Tag: EC

Posted on

Europe is prepared to rule over 5G cybersecurity

The European Commission’s digital commissioner has warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers.

The Commission is considering a defacto ban on kit made by Chinese companies including Huawei in the face of security and espionage concerns, per Reuters.

Appearing on stage at the Mobile World Congress tradeshow in Barcelona today, Mariya Gabriel, European commissioner for digital economy and society, flagged network “cybersecurity” during her scheduled keynote, warning delegates it’s stating the obvious for her to say that “when 5G services become mission critical 5G networks need to be secure”.

Geopolitical concerns between the West and China are being accelerated and pushed to the fore as the era of 5G network upgrades approach, as well as by ongoing tensions between the U.S. and China over trade.

“I’m well away of the unrest among all of you key actors in the telecoms sectors caused by the ongoing discussions around the cybersecurity of 5G,” Gabriel continued, fleshing out the Commission’s current thinking. “Let me reassure you: The Commission takes your view very seriously. Because you need to run these systems everyday. Nobody is helped by premature decisions based on partial analysis of the facts.

“However it is also clear that Europe has to have a common approach to this challenge. And we need to bring it on the table soon. Otherwise there is a risk that fragmentation rises because of diverging decisions taken by Member States trying to protect themselves.”

“We all know that this fragmentation damages the digital single market. So therefore we are working on this important matter with priority. And to the Commission we will take steps soon,” she added.

The theme of this year’s show is “intelligent connectivity”; the notion that the incoming 5G networks will not only create links between people and (many, many more) things but understand the connections they’re making at a greater depth and resolution than has been possible before, leveraging the big data generated by many more connections to power automated decision-making in near real time, with low latency another touted 5G benefit (as well as many more connections per cell).

Futuristic scenarios being floated include connected cars neatly pulling to the sides of the road ahead of an ambulance rushing a patient to hospital — or indeed medical operations being aided and even directed remotely in real-time via 5G networks supporting high resolution real-time video streaming.

But for every touted benefit there are easy to envisage risks to network technology that’s being designed to connect everything all of the time — thereby creating a new and more powerful layer of critical infrastructure society will be relying upon.

Last fall the Australia government issued new security guidelines for 5G networks that essential block Chinese companies such as Huawei and ZTE from providing equipment to operators — justifying the move by saying that differences in the way 5G operates compared to previous network generations introduces new risks to national security.

New Zealand followed suit shortly after, saying kit from the Chinese companies posed a significant risk to national security.

While in the U.S. President Trump has made 5G network security a national security priority since 2017, and a bill was passed last fall banning Chinese companies from supplying certain components and services to government agencies.

The ban is due to take effect over two years but lawmakers have been pressuring to local carriers to drop 5G collaborations with companies such as Huawei.

In Europe the picture is so far more mixed. A UK government report last summer investigating Huawei’s broadband and mobile infrastructure raised further doubts, and last month Germany was reported to be mulling a 5G ban on the Chinese kit maker.

But more recently the two EU Member States have been reported to no longer be leaning towards a total ban — apparently believing any risk can be managed and mitigated by oversight and/or partial restrictions.

It remains to be seen how the Commission could step in to try to harmonize security actions taken by Member States around nascent 5G networks. But it appears prepared to set rules.

That said, Gabriel gave no hint of its thinking today, beyond repeating the Commission’s preferred position of less fragmentation, more harmonization to avoid collateral damage to its overarching Digital Single Market initiative — i.e. if Member States start fragmenting into a patchwork based on varying security concerns.

We’ve reached out to the Commission for further comment and will update this story with any additional context.

During the keynote she was careful to talk up the transformative potential of 5G connectivity while also saying innovation must work in lock-step with European “values”.

“Europe has to keep pace with other regions and early movers while making sure that its citizens and businesses benefit swiftly from the new infrastructures and the many applications that will be built on top of them,” she said.

“Digital is helping us and we need to reap its opportunities, mitigate its risks and make sure it is respectful of our values as much as driven by innovation. Innovation and values. Two key words. That is the vision we have delivered in terms of the defence for our citizens in Europe. Together we have decided to construct a Digital Single Market that reflects the values and principles upon which the European Union has been built.”

Her speech also focused on AI, with the commissioner highlighting various EC initiatives to invest in and support private sector investment in artificial intelligence — saying it’s targeting €20BN in “AI-directed investment” across the private and public sector by 2020, with the goal for the next decade being “to reach the same amount as an annual average” — and calling on the private sector to “contribute to ensure that Europe reaches the level of investment needed for it to become a world stage leader also in AI”.

But again she stressed the need for technology developments to be thoughtfully managed so they reflect the underlying society rather than negatively disrupting it. The goal should be what she dubbed “human-centric AI”.

“When we talk about AI and new technologies development for us Europeans it is not only about investing. It is mainly about shaping AI in a way that reflects our European values and principles. An ethical approach to AI is key to enable competitiveness — it will generate user trust and help facilitate its uptake,” she said.

“Trust is the key word. There is no other way. It is only by ensuring trustworthiness that Europe will position itself as a leader in cutting edge, secure and ethical AI. And that European citizens will enjoy AI’s benefits.”

Posted on

Europe agrees platform rules to tackle unfair business practices

The European Union’s political institutions have reached agreement over new rules designed to boost transparency around online platform businesses and curb unfair practices to support traders and other businesses that rely on digital intermediaries for discovery and sales.

The European Commission proposed a regulation for fairness and transparency in online platform trading last April. And late yesterday the European Parliament, Council of the EU and Commission reached a political deal on regulating the business environment of platforms, announcing the accord in a press release today.

The political agreement paves the way for adoption and publication of the regulation, likely later this year. The rules will apply 12 months after that point.

Online platform intermediaries such as ecommerce marketplaces and search engines are covered by the new rules if they provide services to businesses established in the EU and which offer goods or services to consumers located in the EU.

The Commission estimates there are some 7,000 such platforms and marketplaces which will be covered by the regulation, noting this includes “world giants as well as very small start-ups”.

Under the new rules, sudden and unexpected account suspensions will be banned — with the Commission saying platforms will have to provide “clear reasons” for any termination and also possibilities for appeal.

Terms and conditions must also be “easily available and provided in plain and intelligible language”.

There must also be advance notice of changes — of at least 15 days, with longer notice periods applying for more complex changes.

For search engines the focus is on ranking transparency. And on that front dominant search engine Google has attracted more than its fair share of criticism in Europe from a range of rivals (not all of whom are European).

In 2017, the search giant was also slapped with a $2.7BN antitrust fine related to its price comparison service, Google Shopping. The EC found Google had systematically given prominent placement to its own search comparison service while also demoting rival services in search results. (Google rejects the findings and is appealing.)

Given the history of criticism of Google’s platform business practices, and the multi-year regulatory tug of war over anti-competitive impacts, the new transparency provisions look intended to make it harder for a dominant search player to use its market power against rivals.

Changing the online marketplace

The importance of legislating for platform fairness was flagged by the Commission’s antitrust chief, Margrethe Vestager, last summer — when she handed Google another very large fine ($5BN) for anti-competitive behavior related to its mobile platform Android.

Vestager said then she wasn’t sure breaking Google up would be an effective competition fix, preferring to push for remedies to support “more players to have a real go”, as her Android decision attempts to do. But she also stressed the importance of “legislation that will ensure that you have transparency and fairness in the business to platform relationship”.

If businesses have legal means to find out why, for example, their traffic has stopped and what they can do to get it back that will “change the marketplace, and it will change the way we are protected as consumers but also as businesses”, she argued.

Just such a change is now in sight thanks to EU political accord on the issue.

The regulation represents the first such rules for online platforms in Europe and — commissioners’ contend — anywhere in the world.

“Our target is to outlaw some of the most unfair practices and create a benchmark for transparency, at the same time safeguarding the great advantages of online platforms both for consumers and for businesses,” said Andrus Ansip, VP for the EU’s Digital Single Market initiative in a statement.

Elżbieta Bieńkowska, commissioner for internal market, industry, entrepreneurship, and SMEs, added that the rules are “especially designed with the millions of SMEs in mind”.

“Many of them do not have the bargaining muscle to enter into a dispute with a big platform, but with these new rules they have a new safety net and will no longer worry about being randomly kicked off a platform, or intransparent ranking in search results,” she said in another supporting statement.

In a factsheet about the new rules, the Commission specifies they cover third-party ecommerce market places (e.g. Amazon Marketplace, eBay, Fnac Marketplace, etc.); app stores (e.g. Google Play, Apple App Store, Microsoft Store etc.); social media for business (e.g. Facebook pages, Instagram used by makers/artists etc.); and price comparison tools (e.g. Skyscanner, Google Shopping etc.).

The regulation does not target every online platform. For example, it does not cover online advertising (or b2b ad exchanges), payment services, SEO services or services that do not intermediate direct transactions between businesses and consumers.

The Commission also notes that online retailers that sell their own brand products and/or don’t rely on third party sellers on their own platform are also excluded from the regulation, such as retailers of brands or supermarkets.

Where transparency is concerned, the rules require that regulated marketplaces and search engines disclose the main parameters they use to rank goods and services on their site “to help sellers understand how to optimise their presence” — with the Commission saying the aim is to support sellers without allowing gaming of the ranking system.

Some platform business practices will also require mandatory disclosure — such as for platforms that not only provide a marketplace for sellers but sell on their platform themselves, as does Amazon for example.

The ecommerce giant’s use of merchant data remains under scrutiny in the EU. Vestager revealed a preliminary antitrust probe of Amazon last fall — when she said her department was gathering information to “try to get a full picture”. She said her concern is dual platforms could gain an unfair advantage as a consequence of access to merchants’ data.

And, again, the incoming transparency rules look intended to shrink that risk — requiring what the Commission couches as exhaustive disclosure of “any advantage” a platform may give to their own products over others.

“They must also disclose what data they collect, and how they use it — and in particular how such data is shared with other business partners they have,” it continues, noting also that: “Where personal data is concerned, the rules of the GDPR [General Data Protection Regulation] apply.”

(GDPR of course places further transparency requirements on platforms by, for example, empowering individuals to request any personal data held on them, as well as the reasons why their information is being processed.)

The platform regulation also includes new avenues for dispute resolution by requiring platforms set up an internal complaint-handling system to assist business users.

“Only the smallest platforms in terms of head count or turnover will be exempt from this obligation,” the Commission notes. (The exemption limit is set at fewer than 50 staff and less than €10M revenue.)

It also says: “Platforms will have to provide businesses with more options to resolve a potential problem through mediators. This will help resolve more issues out of court, saving businesses time and money.”

But, at the same time, the new rules allow business associations to take platforms to court to stop any non-compliance — mirroring a provision in the GDPR which also allows for collective enforcement and redress of individual privacy rights (where Member States adopt it).

“This will help overcome fear of retaliation, and lower the cost of court cases for individual businesses, when the new rules are not followed,” the Commission argues.

“In addition, Member States can appoint public authorities with enforcement powers, if they wish, and businesses can turn to those authorities.”

One component of the regulation that appears to be being left up to EU Member States to tackle is penalties for non-compliance — with no clear regime of fines set out (as there is in GDPR). So it’s not clear whether the platform regulation might not have rather more bark than bite, at least initially.

“Member States shall need to take measures that are sufficiently dissuasive to ensure that the online intermediation platforms and search engines comply with the requirements in the Regulation,” the Commission writes in a section of its factsheet dealing with how to make sure platforms respect the new rules.

It also points again to the provision allowing business associations or organisations to take action in national courts on behalf of members — saying this offers a legal route to “stop or prohibit non-compliance with one or more of the requirements of the Regulation”. So, er, expect lawsuits.

The Commission says the rules will be subject to review within 18 months after they come into force — in a bid to ensure the regulation keeps pace with fast-paced tech developments.

A dedicated Online Platform Observatory has been established in the EU for the purpose of “monitoring the evolution of the market and the effective implementation of the rules”, it adds.

Posted on

Is Europe closing in on an antitrust fix for surveillance technologists?

The German Federal Cartel Office’s decision to order Facebook to change how it processes users’ personal data this week is a sign the antitrust tide could at last be turning against platform power.

One European Commission source we spoke to, who was commenting in a personal capacity, described it as “clearly pioneering” and “a big deal”, even without Facebook being fined a dime.

The FCO’s decision instead bans the social network from linking user data across different platforms it owns, unless it gains people’s consent (nor can it make use of its services contingent on such consent). Facebook is also prohibited from gathering and linking data on users from third party websites, such as via its tracking pixels and social plugins.

The order is not yet in force, and Facebook is appealing, but should it come into force the social network faces being de facto shrunk by having its platforms siloed at the data level.

To comply with the order Facebook would have to ask users to freely consent to being data-mined — which the company does not do at present.

Yes, Facebook could still manipulate the outcome it wants from users but doing so would open it to further challenge under EU data protection law, as its current approach to consent is already being challenged.

The EU’s updated privacy framework, GDPR, requires consent to be specific, informed and freely given. That standard supports challenges to Facebook’s (still fixed) entry ‘price’ to its social services. To play you still have to agree to hand over your personal data so it can sell your attention to advertisers. But legal experts contend that’s neither privacy by design nor default.

The only ‘alternative’ Facebook offers is to tell users they can delete their account. Not that doing so would stop the company from tracking you around the rest of the mainstream web anyway. Facebook’s tracking infrastructure is also embedded across the wider Internet so it profiles non-users too.

EU data protection regulators are still investigating a very large number of consent-related GDPR complaints.

But the German FCO, which said it liaised with privacy authorities during its investigation of Facebook’s data-gathering, has dubbed this type of behavior “exploitative abuse”, having also deemed the social service to hold a monopoly position in the German market.

So there are now two lines of legal attack — antitrust and privacy law — threatening Facebook (and indeed other adtech companies’) surveillance-based business model across Europe.

A year ago the German antitrust authority also announced a probe of the online advertising sector, responding to concerns about a lack of transparency in the market. Its work here is by no means done.

Data limits

The lack of a big flashy fine attached to the German FCO’s order against Facebook makes this week’s story less of a major headline than recent European Commission antitrust fines handed to Google — such as the record-breaking $5BN penalty issued last summer for anticompetitive behaviour linked to the Android mobile platform.

But the decision is arguably just as, if not more, significant, because of the structural remedies being ordered upon Facebook. These remedies have been likened to an internal break-up of the company — with enforced internal separation of its multiple platform products at the data level.

This of course runs counter to (ad) platform giants’ preferred trajectory, which has long been to tear modesty walls down; pool user data from multiple internal (and indeed external sources), in defiance of the notion of informed consent; and mine all that personal (and sensitive) stuff to build identity-linked profiles to train algorithms that predict (and, some contend, manipulate) individual behavior.

Because if you can predict what a person is going to do you can choose which advert to serve to increase the chance they’ll click. (Or as Mark Zuckerberg puts it: ‘Senator, we run ads.’)

This means that a regulatory intervention that interferes with an ad tech giant’s ability to pool and process personal data starts to look really interesting. Because a Facebook that can’t join data dots across its sprawling social empire — or indeed across the mainstream web — wouldn’t be such a massive giant in terms of data insights. And nor, therefore, surveillance oversight.

Each of its platforms would be forced to be a more discrete (and, well, discreet) kind of business.

Competing against data-siloed platforms with a common owner — instead of a single interlinked mega-surveillance-network — also starts to sound almost possible. It suggests a playing field that’s reset, if not entirely levelled.

(Whereas, in the case of Android, the European Commission did not order any specific remedies — allowing Google to come up with ‘fixes’ itself; and so to shape the most self-serving ‘fix’ it can think of.)

Meanwhile, just look at where Facebook is now aiming to get to: A technical unification of the backend of its different social products.

Such a merger would collapse even more walls and fully enmesh platforms that started life as entirely separate products before were folded into Facebook’s empire (also, let’s not forget, via surveillance-informed acquisitions).

Seized cache of Facebook docs raise competition and consent questions

Facebook’s plan to unify its products on a single backend platform looks very much like an attempt to throw up technical barriers to antitrust hammers. It’s at least harder to imagine breaking up a company if its multiple, separate products are merged onto one unified backend which functions to cross and combine data streams.

Set against Facebook’s sudden desire to technically unify its full-flush of dominant social networks (Facebook Messenger; Instagram; WhatsApp) is a rising drum-beat of calls for competition-based scrutiny of tech giants.

This has been building for years, as the market power — and even democracy-denting potential — of surveillance capitalism’s data giants has telescoped into view.

Calls to break up tech giants no longer carry a suggestive punch. Regulators are routinely asked whether it’s time. As the European Commission’s competition chief, Margrethe Vestager, was when she handed down Google’s latest massive antitrust fine last summer.

Her response then was that she wasn’t sure breaking Google up is the right answer — preferring to try remedies that might allow competitors to have a go, while also emphasizing the importance of legislating to ensure “transparency and fairness in the business to platform relationship”.

But it’s interesting that the idea of breaking up tech giants now plays so well as political theatre, suggesting that wildly successful consumer technology companies — which have long dined out on shiny convenience-based marketing claims, made ever so saccharine sweet via the lure of ‘free’ services — have lost a big chunk of their populist pull, dogged as they have been by so many scandals.

From terrorist content and hate speech, to election interference, child exploitation, bullying, abuse. There’s also the matter of how they arrange their tax affairs.

The public perception of tech giants has matured as the ‘costs’ of their ‘free’ services have scaled into view. The upstarts have also become the establishment. People see not a new generation of ‘cuddly capitalists’ but another bunch of multinationals; highly polished but remote money-making machines that take rather more than they give back to the societies they feed off.

Google’s trick of naming each Android iteration after a different sweet treat makes for an interesting parallel to the (also now shifting) public perceptions around sugar, following closer attention to health concerns. What does its sickly sweetness mask? And after the sugar tax, we now have politicians calling for a social media levy.

Just this week the deputy leader of the main opposition party in the UK called for setting up a standalone Internet regulatory with the power to break up tech monopolies.

Talking about breaking up well-oiled, wealth-concentration machines is being seen as a populist vote winner. And companies that political leaders used to flatter and seek out for PR opportunities find themselves treated as political punchbags; Called to attend awkward grilling by hard-grafting committees, or taken to vicious task verbally at the highest profile public podia. (Though some non-democratic heads of state are still keen to press tech giant flesh.)

In Europe, Facebook’s repeat snubs of the UK parliament’s requests last year for Zuckerberg to face policymakers’ questions certainly did not go unnoticed.

Zuckerberg’s empty chair at the DCMS committee has become both a symbol of the company’s failure to accept wider societal responsibility for its products, and an indication of market failure; the CEO so powerful he doesn’t feel answerable to anyone; neither his most vulnerable users nor their elected representatives. Hence UK politicians on both sides of the aisle making political capital by talking about cutting tech giants down to size.

The political fallout from the Cambridge Analytica scandal looks far from done.

Quite how a UK regulator could successfully swing a regulatory hammer to break up a global Internet giant such as Facebook which is headquartered in the U.S. is another matter. But policymakers have already crossed the rubicon of public opinion and are relishing talking up having a go.

That represents a sea-change vs the neoliberal consensus that allowed competition regulators to sit on their hands for more than a decade as technology upstarts quietly hoovered up people’s data and bagged rivals, and basically went about transforming themselves from highly scalable startups into market-distorting giants with Internet-scale data-nets to snag users and buy or block competing ideas.

Zuckerberg owns or clones most of the “8 social apps” he cites as competition

The political spirit looks willing to go there, and now the mechanism for breaking platforms’ distorting hold on markets may also be shaping up.

The traditional antitrust remedy of breaking a company along its business lines still looks unwieldy when faced with the blistering pace of digital technology. The problem is delivering such a fix fast enough that the business hasn’t already reconfigured to route around the reset. 

Commission antitrust decisions on the tech beat have stepped up impressively in pace on Vestager’s watch. Yet it still feels like watching paper pushers wading through treacle to try and catch a sprinter. (And Europe hasn’t gone so far as trying to impose a platform break up.) 

But the German FCO decision against Facebook hints at an alternative way forward for regulating the dominance of digital monopolies: Structural remedies that focus on controlling access to data which can be relatively swiftly configured and applied.

Vestager, whose term as EC competition chief may be coming to its end this year (even if other Commission roles remain in potential and tantalizing contention), has championed this idea herself.

In an interview on BBC Radio 4’s Today program in December she poured cold water on the stock question about breaking tech giants up — saying instead the Commission could look at how larger firms got access to data and resources as a means of limiting their power. Which is exactly what the German FCO has done in its order to Facebook. 

At the same time, Europe’s updated data protection framework has gained the most attention for the size of the financial penalties that can be issued for major compliance breaches. But the regulation also gives data watchdogs the power to limit or ban processing. And that power could similarly be used to reshape a rights-eroding business model or snuff out such business entirely.

The merging of privacy and antitrust concerns is really just a reflection of the complexity of the challenge regulators now face trying to rein in digital monopolies. But they’re tooling up to meet that challenge.

Speaking in an interview with TechCrunch last fall, Europe’s data protection supervisor, Giovanni Buttarelli, told us the bloc’s privacy regulators are moving towards more joint working with antitrust agencies to respond to platform power. “Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” he said. “But first joint enforcement and better co-operation is key.”

The German FCO’s decision represents tangible evidence of the kind of regulatory co-operation that could — finally — crack down on tech giants.

Blogging in support of the decision this week, Buttarelli asserted: “It is not necessary for competition authorities to enforce other areas of law; rather they need simply to identity where the most powerful undertakings are setting a bad example and damaging the interests of consumers.  Data protection authorities are able to assist in this assessment.”

He also had a prediction of his own for surveillance technologists, warning: “This case is the tip of the iceberg — all companies in the digital information ecosystem that rely on tracking, profiling and targeting should be on notice.”

So perhaps, at long last, the regulators have figured out how to move fast and break things.

Posted on

Facebook is launching political ad checks in Nigeria, Ukraine, EU and India in coming months

Facebook is launching some of its self-styled ‘election security’ initiatives into more markets in the coming months ahead of several major votes in countries around the world.

In an interview with Reuters the social networking giant confirmed it’s launching checks on political adverts on its platform in Nigeria, Ukraine and the European Union, reiterating too that ad transparency measures will launch in India ahead of its general election.

Although it still hasn’t confirmed how it will respond in other countries with looming votes this year, including Australia, Indonesia, Israel and the Philippines.

Concern about election interference in the era of mass social media has stepped up sharply since revelations about the volume of disinformation targeted at the 2016 U.S. presidential election (and amplified by Facebook et al).

More than two years later Facebook’s approach to election security remains ad hoc, with different policy and transparency components being launched in different markets — as it says it’s still in a learning mode.

It also claims its variable approach reflects local laws and conversations with governments and civil society groups. Although it says it’s also hoping to have a set of tools that applies to advertisers globally by the end of June.

“Our goal was to get to a global solution. And so, until we can get to that in June, we had to look at the different elections and what we think we can do,” Facebook’s director of global politics and outreach, Katie Harbath told Reuters.

Many markets where Facebook’s platform operates also still have no limits on who can buy and target political ads, as too do many smaller elections, such as local elections.

Even as the checks and balances the company does offer in other markets remain partial and far from perfect. For instance Facebook does not always offer meaningful checks on issue-based political advertising because, in some markets, it narrowly draws the definition as related to parties and candidates only, thereby limiting the effectiveness of the policy.

(And plenty of Kremlin propaganda targeted at the 2016 US presidential election was focused on weaponizing issues to whip up social divisions, for example, such as by playing up racial tensions, rather than promoting or attacking particular candidates.)

Facebook told Reuters it’s launching an authorization process for political advertisers in Nigeria today, ahead of a presidential election on February 16, which requires those running political ads to be located in the country.

It said the same policy will apply to Ukraine next month, ahead of elections on March 31.

Facebook also reiterated that election security measures are incoming ahead of India’s general election last month. From next month it will launch a searchable online library for election ads in India which votes for parliament this spring. The ads will be held in the library for seven years.

It has already launched searchable political ad archives in the U.S., Brazil and the U.K. But again its narrow definition of what constitutes a political ad limits the scope of the transparency measure in the U.K., for example. (Whereas in the U.S. the archive can include ads about much debated issues such as immigration and climate change.)

The Indian archive will contain contact information for some ad buyers or official regulatory certificates, according to Reuters.

While, in the case of individuals buying political ads, Facebook said it would ensure their listed name matches government-issued identity documents.

The European Union, which goes to the polls in May to elect MEPs for the European Parliament, will also get a version of the Indian authorization and transparency system ahead of that vote.

The European Commission has stepped up pressure on tech platforms over election security, announcing a package of measures last month intended to combat democracy-denting disinformation which included pressing platforms to increase transparency around political ads and purge fake accounts.

The EC also said it would be monitoring platforms’ efforts — warning that it wants to see “real progress”, not more “excuses” and “foot-dragging”.

We contacted Facebook for further comment on its international election security efforts but at the time of writing it said it had nothing more to add.

Posted on

Europe issues a deadline for US’ Privacy Shield compliance

The European Commission has finally given the U.S. a deadline related to the much criticized data transfer mechanism known as the EU-US Privacy Shield .

But it’s only asking for the U.S. to nominate a permanent ombudsperson — to handle any EU citizens’ complaints — by February 28, 2019.

If a permanent ombudsperson is not appointed by then the Commission says it will “consider taking appropriate measures, in accordance with the General Data Protection Regulation”.

So not an out-and-out threat to suspend the mechanism — which is what critics and MEPs have been calling for.

But still a fixed deadline at last.

“We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy,” said Andrus Ansip, Commission VP for the Digital Single Market, in a statement.

“All elements of the Shield must be working at full speed, including the Ombudsperson,” added Věra Jourová, the commissioner for justice and consumers.

It’s the first sign the Commission is losing patience with its U.S. counterparts.

Although there’s no doubt the EC remains fully committed to the survival of the business-friendly mechanism which it spent years negotiating after the prior arrangement, Safe Harbor, was struck down by Europe’s top court following NSA whistleblower Edward Snowden’s disclosures of US government surveillance programs.

Its problem is it has to contend with Trump administration priorities — which naturally don’t align with privacy protection for non-US citizens.

While the EU-US Privacy Shield is over two years’ old at this point, president Trump has failed to nominate a permanent ombudsperson to a key oversight role.

The acting civil servant (Judith Garber, principal deputy assistant secretary for the Bureau of Oceans and International Environmental and Scientific Affairs) was also nominated as U.S. ambassador to Cyprus this summer, suggesting a hard limit to her already divided attention on EU citizens’ data privacy.

Despite this problematic wrinkle, the EU’s executive today professed itself otherwise satisfied that the mechanism is ensuring “an adequate level of protection for personal data”, announcing the conclusion of its second annual Privacy Shield review.

The data transfer mechanism is now used by more than 4,000 companies to simplify flows of EU citizens’ personal data to the US.

And the Commission clearly wants to avoid a repeat of the scramble that kicked off when, three years ago, Safe Harbor was struck down and businesses had to find alternative legal means for authorizing essential data flows.

But at the same time Privacy Shield has been under growing pressure. This summer the EU parliament called for the mechanism to be suspended until the U.S. comes into compliance.

The parliament’s Libe committee also called for better monitoring of data transfers was clearly required in light of the Cambridge Analytica Facebook data misuse scandal. (Both companies having been signed up to Privacy Shield.)

The mechanism has also been looped into a separate legal challenge to another data transfer tool after the Irish High Court referred a series of questions to the European Court of Justice — setting the stage for another high stakes legal drama if fundamental European privacy rights are again deemed incompatible with U.S. national security practices.

A decision on that referral remains for the future. But in the meanwhile the Commission looks to be doing everything it can to claim it’s ‘business as usual’ for EU-US data flows.

In a press release today, it lauds steps taken by the U.S. authorities to implement recommendations it made in last year’s Privacy Shield review — saying they have “improved the functioning of the framework”.

Albeit, the detail of these slated ‘improvements’ shows how very low its starting bar was set — with the Commission listing, for e.g.:

  • the strengthening by the Department of Commerce of the certification process and of its proactive oversight over the framework — including setting up mechanisms such as a system of spot checks (it says that 100 companies have been checked; and 21 had “issues that have now been solved” — suggesting a fifth of claimed compliance was, er, not actually compliance)
  • additional “compliance review procedures” such as analysis of Privacy Shield participants’ websites “to ensure that links to privacy policies are correct”; so previously we must assume no one in the U.S. was bothering to check
  • the Department of Commerce put in place a system to identify false claims which the Commission now claims “prevents companies from claiming their compliance with the Privacy Shield, when they have not been certified”; so again, prior to this system being set up certifications weren’t necessary worth the pixels they were painted in

The Commission also claims the Federal Trade Commission has shown “a more proactive approach” to enforcement by monitoring the principles of the Privacy Shield — noting that, for example, it has issued subpoenas to request information from participating companies.

Another change it commends — related to the sticky issue of access to personal data by U.S. public authorities for national security purposes (which is what did for Safe Harbor) — is the appointment of new members of the Privacy and Civil Liberties Oversight Board (PCLOB) — to restore the Board’s quorum.

The denuded PCLOB has been a long running bone of contention for Privacy Shield critics.

“The Board’s report on the implementation of Presidential Policy-Directive No. 28 (PPD-28, which provides for privacy protections for non-Americans) has been made publicly available,” the Commission writes, referring to a key Obama era directive that it has previously said the Shield depends upon. “It confirms that these privacy protections for non-Americans are implemented across the U.S. intelligence community.”

It says it also took into account relevant developments in the U.S. legal system in the area of privacy during the review, noting that: “The Department of Commerce launched a consultation on a federal approach to data privacy to which the Commission contributed and the US Federal Trade Commission is reflecting on its current powers in this area.”

“In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing,” it adds, kicking the can down the road on that particular data scandal.

Meanwhile, as you’d expect, business groups have welcomed another green light for data to keep being passed.

In a statement responding to the conclusion of the review, the Computer & Communications Industry Association said: “We commend the European Commission for its thorough review. Privacy Shield is a robust framework, with strong data protections, that allows for the daily transfers of commercial data between the world’s two biggest trading partners.”

Posted on

Europe to cap intra-EU call fees as part of overhaul to telecoms rules

European Union institutions have reached a political agreement over an update to the bloc’s telecoms rules that’s rattled the cages of incumbent telcos.

Agreement was secured late yesterday after months of negotiations between the EU parliament and Council, with the former pushing for and securing a price cap on international calls within the bloc — of no more than 19 cents per minute. Texts will also be capped at a maximum of 6 cents each, Reuters reports.

While roaming charges for EU travelers were abolished across the bloc last summer, the parliament was concerned that charges for calls and texts between EU Member States is often disproportionately high — hence pushing for the cap, which was not in the original EC proposal.

The Commission proposed a new European Electronic Communications Code back in 2016, to modernize telecoms rules that had stood since 2009 — to take account of technology and market shifts, and align the rules with its wider Digital Single Market strategy.

The proposal broadly focused on pushing for consistency in spectrum policy and management; reducing regulatory fragmentation; ensuring a level playing field for market players and protections for consumers; and incentivizing investment in high-speed broadband networks.

And on the incentivization front, the new rules agreed yesterday update the powers of national regulators to act against dominant players — such as by being able to impose access to their network.

For a case study on why such interventions might be necessary you could look at the fiber investment and network-access foot-dragging of a former incumbent telco such as BT in the UK, for example, which has long favored eking out copper. While its network infrastructure division OpenReach was last year ordered to be legally separated — around a decade after it was functionally separated by the regulator. Yet complaints over BT’s lack of investment in broadband infrastructure and access for rivals to its networks have, nonetheless, persisted.

On the consumer front, the new EU telecoms Code also includes measures intended to make it easier to change service provider and keep the same phone number; measures around tariff transparency to make it easier for people to compare contractual offers, and the ability to terminate a contract without incurring additional costs; as well as additional protections around bundled services.

For operators there are deregulation measures for co-investments — intended to promote “risk sharing in the deployment of very high capacity networks”. And the Code sets wireless spectrum licenses at at least 20 years — also intended to give carriers the “predictability” they need to speed up 5G and fiber deployments.

Though this is shorter than operators had hoped, and the European Telecommunications Network Operators’ Association (ETNO) — whose membership is made up of incumbent telcos such as BT — has been quick to voice its displeasure, describing the code as a “missed opportunity“, and complaining that it adds extra complexity while also failing to incentivize investment.

“The Code will not ignite the much needed rush to invest in 5G and fibre networks and it will add complexity to an already burdensome system,” it writes. “The agreed law foresees only limited progress on spectrum policy, a complex and watered down compromise on incentivising fibre investment, uncertain triggers for imposing regulatory remedies and no fair playing field for digital services users and providers.”

Smaller, fiber-to-the-home broadband players are sounding much happier though…

ETNO also criticizes what it describes as “the unfortunate decision to regulate intra-EU calls” — arguing this is an unjustified, populist measure, and sniping that it creates legal uncertainty by setting what it couches as “a highly dangerous precedent for all other European industries”.

That’s not the view of the European Consumer Organization, BEUC, which describes the measure as “a good next step towards a real single market for consumers”.

“Consumers should no longer have to worry about excessive costs when calling another EU country from home. The end of roaming charges was a big first step, but it did not deal with the high costs of phone calls to another EU country when at home,” its director general, Monique Goyens, told us in a statement.

“Market concentration is bad for prices and consumer choice. A small group of players should not be able to take control of the market. Thanks to what has been agreed, national regulators can take measures to intervene and maintain a healthy level of competition,” she added.

“Telecom services regularly rank among the top most complained-about markets. This new law upgrades some important consumer protection measures. Telecom clients will for instance be able to end their contract early and choose a better deal.”

And of course the Commission is putting a positive spin on the outcome, two years on from its proposal to modernize the rules.

In a statement welcoming the end of the negotiations, Andrus Ansip, the VP in charge of the Digital Single Market, said: “This agreement is essential to meet Europeans’ growing connectivity needs and boost Europe’s competitiveness. We are laying the groundwork for the deployment of 5G across Europe.”

In another supporting statement, Mariya Gabriel, commissioner for digital economy and society, described the new rules as “bold and balanced” — saying they would provide “faster access to radio spectrum, better services and more protection for consumers, as well as greater investment in very high speed networks”.

While political accord on the new telecoms code has indeed been reached between the EU institutions, members of the EU parliament and Council still need to vote to adopt it — after which the bloc’s Member States will have two years to transpose it into their national laws.

Posted on

Europe to cap intra-EU call fees as part of overhaul to telecoms rules

European Union institutions have reached a political agreement over an update to the bloc’s telecoms rules that’s rattled the cages of incumbent telcos.

Agreement was secured late yesterday after months of negotiations between the EU parliament and Council, with the former pushing for and securing a price cap on international calls within the bloc — of no more than 19 cents per minute. Texts will also be capped at a maximum of 6 cents each, Reuters reports.

While roaming charges for EU travelers were abolished across the bloc last summer, the parliament was concerned that charges for calls and texts between EU Member States is often disproportionately high — hence pushing for the cap, which was not in the original EC proposal.

The Commission proposed a new European Electronic Communications Code back in 2016, to modernize telecoms rules that had stood since 2009 — to take account of technology and market shifts, and align the rules with its wider Digital Single Market strategy.

The proposal broadly focused on pushing for consistency in spectrum policy and management; reducing regulatory fragmentation; ensuring a level playing field for market players and protections for consumers; and incentivizing investment in high-speed broadband networks.

And on the incentivization front, the new rules agreed yesterday update the powers of national regulators to act against dominant players — such as by being able to impose access to their network.

For a case study on why such interventions might be necessary you could look at the fiber investment and network-access foot-dragging of a former incumbent telco such as BT in the UK, for example, which has long favored eking out copper. While its network infrastructure division OpenReach was last year ordered to be legally separated — around a decade after it was functionally separated by the regulator. Yet complaints over BT’s lack of investment in broadband infrastructure and access for rivals to its networks have, nonetheless, persisted.

On the consumer front, the new EU telecoms Code also includes measures intended to make it easier to change service provider and keep the same phone number; measures around tariff transparency to make it easier for people to compare contractual offers, and the ability to terminate a contract without incurring additional costs; as well as additional protections around bundled services.

For operators there are deregulation measures for co-investments — intended to promote “risk sharing in the deployment of very high capacity networks”. And the Code sets wireless spectrum licenses at at least 20 years — also intended to give carriers the “predictability” they need to speed up 5G and fiber deployments.

Though this is shorter than operators had hoped, and the European Telecommunications Network Operators’ Association (ETNO) — whose membership is made up of incumbent telcos such as BT — has been quick to voice its displeasure, describing the code as a “missed opportunity“, and complaining that it adds extra complexity while also failing to incentivize investment.

“The Code will not ignite the much needed rush to invest in 5G and fibre networks and it will add complexity to an already burdensome system,” it writes. “The agreed law foresees only limited progress on spectrum policy, a complex and watered down compromise on incentivising fibre investment, uncertain triggers for imposing regulatory remedies and no fair playing field for digital services users and providers.”

Smaller, fiber-to-the-home broadband players are sounding much happier though…

ETNO also criticizes what it describes as “the unfortunate decision to regulate intra-EU calls” — arguing this is an unjustified, populist measure, and sniping that it creates legal uncertainty by setting what it couches as “a highly dangerous precedent for all other European industries”.

That’s not the view of the European Consumer Organization, BEUC, which describes the measure as “a good next step towards a real single market for consumers”.

“Consumers should no longer have to worry about excessive costs when calling another EU country from home. The end of roaming charges was a big first step, but it did not deal with the high costs of phone calls to another EU country when at home,” its director general, Monique Goyens, told us in a statement.

“Market concentration is bad for prices and consumer choice. A small group of players should not be able to take control of the market. Thanks to what has been agreed, national regulators can take measures to intervene and maintain a healthy level of competition,” she added.

“Telecom services regularly rank among the top most complained-about markets. This new law upgrades some important consumer protection measures. Telecom clients will for instance be able to end their contract early and choose a better deal.”

And of course the Commission is putting a positive spin on the outcome, two years on from its proposal to modernize the rules.

In a statement welcoming the end of the negotiations, Andrus Ansip, the VP in charge of the Digital Single Market, said: “This agreement is essential to meet Europeans’ growing connectivity needs and boost Europe’s competitiveness. We are laying the groundwork for the deployment of 5G across Europe.”

In another supporting statement, Mariya Gabriel, commissioner for digital economy and society, described the new rules as “bold and balanced” — saying they would provide “faster access to radio spectrum, better services and more protection for consumers, as well as greater investment in very high speed networks”.

While political accord on the new telecoms code has indeed been reached between the EU institutions, members of the EU parliament and Council still need to vote to adopt it — after which the bloc’s Member States will have two years to transpose it into their national laws.