superhuman, a report found. Currently, Hey has a 4.7-star rating across 3.3K reviews; Superhuman has 3.9 rating across only 274 reviews.

Trends

  • Baby boomers are increasingly using apps. Baby boomers/Gen Xers in the U.S. spent 30% more time year-over-year in their most used apps, App Annie reports. That’s a larger increase than either Millennials or Gen Z, at 18% and 16%, respectively.

Funding and M&A

  • Curtsy, a clothing resale app for Gen Z women, raised an $11 million Series A led by Index Ventures. The app tackles some of the problems with online resale by sending shipping supplies and labels to sellers, and by making the marketplace accessible to new and casual sellers.
  • Storytelling platform Wattpad acquired by South Korea’s Naver for $600 million. The reading apps whose stories have turned into book and Netflix hits will be incorporated into Naver’s publishing platform Webtoon.
  • On-demand delivery app Glovo partnered with Swiss-based real estate firm, Stoneweg, which is investing €100 million in building and refurbishing real estate in key markets to build out Glovo’s network of “dark stores.”
  • Pocket Casts app is up for sale. The podcast app was acquired nearly three years ago by a public radio consortium of top podcast producers (NPR, WNYC Studios, WBEZ Chicago and This American Life). The owners have now agreed to sell the app, which posted a net loss in 2020. (NPR’s share of the loss was over $800,000.)
  • Travel app Maps.me raised $50 million in a round led by Alameda Research. The funding will go toward the launch of a multi-currency wallet. Cryptocurrency lender Genesis Capital and institutional cryptocurrency firm CMS Holdings also participated in the round, Coindesk reported.
  • Bangalore-based hyperlocal delivery app Dunzo raised $40 million in a round that included investment from Google, Lightbox, Evolvence, Hana Financial Investment, LGT Lightstone Aspada and Alteria.
  • London-based food delivery app Deliveroo raised $180 million in new funding from existing investors, led by Durable Capital Partners and Fidelity Management, valuing the business at more than $7 billion.
  • Dating Group acquired Swiss startup Once, a dating app that sends one match per day, for $18 million.

Downloads

Bodyguard

Image Credits: Bodyguard

A French content moderation app called Bodyguard, detailed here by TechCrunch, has brought its service to the English-speaking market. The app allows you to choose the level of content moderation you want to see on top social networks, like Twitter, YouTube, Instagram and Twitch. You can choose to hide toxic content across a range of categories, like insults, body shaming, moral harassment, sexual harassment, racism and homophobia and indicate whether the content is a low or high priority to block.

Beeper

Image Credits: Beeper

Pebble’s founder and current YC Partner Eric Migicovsky has launched a new app, Beeper, that aims to centralize in one interface 15 different chat apps, including iMessage. The app relies on an open-source federated, encrypted messaging protocol called Matrix that uses “bridges” to connect to the various networks to move the messages. However, iMessage support is more wonky, as the company actually ships you an old iPhone to make the connection to the network. But this system allows you to access Beeper on non-Apple devices, the company says. The app is slowly onboarding new users due to initial demand. The app works across MacOS, Windows, Linux‍, iOS and Android and charges $10/mo for the service.

 

Extra Crunch roundup: Digital health VC survey, edtech M&A, deep tech marketing, more

I had my first telehealth consultation last year, and there’s a high probability that you did, too. Since the pandemic began, consumer adoption of remote healthcare has increased 300%.

Speaking as an unvaccinated urban dweller: I’d rather speak to a nurse or doctor via my laptop than try to remain physically distanced on a bus or hailed ride traveling to/from their office.

Even after things return to (rolls eyes) normal, if I thought there was a reliable way to receive high-quality healthcare in my living room, I’d choose it.

Clearly, I’m not alone: a May 2020 McKinsey study pegged yearly domestic telehealth revenue at $3 billion before the coronavirus, but estimated that “up to $250 billion of current U.S. healthcare spend could potentially be virtualized” after the pandemic abates.

That’s a staggering number, but in a category that includes startups focused on sexual health, women’s health, pediatrics, mental health, data management and testing, it’s clear to see why digital-health funding topped more than $10 billion in the first three quarters of 2020.

Drawing from The TechCrunch List, reporter Sarah Buhr interviewed eight active health tech VCs to learn more about the companies and industry verticals that have captured their interest in 2021:

  • Bryan Roberts and Bob Kocher, partners, Venrock
  • Nan Li, managing director, Obvious Ventures
  • Elizabeth Yin, general partner, Hustle Fund
  • Christina Farr, principal investor and health tech lead, OMERS Ventures
  • Ursheet Parikh, partner, Mayfield Ventures
  • Nnamdi Okike, co-founder and managing partner, 645 Ventures
  • Emily Melton, founder and managing partner, Threshold Ventures

Full Extra Crunch articles are only available to members
Use discount code ECFriday to save 20% off a one- or two-year subscription


Since COVID-19 has renewed Washington’s focus on healthcare, many investors said they expect a friendly regulatory environment for telehealth in 2021. Additionally, healthcare providers are looking for ways to reduce costs and lower barriers for patients seeking behavioral support.

“Remote really does work,” said Elizabeth Yin, general partner at Hustle Fund.

We’ll cover digital health in more depth this year through additional surveys, vertical reporting, founder interviews and much more.

Thanks very much for reading Extra Crunch this week; I hope you have a relaxing weekend.

Walter Thompson
Senior Editor, TechCrunch
@yourprotagonist

8 VCs agree: Behavioral support and remote visits make digital health a strong bet for 2021

Woman having a medicine video conferencing with her doctor using digital tablet. Senior woman on a video call with a doctor using her tablet computer at home.

Image Credits: Luis Alvarez (opens in a new window) / Getty Images

Lessons from Top Hat’s acquisition spree

Image Credits: Bryce Durbin

In the last year, edtech startup Top Hat acquired three publishing companies: Fountainhead Press, Bludoor and Nelson HigherEd.

Natasha Mascarenhas interviewed CEO and founder Mike Silagadze to learn more about his content acquisition strategy, but her story also discussed “some rumblings of consolidation and exits in edtech land.”

How VCs invested in Asia and Europe in 2020

Last year, U.S.-based VCs invested an average of $428 million each day in domestic startups, with much of the benefits flowing to fintech companies.

This morning, Alex Wilhelm examined Q4 VC totals for Europe, which had its lowest deal count since Q1 2019, despite a record $14.3 billion in investments.

Asia’s VC industry, which saw $25.2 billion invested across 1,398 deals is seeing “a muted recovery,” says Alex.

“Falling seed volume, lots of big rounds. That’s 2020 VC around the world in a nutshell.”

Decrypted: With more SolarWinds fallout, Biden picks his cybersecurity team

Image Credits: Treedeo (opens in a new window) / Getty Images

In this week’s Decrypted, security reporter Zack Whittaker covered the latest news in the unfolding SolarWinds espionage campaign, now revealed to have impacted the U.S. Bureau of Labor Statistics and Malwarebytes.

In other news, the controversy regarding WhatsApp’s privacy policy change appears to be driving users to encrypted messaging app Signal, Zack reported. Facebook has put changes at WhatsApp on hold “until it could figure out how to explain the change without losing millions of users,” apparently.

Hot IPOs hang onto gains as investors keep betting on tech

A big IPO debut is a juicy topic for a few news cycles, but because there’s always another unicorn ready to break free from its corral and leap into the public markets, it doesn’t leave a lot of time to reflect.

Alex studied companies like Lemonade, Airbnb and Affirm to see how well these IPO pop stars have retained their value. Not only have most held steady, “many have actually run up the score in the ensuing weeks,” he found.

Dear Sophie: What are Biden’s immigration changes?

lone figure at entrance to maze hedge that has an American flag at the center

Image Credits: Bryce Durbin / TechCrunch

Dear Sophie:

I work in HR for a tech firm. I understand that Biden is rolling out a new immigration plan today.

What is your sense as to how the new administration will change business, corporate and startup founder immigration to the U.S.?

—Free in Fremont

Hello, Extra Crunch community!

Hello in Different Languages

Image Credits: atakan (opens in a new window) / Getty Images

I began my career as an avid TechCrunch reader and remained one even when I joined as a writer, when I left to work on other things and now that I’ve returned to focus on better serving our community.

I’ve been chatting with some of the folks in our community and I’d love to talk to you, too. Nothing fancy, just 5-10 minutes of your time to hear more about what you want to see from us and get some feedback on what we’ve been doing so far.

If you would be so kind as to take a minute or two to fill out this form, I’ll drop you a note and hopefully we can have a chat about the future of the Extra Crunch community before we formally roll out some of the ideas we’re cooking up.

Drew Olanoff
@yoda

In 2020, VCs invested $428m into US-based startups every day

Last year was a disaster across the board thanks to a global pandemic, economic uncertainty and widespread social and political upheaval.

But if you were involved in the private markets, however, 2020 had some very clear upside — VCs flowed $156.2 billion into U.S.-based startups, “or around $428 million for each day,” reports Alex Wilhelm.

“The huge sum of money, however, was itself dwarfed by the amount of liquidity that American startups generated, some $290.1 billion.”

Using data sourced from the National Venture Capital Association and PitchBook, Alex used Monday’s column to recap last year’s seed, early-stage and late-stage rounds.

How and when to build marketing teams at deep tech companies

Pole lifting rubber duck with hook in its head

Image Credits: Andy Roberts (opens in a new window) / Getty Images

Building a marketing team is one of the most opaque parts of spinning up a startup, but for a deep tech company, the stakes couldn’t be higher.

How can technical founders working on bleeding-edge technology find the right people to tell their story?

If you work at a post-revenue, early-stage deep tech startup (or know someone who does), this post explains when to hire a team, whether they’ll need prior industry experience, and how to source and evaluate talent.

Bustle CEO Bryan Goldberg explains his plans for taking the company public

Bustle Digital Group CEO Bryan Goldberg

Bustle Digital Group CEO Bryan Goldberg. Image Credits: Bustle Digital Group

Senior Writer Anthony Ha interviewed Bustle Digital Group CEO Bryan Goldberg to get his thoughts on the state of digital media.

Their conversation covered a lot of ground, but the biggest news it contained focuses on Goldberg’s short-term plans.

“Where do I want to see the company in three years? I want to see three things: I want to be public, I want to see us driving a lot of profits and I want it to be a lot bigger, because we’ve consolidated a lot of other publications,” he said.

It may not be as glamorous as D2C, but beauty tech is big money

The U.S. Federal Trade Commission is not a huge fan of personal-care D2C brands merging with traditional consumer product companies.

This month, razor startup Billie and Proctor & Gamble announced they were calling off their planned merger after the FTC filed suit.

For similar reasons, Edgewell Personal Care dropped its plans last year to buy Harry’s for $1.37 billion.

In a harsher regulatory environment, “the path to profitability has become a more important part of the startup story versus growth at all costs,” it seems.

Twilio CEO says wisdom lies with your developers

SAN FRANCISCO, CA – SEPTEMBER 12: Founder and CEO of Twilio Jeff Lawson speaks onstage during TechCrunch Disrupt SF 2016 at Pier 48 on September 12, 2016 in San Francisco, California. Image Credits: Steve Jennings/Getty Images for TechCrunch

Companies that build their own tools “tend to win the hearts, minds and wallets of their customers,” according to Twilio CEO Jeff Lawson.

In an interview with enterprise reporter Ron Miller for his new book, “Ask Your Developer,” Lawson says founders should use developer teams as a sounding board when making build-versus-buy decisions.

“Lawson’s basic philosophy in the book is that if you can build it, you should,” says Ron.

Backed by Vint Cerf, Emortal wants to protect your digital legacy from ‘bit-rot’

We are all pumping out data into the cloud. Some of it we’d like to keep forever. Emortal is a startup that wants to help you organize, protect, preserve and pass on your ‘digital legacy’ and protect it from becoming unreadable, otherwise known as ‘bit-rot’. The project has received backing from the legendary Vint Cerf, one of the co-creators and founding fathers of the internet.

Emortal, which has been in engineering R&D for more than 10 years, has raised $5.7 million from ‘friends and family’. It is now raising $2.7 million in a crowdfunding on the UK’s Crowdcube platform, following what it says was a successful BETA test.

The company will use Google architecture to preserve digital memories – photographs, documents, correspondence, videos, interviews and more – indefinitely into the future. The idea is that this will ensure that as, operating systems, devices and tech evolves, your entire digital legacy will remain safe, secure and accessible – to only those you choose.

The platform is now set to be launched in the UK and US in Q3 this year and will be designed for occasional considered use, for example when taking a picture at a christening, rather than saving every photo you take. It will charge a flat, standard subscription fee of £4.99 a month.

Cerf said in a statement: “The cornerstone of the Emortal proposition is to tie data preservation in with digital legacy protection to ensure that our digital memories are safe and accessible for generations to come.”

Colin Culross, founder and CEO of Emortal said: “We are keen to use the Crowdcube platform for this raise because Emortal is a service designed for ALL families. We believe the most powerful way for the business to grow is to have thousands of our customers investing in the business.” 

How VCs invested in Asia and Europe in 2020

Wrapping our look at how the venture capital asset class invested in 2020, today we’re taking a peek at Europe’s impressive year, and Asia’s slightly less invigorating set of results. (We’re speaking soon with folks who may have data on African VC activity in 2020; if those bear out, we’ll do a final entry in our series concerning the continent.)

After digging into the United States’ broader venture capital results from last year with an extra eye on fintech and unicorn investing, at least one trend was clear: venture capital is getting later and larger (as expected).

Record dollar amounts were being invested, but across falling deal volume. More money and fewer rounds meant larger rounds, often going to the late and super-late stage startups in the market.

Unicorns are feasting, in other words, while some younger startups struggle to raise capital.


The Exchange explores startups, markets and money. Read it every morning on Extra Crunch, or get The Exchange newsletter every Saturday.


There have been some encouraging signs of seed activity, mind, but full-year data made it clear that in America, the more mature startups had the best of it.

But what about the rest of the world? After parsing KPMG data concerning both how VCs invested in Europe (here) and Asia (here) last year, there are clear echoes. But not entire reproductions.

Let’s discuss key data points from the two reports. This will be illustrative, brief and painless. Into the data!

European VCs: Rich, but not evenly distributed

Compared to historical investment levels, KPMG’s European VC report describes a venture capital scene at its peak. Q4 2020 saw $14.3 billion invested into EU startups across 1,192 deals, the highest dollar amount charted and a modest besting of the previous record set in Q3 2020.

However, despite impressive investment totals, the number of deals that the money was spread over proved lackluster.

The Q4 2020 deal count was the lowest on record since the continent’s deal peak in Q1 2019. Squinting at the provided chart, it appears that deal volume in Europe has fallen from around 2,200 in that peak quarter, to Q4’s fewer than 1,200 deals.

Blobr, the ‘no-code’ company turning APIs into products, raises €1.2M pre-seed

Blobr, a Paris-based startup operating in the no-code space with tech to make it easier for companies to expose and monetise their existing APIs, has raised €1.2 million in pre-seed funding.

The round is led by pan-European pre-seed and seed investor Seedcamp, with participation from New Wave, Kima, and various angel investors. Blobr is also the first company to take investment from New Wave — the new European venture capital firm co-founded by Pia d’Iribarne and Jean de la Rochebrochard — since the VC confirmed it had closed $56 million in deployable capital from an all-star lineup of investors, including Iliad’s Xavier Niel, Benchmark’s Peter Fenton, and Tony Fadell of Apple fame.

Blobr, founded by Alexandre Airvault (CEO) and Alexandre Mai (CTO), is aiming to become the default “business and product layer” for APIs. This idea is to enable product and business people to manage and monetize a company’s application programming interfaces without technical knowledge or the need fo use up more internal engineering resources. And by doing so, the startup believes we’ll see much more innovative use of APIs as commercial data and functionality is made accessible by more third parties to build on top.

“We believe companies should stop thinking of APIs as mere pipes and start building them as products to unleash their power,” says Airvault. “This means APIs should be priced, customized and managed with a user-oriented mindset and not only a tech one”.

To make this a reality, Blobr is designed to empower product and business owners to “make data-sharing a profitable model,” while reducing their dependence on tech. “I believe this approach is what will drive the data exchanges to the next level,” he explains.

Blobr’s no code technology offers quite a lot of functionality already. From one existing internal API, you can filter confidential information or GDPR related data; it’s also possible to deliver different API output depending on customer segmentation so you only expose the data that’s needed; and API usage can be linked to usage based business models or a monthly subscription in Stripe.

Airvault says the startup’s main competitors include API management solutions from Google, IBM, Axway, and Mulesoft. “Those platforms are tailored for internal APIs but are not thought of and optimized to manage APIs as products. They are tailored for technical people whereas Blobr as a no code solution is built from scratch for product and business people to avoid technical people to be involved in the equation,” he adds.

‘Slow dating’ app Once is acquired by Dating Group for $18M as it seeks to expand its portfolio

Five-year-old ‘slow dating’ app Once has been acquired by the Dating Group, one of the largest companies in the dating world, for $18 million in cash and stock. Dating Group has 73 million registered users across a range of portfolio fatting apps including Dating.com.

Clémentine Lalande, co-founder and CEO of Once, will continue leading the company under a 2-year agreement. Fellow Co-founder Jean Meyer retained a stake in the company after departing two years ago.

Once has 9 million users on its platform, while the startup also garnered a further one million from a spin-out app it later launched called Pickable.

Once is as a dating app that uses matching algorithms to deliver just one match per day to each user. It pitched itself as an alternative to the frenetically-paced apps such as Tinder and Bumble. Indeed, Bumble revealed last week that two in five people of those it surveyed are taking longer to get to know someone as a result of pandemic lockdowns. And 38% Bumble users admit that it had made them want something more serious. So Once had a ready market.

Each pair on the Once app has 24 hours of each other’s attention and can continue chatting if they “like” each other. The AI looks at the account’s info, dating preferences and previous history in order to find the best possible match. Users can also rate each particular profile to let the AI better understand their taste.

In a statement, Lalande said: “I am thrilled to join the Dating Group today, both because of their proven focus on post-swiping dating alternatives, and to leverage the huge synergies between Once and Dating Group. In such a concentrated and competitive market having a large partner will allow us to augment our reach and accelerate geographical expansion”.

Bill Alena, chief investment officer at Dating Group said: “We strongly believe in the concept of AI and making quality matches. We see a huge potential in integrating Once into our portfolio. We’re excited to have Clémentine join Dating Group, she and her team have built a fascinating product and with this acquisition, Dating Group expands deeper into the Western European market.”

Dating Group has offices in seven countries and a team of more than 500 professionals with more than 73 million registered users across the entire portfolio. Its brands include Dating.com, DateMyAge, Dil Mil, Cherish, Tubit, AnastasiaDate, ChinaLove.

UK resumes privacy oversight of adtech, warns platform audits are coming

The UK’s data watchdog has restarted an investigation of adtech practices that, since 2018, have been subject to scores of complaints across Europe under the bloc’s General Data Protection Regulation (GDPR).

The high velocity trading of Internet users’ personal data can’t possibly be compliant with GDPR’s requirement that such information is adequately secured, the complaints contend.

Other concerns attached to real-time bidding (RTB) focus on consent, questioning how this can meet the required legal standard with data being broadcast to so many companies — including sensitive information, such as health data or religious and political affiliation and sexual orientation.

Since the first complaints were filed the UK’s Information Commissioner’s Office (ICO) has raised its own concerns over what it said are systemic problems with lawfulness in the adtech sector. But last year announced it was pausing its investigation on account of disruption to businesses from the COVID-19 pandemic.

Today it said it’s unpausing its multi-year probe to keep on prodding.

In an update on its website, ICO deputy commissioner, Simon McDougall, ICO, who takes care of “Regulatory Innovation and Technology” at the agency, writes that the eight-month freeze is over. And the audits are coming.

“We have now resumed our investigation,” he says. “Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.”

“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data,” he goes on. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”

It’s not clear what data the ICO still lacks to come to a decision on complaints that are approaching 2.5 years old at this point. But the ICO has committed to resume looking at adtech — including at data brokers, per McDougall, who writes that “we will be reviewing the role of data brokers in this adtech eco-system”.

“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded,” he goes on, managing expectations of any swift resolution to this vintage GDPR complaint.

Commenting on the ICO’s continued reluctance to take enforcement action against adtech despite mounds of evidence of rampant breaches of the law, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties who was involved in filing the first batch of RTB GDPR complaints — and continues to be a vocal critic of EU regulatory inaction against adtech — told TechCrunch: “It seems to me that the facts are clearly set out in the ICO’s mid 2019 adtech report.

“Indeed, that report merely confirms the evidence that accompanied our complaints in September 2018 in Ireland and the UK. It is therefore unclear why the ICO requires several months further. Nor is it clear why the ICO accepted empty gestures from the IAB and Google a year ago.”

“I have since published evidence of the impact that failure to enforce has had: Including documented use of RTB data to influence an election,” he added. “As that evidence shows, the scale of the vast data breach caused by the RTB system has increased significantly in the three years since I blew the whistle to the ICO in early 2018.”

Despite plentiful data on the scale of the personal data leakage involved in RTB, and widespread concern that all sorts of tangible harms are flowing from adtech’s mass surveillance of Internet users (from discrimination and societal division to voter manipulation), the ICO is in no rush to enforce.

In fact, it quietly closed the 2018 complaint last year — telling the complainants it believed it had investigated the matter “to the extent appropriate”. It’s in the process of being sued by the complainants as a result — for, essentially, doing nothing about their complaint. (The Open Rights Group, which is involved in that legal action, is running this crowdfunder to raise money to take the ICO to court.)

So what does the ICO’s great adtech investigation unpausing mean exactly for the sector?

Not much more than gentle notice you might be the recipient of an “assessment notice” at some future point, per the latest mildly worded ICO blog post (and judging by its past performance).

Per McDougall, all organizations should be “assessing how they use personal data as a matter of urgency”.

He has also committed the ICO to publishing “final findings” at some future point. So — to follow, post-pause — yet another report. And more audits.

“We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing — particularly in respect of consentlegitimate interestsdata protection by design and data protection impact assessments (DPIAs),” he goes on, eschewing talk of any firmer consequences following should all that guidance continue being roundly ignored.

He ends the post with a nod to the Competition and Markets Authority’s recent investigation of Google’s Privacy Sandbox proposals (to phase out support for third party cookies on Chrome) — saying the ICO is “continuing” to work the CMA on that active antitrust complaint.

You’ll have to fill in the blanks as to exactly what work it might be doing there — because, again, McDougall isn’t saying. If it’s a veiled threat to the adtech industry to finally ‘get with the ICO’s privacy program’, or risk not having it fighting adtech’s corner in that crux antitrust vs privacy complaint, it really is gossamer thin.

Privacy complaint targets European parliament’s COVID-19 test-booking site

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies which states that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry in compliance with European law. Such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament website to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google’s server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who is?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.

Privacy complaint targets European parliament’s COVID-19 test-booking site

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies which states that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry in compliance with European law. Such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament website to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google’s server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who is?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.