
Europe’s top court slaps down ‘zero rating’ again

By Natasha Lomas

Europe’s top court has dealt another blow to ‘zero rating’ — ruling for a second time that the controversial carrier practice goes against the European Union’s rules on open Internet access.

‘Zero rating’ refers to commercial offers that can be made by mobile network operators to entice customers by excluding the data consumption of certain (often popular) apps from a user’s tariff.

The practice is controversial because it goes against the ‘level playing field’ principle of the open Internet (aka ‘net neutrality’).

EU legislators passed the bloc’s first set of open Internet/net neutrality rules back in 2015 — with the law coming into application in 2016 — but critics warned at the time over vague provisions in the regulation which they suggested could be used by carriers to undermine the core fairness principle of treating all Internet traffic the same.

Some regional telcos have continued to put out zero rating offers — which has led to a number of challenges to test the robustness of the law. But the viability of zero rating within the EU must now be in doubt given the double slap-down by the CJEU.

In its first major decision last year — relating to a challenge against Telenor in Hungary — the court found that commercial use of zero rating was liable to limit the exercise of end users’ rights within the meaning of the regulation.

Its ruling today — which relates to a challenge against zero rating by Vodafone and Telekom Deutschland in Germany (this time with a roaming component) — comes to what looks like an even clearer conclusion, with the court giving the practice very short shrift indeed.

“By today’s judgments, the Court of Justice notes that a ‘zero tariff’ option, such as those at issue in the main proceedings, draws a distinction within internet traffic, on the basis of commercial considerations, by not counting towards the basic package traffic to partner applications. Such a commercial practice is contrary to the general obligation of equal treatment of traffic, without discrimination or interference, as required by the regulation on open internet access,” it writes in a (notably brief) press release summarizing the judgement.

“Since those limitations on bandwidth, tethering or on use when roaming apply only on account of the activation of the ‘zero tariff’ option, which is contrary to the regulation on open internet access, they are also incompatible with EU law,” it added.

We’ve reached out to Vodafone and Telekom Deutschland for comment on the ruling.

In a statement welcoming the CJEU’s decision, the European consumer protection association BEUC’s senior digital policy officer, Maryant Fernández Pérez, dubbed the ruling “very positive news for consumers and those who want the internet to stay open to all”.

“When companies like Vodafone use these ‘zero tariff’ rates, they essentially lock-in consumers and limit what the Internet can offer to them. Zero-rating is detrimental to consumer choice, competition, innovation, media diversity and freedom of information,” she added.

WhatsApp faces $267M fine for breaching Europe’s GDPR

By Natasha Lomas

It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime: Ireland’s Data Protection Commission (DPC) has just announced a €225 million (~$267M) fine for WhatsApp.

The Facebook-owned messaging app has been under investigation by the Irish DPC, its lead data supervisor in the European Union, since December 2018 — several months after the first complaints were fired at WhatsApp over how it processes user data under Europe’s General Data Protection Regulation (GDPR), once it began being applied in May 2018.

Despite receiving a number of specific complaints about WhatsApp, the investigation undertaken by the DPC that’s been decided today was what’s known as an “own volition” enquiry — meaning the regulator selected the parameters of the investigation itself, choosing to fix on an audit of WhatsApp’s ‘transparency’ obligations.

A key principle of the GDPR is that entities which are processing people’s data must be clear, open and honest with those people about how their information will be used.

The DPC’s decision today (which runs to a full 266 pages) concludes that WhatsApp failed to live up to the standard required by the GDPR.

Its enquiry considered whether or not WhatsApp fulfils transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users if a user agrees to it ingesting their phone book which contains other people’s personal data); as well as looking at the transparency the platform offers over its sharing of data with its parent entity Facebook (a highly controversial issue at the time the privacy U-turn was announced back in 2016, although it predated GDPR being applied).

In sum, the DPC found a range of transparency infringements by WhatsApp — spanning articles 5(1)(a); 12, 13 and 14 of the GDPR.

In addition to issuing a sizeable financial penalty, it has ordered WhatsApp to take a number of actions to improve the level of transparency it offers users and non-users — giving the tech giant a three-month deadline for making all the ordered changes.

In a statement responding to the DPC’s decision, WhatsApp disputed the findings and dubbed the penalty “entirely disproportionate” — as well as confirming it will appeal, writing:

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.” 

It’s worth emphasizing that the scope of the DPC enquiry which has finally been decided today was limited to only looking at WhatsApp’s transparency obligations.

The regulator was explicitly not looking into wider complaints — which have also been raised against Facebook’s data-mining empire for well over three years — about the legal basis WhatsApp claims for processing people’s information in the first place.

So the DPC will continue to face criticism over both the pace and approach of its GDPR enforcement.

…system to add years until this fine will actually be paid – but at least it's a start… 10k cases per year to go! 😜

— Max Schrems 🇪🇺 (@maxschrems) September 2, 2021

 

Indeed, prior to today, Ireland’s regulator had only issued one decision in a major cross-border case addressing ‘Big Tech’ — against Twitter when, back in December, it knuckle-tapped the social network over a historical security breach with a fine of $550k.

WhatsApp’s first GDPR penalty is, by contrast, considerably larger — reflecting what EU regulators (plural) evidently consider to be a far more serious infringement of the GDPR.

Transparency is a key principle of the regulation. And while a security breach may indicate sloppy practice, systematic opacity towards people whose data your adtech empire relies upon to turn a fat profit looks rather more intentional; indeed, it’s arguably the whole business model.

And — at least in Europe — such companies are going to find themselves being forced to be up front about what they’re doing with people’s data.

Is GDPR working?  

The WhatsApp decision will rekindle the debate about whether the GDPR is working effectively where it counts most: Against the most powerful companies in the world, who are also of course Internet companies.

Under the EU’s flagship data protection regulation, decisions on cross border cases require agreement from all affected regulators — across the 27 Member States — so while the GDPR’s “one-stop-shop” mechanism seeks to streamline the regulatory burden for cross-border businesses by funnelling complaints and investigations via a lead regulator (typically where a company has its main legal establishment in the EU), objections can be raised to that lead supervisory authority’s conclusions (and any proposed sanctions), as has happened here, in this WhatsApp case.

Ireland originally proposed a far more low-ball penalty of up to €50M for WhatsApp. However other EU regulators objected to the draft decision on a number of fronts — and the European Data Protection Board (EDPB) ultimately had to step in and take a binding decision (issued this summer) to settle the various disputes.

Through that (admittedly rather painful) joint-working, the DPC was required to increase the size of the fine issued to WhatsApp, in a mirror of what happened with its draft Twitter decision — where the DPC had also suggested an even tinier penalty in the first instance.

While there is a clear time cost in settling disputes between the EU’s smorgasbord of data protection agencies — the DPC submitted its draft WhatsApp decision to the other DPAs for review back in December, so it’s taken well over half a year to hash out all the disputes about WhatsApp’s lossy hashing and so forth — the fact that ‘corrections’ are being made to its decisions and conclusions can land — if not jointly agreed but at least arriving via a consensus being pushed through by the EDPB — is a sign that the process, while slow and creaky, is working.

Even so, Ireland’s data watchdog will continue to face criticism for its outsized role in handling GDPR complaints and investigations — with some accusing the DPC of essentially cherry-picking which issues to examine in detail (by its choice and framing of cases) and which to elide entirely (by those issues it doesn’t open an enquiry into or complaints it simply drops or ignores), with its loudest critics arguing it’s therefore still a major bottleneck on effective enforcement of data protection rights across the EU. And the associated conclusion for that critique is that tech giants like Facebook are still getting a pretty free pass to violate Europe’s privacy rules.

But while it’s true that a $267M penalty is still the equivalent of a parking ticket for Facebook, orders to change how such adtech giants are able to process people’s information have the potential to be a far more significant correction on problematic business models. Again, though, time will be needed to tell.

In a statement on the WhatsApp decision today, noyb, the privacy advocacy group founded by long-time European privacy campaigner Max Schrems, said: “We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50M fine and was forced by the other European data protection authorities to move towards €225M, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”

Schrems also noted that he and noyb still have a number of pending cases before the DPC — including on WhatsApp.

In further remarks, Schrems and noyb said: “WhatsApp will surely appeal the decision. In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork. It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts. I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”

Report: India may be next in line to mandate changes to Apple’s in-app payment rules

By Ingrid Lunden

Summer is still technically in session, but a snowball is slowly developing in the world of apps, and specifically the world of in-app payments. A report in Reuters today says that the Competition Commission of India, the country’s monopoly regulator, will soon be looking at an antitrust suit filed against Apple over how it mandates that app developers use Apple’s own in-app payment system — thereby giving Apple a cut of those payments — when publishers charge users for subscriptions and other items in their apps.

The Indian non-profit that filed the suit, called “Together We Fight Society”, said in a statement to Reuters that it was representing consumer and startup interests in its complaint.

The move would be the latest in what has become a string of challenges from national regulators against app store operators — specifically Apple but also others like Google and WeChat — over how they wield their positions to enforce market practices that critics have argued are anti-competitive. Other countries that have in recent weeks reached settlements, passed laws, or are about to introduce laws include Japan, South Korea, Australia, the U.S. and the European Union.

And in India specifically, the regulator is currently working through a similar investigation as it relates to in-app payments in Android apps, which Google mandates use its proprietary payment system. Google and Android dominate the Indian smartphone market, with the operating system active on 98% of the 520 million devices in use in the country as of the end of 2020.

It will be interesting to watch whether more countries wade in as a result of these developments. Ultimately, it could force app store operators, to avoid further and deeper regulatory scrutiny, to adopt new and more flexible universal policies.

In the meantime, we are seeing changes happen on a country-by-country basis.

Just yesterday, Apple reached a settlement in Japan that will let publishers of “reader” apps (those for using or consuming media like books and news, music, files in the cloud and more) redirect users to external sites to provide alternatives to Apple’s proprietary in-app payment provision. Although it’s not as seamless as paying within the app, redirecting previously was typically not allowed, and in doing so the publishers can avoid Apple’s cut.

South Korean legislators earlier this week approved a measure that will make it illegal for Apple and Google to make a commission by forcing developers to use their proprietary payment systems.

And last week, Apple also made some movements in the U.S. around allowing alternative forms of payments, but relatively speaking the concessions were somewhat indirect: app publishers can refer to alternative, direct payment options in apps now, but not actually offer them. (Not yet at least.)

Some developers and consumers have been arguing for years that Apple’s strict policies should open up more. Apple however has long said in its defense that it mandates certain developer policies to build better overall user experiences, and for reasons of security. But, as app technology has evolved, and consumer habits have changed, critics believe that this position needs to be reconsidered.

One factor in Apple’s defense in India specifically might be the company’s position in the market. Android absolutely dominates India when it comes to smartphones and mobile services, with Apple actually a very small part of the ecosystem.

As of the end of 2020, it accounted for just 2% of the 520 million smartphones in use in the country, according to figures from Counterpoint Research quoted by Reuters. That figure had doubled in the last five years, but it’s a long way from a majority, or even significant minority.

The antitrust filing in India has yet to be filed formally, but Reuters notes that the wording leans on the fact that anti-competitive practices in payments systems make it less viable for many publishers to exist at all, since the economics simply do not add up:

“The existence of the 30% commission means that some app developers will never make it to the market,” Reuters noted from the filing. “This could also result in consumer harm.”

Reuters notes that the CCI will be reviewing the case in the coming weeks before deciding whether it should run a deeper investigation or dismiss it. It typically does not publish filings during this period.

Google appeals ‘disproportionate’ French copyright talks fine

By Natasha Lomas

Google is appealing the more than half a billion-dollar fine it got slapped with by France’s competition authority in July.

The penalty relates to the adtech giant’s approach toward paying news publishers for content reuse.

In a statement today, Sebastien Missoffe, a Google France VP and country manager, characterized the fine as “disproportionate” — claiming that the $592 million penalty is not justified in light of Google’s “efforts” to cut a deal with news publishers and comply with updated copyright rules. Which reads like fairly weak sauce, as defence statements go.

“We are appealing the French Competition Authority’s decision which relates to our negotiations between April and August 2020. We disagree with a number of legal elements, and believe that the fine is disproportionate to our efforts to reach an agreement and comply with the new law,” wrote Missoffe, adding: “Irrespective of this, we recognize neighboring rights and we continue to work hard to resolve this case and put deals in place. This includes expanding offers to 1,200 publishers, clarifying aspects of our contracts, and we are sharing more data as requested by the French Competition Authority in their July Decision.”

Back in 2019, the European Union agreed on an update to digital copyright rules which extended cover to the ledes of news stories — snippets of which aggregators such as Google News had for years routinely scraped and displayed.

Individual EU Member States then needed to transpose the updated pan-EU reforms into their national laws — with France leading the pack to do so.

The country’s competition watchdog has also been leading the charge in enforcing updated rules against Google — ordering the tech giant to negotiate with publishers last year and following that up with a whopping fine when publishers complained to it about how Google was treating those talks.

Announcing the penalty this summer, the Autorité de la Concurrence accused the tech giant of attempting to unilaterally impose a global news licensing product it operates upon local publishers in a bid to avoid having to put a separate financial value on neighbouring rights remuneration — where there is a legal requirement (under EU and French law) upon it to negotiate with said publishers…

The watchdog’s full list of grievances against Google’s modus operandi was very long — check out our earlier report here — so it’s not clear how much of a placeholder action this appeal by Google is.

Per Reuters, the Autorité has said the appeal will not hold up the penalty nor impede the timeline of the order it already issued — which, in mid July, gave Google a two month timeframe to revise its offer and provide publishers with all the required info, with the threat of daily fines (of €900,000) if it failed to meet all its requirements by then. So there are now only a couple of weeks to go before that deadline.

Google may thus be hoping that by announcing an appeal now it will help ‘concentrate’ publishers’ minds — and encourage them to accept — whatever tweaked offer it comes up with, hence its statement noting an ‘expanded’ offer (now covering 1,200 publishers), and talk of “clarifying aspects of our contracts” and “sharing more data”, all of which were areas where Google got roundly spanked by the Autorité. 

UK names John Edwards as its choice for next data protection chief as gov’t eyes watering down privacy standards

By Natasha Lomas

The UK government has named the person it wants to take over as its chief data protection watchdog, with sitting commissioner Elizabeth Denham overdue to vacate the post: The Department of Digital, Culture, Media and Sport (DCMS) today said its preferred replacement is New Zealand’s privacy commissioner, John Edwards.

Edwards, who has a legal background, has spent more than seven years heading up the Office of the Privacy Commissioner in New Zealand — in addition to other roles with public bodies in his home country.

He is perhaps best known to the wider world for his verbose Twitter presence and for taking a public dislike to Facebook: In the wake of the 2018 Cambridge Analytica data misuse scandal Edwards publicly announced that he was deleting his account with the social media company — accusing Facebook of not complying with the country’s privacy laws.

An anti-‘Big Tech’ stance aligns with the UK government’s agenda to tame the tech giants as it works to bring in safety-focused legislation for digital platforms and reforms of competition rules that take account of platform power.

Official announcement

Government announces preferred candidate for Information Commissioner – https://t.co/2fri3ROyhm https://t.co/i8b4OBcwzC

— John Edwards (@JCE_PC) August 26, 2021

If confirmed in the role — the DCMS committee has to approve Edwards’ appointment; plus there’s a ceremonial nod needed from the Queen — he will be joining the regulatory body at a crucial moment as digital minister Oliver Dowden has signalled the beginnings of a planned divergence from the European Union’s data protection regime, post-Brexit, by Boris Johnson’s government.

Dial back the clock five years and prior digital minister, Matt Hancock, was defending the EU’s General Data Protection Regulation (GDPR) as a “decent piece of legislation” — and suggesting to parliament that there would be little room for the UK to diverge in data protection post-Brexit.

But Hancock is now out of government (aptly enough after a data leak showed him breaching social distancing rules by kissing his aide inside a government building), and the government mood music around data has changed key to something far more brash — with sitting digital minister Dowden framing unfettered (i.e. deregulated) data-mining as “a great opportunity” for the post-Brexit UK.

For months, now, ministers have been eyeing how to rework the UK’s current (legacy) EU-based data protection framework — to, essentially, reduce user rights in favor of soundbites heavy on claims of slashing ‘red tape’ and turbocharging data-driven ‘innovation’. Of course the government isn’t saying the quiet part out loud; its press releases talk about using “the power of data to drive growth and create jobs while keeping high data protection standards”. But those standards are being reframed as a fig leaf to enable a new era of data capture and sharing by default.

Dowden has said that the emergency data-sharing which was waved through during the pandemic — when the government used the pressing public health emergency to justify handing NHS data to a raft of tech giants — should be the ‘new normal’ for a post-Brexit UK. So, tl;dr, get used to living in a regulatory crisis.

A special taskforce, which was commissioned by the prime minister to investigate how the UK could reshape its data policies outside the EU, also issued a report this summer — in which it recommended scrapping some elements of the UK’s GDPR altogether — branding the regime “prescriptive and inflexible”; and advocating for changes to “free up data for innovation and in the public interest”, as it put it, including pushing for revisions related to AI and “growth sectors”.

The government is now preparing to reveal how it intends to act on its appetite to ‘reform’ (read: reduce) domestic privacy standards — with proposals for overhauling the data protection regime incoming next month.

Speaking to the Telegraph for a paywalled article published yesterday, Dowden trailed one change that he said he wants to make which appears to target consent requirements — with the minister suggesting the government will remove the legal requirement to gain consent to, for example, track and profile website visitors — all the while framing it as a pro-consumer move; a way to do away with “endless” cookie banners.

Only cookies that pose a ‘high risk’ to privacy would still require consent notices, per the report — whatever that means.

Oliver Dowden, the UK Minister for Digital, Culture, Media and Sport, says that the UK will break away from GDPR, and will no longer require cookie warnings, other than those posing a 'high risk'. https://t.co/2ucnppHrIm pic.twitter.com/RRUdpJumYa

— dan barker (@danbarker) August 25, 2021

“There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible,” the digital minister also told the Telegraph.

The draft of this Great British ‘light touch’ data protection framework will emerge next month, so all the detail is still to be set out. But the overarching point is that the government intends to redefine UK citizens’ privacy rights, using meaningless soundbites — with Dowden touting a plan for “common sense” privacy rules — to cover up the fact that it intends to reduce the UK’s currently world class privacy standards and replace them with worse protections for data.

If you live in the UK, how much privacy and data protection you get will depend upon how much ‘innovation’ ministers want to ‘turbocharge’ today — so, yes, be afraid.

It will then fall to Edwards — once/if approved in post as head of the ICO — to nod any deregulation through in his capacity as the post-Brexit information commissioner.

We can speculate that the government hopes to slip through the devilish detail of how it will torch citizens’ privacy rights behind flashy, distraction rhetoric about ‘taking action against Big Tech’. But time will tell.

Data protection experts are already warning of a regulatory stooge.

Meanwhile, the Telegraph suggests Edwards is seen by government as an ideal candidate to ensure the ICO takes a “more open and transparent and collaborative approach” in its future dealings with business.

In a particularly eyebrow raising detail, the newspaper goes on to report that government is exploring the idea of requiring the ICO to carry out “economic impact assessments” — to, in the words of Dowden, ensure that “it understands what the cost is on business” before introducing new guidance or codes of practice.

All too soon, UK citizens may find that — in the ‘sunny post-Brexit uplands’ — they are afforded exactly as much privacy as the market deems acceptable to give them. And that Brexit actually means watching your fundamental rights being traded away.

In a statement responding to Edwards’ nomination, Denham, the outgoing information commissioner, appeared to offer some lightly coded words of warning for government, writing [emphasis ours]: “Data driven innovation stands to bring enormous benefits to the UK economy and to our society, but the digital opportunity before us today will only be realised where people continue to trust their data will be used fairly and transparently, both here in the UK and when shared overseas.”

The lurking iceberg for government is of course that if it wades in and rips up a carefully balanced, gold standard privacy regime on a soundbite-centric whim — replacing a pan-European standard with ‘anything goes’ rules of its/the market’s choosing — it’s setting the UK up for a post-Brexit future of domestic data misuse scandals.

You only have to look at the dire parade of data breaches over in the US to glimpse what’s coming down the pipe if data protection standards are allowed to slip. The government publicly bashing the privacy sector for adhering to lax standards it deregulated could soon be the new ‘get popcorn’ moment for UK policy watchers…

UK citizens will surely soon learn of unfair and unethical uses of their data under the ‘light touch’ data protection regime — i.e. when they read about it in the newspaper.

Such an approach will indeed be setting the country on a path where mistrust of digital services becomes the new normal. And that of course will be horrible for digital business over the longer run. But Dowden appears to lack even a surface understanding of Internet basics.

The UK is also of course setting itself on a direct collision course with the EU if it goes ahead and lowers data protection standards.

This is because its current data adequacy deal with the bloc — which allows for EU citizens’ data to continue flowing freely to the UK — is precariously placed: it was granted only on the basis that the UK was, at the time it was inked, still aligned with the GDPR.

So Dowden’s rush to rip up protections for people’s data presents a clear risk to the “significant safeguards” needed to maintain EU adequacy.

Back in June, when the Commission signed off on the UK’s adequacy deal, it clearly warned that “if anything changes on the UK side, we will intervene”. Moreover, the adequacy deal is also the first with a baked in sunset clause — meaning it will automatically expire in four years.

So even if the Commission avoids taking proactive action over slipping privacy standards in the UK there is a hard deadline — in 2025 — when the EU’s executive will be bound to look again in detail at exactly what Dowden & Co. have wrought. And it probably won’t be pretty.

The longer term UK ‘plan’ (if we can put it that way) appears to be to replace domestic economic reliance on EU data flows — by seeking out other jurisdictions that may be friendly to a privacy-light regime governing what can be done with people’s information.

Hence — also today — DCMS trumpeted an intention to secure what it billed as “new multi-billion pound global data partnerships” — saying it will prioritize striking ‘data adequacy’ “partnerships” with the US, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia.

Future partnerships with India, Brazil, Kenya and Indonesia will also be prioritized, it added — with the government department cheerfully glossing over the fact it’s UK citizens’ own privacy that is being deprioritized here.

“Estimates suggest there is as much as £11 billion worth of trade that goes unrealised around the world due to barriers associated with data transfers,” DCMS writes in an ebullient press release.

As it stands, the EU is of course the UK’s largest trading partner. And statistics from the House of Commons library on the UK’s trade with the EU — which you won’t find cited in the DCMS release — underline quite how tiny this potential Brexit ‘data bonanza’ is, given that UK exports to the EU stood at £294 billion in 2019 (43% of all UK exports).

So even the government’s ‘economic’ case to water down citizens’ privacy rights looks to be puffed up with the same kind of misleadingly vacuous nonsense as ministers’ reframing of a post-Brexit UK as ‘Global Britain’.

Everyone hates cookie banners, sure, but that’s a case for strengthening not weakening people’s privacy — for making non-tracking the default setting online and outlawing manipulative dark patterns so that Internet users don’t constantly have to affirm they want their information protected. Instead the UK may be poised to get rid of annoying cookie consent ‘friction’ by allowing a free for all on people’s data.

 

EU hits Amazon with record-breaking $887M GDPR fine over data misuse

By Carly Page

Luxembourg’s National Commission for Data Protection (CNPD) has hit Amazon with a record-breaking €746 million ($887m) GDPR fine over the way it uses customer data for targeted advertising purposes.

Amazon disclosed the ruling in an SEC filing on Friday in which it slammed the decision as baseless and added that it intended to defend itself “vigorously in this matter.”

“Maintaining the security of our customers’ information and their trust are top priorities,” an Amazon spokesperson said in a statement. “There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.

“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that claims to represent the interests of thousands of Europeans to ensure their data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes. The complaint, which also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers, alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.

La Quadrature du Net welcomed the fine issued by the CNPD, which “comes after three years of silence that made us fear the worst.”

“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” the group added in a blog post published on Friday.

The CNPD has also ruled that Amazon must commit to changing its business practices. However, the regulator has not publicly commented on its decision, and Amazon didn’t specify what revised business practices it is proposing.

The record penalty, which trumps the €50 million GDPR penalty levied against Google in 2019, comes amid heightened scrutiny of Amazon’s business in Europe. In November last year, the European Commission announced formal antitrust charges against the company, saying the retailer has misused its position to compete against third-party businesses using its platform. At the same time, the Commission opened a second investigation into its alleged preferential treatment of its own products on its site and those of its partners.

Colombia’s Merqueo bags $50M to expand its online grocery delivery service across Latin America

By Mary Ann Azevedo

Merqueo, which operates a full-stack, on-demand delivery service in Latin America, has landed $50 million in a Series C round of funding.

IDC Ventures, Digital Bridge and IDB Invest co-led the round, which also included participation from MGM Innova Group, Celtic House Venture Partners, Palm Drive Capital and previous shareholders. The financing brings the Bogota, Colombia-based startup’s total raised to $85 million since its 2017 inception.

Merqueo CEO and co-founder Miguel McAllister knows a thing or two about the delivery space in Latin America, having also co-founded Domicilios.com, a Latin American food delivery company that was bought by Berlin-based Delivery Hero and later merged with Brazil’s iFood.

McAllister describes Merqueo as a “pure-play online supermarket with a fully integrated grocery delivery service” that sources directly from large brands and local suppliers, bypassing intermediaries and “delivering directly from its dark store network.” (Dark stores are traditional retail stores that have been converted to local fulfillment centers.)

Merqueo offers more than 8,000 products, including fresh foods, packaged goods, home essentials, beverages and frozen products. It currently operates in more than 25 cities in Colombia, Mexico and Brazil and has over 600,000 users.

It must be doing something right. The startup is close to $100 million in “run-rate revenue,” according to McAllister, having grown more than 2.5x in 2020. Merqueo also reached positive cash flow in Colombia, its most mature market. Over the last year, large Latin American retail chains and retailers have approached the company about potentially acquiring it, McAllister said.

Part of the company’s success might be attributed to the speed and flexibility it offers. Users can choose how and when to receive their groceries according to their needs, with the startup offering delivery in as little as 10 minutes or three to four hours. Users can also schedule delivery of their groceries in two-hour intervals for the same day or the next day.

Also, owning and controlling the “entire” vertical supply chain gives it the ability to obtain better margins, offer competitive pricing and achieve healthy unit economics, according to McAllister.

Merqueo plans to use its new capital in part to expand geographically. The company is currently in phase one of its expansion to Brazil, entering initially in Sao Paulo later this month. Next year, it expects to launch in other Brazilian cities such as Rio de Janeiro, Fortaleza and Salvador de Bahia.

The market opportunity in Latin America is massive considering that online grocery sales represent just 1% of the market, far lower than in the U.S., EU or China, for example. Other players in the increasingly crowded space include GoPuff in the U.S., Getir out of Turkey and Mexico-based Jüsto, which raised $65 million in a Series A led by General Atlantic earlier this year.

“The pandemic accelerated the adoption of online grocery shopping in LatAm,” McAllister told TechCrunch. “The region went from 0.3% share of online groceries to 1%. And after the pandemic, we are seeing a 50% increase in the pace of user adoption.” Overall, the $85 billion e-commerce market in Latin America is growing rapidly, with projections of it reaching $116.2 billion in 2023.

Currently, Merqueo has over 1,300 employees in LatAm, up 60% from last year. It plans to continue hiring with the proceeds from the Series C round as well as work “to become the largest and most ambitious dark stores network of Latin America.”

Alejandro Rodríguez, managing partner at IDC Ventures, is naturally bullish on Merqueo’s potential.

“From all the opportunities we looked into, Merqueo is undoubtedly the most advanced in the region. … The Merqueo team has proved they know how to scale the business and how to get to profitability,” Rodríguez told TechCrunch.

Online grocery delivery is a business with many technical and operational complexities, he said. In his view, Merqueo’s technology and operational expertise allow it to tackle those issues in a way that has led to “the best customer experience that we have seen in a scalable way.”

“They have the best combination of both great service metrics and healthy unit economics,” Rodríguez added.

European Investment Fund puts $30M in Fabric Ventures’ new $130M digital assets fund

By Mike Butcher

Despite their rich engineering talent, Blockchain entrepreneurs in the EU often struggle to find backing due to the dearth of large funds and investment expertise in the space. But a big move takes place at an EU level today, as the European Investment Fund makes a significant investment into a blockchain and digital assets venture fund.

Fabric Ventures, a Luxembourg-based VC billed as backing the “Open Economy,” has closed $130 million for its 2021 fund, $30 million of which is coming from the European Investment Fund (EIF). Other backers of the new fund include 33 founders, partners, and executives from Ethereum, (Transfer)Wise, PayPal, Square, Google, PayU, Ledger, Raisin, Ebury, PPRO, NEAR, Felix Capital, LocalGlobe, Earlybird, Accelerator Ventures, Aztec Protocol, Aragon, Orchid, MySQL, Verifone, OpenOcean, Claret Capital, and more.

This makes it the first EIF-backed fund mandated to invest in digital assets and blockchain technology.

EIF Chief Executive Alain Godard said: “We are very pleased to be partnering with Fabric Ventures to bring to the European market this fund specializing in Blockchain technologies… This partnership seeks to address the need [in Europe] and unlock financing opportunities for entrepreneurs active in the field of blockchain technologies – a field of particular strategic importance for the EU and our competitiveness on the global stage.”

The subtext here is that the EIF wants some exposure to these new, decentralized platforms, potentially as a bulwark against the centralized platforms coming out of the US and China.

And yes, while the price of Bitcoin has yo-yo’d, there is now $100 billion invested in the decentralized finance sector and a $1.5 billion NFT market. This technology is going nowhere.

Fabric hasn’t just come from nowhere, either. Various Fabric Ventures team members have been involved in Orchestream, the Honeycomb Project at Sun Microsystems, Tideway, RPX, Automic, Yoyo Wallet, and Orchid.

Richard Muirhead is Managing Partner, and is joined by partners Max Mersch and Anil Hansjee. Hansjee becomes General Partner after leaving PayPal’s Venture Fund, which he led for EMEA. The team has experience in token design, market infrastructure, and community governance.

The same team started the Firestartr fund in 2012, backing Tray.io, Verse, Railsbank, Wagestream, Bitstamp, and others.

Muirhead said: “It is now well acknowledged that there is a need for a web that is user-owned and, consequently, more human-centric. There are astonishing people crafting this digital fabric for the benefit of all. We are excited to support those people with our latest fund.”

On a call with TechCrunch Muirhead added: “The thing to note here is that there’s a recognition at European Commission level, that this area is one of geopolitical significance for the EU bloc. On the one hand, you have the ‘wild west’ approach of North America, and, arguably, on the other is the surveillance state of the Chinese Communist Party.”

He said: “The European Commission, I think, believes that there is a third way for the individual, and to use this new wave of technology for the individual. Also for businesses. So we can have networks and marketplaces of individuals sharing their data for their own benefit, and businesses in supply chains sharing data for their own mutual benefits. So that’s the driving view.”

The European VC market is so hot it may skip its summer holiday

By Anna Heim

The startup market is having a moment around the world, but few regions can brag as much as Europe when it comes to venture capital investment. Yes, the United States is putting up impressive numbers and Indian startups are booming. But Europe is such a bright spot in the larger world of private startup investment that it deserves more solo attention.

The data coming out of the continent is staggering: According to a Dealroom report, some €49 billion was raised by European startups in the first six months of 2021. That’s 2.9x as much as was raised by the region’s technology upstarts in the first half of 2020, and easily crests previous full-year records set in 2020 and 2019.



The epic start to 2021 for European startup fundraising crushes any preceding year that The Exchange has data for, erasing concerns that the continent simply won’t be able to create breakout tech companies that compete globally.

There are other signals that things are red-hot in Europe, including the recent direct listing of Wise on the London Stock Exchange. The company was valued at a huge $11 billion price when it did so.

Rapid investment and big exits are now the norm out of Europe. Naturally, we wanted to learn more about where venture dollars may point in the future. What follows is a synthesis of market data and notes from Diana Koziarska, a partner at SMOK Ventures; Vinoth Jayakumar, a partner at Draper Esprit; Simon Schmincke, a partner at Creandum; and Javier Santiso, a partner at Mundi Ventures.

The picture that emerges is one of sustained optimism, an expectation that venture investment is going to blast through traditional lulls and sustain a rapid-fire cadence during the rest of 2021. Records shall be smashed. But inside the various superlatives, a few sectors may do better than others. And Europe’s comparative gains in the venture capital world aren’t without impacts. Let’s explore what data says about the first half of 2021 in Europe’s startup market, and what its in-crowd expects for the rest of the year.

Inside Europe’s epic start to 2021

The European startup market is putting up notable results for both early-stage and super-late-stage funding. Dealroom reports that in the first half of 2021, some €18.1 billion was raised by European startups in the form of rounds greater than €250 million. For reference, the entire European startup market raised €16.7 billion in the first half of 2020.

But there’s also solid data indicating that Europe is doing a better job than ever in getting smaller companies off the ground. The same Dealroom report indicates that while Europe has created 15% of new global unicorns since 2020, it created 20% of new Series A-stage startups and a huge 35% of seed-stage tech upstarts.

China, in contrast, is the opposite; the country has 8% of new unicorns since 2020, 6% of Series A-stage startups and just 3% of the world’s seed-stage tech upstarts.

The interesting China dynamic is repeated in other statistics. Dealroom reports that Latin American venture capital is up 5.5x on a year-over-year basis in H1 2021. Asia excluding China is up 2.3x, as is investment in the United States. In China, a far smaller 1.6x growth rate was seen in the half-year period. But inside that data is the fact that every region we just listed set records in H1 2021, while China posted a figure that was sharply down from prior peak results.

This shows that regions that see a boom in investment can later see declines. But at least in the near term, that doesn’t seem to be in the cards.

This tool tells you if NSO’s Pegasus spyware targeted your phone

By Zack Whittaker

Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.

A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism non-profit Forbidden Stories and Amnesty International, and shared with the reporting consortium, including the Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.

The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or over a thousand.

NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.

Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.

Amnesty’s researchers showed their working by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed it in to check for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.

The Terminal output from the MVT toolkit, which scans iPhone and Android backup files for indicators of compromise. (Image: TechCrunch)

The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about ten minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.

Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.

Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
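The domain-matching step described above can be sketched as follows. This is an added example, not MVT's or Amnesty's code: it runs over constructed SMS records with constructed indicator domains, and every function and variable name is hypothetical. Matching on whole DNS labels rather than substrings avoids one class of false positive.

```python
import re
from urllib.parse import urlsplit

# Constructed indicators; a real scan loads them from the published IOC file.
IOC_DOMAINS = {"updates-cdn.example", "track.sms-gateway.test"}

# Constructed SMS records standing in for rows pulled from a phone backup.
MESSAGES = [
    {"id": 1, "text": "Parcel held: https://Updates-CDN.example/p?id=7"},
    {"id": 2, "text": "Lunch at 1? Menu: http://cafe.example/menu"},
    {"id": 3, "text": "Verify: http://a1.track.sms-gateway.test./x"},
    {"id": 4, "text": "Sale! https://notupdates-cdn.example/"},
    {"id": 5, "text": "Confirm at updates-cdn.example/login today"},
    {"id": 6, "text": "https://cafe.example/?ref=updates-cdn.example"},
]

# Optional scheme, dotted hostname, optional trailing dot, port and path.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\.?(?::\d+)?(?:/\S*)?", re.I)


def extract_hosts(text):
    """Yield the normalised hostname of every link-like token in text."""
    for m in URL_RE.finditer(text):
        tok = m.group(0)
        if not tok.lower().startswith(("http://", "https://")):
            tok = "//" + tok          # lets urlsplit treat it as a netloc
        host = urlsplit(tok).hostname  # lower-cased, port stripped
        if host:
            yield host.rstrip(".")     # drop a fully-qualified trailing dot


def match_indicator(host, indicators):
    """Return the indicator equal to host or to a parent domain of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):   # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators):
    """Return one hit per link whose host matches an indicator."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            ind = match_indicator(host, indicators)
            if ind:
                hits.append({"id": msg["id"], "host": host, "indicator": ind})
    return hits


if __name__ == "__main__":
    for hit in scan_messages(MESSAGES, IOC_DOMAINS):
        print(hit)
```

Messages 4 and 6 are the cases a substring search would flag wrongly: a lookalike hostname, and an indicator that appears only in another site's query string.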

The toolkit is — as command line tools go — relatively simple to use, though the project is open source so before long surely someone will build a user interface for it. The project’s detailed documentation will help you — as it did us.
