Facebook launches a climate change information center and commits to eliminating ‘scope 3’ emissions by 2030

Even as Facebook, the world’s largest social media platform, admits that climate change “is real” and that “the science is unambiguous and the need to act grows more urgent by the day” the platform appears unwilling to take steps to really stand up to the climate change denialism that circulates on its platform. 

The company is set to achieve net zero carbon emissions and be supported fully by renewable energy in its own operations this year.

But as the corporate world slaps a fresh coat of green paint on its business practices, Facebook is looking to get out in front with the launch of a Climate Science Information Center to “connect people with science-based information”.

The company is announcing a new information center, designed after its COVID-19 pandemic response. The center is designed to connect people to factual and up-to-date climate information, according to the company. So far, Facebook says that over 2 billion people have been directed to resources from health authorities with its COVID-19 response.

The company said that it will use The Climate Science Information Center to feature facts, figures, and data from the Intergovernmental Panel on Climate Change (IPCC) and their global network of climate science partners, including the UN Environment Programme (UNEP), The National Oceanic and Atmospheric Administration (NOAA), World Meteorological Organization (WMO) and others. This center is launching in France, Germany, the UK and the US to start. 

While Facebook has been relatively diligent in taking down COVID-19 misinformation that circulates on the platform, removing 7 million posts and labeling another 98 million more for distributing coronavirus misinformation, the company has been accused of being far more sanguine when it comes to climate change propaganda and pseudoscience.

A July article from The New York Times revealed how climate change deniers use the editorial label to skirt Facebook’s policies around climate disinformation. In September 2019 a group called the CO2 Coalition managed to overturn a fact-check that would have labeled a post as misinformation by appealing to Facebook’s often criticized stance on providing and amplifying different opinions. By calling an editorial that contained blatant misinformation on climate science an editorial, the group was able to avoid the types of labels that would have redirected a Facebook user to information from recognized scientific organizations.  

Facebook disputes that characterization. “If it’s labeled an opinion piece, it’s subject to fact checking,” said Chris Cox, the chief product officer at Facebook.

“We look at the stuff that starts to go viral. There’s not a part of our policies that says anything about opinion pieces being exempted at all.”

With much of the Western coast of the United States now on fire, the issues are no longer academic. “We are taking important steps to reduce our emissions and arm our global community with science-based information to make informed decisions and tools to take action, and we hope they demonstrate that Facebook is committed to playing its part and helping to inspire real action in our community,” the company said in a statement.

Beyond its own operations, the company is also pushing to reduce operational greenhouse gases in its secondary supply chain by 75 percent and intends to reach net zero emissions for its value chain — including suppliers and employee commuting and business travel — by 2030, the company said. Facebook did not disclose how much money it would be investing to support that initiative.

France to spend $8.4 billion on digital as part of stimulus plan

The French government unveiled a massive $120 million (€100 billion) stimulus package earlier today to recover from the economic downturn — it represents 4% of the country’s GDP. As part of this support plan, the government plans to spend a significant chunk of money on all things digital — startup investment, infrastructure investment and digital transformation.

I interviewed France’s digital minister Cédric O earlier today to get some details on how it’s going to work. Overall, France will spend $8.4 billion (€7 billion) on digital investments. This is a new investment plan for the next two years.

It’s different from the economic rescue plan that was rolled out earlier this year. That one was designed as a stopgap for the early days of the economic crisis.

“With €7 billion, I think the digital sector is the sector that is receiving the biggest investment overall compared to all other sectors except the environmental sector,” Cédric O said.

France's digital minister Cédric O

France’s digital minister Cédric O. Image Credits: Ludovic Marin / AFP / Getty Images.

Investing in tech startups

Ten years ago, the French government launched an investment program dedicated to innovation, from scientific research to R&D spendings. The government is launching the fourth iteration of this program (Programme d’investissements d’avenir).

It’s a $13 billion investment plan (€11 billion) and it covers a ton of stuff. But nearly $1 billion (€800 million) will be dedicated to state aid for French startups over the next couple of years.

“It represents a volumetric increase,” Cédric O said. “If we look at innovation aids managed by Bpifrance, we have a 60% increase. Startups already know those schemes really well, so it’s going to have an immediate impact.”

In addition to that, as part of the innovation program, France will spend $3 billion (€2.5 billion) over the next five years to invest in startups with Bpifrance acting as a traditional VC firm, and in VC funds directly as limited partners.

There will be more details on the direct investment strategy, but you can expect vertical-focused investments in cybersecurity, quantum computing, green tech, etc.

For the fund of fund investment strategy, the goal here is two-fold — maintaining investments in small VC funds that focus on seed rounds and Series A rounds and filling a gap when it comes to late-stage funds.

“Crises are transition periods with more entrepreneurs, more consolidation and opportunities. We want to make sure that French companies merge rather than foreign companies [acquiring French companies],” Cédric O said.

Injecting cash in the tech ecosystem means bigger French tech companies with more funding will be able to acquire smaller ones. According to the government, boosting bigger French startups through public investment could benefit the tech ecosystem at large. Otherwise, tech giants, such as Google and Facebook, will acquire the most promising French startups.

Bridging the gap between the tech sector and the economy at large

Over the past three years, many have criticized President Emmanuel Macron for helping French startups through generous policies and leaving a large portion of the population behind. That’s why today’s stimulus plan isn’t just about tech startups.

“We have to keep investing massively because it’s the future of work but we have to make sure everyone benefits from those investments,” Cédric O said.

While startups hire more people than other companies, they’re often looking for engineers, data scientists and customer success managers. Given that many people are going to face unemployment, France will spend $360 million (€300 million) on education for the tech sector.

Most French companies aren’t tech companies, so the French government is going to contribute to the digital transformation of small and medium companies with a $460 million investment (€385 million) as well.

“We have to keep investing massively because it’s the future of work but we have to make sure everyone benefits from those investments.” Cédric O

Digital transformation is quite broad; it covers anything from switching to digital invoices to launching an e-commerce branch and buying modern equipment for industrial production. This is going to be one of the toughest parts of the stimulus plan as it’s a highly fragmented market.

“Operationalizing this plan will be one of the main challenges we’ll face. There are 3 million companies in France, 1.5 million small and medium businesses. And reaching those companies has been a challenge for previous governments,” Cédric O said.

In addition to small and medium businesses, car manufacturers and the aviation industry will receive $240 million (€200 million) for digital transformation.

The government is also going to spend $300 million (€250 million) on digital inclusion with public agents helping elderly citizens and simpler administrative services. France already allocated some money for digital inclusion in the past, but the previous plan was only $18 million (€15 million).

And then there are some public spendings on infrastructure, such as an additional $290 million (€240 million) for fiber network and $2 billion (€1.7 billion) to modernize public information systems.

Overall, it’s an ambitious stimulus package. I’m sure startups will find a way to take advantage of new state aid and investment opportunities. I hope traditional companies will also see the benefits.

Facebook threatens to block news sharing in Australia as it lobbies against revenue share law

Adtech giant and self-styled ‘free speech champion’, Facebook, has threatened to pull the plug on the public sharing of news content on Facebook and Instagram in Australia.

The aggressive threat is Facebook’s attempt to lobby against a government plan that will require it and Google to share revenue with regional news media to recompense publishers for distributing and monetizing professionally produced content on their platforms.

Consultation on a draft of the mandatory code — which Australia’s lawmakers say is intended to address “acute bargaining power imbalances” between local news businesses and the adtech duopoly — closed on August 28, with a final version expected imminently from Australia’s Competition and Consumer Commission (ACCC) and then due to be put before parliament.

Facebook’s threat thus looks timed to turn the heat up on lawmakers as they’re about to debate the details of the code. However dangling the prospect of blocking professionally produced news in an attempt to thwart a law change that’s not in its commercial interests will do nothing to reduce lawmakers’ concerns about the level of market power being wielded by tech giants.

Last month Google also warned that if Australia goes ahead with the plan then the quality of regional search results and YouTube recommendations will suffer — becoming “less relevant and helpful” if the law goes into effect.

Both platform giants are essentially saying that unless the bulk of professional reportage can be freely distributed on their platforms, leaving them free to monetize it via serving ads and through the acquisition of associated user data, then unverified user generated content will be left to fill the gap.

The clear implication is that lower grade content — and potentially democracy-denting disinformation — will be left to thrive. Or, in plainer language, the threat boils down to: Give us your journalism for free or watch your society pay the price as our platforms plug the information gap with any old clickbait.

“The ACCC presumes that Facebook benefits most in its relationship with publishers, when in fact the reverse is true. News represents a fraction of what people see in their News Feed and is not a significant source of revenue for us. Still, we recognize that news provides a vitally important role in society and democracy, which is why we offer free tools and training to help media companies reach an audience many times larger than they have previously,” writes Facebook in the same blog post where it threatens — as a ‘last choice’ — to pull the plug on content it describes as playing “a vitally important role in society and democracy” because it doesn’t want to have to pay for it.

Facebook’s calculus is clearly elevating its own commercial interests above free speech. And indeed above democracy and society. Yet the tech giant’s go-to defence for not removing all sorts of toxic disinformation and/or hateful, abusive content — or indeed lying political ads — from circulating on its platform is a claim that it’s defending ‘free speech’. So this is a specially rank, two-faced kind of platform hypocrisy on display.

Last year the comic Sacha Baron Cohen slammed Facebook’s modus operandi as “ideological imperialism” — warning then that unaccountable Silicon Valley ‘robber barons’ are “acting like they’re above the reach of law”. Well, Australians are now getting a glimpse of what happens when the mask further slips.

The ACCC has responded to Facebook’s flex with a steely statement of its own, attributed to chair Rod Sims.

“Facebook’s threat today to prevent any sharing of news on its services in Australia is ill-timed and misconceived,” he writes. “The draft media bargaining code aims to ensure Australian news businesses, including independent, community and regional media, can get a seat at the table for fair negotiations with Facebook and Google.”

“Facebook already pays some media for news content. The code simply aims to bring fairness and transparency to Facebook and Google’s relationships with Australian news media businesses,” he adds.

“As the ACCC and the Government work to finalise the draft legislation, we hope all parties will engage in constructive discussions.”

A similar battle is playing out in France over Google News, following a recent pan-EU law change which extended copyright to news snippets. France has been at the forefront of implementing the change in national law — and Google has responded by changing how it displays news media content in Google News in the country, switching to showing headlines and URLs only (so removing snippets).

However earlier this year France’s competition watchdog slapped down the tactic — saying Google’s unilateral withdrawal of snippets to deny payment to publishers is likely to constitute an abuse of a dominant market position, which it asserted “seriously and immediately damaged the press sector.”

Google’s share of the search market in Europe remains massively dominant — with the tech giant taking greater than 90% marketshare. (Something that underpins a number of regional antitrust enforcements against various aspects of its business.)

In Australia, Facebook’s position as a news distributor appears to be less strong, with the ACCC citing the University of Canberra’s 2020 Digital News Report which found that 39% of Australians use Facebook for general news, and 49% use Facebook for news about COVID-19.

However information and disinformation do not distribute equally, with plenty of studies indicating a faster spread for fake news — which suggests Facebook’s platform power to distribute bullshit is far greater than its role in informing societies by spreading bona fide news. That in turn makes its threat to block genuine reportage an antisocial weaponization of its dominance of social media.

Facebook to pay $125 million in back taxes in France, report says

Facebook France is going to pay $125 million (€106 million) in back taxes according to business magazine Capital — Facebook confirmed the agreement to both Capital and Reuters. French tax authorities raided Facebook’s offices in Paris in 2012 and later opened an investigation on unpaid taxes covering activities between 2009 and 2018.

According to the investigation, Facebook allegedly optimized its effective tax rate in France by funneling sales to other subsidiaries in different European countries.

It’s a grey area as funneling sales to a different country is legal. But you have to prove that there wasn’t any sales person based in France selling to a French customer. Those contracts can be reclassified as French contracts.

Many tech companies have had to pay back taxes in France for the same issue. For instance, Google agreed to pay a $549 million fine and $510 million in back taxes in 2019. Similarly, Apple settled a dispute covering $572 million in back taxes.

This is a new strategy for French authorities. Companies can avoid a public fight if they settle with tax authorities directly. This way, companies avoid some public backlash and it speeds up the process. Amazon was the first company to settle in 2018.

“We take our tax obligations seriously, pay the taxes we owe in all markets where we operate,” Facebook told Reuters. As a result, the company’s revenue in France has jumped from €56 million to €389 million between 2017 and 2018, representing a nearly 600% revenue increase in 12 months.

We’ve reached out to Facebook and will update this article if we learn more.

Omio takes $100M to shuttle through the coronavirus crisis

Multimodal travel platform Omio (formerly GoEuro) has raised $100M in late stage funding to help see its business through the coronavirus crisis. It also says it’s eyeing potential M&A opportunities within the hard-hit sector.

New and existing investors in the Berlin -based startup participated in the late stage convertible note, although omio isn’t disclosing any new names. Among the list of returning investors are: Temasek, Kinnevik, Goldman Sachs, NEA and Kleiner Perkins. Omio’s business has now pulled in around $400M in total since being founded back in 2013 — with the prior raise being a $150M round back in 2018.

In a supporting statement on the latest raise, Georgi Ganev, CEO of Kinnevik, said: “We are very impressed how fast and effective Omio adapted to such an unprecedented crisis for the global travel industry. The management team has delivered quickly and we can see the robustness of the business model which is well diversified across markets and transport modes. We are looking forward to supporting Omio on its way to become the go-to destination for travellers across the world.”

While COVID-19 has thrown up major headwinds to global tourism and travel — with foreign trips discouraged by specific government quarantine requirements, and the overarching requirement for people to maintain social distancing meaning certain types of holidays or activities are less attractive or even feasible, Omio is nonetheless sounding upbeat — reporting a partial recovery in bookings this summer in Europe.

In Germany and France it says bookings are above 50% of the pre-COVID-19 level at this point, despite only “marginal” marketing spend over the crisis period.

Its business is likely better positioned than some in the travel space to adapt to changes in how people are moving around and holidaying, given it caters to multiple modes of transport. The travel aggregator platform spans flights, rail, buses and even ferry routes, allowing users to quickly compare different modes of transport for their planned journey.

More recently Omio has added car sharing and car rentals to its platform, including via a partnership with rentalcars.com. So as travellers in Europe have adapted to living with COVID-19 — perhaps opting to take more local trips and/or avoiding mass transit when they go on holiday — it’s in a strong position to cater to changing demand through its partnerships with ground transportation networks and providers.

“That diversification in terms of not depending on a single mode of transport has really helped the business come back much stronger, because we’re not depending on — for example — air or bus,” CEO and founder Naren Shaam tells TechCrunch. “The diversification has helped us.”

“People will travel a lot more to smaller regions, explore the countryside a little more,” he predicts, suggesting the current dilution of travel focus it’s seeing — away from usual tourist hotspot destinations in favor of a broader, more rural mix of places — augurs a wider shift to more a diversified, more sustainable type of travel being here to stay.

“It’s not longer just airport to airport travel,” he notes. “People are traveling to where they want to go — and it’s a lot more distributed across geographies, where people want to explore. A platform like ours can accelerate this behaviour because we serve, not just flights, but trains, buses, even ferries etc, you can actually reach any destination with us.”

Direct booking via Omio’s platform is possible where it has partner agreements in place (so not universally across all routes, though it may still be able to offer route planning info).

Its multimodal booking mix extends to 37 countries in Europe and North America — where it launched at the start of this year. Last year it acquired Rome2Rio, bulking out its global flight and transport planning inventory. The grand vision is “all transport, end to end, in a single product”, as Shaam puts it — although executing on that means continuing to build out partnerships and integrations across its market footprint. 

Asked whether the new funding will give Omio enough headroom to see it through the current coronavirus crisis, Shaam tells TechCrunch: “The unknown unknown is how long the crisis lasts. But as we can see if the crisis lasts a couple of years we will make it through that.”

He says the raise will help the business come out of the crisis “stronger” — by enabling Omio to spend on adapting its product to meet changing consumer demand, such as the shift to ground transportation. “All of those things we can use these capital to shape the future of how the travel industry actually interacts with consumers,” he suggests.

Another shift in the industry that’s been triggered by the coronavirus relates to consumer expectations around information. In short, people expect a lot more travel intel up front.

“We have hypotheses on what comes back [post-crisis]. I think travel will be a lot more information centric, especially coming out of COVID-19. Customers will seek clarity in the near term around basic information around what regions can I travel to, do I need to quarantine, do I need to wear a mask inside the train etc,” he says.

“But that’ll drive a type of consumer behavior where they are seeking more information and companies will need to provide this information to satisfy the consumer needs of the future. Because consumers are getting used to having relevant information at the right point in time. So it’s not a data dump of all information… it’s when I get to the train station, what do I need to do?

“Each of those is almost hyperlocal in terms of information and that’s going to drive a change in consumer behaviour.”

Omio’s initial response to this need for more information up front was the launch of a hub — called the Open Travel Index — where users can look up information on restrictions related to specific destinations to help them plan their journey.

However he admits it’s a struggle to keep up with requirements that can switch over night (in one recent example, the UK added France to a list of countries from which returning travellers must self quarantine for two weeks — leading to a mad dash by scores of holidaymakers trying to beat a 4am deadline to get back on UK soil).

“This is a product we launched about a month and a half ago that tells you, if you’re based in the UK, where you can go in Europe,” he says. “We need to update it faster because information’s changing very, very quickly — so it’s on us now to figure out how to keep up with the constant changes of information.”

Discussing other COVID-19 changes, Shaam points to the shift to apps that’s being accelerated by the public health crisis — a trend that’s being replicated in multiple industries of course, not just travel.

“More than half of the ground transport industry was booked at a kiosk at a station [before COVID-19]. So this will drive a clear change with people uncomfortable touching a kiosk button,” he adds, arguing that that shift will help create better consumer products in the sector.

“If you imagine the kind of consumer products that the app/web world has created you can imagine that should come to the consumer experiences in travel,” he suggests. “So these are the things, I think, that will come in terms of consumer behavior and it’s up to us to make sure that we lead that change as a company.”

“We’re investing quite heavily in some of the other shifts that we’re seeing — in terms of days to departure, flexibility of fares, more insurance type products so you can cancel,” he adds. “We’re also trying to help customers in terms of whether they can go.

“We’re investing heavily in routing so you can connect modes of transport, not just flights, so you can travel longer distances with just trains. And we’re also in talks with all our suppliers to say hey, how can we help you come back — because not all suppliers are state monopolies. There’s a lot of small, medium suppliers on our product and we want to bring them back as well so we’re investing there as well.”

On M&A, Shaam says growth via acquisition is “definitely on the radar for us”. Though he also says it’s not top of the priority list right now.

“We’ve actively got our ears out. More so now, going forward, than looking back — because the last four months, imagine what we went through as a travel company, I just wanted to stablize that situation and bring us to a stable position,” he says.

“We are still in COVID-19. The situation’s not yet over, so our primary goal coming out of this is very much investing in the shifts in consumer behavior in our core product… Any M&A acquisitions we’ll do is more opportunistic, based on [factors like] pricing and what’s happening in the industry.

“But more of our capital and my time and everything will go a lot more to build the future of transport. Because that’s going to change so much more for so many millions of consumers that use our product today.”

There is still plenty of work that can be done on Omio’s core proposition — aka, linking up natural travel search for consumers by knitting together a diverse mix and range of service providers in a way that shrinks the strain of travel planning, and building out support for even more multifaceted trips people might wish to take in future.

“No one brings the natural search for consumers. Consumers just want to go London to Portsmouth. They don’t say ‘London Portsmouth train’. They do that today because that’s what the industry forces them to do — so by enabling this core product to work where you can search any modes of transport, anywhere in Europe, one click to buy, everything is a simple, mobile ticket, and you use the whole product on the app — that’s the big driver for the industry,” Shaam adds.

“On top of that you’ve got shifts towards ground transport, shifts towards app, shifts towards sustainability, which is a big topic — even pre-COVID-19 — that we can actually help drive even more change coming out of this. These are the bigger opportunities for us.”

Uncertainty clearly remains a constant for the travel sector now that COVID-19 has become a terrible ‘new normal’. So even with an unexpected summer travel bump in Europe it remains to be seen what will happen in the coming months as the region moves from summer to winter.

“In general the overall business outlook we’re taking is purely something of more caution,” says Shaam. “We just don’t know. Anything at all with respect to COVID-19, no one knows, basically. I’ve seen a number of reports in the industry but no one really knows. So in general our outlook is one of caution. And that’s why we were surprised in our uptick already through the summer. We didn’t even expect that kind of growth with near zero marketing spend levels.”

“We’ll adapt,” he adds. “The business is high variable costs so we can scale up and down fairly easily, so it’s asset light and these things help us adapt. And let’s see what happens in the winter.”

Over in the US — where Omio happened to launch slightly ahead of the COVID-19 crisis — he says it’s been a very different story, with no bookings bump. “No surprise, given the situation there,” he says, emphasizing the importance of government interventions to help control the spread of the virus.

“Governments play a very important role here. Europe has done a superior job compared to a lot of other regions in the world… But entire economies [in the region] depend on tourism,” he says. “Hopefully entire [European] countries shouldn’t go into shutdowns again because the systems are strong enough to identify local spike in cases and they ring fence it very quickly and can act on it. It’s the same as us as a company. If there’s a second wave we know how to react because we’ve gone through this horrible phrase one… So using those learnings and applying them quickly I think will help stabilize the industry as a whole.”

EU websites’ use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints

A month after Europe’s top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group, noyb, has filed complaints against 101 websites with regional operators which it’s identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.

Among the entities listed in its complaint are ecommerce companies, publishers & broadcasters, telcos & ISPs, banks and universities — including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.

“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) — despite both companies clearly falling under US surveillance laws, such as FISA 702,” the campaign group writes on its website.

“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

We’ve reached out to Facebook and Google with questions about their legal bases for such transfers — and will update this report with any response.

Privacy watchers will know that noyb’s founder, Max Schrems, was responsible for the original legal challenge that took down an anterior EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month — although he’d actually targeted Facebook’s use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland’s DPC, to step in and suspend its use of that tool.

The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements — which resulted in the CJEU concluding that the Commission should not have granted the US a so-called ‘adequacy agreement’, thus pulling the rug out from under Privacy Shield.

The decision means the US is now what’s considered a ‘third country’ in data protection terms, with no special arrangement to enable it to process EU users’ information.

More than that, the court’s ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people’s data if it’s being transferred to a third country via SCCs.

European data watchdogs swiftly warned there would be no grace period for entities still illegally relying on Privacy Shield — so anyone listed in the above complaint that’s still referencing the defunct mechanism in their privacy policy won’t even have a proverbial figleaf to hide their legal blushes.

noyb’s contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.

“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb.eu, in a statement.

Since the CJEU’s Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand — signalling they intend to try cobbling together another data pact to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er… ).

Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.

The more cynical among you might say the high level administrative manoeuvers around this topic are, in fact, simply intended to buy more time — for the data to keep flowing and ‘business as usual’ to continue.

But there is now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn’t exist.

Here’s Schrems again, on last month’s CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don’t proactively warn EU customers of their data responsibilities: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.”

And as noyb’s press release notes, GDPR’s penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hi Facebook, hi Google…

The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements — and “adapt to the clear ruling by the EU’s supreme court”, as it puts it.

Other types of legal action are also starting to draw on Europe’s General Data Protection Regulation (GDPR) framework — and, importantly, attract funding — such as two class action style suits filed against Oracle and Salesforce’s use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)

Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it’ll be diminishing returns for US tech giants hoping to pretend everything’s okay on the data processing front.

noyb is also putting its money where its mouth is — offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order. 

“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” Schrems added, in further comments on the latest flotilla of complaints. “This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish DPC that stays dormant.”

We’ve reached out to Ireland’s Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, a number of which target websites that appear to be operated by an Ireland-based legal entity.

Schrems original 2013 complaint against Facebook’s use of SCCs also ended up in Ireland, where the tech giant — and many others — locates its EU EQ. Schrem’s request that the DPC order Facebook to suspend its use of SCCs still hasn’t been fulfilled, some seven years and five complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.

Ireland’s DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc’s law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.

Earlier this summer the Commission acknowledged a lack of uniformly “vigorous” enforcement of GDPR in a review of the mechanism’s first two years of operation.

“The European Data Protection Board [EDPB] and the data protection authorities have to step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement,” said Věra Jourová, Commission VP for values and transparency then, giving the Commission’s first public assessment of whether GDPR is working.

We’ve also reached out to France’s CNIL to ask what action it will be taking in light of the noyb complaints.

Following the judgement in July the French regulator said it was “conducting a precise analysis”, along with the EDPB, with a view to “drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.

Since then the EDPB guidance has come out — inking the obvious: That transfers on the basis of Privacy Shield “are illegal”. And while the CJEU ruling did not invalidate the use of SCCs it gave only a very qualified green light to continued use.

As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” the EDPB added.

TikTok found to have tracked Android users’ MAC addresses until late last year

Until late last year social video app TikTok was using an extra layer of encryption to conceal a tactic for tracking Android users via the MAC address of their device which skirted Google’s policies and did not allow users to opt out, The Wall Street Journal reports. Users were also not informed of this form of tracking, per its report.

Its analysis found that this concealed tracking ended in November as US scrutiny of the company dialled up, after at least 15 months during which TikTok had been gathering the fixed identifier without users’ knowledge.

A MAC address is a unique and fixed identifier assigned to an Internet connected device — which means it can be repurposed for tracking the individual user for profiling and ad targeting purposes, including by being able to re-link a user who has cleared their advertising ID back to the same device and therefore to all the prior profiling they wanted to jettison.

TikTok appears to have exploited a known bug on Android to gather users’ MAC addresses which Google has still failed to plug, per the WSJ.

A spokeswoman for TikTok did not deny the substance of its report, nor engage with specific questions we sent — including regarding the purpose of this opt-out-less tracking. Instead she sent the below statement, attributed to a spokesperson, in which company reiterates what has become a go-to claim that it has never given US user data to the Chinese government:

Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked.

“We always encourage our users to download the most current version of TikTok,” the statement added.

With all eyes on TikTok, as the latest target of the Trump administration’s war on Chinese tech firms, scrutiny of the social video app’s handling of user data has inevitably dialled up.

And while no popular social app platform has its hands clean when it comes to user tracking and profiling for ad targeting, TikTok being owned by China’s ByteDance means its flavor of surveillance capitalism has earned it unwelcome attention from the US president — who has threatened to ban the app unless it sells its US business to a US company within a matter of weeks.

Trump’s fixation on China tech, generally, is centered on the claim that the tech firms pose threats to national security in the West via access to Western networks and/or user data.

The US government is able to point to China’s Internet security law which requires firms to provide the Chinese Communist Party with access to user data — hence TikTok’s emphatic denial of passing data. But the existence of the law makes such claims difficult to stick.

TikTok’s problems with user data don’t stop there, either. Yesterday it emerged that France’s data protection watchdog has been investigating TikTok since May, following a user complaint.

The CNIL’s concerns about how the app handled a user request to delete a video have since broadened to encompass issues related to how transparently it communicates with users, as well as to transfers of user data outside the EU — which, in recent weeks, have become even more legally complex in the region.

Compliance with EU rules on data access rights for users and the processing of minors’ information are other areas of stated concern for the regulator.

Under EU law any fixed identifier (e.g. a MAC address) is treated as personal data — meaning it falls under the bloc’s GDPR data protection framework, which places strict conditions on how such data can be processed, including requiring companies to have a legal basis to collect it in the first place.

If TikTok was concealing its tracking of MAC addresses from users it’s difficult to imagine what legal basis it could claim — consent would certainly not be possible. The penalties for violating GDPR can be substantial (France’s CNIL slapped Google with a $57M fine last year under the same framework, for example).

The WSJ’s report notes that the FTC has said MAC addresses are considered personally identifiable information under the Children’s Online Privacy Protection Act — implying the app could also face a regulatory probe on that front, to add to its pile of US problems.

Presented with the WSJ’s findings, Senator Josh Hawley (R., Mo.) told the newspaper that Google should remove TikTok’s app from its store. “If Google is telling users they won’t be tracked without their consent and knowingly allows apps like TikTok to break its rules by collecting persistent identifiers, potentially in violation of our children’s privacy laws, they’ve got some explaining to do,” he said.

We’ve reached out to Google for comment.

TikTok is being investigated by France’s data watchdog

More worries for TikTok: A European data watchdog that’s landed the biggest blow on a tech giant to date — slapping Google with a $57M fine last year (upheld in June) — now has an open investigation into the social video app du jour, TechCrunch has confirmed.

A spokeswoman for France’s CNIL told us it opened an investigation into how the app handles user data in May 2020, following a complaint related to a request to delete a video. Its probe of the video sharing platform was reported earlier by Politico.

Under the European Union’s data protection framework, citizens who have given consent for their data to be processed continue to hold a range of rights attached to their personal data, including the ability to request a copy or deletion of the information, or ask for their data in a portable form.

Additional requirements under the EU’s GDPR (General Data Protection Regulation) include transparency obligations to ensure accountability with the framework. Which means data controllers must provide data subjects with clear information on the purposes of processing — including in order to obtain legally valid consent to process the data.

The CNIL’s spokeswoman told us its complaint-triggered investigation into TikTok has since widened to include issues related to transparency requirements about how it processes user data; users’ data access rights; transfers of user data outside the EU; and steps the platform takes to ensure the data of minors is adequately protected — a key issue, given the app’s popularity with teens.

French data protection law lets children consent to the processing of their data for information social services such as TikTok at aged 15 (or younger with parental consent).

As regards the original complaint, the CNIL’s spokeswoman said the person in question has since been “invited to exercise his rights with TikTok under the GDPR, which he had not taken beforehand” (via Google Translate).

We’ve reached out to TikTok for comment on the CNIL investigation.

One question mark is it’s not clear whether the French watchdog will be able to see its investigation of TikTok to full conclusion.

In further emailed remarks its spokeswoman noted the company is seeking to designate Ireland’s Data Protection Commission (DPC) as its lead authority in Europe — and is setting up an establishment in Ireland for that purpose. (Related: Last week TikTok announced a plan to open its first data center in Europe, which will eventually hold all EU users’ data, also in Ireland.)

If TikTok is able to satisfy the legal conditions it may be able to move any GDPR investigation to the DPC — which has gained a reputation for being painstakingly slow to enforce complex cross-border GDPR cases. Though in late May it finally submitted a first draft decision (on a Twitter case) to the other EU data watchdogs for review. A final decision in that case is still pending.

“The [TikTok] investigations could therefore ultimately be the sole responsibility of the Irish protection authority, which will have to deal with the case in cooperation with the other European data protection authorities,” the CNIL’s spokeswoman noted, before emphasizing there is a standard of proof it will have to meet.

“To come under the sole jurisdiction of the Irish authority and not of each of the authorities, Tiktok will nevertheless have to prove that its establishment in Ireland fulfils the conditions of a ‘principal establishment’ within the meaning of the GDPR.”

Under Europe’s GDPR framework, national data watchdogs have powers to issue penalties of up to 4% of a company’s global annual turnover and can also order infringing data processing to cease. But to do any of that they have to first investigate and go through the process of issuing a decision. In cross-border cases where multiple watchdogs have an interest, there’s also a requirement to liaise with other regulators to ensure there’s broad consensus on any decision.

Google is building a new private subsea cable between Europe and the U.S.

Google today announced its plans to build a new subsea cable with landing points in New York in the U.S. and Bude, UK and Bilbao, Spain in Europe. The new cable, named after the pioneering computer scientist Grace Hopper, will join Google’s various other private subsea cables like Curie between the U.S. and South America, Dunant between the U.S. and France, and Equiano between Europe and Africa.

The new cable is scheduled to go online in 2022 and will be built by SubCom, which Google also contracted for work on its Dunant and Curie cables.

Image Credits: Google

Google plans to launch a new Google Cloud region in Madrid in the near future, so it’s maybe no surprise that it is also looking at how it can best connect the region to its global network. The new cable marks Google’s first cable to Spain and its first private subsea cable route to the UK.

The cable will feature 16 fiber pairs, which is a pretty standard number, but as the Google team stresses, it will be the first to use a new switching architecture the company developed in cooperation with SubCom. This new system is meant to provide increased reliability and to enable the company to better move traffic around outages.

Grace Hopper will be Google’s fourth wholly-owned cable. In addition to these private cables, the company is also a member of a number of consortiums that jointly operate cables around the world. In total, Google has now announced investments in 15 subsea cables, though it is also reportedly part of the upcoming Blue-Raman Cable that will run between India and Italy via Israel. The company has yet to confirm its participation in this project, though.

French court slaps down Google’s appeal against $57M GDPR fine

France’s top court for administrative law has dismissed Google’s appeal against a $57M fine issued by the data watchdog last year for not making it clear enough to Android users how it processes their personal information.

The State Council issued the decision today, affirming the data watchdog CNIL’s earlier finding that Google did not provide “sufficiently clear” information to Android users — which in turn meant it had not legally obtained their consent to use their data for targeted ads.

“Google’s request has been rejected,” a spokesperson for the Conseil D’Etat confirmed to TechCrunch via email.

“The Council of State confirms the CNIL’s assessment that information relating to targeting advertising is not presented in a sufficiently clear and distinct manner for the consent of the user to be validly collected,” the court also writes in a press release [translated with Google Translate] on its website.

It found the size of the fine to be proportionate — given the severity and ongoing nature of the violations.

Importantly, the court also affirmed the jurisdiction of France’s national watchdog to regulate Google — at least on the date when this penalty was issued (January 2019).

The CNIL’s multimillion dollar fine against Google remains the largest to date against a tech giant under Europe’s flagship General Data Protection Regulation (GDPR) — lending the case a certain symbolic value, for those concerned about whether the regulation is functioning as intended vs platform power.

While the size of the fine is still relative peanuts vs Google’s parent entity Alphabet’s global revenue, changes the tech giant may have to make to how it harvests user data could be far more impactful to its ad-targeting bottom line. 

Under European law, for consent to be a valid legal basis for processing personal data it must be informed, specific and freely given. Or, to put it another way, consent cannot be strained.

In this case French judges concluded Google had not provided clear enough information for consent to be lawfully obtained — including objecting to a pre-ticked checkbox which the court affirmed does not meet the requirements of the GDPR.

So, tl;dr, the CNIL’s decision has been entirely vindicated.

Reached for comment on the court’s dismissal of its appeal, a Google spokeswoman sent us this statement:

People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both. This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.

GDPR came into force in 2018, updating long standing European data protection rules and opening up the possibility of supersized fines of up to 4% of global annual turnover.

However actions against big tech have largely stalled, with scores of complaints being funnelled through Ireland’s Data Protection Commission — on account of a one-stop-shop mechanism in the regulation — causing a major backlog of cases. The Irish DPC has yet to issue decisions on any cross border complaints, though it has said its first ones are imminent — on complaints involving Twitter and Facebook.

Ireland’s data watchdog is also continuing to investigate a number of complaints against Google, following a change Google announced to the legal jurisdiction of where it processes European users’ data — moving them to Google Ireland Limited, based in Dublin, which it said applied from January 22, 2019 — with ongoing investigations by the Irish DPC into a long running complaint related to how Google handles location data and another major probe of its adtech, to name two

On the GDPR one-stop shop mechanism — and, indirectly, the wider problematic issue of ‘forum shopping’ and European data protection regulation — the French State Council writes: “Google believed that the Irish data protection authority was solely competent to control its activities in the European Union, the control of data processing being the responsibility of the authority of the country where the main establishment of the data controller is located, according to a ‘one-stop-shop’ principle instituted by the GDPR. The Council of State notes however that at the date of the sanction, the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing, the company Google LLC located in the United States with this power alone.”

In its own statement responding to the court’s decision, the CNIL notes the court’s view that GDPR’s one-stop-shop mechanism was not applicable in this case — writing: “It did so by applying the new European framework as interpreted by all the European authorities in the guidelines of the European Data Protection Committee.”

Privacy NGO noyb — one of the privacy campaign groups which lodged the original ‘forced consent’ complaint against Google, all the way back in May 2018 — welcomed the court’s decision on all fronts, including the jurisdiction point.

Commenting in a statement, noyb’s honorary chairman, Max Schrems, said: “It is very important that companies like Google cannot simply declare themselves to be ‘Irish’ to escape the oversight by the privacy regulators.”

A key question is whether CNIL — or another (non-Irish) EU DPA — will be found to be competent to sanction Google in future, following its shift to naming its Google Ireland subsidiary as the regional data processor. (Other tech giants use the same or a similar playbook, seeking out the EU’s more ‘business-friendly’ regulators.)

On the wider ruling, Schrems also said: “This decision requires substantial improvements by Google. Their privacy policy now really needs to make it crystal clear what they do with users’ data. Users must also get an option to agree to only some parts of what Google does with their data and refuse other things.”

French digital rights group, La Quadrature du Net — which had filed a related complaint against Google, feeding the CNIL’s investigation — also declared victory today, noting it’s the first sanction in a number of GDPR complaints it has lodged against tech giants on behalf of 12,000 citizens.

“The rest of the complaints against Google, Facebook, Apple and Microsoft are still under investigation in Ireland. In any case, this is what this authority promises us,” it added in another tweet.