As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers

As the legal uncertainty in Europe clouding use of US cloud services cranks up, Google has responded by firing up its lobbying engines to call for US and European lawmakers to get a move on and come up a new rubberstamp to grease transatlantic data flows as usual as the bloc’s regulators finally start to find their banhammers.

Last week, Austria’s data protection authority decided that a local website’s use of Google Analytics to have breached the bloc’s General Data Protection Regulation (GDPR) over the risk of US intelligence agencies being able to access site users’ personal data.

In a blog post calling for “a new EU-US data transfer framework”, Google’s Kent Walker flags this decision before seeking to downplay its significant — writing that Google has offered its eponymous analytics service to business for 15 years and “never once received the type of demand the DPA speculated about”, before adding: “We don’t expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law.”

It’s a reassuring-sounding soundbite by Google’s (and its parent Alphabet’s) chief lawyer and president of global affairs.

The problem is, legally speaking, it’s irrelevant — as it’s roughly the equivalent of Walker saying ‘waaa, EU law is not fair!’.

The lack of rights and redress for foreigners whose information gets scooped up by US authorities — or is at risk of getting scooped up — as a result of sweeping US surveillance laws (such as FISA 702), which apply broadly to electronic service providers like Google, is in stark conflict with the EU’s data protection framework which requires that an “essentially equivalent” level of protection applies to EU people’s information if it’s exported outside the bloc.

The key point is Europeans’ personal data must be effectively shielded from the risk of unauthorized access/misuse — NB: data doesn’t actually have to have been grabbed by the NSA for any laws to apply! — in order for the level of protection wrapping exported data to be considered legally adequate.

This is not a blanket ban on personal data transfers out of the EU to third countries because EU law leaves open the possibility that, where there are risks, so called “supplementary measures” may be applied to these kinds of transfers to raise the level of protection to the required standard.

These special measures could be additions at a legal, organization or procedural level (e.g. contract clauses, data retention policies); or, indeed, specific technical measures (like data localization; or true end-to-end encryption with zero access to the data via a third country-based provider or any of their subsidiaries) — or, for added assurance, a blend of several layered add-ons.

Google claims it had applied enough such extras to boost the level of data protection in the Austrian case.

However the DPA disagreed — finding Google’s claimed supplements did not cut the mustard, for all Walker’s claims of “extensive supplementary measures“.

It’s notable that his sentence immediately qualifies that claim — saying the measures apply “practical and effective protection of data to any reasonable standard”.

So, essentially, Google’s lobbying sleight of hand there seeks to replace actual EU legal standards over personal data transfers with a Google-defined “reasonable” standard (which has already been found unreasonable by at least two EU data supervisors… ).

It’s evident that rather than Google change its business practices — say, by offering Google Analytics users data localization plus encryption key escrow via an EU-based third party, plus some robust contractual clauses about challenging access requests — the tech giant is resorting to loudly yelling for lawmakers to ‘fix’ its legal headache with a quickie data transfer pact.

The problem for Google is that the legal conflict between US surveillance law and EU data protection law isn’t something that can be quickly and quietly papered over anymore.

The European Commission has tried doing that before, and while the Safe Harbor (RIP) arrangement for transatlantic data transfers stood for around 15 years before the EU’s top court struck it down, the replacement Privacy Shield only managed about four before the court struck again, even more definitively.

EU lawmakers are unlikely to want a third bullseye — even if they are keen on (and still in talks about) a replacement Privacy Shield to grease EU-US commerce.

The so-called ‘Schrems II’ CJEU decision that shattered the EU-US Privacy Shield did not close the door to personal data exports entirely but the court was careful to seek to pre-empt the risk of non-compliant-business-as-usual by underscoring that data flows must be assessed on a case by case basis and notified in advance to DPAs which — the court also made clear — can’t just sit on their hands and do in fact have a legal duty to suspend risky transfers.

The ruling also reiterated that EU-US transfers specifically are risky — hence blasting Privacy Shield (and Safe Harbor) to smithereens.

This is why US cloud services are so clearly in the frame.

The lack of a federal privacy law in the US which can offer an equivalent to EU’s GDPR is the underlying problem. And that essentially means the missing piece is also substantial reform of US surveillance laws — something that’s provided impossible to achieve so far (even regarding warrantless spying on US citizens, let alone foreigners).

In the meanwhile, more enforcements against non-compliant data transfers are looming.

If the Austrian’s decision over a single, local website’s use of Google Analytics risks sounding like small fry, around a hundred similar complaints were filed across the bloc back in August 2020, by European privacy campaigner noyb — also targeting use of Facebook Connect — so scores of similar decisions are pending.

Which means a potential pipeline of problems for Google in Europe over tools like Google Analytics…

Last fall the European Data Protection Board set up a taskforce to co-ordinate the response to this flotilla of complaints. So where one DPA has found use of Google Analytics breaches the GDPR others are likely to follow shortly.

(Note for example the Dutch DPA — which issued emergency guidance last week warning that use of Google Analytics “may soon not be allowed”. In an FAQ section of its website where it makes the warning — under the topic of “how can I protect the privacy of my website visitors with Google Analytics” — the regulator also wrote: “The AP [itself] is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now allowed or not.”)

In another notable recent decision, the European Data Protection Supervisor (EDPS) reprimanded the European Parliament over the presence of Google Analytics and Stripe in the code of a COVID-19 test booking website that had been built for it by a third party supplier. Again, use of Google Analytics was found to breach the regulation given the problem of US data transfers — although the website provider had also failed to properly implement cookie consents so there were multiple compliance problems in that case. And while the Parliament escaped a fine (on procedural grounds) the regulatory hot water led it to yank Google Analytics long before the decision landed.

So how many other European entities will now be looking increasingly uneasily at their website plug-ins? (After all, alternatives to tools like Google Analytics which don’t require schlepping data to the US do already exist. So the old ‘no one got sacked for installing US tech calculus may start to shift.)

Google’s blog prefers to spin the possibility that it’s about to lose a whole bunch of European customers into a typical Big Tech projection that the doom will rain down mercilessly as a nuclear storm — seeking to whip up fear among lawmakers over the impact on small businesses of them not “aligning” the literal law with Google’s preferred way of doing business.

Case by case

What’s clear is that the regulatory noose is tightening when it comes to Chapter V of the GDPR — and that has major implications for many US tech giants as their services often involve transferring user data outside the bloc.

The legal risks are varied, though, since data flows are now being analyzed on a case by case basis.

Which is also why having a top-level transfer deal is so sought for — since it massively simplifies compliance issues involved in exporting EU users’ data.

In another case, Facebook has been spectacularly successful at fending off regulatory action against its EU-US data transfers for literally years, thanks to its forum shopping and deep pockets to splash money on lawyers. But its data flows are surely operating on borrowed time — after a preliminary suspension order by Ireland in 2020; and Facebook’s subsequent failure to block it in the Irish courts.

Ireland’s regulator agreed it would “swiftly” finalize a decision on those EU-to-US flows over a year ago.

Nor is it only Google and Facebook on the hook here.

Since May, the EDPS has been investigating EU institutions’ cloud contracts with AWS and Microsoft over similar compliance concerns.

If the EU’s chief data supervisor concludes those US cloud services are also unable to adequately protect Europeans’ data it could essentially order that alternative services be found to take their place.

And that could then kick off a snowball of service switching, given the EDPS’ steering role as the EU’s top data supervisor.

So Google is quite right that the data flows issue could have multiple impacts.

A finding of compliance problems with those US cloud contracts is not certain, though — because, one again, each data transfer is different. And it’s possible that adequate supplementary measures are being applied in those cases.

AWS, for example, survived a legal challenge related to use of its service in France last year. In that case the website (Doctolib) had been hosted by AWS in the EU (with data centers in France and Germany). But as the EU entity (AWS Sarl) is a subsidiary of US-based AWS, which is subject to US law, the legal challenge concerned its extraterritorial effects — and the potential for US authorities to obtain data from an EU-based subsidiary via the US-based parent regardless of the data not leaving the EU.

The extraterritorial reach of US law creates an extra layer of compliance headaches for even those US cloud giants that do offer data localization via an EU subsidiary. (Or, to put it another way, data localization alone still may not be enough.)

In the Doctolib case, the French court ruled that the data was sufficiently protected owing to a series of applied supplementary measures — both legal and technical — and also based on their assessment of the specifics of the data transfers and procedures put in place.

Specifically, the data being processed by AWS was not considered by the court to be health data (which attracts a very high level of compliance requirements) as it was more limited in scope (related to booking vaccine appointments).

Additionally, the data retention had been limited to three months; data was encrypted and the key held by a trusted third party in the EU (not by AWS Sarl). And, furthermore, a contract between Doctolib and AWS Sarl included a clause setting out a specific procedure in the event of an access request by a foreign authority — including a guarantee that AWS Sarl would challenge any general access request from a public authority.

So, in other words, a full package of measures had been applied — and were, in the end, found to be sufficient by the French court.

Google’s Walker is therefore quite right when he writes that the CJEU’s July 2020 ruling “did not impose an inflexible standard”.

Compliance with EU-US data flows post-Schrems II has been demonstrated to be possible — and indeed available. Just not, per recent regulatory decisions, if you’re using Google Analytics…

Spinning for time

Despite what is clearly a major problem for Google in Europe, in his blog post, Walker seeks to spin the compliance issue as more an existential crisis for its customers (“publishers and small businesses”) — and even for the “open, global internet” as a whole — warning that the Austrian decision “may portend broader challenges” and suggesting “hundreds of billion euros” of damage could be done to Europe’s economy if lawmakers don’t figure out how to stop the regulatory banhammers from falling.

Yet given that other US services have found ways to comply with Schrems II that’s clearly plain wrong — as well as terrible hubris.

It is also hypocrisy. If Google was once synonymous with the open web, as a small, garage-based startup building a better search engine, the rapacious adtech giant — whose business is under investigation in both the EU and the US on multiple fronts, spanning antitrust, consumer protection and privacy charges, to name a few — that it’s turned into is a lot more walled garden than open web these days.

Instead of taking the necessary steps to adapt its business processes to respect EU law — by developing supplementary measures that are actually deemed sufficient by regulators — Google has reached down to rattle its sabre, pointing to its market power in a bid to scare legislators into aligning their pesky rules with how it mints money.

“Businesses in both Europe and the U.S. are looking to the European Commission and the U.S. Department of Commerce to quickly finalize a successor agreement to the Privacy Shield that will resolve these issues,” pens Walker, before trumpeting that: “The stakes are too high — and international trade between Europe and the U.S. too important to the livelihoods of millions of people — to fail at finding a prompt solution to this imminent problem.”

Google’s motivation in penning the blog post likely has more than half eye on cooling the nerves of shareholders who may be spooked by regulatory enforcements. Hence repeat suggestions that a fix is about to materialized with talk of governments “finaliz[ing]” a “revised agreement” that can be “a durable framework” (i.e. that won’t just get shot down again by the CJEU in a few years).

There is a very half-hearted and passing mention to US surveillance reform too, with Walker claiming: “We have long advocated for government transparency, lawful processes, and surveillance reform.”

But his loudest call is for a quick fix — with the Google president segueing instantly from the topic of surveillance reform to redouble his push for the quickest of fixes (“we urge quick action”), and further pressing: “At this juncture, we urge both governments to take a flexible and aligned approach to resolving this important issue.”

This is unfortunate phrasing since, technically speaking, the EU is not a “government”. But since Google’s grasp of the detail of EU data protection compliance has been found wanting we should not be surprised that it doesn’t really understand EU governance either.

TechCrunch contacted the European Commission with questions about the negotiations towards Google’s sought for quickie replacement data transfer deal.

A spokesperson for the EU’s executive cautioned that “some time” is needed given the “complexity” involved in trying to “strike a balance between privacy and national security”, as they put it — emphasizing that any replacement arrangement must be “fully compliant with the requirements set by the EU court”.

“Securing a new arrangement for safe transatlantic data flows is a priority for us and our U.S. partners,” they told us, adding that “negotiations have intensified in the past months, with discussions at technical and political level” — which they specified have included regular contacts between commissioner Reynders and his counterpart, US Secretary for commerce, Gina Raimondo (with the last one taking place in mid-December).

“Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic,” they also told us, adding: “These negotiations take some time, given also the complexity of the issues discussed and the need to strike a balance between privacy and national security.”

Asked about replacements that companies seeking legal certainly in the meanwhile can make use of, the spokesperson said only [emphasis ours]: “Until we find a sustainable solution with the US, other tools for international data transfers such as the Standard Contractual Clauses can still be used under certain conditions. That is one of the reasons why we adopted modernised Standard Contractual Clauses in June 2021.”


A hard rain is coming for UK’s crypto boom

The UK’s ad-fuelled boom in crypto trading looks to be headed for major speed restrictions: The country’s financial watchdog said it will beef up rules around marketing of crypto assets and could even put limits on who can invest, following government confirmation yesterday that it will extend the regulator’s remit to cover crypto.

In recent years, ads for crypto have been plastered over billboards across the UK capital — fuelling a boom in trading that has led to a few slaps from the advertising standards watchdog.

In December, the Advertising Standards Authority banned seven crypto ads for “irresponsibly taking advantage of consumers’ inexperience and for failing to illustrate the risk of the investment” — saying it hoped to produce new guidance on crypto advertising.

But the financial watchdog’s intervention looks set to put a more significant dampener on the UK crypto bubble.

In an announcement trailing the proposed changes, the Financial Conduct Authority (FCA) said it’s acting in response to concerns about the “ease and speed” that people can make high risk investments — in line with a Consumer Investment Strategy it published last year.

The plan for new crypto rules — which the FCA said will be confirmed by summer 2022 — include proposed restrictions on the marketing and uptake of cryptoassets.

“[T]he FCA plans to categorise qualifying cryptoassets as ‘Restricted Mass Market Investments’, meaning consumers would only be able to respond to cryptoasset financial promotions if they are classed as restricted, high net worth or sophisticated investors,” the regulator writes.

“Firms issuing such promotions would have to adhere to FCA rules, such as the requirement to be clear, fair and not misleading,” it adds.

The regulator is consulting on the proposals — with a deadline of March 23 for responses.

In a statement, Sarah Pritchard, the FCA’s executive director of markets, added: “Too many people are being led to invest in products they don’t understand and which are too risky for them. People need clear, fair information and proper risk warnings if they are to invest with confidence, which is the central aim of our consumer investments strategy.”

Yesterday the government confirmed it will legislate to bring the promotion of cryptoassets within the scope of financial promotions legislation to tackle misleading advertising — writing (or, well, warning) that: “This means the promotion of qualifying cryptoassets will be subject to FCA rules in line with the same high standards that other financial promotions such as stocks, shares, and insurance products are held to.”

In a statement, chancellor, Rishi Sunak, added: “Cryptoassets can provide exciting new opportunities, offering people new ways to transact and invest — but it’s important that consumers are not being sold products with misleading claims.

“We are ensuring consumers are protected, while also supporting innovation of the cryptoasset market.”

Cryptoasset consumer research, published by the FCA last summer, suggested that some 2.3 million Brits owned crypto (out of a UK population of ~52M) — which amounts to just under 4.5% of Brits holding crypto. In 2020 the FCA said that around 1.9M Brits held cryptoassets — suggesting there’s been a percentage increase of ~21% year over year, per the research.

Other estimates of the number of Brits holding crypto that have been bandied around by crypto press in recent months have touted even bigger figures (but, well, the crypto trading press is itself often located inside the hype bubble).

The marketing frenzy around crypto trading in the UK certainly appears to have fuelled rising awareness among the population, with the FCA finding that 78% of adults had heard of cryptocurrencies — up from 42% in 2019; and 73% in 2020.

However in another finding that likely sharpened its concern, the regulator found that despite rising awareness the level of understanding of cryptocurrencies was declining — suggesting “some crypto users may not fully understand what they’re buying”, as it (politely) puts it. Ya think?!

The FCA research also found fewer crypto users regard buying the assets as a gamble (38%, down from 47%); and more see them as an alternative or complement to mainstream investments, with half of crypto users saying they intend to invest more…

Ergo, it’s not difficult to see why the UK government and financial regulator have decided it’s past time to step in with regulatory limits to stop clueless Brits from throwing money at Ponzi-like schemes wrapped in shiny crypto marketing.

Other countries are taking similar steps.

Just this week, Singapore’s financial regulator announced its own clamp down on crypto marketing (via Nikkei Asia).

Some other countries are going even further — with planned cryptocurrency bans in China and India.

The free-for-all trading party isn’t over yet but regulators around the globe are slowly closing in on cryptoland’s gangsta paradise.


FTC challenges consolidation in tech with review of merger guidelines

It’s a sign of the times that on the very same morning, the FTC and Justice Department announced a thorough review of corporate merger policies with an eye to preventing anti-competitive acquisitions — and a megacorp announced a $69 billion deal that would further consolidate an industry already dominated by a handful of players.

That’s not to say that the Microsoft-Activision deal is necessarily anti-competitive, but they certainly will have their job cut out for them in proving that it isn’t. As a publisher, platform, hardware maker and service provider in gaming, Microsoft’s acquisition of Activision Blizzard puts several of the world’s most popular gaming franchises firmly in its stable — and potentially out of arch-rival Sony’s.

Maybe that’s just how competition works these days. But what this FTC review presupposes is… maybe it shouldn’t?

What exactly the new rules are to be isn’t yet set, the announcement drew very obvious dotted lines around the areas the agencies are hoping to rein in without actually naming names. In fact (as is frequently but not always the process in recasting rules) public comment is called for on all matters, so the areas of focus are ostensibly notional, though one assumes they have a draft ready now. (In fact I suspect FTC Chair Lina Khan had it in her briefcase when she was confirmed.)

The review would seek to revisit the conditions under which a merger or acquisition would be viewed with suspicion, such as whether it will “tend to create a monopoly,” a somewhat loose turn of phrase technically in the guidelines now but not very well defined.

Also under consideration would be the way markets themselves are defined, which is key to establishing anticompetitive practices. For instance, what market is Facebook in, legally speaking? Communications, “social media” (however we define that), advertising, or what? Unless that sort of thing is pinned down, companies can slip between the cracks, arguing one day that they’re an advertiser and the next that they’re a communications provider, usually whichever suits their needs for escaping regulation. (Broadband providers have been drawing out a similar advantageous vacillation for decades.)

The FTC will also be looking at updating guidelines on “potential and nascent competitors,” the kind frequently snapped up for tens of billions of dollars when it looks like they can’t be contained any longer.

Monopsony power and how it relates to labor markets is also being looked at, which is where one company (or more than one in collusion) dominates the market for buying a particular service. Say if Uber for some reason employs 90 percent of all personal transportation drivers in a state, what opportunities for leverage and abuse does that offer, and how can those be counteracted?

The most explicit call-out, however, is certainly the final bullet on the list of items

Unique characteristics of digital markets: The agencies seek information on how to account for key areas of the modern economy like digital markets in the guidelines, which often have characteristics like zero-price products, multi-sided markets, and data aggregation that the current guidelines do not address in detail.

What exactly is the effect of things like Amazon Prime, which despite being unquestionably convenient in many ways is part of a complex market and system of markets, and as such may prove problematic from a competition standpoint? Without the ability to even ask and answer such questions, Amazon will fall through the aforementioned cracks and its policies may be blindly accepted as beneficial upon superficial inquiry.

Asking the general public whether they think a company amounts to a monopsony, or whether their acquisition of a competitor amounts is questionable, seems on the face of it a little unaccountable. But the public comment period does two things.

First, it creates an opportunity for soliciting broad support from the public across the U.S., establishing the process as good politics. Some canny Representative may require a bit of convincing that their constituency cares about such things. Though as we saw with the net neutrality push, this is hardly sufficient to guarantee success.

Second, it allows for real input from interested parties — trade associations, activists, NGOs, and so on — who can put together serious comments that make substantive policy and research suggestions. Having a basket of non-partisan think tanks to sprinkle in as footnotes justifying various approaches is a bulwark against rules being considered “arbitrary or capricious” and being nullified or challenged.

A highly readable statement by Khan summarizes the situation well and gives important context to the idea of updating rules — it’s something we’ve been doing all along, and it’s long past time we do it again. It’s hard to put it better than she does, with the directness that made her Amazon’s Antitrust Paradox paper so compelling:

Major technological and economic changes, meanwhile, have led to shifts in how businesses compete and grow, creating new interconnections and dynamics across multiple dimensions.

Evidence suggests that decades of mergers have been a key driver of consolidation across industries, with this latest merger wave threatening to concentrate our markets further yet.

While the current merger boom has delivered massive fees for investment banks, evidence suggests that many Americans historically have lost out, with diminished opportunity, higher prices, lower wages, and lagging innovation. 7 A lack of competition also appears to have left segments of our economy more brittle, as consolidated supply and reduced investment in capacity can render us less resilient in the face of shocks.

Just as we must revise our theories and models to fit new facts and evidence, we must ensure our merger guidelines accurately reflect the realities of the modern economy. Matching our analysis to contemporary business strategy requires that our tools be dynamic and holistic rather than static and atomistic.

The comments are open now and will remain so for 60 days. Feel free to add your own.

After Dutch antitrust order, Apple starts letting local dating apps use alternative payment options

Another regulatory brick in the wall for Apple: The iPhone maker agreed this weekend to changes to its App Store in the Netherlands focused on dating apps, agreeing to allow local developers of dating apps to be able to offer non-Apple based payments (via Reuters).

In December, the Netherlands Authority for Consumers and Markets (ACM) found Apple in breach of national competition rules — ordering it to adjust what it described as “unreasonable conditions” in the App Store that apply to dating app providers.

Apple had been facing the threat of a financial penalty if it failed to make changes by the weekend.

The tech giant went to court to seek an injunction against the order last month, including seeking to prevent the regulator from publishing its decision and applying for a temporary suspension of the order.

However, in a December ruling, the court largely rejected Apple’s arguments — giving the company until January 15 to comply with the order to let dating app providers offer alternative payment options to their users.

“The case concerns the conditions Apple imposes on dating app providers if they want to sell digital content in their apps (such as ‘superlikes’ and ‘boosts’). Those conditions mean, among other things, that payments from consumers must be made to Apple as a so-called commission agent of the dating app providers using certain software (the IAP API) that Apple has built into its iOS operating system. The dating app providers may not use any other payment settlement method and may not refer to another payment method in their apps,” the Rotterdam Court wrote [translated from Dutch using machine translation] at the time.

“With regard to this part of the conditions, the preliminary relief judge follows the position of ACM that with these conditions Apple is abusing its dominant position in the market for app store services for dating app providers. Apple’s arguments that it would not have an economic dominant position and that the conditions are necessary are not successful.”

“The ruling means that Apple must allow dating app providers for their dating apps that they offer or want to offer in the Dutch Store Front of the App Store to choose which party they have to settle payments for digital content and services sold within the app, and that those dating app providers may refer to payment systems outside the app for in-app purchases,” the court added, giving Apple a six weeks grace before the financial penalty for continued non-compliance would apply.

In the event, Apple has chosen compliance — while it continues to fight to overturn the order in the courts.

In a statement late Friday, ahead of the court-amended deadline to comply, Apple informed developers of the change to how it operates its store in the Netherlands.

It also confirmed it is appealing the ACM ruling, laying out its case that the changes risk degrading the user experience and could create risks for user privacy and security — with Apple writing:

“Because we do not believe these orders are in our users’ best interests, we have appealed the ACM’s decision to a higher court. We’re concerned these changes could compromise the user experience, and create new threats to user privacy and data security. In the meantime, we are obligated to make the mandated changes which we’re launching today and we will provide further information shortly.”

In the statement Apple also takes great care to warn local developers that if they take up the option to include non-Apple payment options in their apps there will be a reduction in the services Apple can provide their users as a result — while also emphasizing that app makers can choose to continue to use its in-app payment system without the need for any changes to how they operate.

Here’s the relevant chunk of text:

“To comply with the ACM’s order, we’re introducing two optional new entitlements exclusively applicable to dating apps on the Netherlands App Store that provide additional payment processing options for users. Dating app developers who want to continue using Apple’s in-app purchase system may do so and no further action is needed. Before considering applying for one of these entitlements, it’s important to understand that some App Store features that you may use won’t be available to your customers, in part because we cannot validate the security and safety of payments that take place outside of the App Store’s private and secure payment system. Because Apple will not be directly aware of purchases made using alternative methods, Apple will not be able to assist users with refunds, purchase history, subscription management, and other issues encountered when purchasing digital goods and services through these alternative purchasing methods. You will be responsible for addressing such issues with customers.”

An Apple spokesman confirmed to TechCrunch that the restrictions on local dating apps that offer users non-Apple based payment methods for in-app purchases relate to refunds, subscription management and similar services — pointing to the portion of the statement where it underscores how app users will be on their own if purchasing digital goods from a developer that’s taking payment via non-Apple infrastructure.

In additional information to local dating app developers, Apple further emphasizes:

“It will be your responsibility to assist your users if questions or issues arise stemming from alternative payment options. Because Apple will not be directly aware of purchases made using alternative methods, Apple will not be able to assist users with refunds, payment history, subscription management, and other issues encountered when purchasing digital goods and services through these alternative purchasing methods. You will be responsible for addressing such issues with customers.”

Apple’s spokesman confirmed that developers who choose not use Apple’s In-App Purchase (IAP) technology can either link out or use a third-party payment method within the app — pointing to further information it has provided developers here.

It does not appear that local developers switching away from Apple’s IAP tech will be able to access entirely commission-free payments, however.

In information provided to developers, Apple also notes [emphasis ours]: “Consistent with the ACM’s order, dating apps that are granted an entitlement to link out or use a third-party in-app payment provider will pay Apple a commission on transactions.”

Apple’s spokesman declined to provide any additional details about this — such as whether the commission Apple will charge on any non-Apple/third party payments is lower than its standard IAP commission. But presumably it is.

On its website the company further notes that “more information on all aspects of the entitlements will be available shortly”.

Big Tech’s Big Antitrust Reckoning

While this regulator-enforced change only applies to iOS developers in the Netherlands — and only to dating apps — it offers a taster of additional App Store rule changes that could follow as European regulators continue to dial up their attention on how Apple operates the store after years of complaints over its “tax” on in-app payments.

A number of competition regulators in Asia have also targeted Apple over in-app payments — and, earlier this month in South Korea, Apple agreed to let local devs use third party payment options in their apps following a law banning payment mandates.

Meanwhile, over in the US, Apple has been appealing against an order following litigation by developers that it must allow devs to communicate with users about alternative payment methods available outside their iOS apps.

In Europe, the App Store remains under close antitrust scrutiny across the region — with open investigations by the European Commission (which issued a formal charge focused on the music streaming market last April) and the UK’s Competition and Markets Authority (CMA), to name two.

Germany’s Federal Cartel Office also begun its own Apple App Store probe this summer.

A major mobile market study — looking at Apple and Google’s duopoly control of the ecosystem — by the UK’s CMA is also ongoing. But in a preliminary finding in December the regulator gave a heavy hint that enforcement is coming — highlighting in-app payments as a concern, with the CMA suggesting that current approaches by Apple and Google could be contributing to higher prices for consumers and squeezing competition.

The UK is in the process of reforming digital competition law to create a new ex ante — and explicitly pro-competition — regime that will apply to the most powerful platforms, aka those judged to have so-called ‘strategic market status’.

Whether Apple meets the bar of that future law remains to be seen but the company is already in the CMA’s crosshairs — and enforcements could be on the horizon as a result of the investigation the regulator started last March to consider whether Apple imposes “unfair or anti-competitive terms on developers”.

Similar legislative reforms targeting Big Tech are in train in the EU — where lawmakers are busy hashing out the fine details of the Digital Markets Act.

The Commission proposed the regulation at the end of 2020, suggesting a fixed set of operational requirements on gatekeeping Internet giants — coupled with centralized enforcement to avoid regulatory capture and enforcement bottlenecks — which means the biggest tech companies are facing far tighter limits on how they can do business in the EU in the near future.

Germany’s FCO, meanwhile, already has ex ante powers to smack tech giants — with so-called paramount market significance in its case. And, earlier this month, Google was the first tech giant to get a taster of its more alacritous antitrust action, as the FCO confirmed it meets the legal threshold for special powers to kick in. Soon after, Google made an offer of operational commitments related to how it operates News Showcase, one of its products that remains under FCO probe.

The German regulator is, similarly, in the process of deciding if Apple’s business meets the operational bar for faster antitrust enforcement. So a pipeline of enforcements looks likely.

In a set of further competition-related enforcements, France has also been going after Google hard on the news front — hitting the company with a massive fine last summer. Its antitrust regulator has leveraged a pan-EU update to digital copyright law to extract local operational commitments soon after the update was transposed into national law.

Also recently, France’s antitrust watchdog has obtained a series of commitments from Google around adtech, following another bevvy of complaints.

As has the UK’s CMA — which is busy forcing Google to reshape its plans around Privacy Sandbox. In that case the tech giant has offered to make the commitments global if the UK regulator accepts them.

One thing is clear: Big Tech’s operational room for manoeuvre is shrinking fast as regulators around the world up their interventions and get smarter about joint working, digital market analysis and knowledge sharing.

The only silver lining for the biggest beasts of tech is perhaps that talk of breaking up platform empires has been dialled back in regions like Europe.

Tighter regulation appears to be the preference for Europe’s competition regulators — likely as it’s seen as a more realistic (and faster) route for reshapeing the local market impact of US Internet giants.

However, when it comes to major structural remedies that could see tech empires drastically reshaped, US giants now have plenty of problems on home turf.


Fintech and insurtech innovation in Brazil set to take off on regulatory tailwinds

Brazilian instant payment system Pix ended 2021 having powered more than 8 billion transactions, according to statistics from the country’s Central Bank. This is quite an impressive figure for an offering only launched in November 2020 and goes to show how ubiquitous Pix has become in the country.

You could describe Pix as “a government-built version of Venmo,” as João Pedro Thompson, founder of fintech Z1, told TechCrunch. However, the analogy doesn’t fully capture the fact that Pix appeals to many more than just digitally savvy teenagers repaying friends for coffee. Otherwise, it wouldn’t be used by six of 10 Brazilians.

In a country where many people are still unbanked and queuing to pay bills is part of daily life, the impact of being able to pay anyone instantly can’t be understated. In addition, Pix now supports more services, such as letting you withdraw cash from businesses.

It’s interesting that Pix is an institutional initiative, part of a wider range of public efforts to transform Brazil’s financial landscape. “The Central Bank has been doing a tremendous job and Pix is one of the most relevant structural changes,” Brazilian VC Bruno Yoshimura told TechCrunch when we wrote about Latin America’s fintech boom.

I’ve lived in Brazil, so this naturally piqued my interest. At the time, entrepreneurs were constantly complaining about bureaucracy, and their highest hope was that institutions would just stay out of the way. But now, VCs and founders are actually praising the Central Bank for its initiatives and the opportunities it has created.

“Both Open Banking and Pix will level the playfield for new challenges, and we expect to see a lot of innovation around them,” Yoshimura said, referring to another of the Central Bank’s projects.

It’s not just Pix, and it’s not only the Central Bank’s BC# agenda either. Brazil’s Superintendence of Private Insurance (Susep) is working on open insurance plans, which means that insurtech could be the next sector to benefit from regulatory tailwinds.

To understand what’s going on with regulations in Brazil, and how this is affecting startups, I reached out to experts with firsthand knowledge of Latin America’s fintech ecosystem.

On the VC side, I got in touch with Amy Cheetham, a partner at Costanoa Ventures, whose recent investments include Rio de Janeiro-based Plug; and Alma Mundi VenturesJavier Santiso for additional thoughts on insurtech. On the startup side, I spoke with CEOs Rodrigo Teijeiro from RecargaPay and Pedro Sônego de Oliveira from TruePay.

Opportunities abound

“The open banking initiatives adopted by Brazil’s Central Bank are absolutely tailwinds for fintech innovation,” Costanoa’s Amy Cheetham said. “As consumers regain control of their data, it creates space for new entrants to the banking ecosystem and creates more competition, giving consumers access to better, cheaper, fairer, and more secure financial products and services. This includes giving fintechs the power to build for previously [underserved] or unserved segments of the population,” she explained.

RecargaPay is one of the startups leveraging the new regulations to expand their B2C services. “Our mission at RecargaPay,” founder Teijeiro said, “is to democratize mobile payments and financial services in Brazil, so open banking and Pix are the perfect recipe to accelerate our mission.”

Teijeiro is particularly appreciative of Pix and its “incredible” trajectory. “What was accomplished in just one year was a tremendous disruption benefiting millions of Brazilians by making their payments easier, faster and cheaper. For this, the Brazilian Central Bank deserves to be recognized as the ‘fintech startup of the year,'” he said, describing Pix’s impact on cash going mobile as “a huge blessing for RecargaPay.”

Give users genuine control over ad targeting, MEPs urged

Over 30 civil society organizations, pro-privacy tech businesses and European startups are making a last ditch pitch to try to convince EU lawmakers to put stricter limits on surveillance advertising as a major vote looms on an update to the bloc’s digital rules.

The European Parliament will vote shortly to confirm its negotiating position on the Digital Services Act (DSA) — and the 30 signatories to the joint statement on “surveillance-based advertising” are urging MEPs to back amendments to the DSA to tighten the rules on how people’s data can be used for targeting ads.

In a nutshell they argue that inferred personal data (aka what a platform can learn/guess about you by snooping on your digital activity) should be out of bounds for ad targeting — and that advertisers should only be able to use information that has been consciously provided to them for targeting their marketing by the individuals in question.

An example of how that could work might be that a platform periodically asking a user to select a few categories of goods/interests for which they’re happy to receive marketing offers — such as, say, beauty products, hiking/outdoors gear, holidays, or culture/art.

They would then only be able to use such signals for ad targeting, making it contextual, rather than creepy.

This is not so very radical a suggestion.

Regulators in the region have in fact been warning that tracking based ads are on borrowed time for years, given systemic breaches of EU privacy laws. Though actual regulator enforcement against adtech has been harder to spot.

Most recently the outgoing UK data protection commissioner urged the industry to reform — and move away from the current paradigm of tracking and profiling — saying the future must be about providing Internet users with a genuine choice over how they are targeted with marketing messages.

The signatories to the statement calling for parliamentarians to get behind this kind of ad targeting reform argue it would have major benefits — preventing problems associated with the covert surveillance of web users which can lead to abusive ads that manipulate and exploit.

The theories of harm around microtargeted ads have been much discussed in recent years — with risks of behavioral targeting being linked to discrimination, exploitation of vulnerable people/groups, and democracy-denting election interference, to name a few.

Surveillance advertising’s problem is that it can’t be publicly accountability because it lacks genuine transparency.

Yet there are other ways to target ads that don’t require creepy snooping and behavioral profiling.

“We are convinced that targeted digital ads can be delivered effectively and with respect for users’ choice and privacy (i.e. without covert surveillance practices), provided that exclusively data specifically provided by users for that purpose is processed, in a transparent and accountable manner,” the signatories write.

The statement dubs the use of “inferred data, which reveals users’ vulnerabilities and, by definition, is collected or generated without their awareness and control” as “a particularly problematic practice in digital advertising”, arguing: “It is time to end this practice as it causes significant harm on an individual and societal level, as evidenced by extensive academic research and recent revelations including the Facebook Files and the whistleblower Frances Haugen’s testimony or Mozilla’s YouTube Regrets study.”

“It is in the best interest of companies engaging in digital advertising to respect users’ choice, autonomy, and expressed (not inferred) preferences,” they go on, pointing to survey results which found that 75% of social media users in France and Germany are not comfortable when their behavioural data is used to target them with advertising.

“While small and medium-sized businesses legitimately use online advertising to reach their clients, they do not need to rely on intrusive surveillance as a means to that end,” they further argue.

The statement suggests that the main beneficiaries of current adtech’s ‘surveillance free-for-all’ — and the pervasive, covert massive tracking of Internet users — are likely to be US tech giants.

While progressive European startups — which have been trying for years to scale alternative, privacy respecting approaches for ad targeting — are being competitively disadvantaged by the rights-violating data abuses of US giants.

“The only actors who benefit from exploitation of users’ vulnerabilities and cross-site tracking are US-based large online platforms, with an interest to preserve their dominant position in the digital advertising market,” the statement argues, calling for “regulatory incentives” so that “progressive” privacy-focused startups can scale their rights-respecting services and make them more accessible for small brands.

“Putting an end to the most invasive practices will strengthen small European brands and GDPR [General Data Protection Regulation] compliant digital services, as well as local media as it would promote fair competition in digital advertising and reinstate the power of quality.”

It’s an argument that should — in theory — play well with Europeans elected representatives in the parliament.

However in recent years US tech giants — led by Google and Facebook — have been pouring millions into lobbying efforts in Brussels in a bid to steer lawmakers away from policies that could damage their surveillance-based business models. So this is in no way a fair fight.

Key among the tech giant lobbying claims has been the suggestion that tougher rules on targeting will hit Europe’s small businesses. Indeed, Facebook (now Meta) has gone so far as to claim that banning surveillance ads would decimate the bloc’s economy.

But of course they would say that, wouldn’t they…


The 17 civil society organizations signing the joint statement are: the Panoptykon Foundation, Access Now, Alliance4Europe, Amnesty International, Article 19, Bits of Freedom, Civil Liberties Union for Europe (Liberties), Defend Democracy, Fair Vote, Global Witness, Irish Council for Civil Liberties, #jesuisla, The Norwegian Consumer Council, Ranking Digital Rights (RDR), The Signals Network, SumOfUs and Uplift.

While the 14 business representatives backing the call for a ban on use of inferred data for ad targeting are:

Disconnect, Casey Oppenheim, co-founder and CEO
DuckDuckGo, Gabriel Weinberg, CEO and Founder
Ecosia, Christian Kroll, CEO
Fastmail, Bron Gondwana, CEO and Nicola Nye, chief of staff
Kobler, Erik Bugge, CEO
Mailfence, Patrick De Schutter, co-Founder and MD
Mojeek, Colin Hayhurst, CEO
Opt Out Advertising, Tom van Bentheim, CEO
Piwik PRO, Maciej Zawadzinski, CEO
Quodari, Paul Pennarts, CEO
Startmail, Robert Beens, CEO
Startpage, Robert Beens, CEO
Strossle, Ha kon Tillier, CEO
Tutanota, Matthias Pfau, CEO

An earlier push by a number of MEPs towards the end of last year to get an outright ban on surveillance-based ad targeting included in the DSA did not prevail.

Although a parliamentary committee did back tightening restrictions on tracking-based advertising in another draft package of EU legislation that will apply to the most powerful Internet gatekeepers (so plenty of US giants), aka the Digital Markets Act (DMA) — by beefing up consent requirements for ad targeting and adding a complete prohibition on behavioral targeting of minors.

But the 31 signatories to today’s statement argue that the IMCO tweaks do not go far enough against the data industrial surveillance complex, writing: “We urge Members of the European Parliament to support plenary amendments to Article 24 of the DSA which go beyond the existing IMCO compromise and rule out surveillance practices in digital advertising — such as the use of inferred data — while supporting users’ genuine choice.”

Karolina Iwańska, a lawyer and policy analyst for the Panoptykon Foundation, also told us: “Unfortunately the compromise around ads in the IMCO committee is very weak and largely maintaining status quo” — adding that: “Big tech’s ‘SME’ lobbying was very successful.”

“We believe that a true compromise between a full ban on the use of personal data (unrealistic at this point) and status quo (everything allowed if consent is collected) is possible — but has sadly been ignored in the parliament,” she added, saying the anti-surveillance campaigners are now hoping to convince MEPs to back reform of personalized ads by limiting targeting to expressed preferences — which they believe will give Internet users “genuine control”.

The effort will need to work fast if it’s to achieve its aim.

Per Iwańska, the campaigners have drafted an amendment — but have yet to get backing from MEPs to submit it so that the parliament as a whole would be able to vote on it at the plenary. Clearly it’ll be crunch time for this push over the next few days.

Under the EU’s co-legislative process the Commission proposes legislation and that’s then followed by a process of wider negotiations between Member States and the European Parliament on the policy detail — with the chance for upcoming EU rules to be reworked and reshaped before they’re finally adopted.

Both the DSA and the DMA were proposed at the end of 2020 by the European Commission, with the DSA aimed at updating the bloc’s ecommerce rules and dialling up accountability on digital businesses by widening requirements to define areas of additional responsibility around content.

While the DMA targets the competition- and consumer-crushing market power of Internet giants, with a set of ex ante rules aimed at preventing abusive practices.

Trilogue negotiations on the DSA are due to start soon — once the parliament confirms its position in next week’s plenary vote. And — ultimately — there will need to be another plenary vote in the parliament on the final text. So campaigners against surveillance advertising may have other points in the process to try to push strategic amendments.

One thing is clear: The lobbying will continue throughout this year.

Any restrictions on ad targeting in the EU will still also have to wait for the legislation to be adopted and come into force — with EU lawmakers set to apply a grace period for digital businesses to come into compliance. So any rule changes won’t bite for many months more at least.

While the DMA — which appears to be moving pretty speedily through the co-legislative process — could get up and running relatively quickly, perhaps in 2023, the DSA looks likely to take longer before it comes into force; perhaps not until 2024.

In the meanwhile, the tracking and targeting continues…

Opportunity not fear: Reframing cybersecurity to build a safer net for all

The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.

Throughout 2021, global news seemed to ricochet between the rapid spread of new iterations of COVID-19 and cyber criminality — both becoming increasingly creative and disruptive as they mutate in a battle for survival; both interlinked as cybercriminals profit from rapid digitalization forced by COVID-19 lockdowns. In a recent interview, a prominent cybersecurity executive pointed out that alongside birth, death and taxes, the only other guarantee in our current lives is the exponential growth of digital threats.

Yet misperceptions over cybersecurity — particularly that it is complex, costly, onerous and even futile — has led many emerging economies to leave cybersecurity behind as they seek to join the Fourth Industrial Revolution. But without mature cybersecurity policies, states might find themselves unable to fully realize the potential of their digital economies.

Reframing cybersecurity as a path to opportunity and competitive advantage in the development of innovation ecosystems could be the key to increasing individual states’ cyber resilience, as well as strengthening the global digital ecosystem for all.

Innovation or security?

As 10 billion devices are set to join the Internet of Things (IoT) by 2025, emerging digital economies are vying to be at the center of this revolution. In 2020, about $2.4 billion worth of investment was deployed in African startups and Africa’s e-commerce sales are projected to reach $75 billion by 2025. It is home to half of the 40 fastest-growing emerging and developing countries and is currently the most entrepreneurial continent. This trend will only accelerate as initiatives to close the digital divide by 2030 connect the remaining 78% of the population to the internet.
Read more from the TechCrunch Global Affairs Project

But as internet access expands, so too, will global cybercrime. Experts estimate that cybercrime will cost the world economy $10.5 trillion annually by 2025. While digitally advanced nations have responded by bolstering their cyber defenses, Africa’s innovation ecosystem remains one of the most under-protected globally.

Only 10 out of 55 African countries have ratified the African Union Convention on Data Protection and Cybersecurity (the Malabo Convention) and Africa continues to be the lowest-scoring continent on the International Telecommunication Union’s (ITU) Global Cybersecurity Index. Despite ITU and World Bank initiatives, only 29 countries in Africa have any type of cybersecurity legislation and only 19 have cyber incident and emergency response teams. This leaves African economies exposed and African leaders outside of the bodies shaping global cybersecurity policy.

When viewed globally, this rapid investment in innovation systems without concurrent investment in security creates a digital maturity-security paradox, in which attackers can exploit the gap between these two levels of maturity. In turn, those entities within the states and the states themselves are left doubly exposed and vulnerable as they become low-hanging fruit susceptible to opportunistic and malicious cyber criminals.

Image Credits: Garson

In a dynamic reminiscent of vaccine geopolitics, this runs the risk of leaving states with fledgling and fragile innovation systems exposed.

Cybersecurity fight or flight?

It would be logical to assume that the increase of cyber incidents — and the sticker shock costs associated with them — should lead to increased cybersecurity. Yet, counterintuitively, the narratives of cybersecurity that spur action in the West either lead to policy paralysis or restrictive knee jerk reactions.

As game theorist and Nobel laureate Thomas C. Schelling noted “there is a tendency in our planning to confuse the unfamiliar with the improbable … what is improbable need not be considered seriously.” Many digitally developing states consider themselves outside of the great power politics that underpin malicious cyber activity. It seems improbable to them that they would be victims to the magnitude of action witnessed in Russian-U.S. cyberspace confrontations, the China-U.S. race for digital supremacy, or the Iran-Israel digital war of attrition. Protecting from such cyberattacks is low on the list of policy imperatives.

Digitally advanced nations have responded to the rapid proliferation of cyber threats with cybersecurity mechanisms such as new legislation with draconian punishments for failure to report cyber incidents and ransomware payments and coordinated international initiatives to paralyze ransomware gangs such as REvil. At the other end of the spectrum, digitally developing states are often ill-incentivized and ill-equipped to unravel the perceived complexity of cybersecurity measures required to address these threats.

This is compounded by a wariness of Western cybersecurity paradigms, which many see as a form of potential technological neo-colonialism. Demands for regulatory compliance, adoption of norms and purchase of Western cybersecurity technologies are often perceived as stifling these nations’ opportunities for growth. And, attempts at trying to shame states into cybersecurity compliance can be perceived as an attack on their sovereignty, which could backfire and drive states to seek alternative paradigms such as internet shutdowns that may ultimately threaten their access to the benefits of the free, open and interoperable internet.

More frequently, though, leaders often react to overwhelming threats with paralysis — and fail to act at all.

It is the CISO’s mantra that cybersecurity is a team sport. In the global context, this means ensuring that developing digital economies want to be part of the team. To achieve this cybersecurity needs a radical makeover.

Radically reframing cybersecurity

Cybersecurity advocates can start by reframing cybersecurity as an opportunity to build a vibrant and resilient innovation ecosystem rather than a burden or a restraint. New narratives that emphasize the attractiveness and value of cybersecurity are needed to counteract perceptions of unreasonable standards that stifle innovation.

For instance surveys show that cybersecurity and data privacy is a major source of competitiveness for retailers, outranking even price sensitivity. Meanwhile, recent U.S. and British initiatives, like the new State Department Cyber Bureau and the U.K.’s National Cyber Strategy 2022 have highlighted strong cyber ecosystems as strategic advantages.

Governments of mature digital economies, multilateral institutions and cybertech providers should emphasize that those states able to protect themselves will be the most sought-after partners in the digital revolution. They will also be those able to shape global conversations on cybersecurity.

The value of safer net for all

A vibrant and competitive digital economy that leads to prosperity for all requires open and interoperable networks that are trusted, safe and secure. States that are able to leverage best practices to secure their innovation ecosystems will lead the way in disruptive development. But to induce states, SMEs and individuals to take cybersecurity seriously requires a shift from advocating policy built from fear toward policy built on an optimistic rationale for cybersecurity. 

Changing the narrative also requires digitally mature states to provide sustained support to those more vulnerable. This is more than digitally developing states being just a market for cybertech exports and cybersecurity strategy blueprints, but a commitment to helping develop the infrastructure that unleashes the benefits of cybersecurity locally and globally. Through a radical reframing of cybersecurity as an opportunity, states and societies can work together to ensure that innovation systems built on safe digital inclusion can create a safer net for all and the potential of the internet as a force for good will be realized.

Read more from the TechCrunch Global Affairs Project

Securing the global digital economy beyond the China challenge

The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.

The push by countries at all levels of development to modernize their information and communications networks has created unprecedented demand for technological infrastructure. Governments and industry are investing billions of dollars to expand digital connectivity worldwide. New deployments of 4G, 5G, satellites and fiber-optic cables could create huge opportunities for host nations but pose significant risks if networks are built without adequate safeguards. The U.S. has a role to play in securing the future of the internet and the global digital economy but will need to move beyond confrontation with China to succeed.

China’s network effects

Digital access is the foundation for digital services, like fintech and e-commerce, that connect communities to trade and financial resources. As startups in Latin America and Sub-Saharan Africa draw billions in investment, their services require a strong and wide-reaching information communications technology (ICT) backbone to flourish.

​​China, through its Digital Silk Road, Belt and Road Space Information Corridor and other state-led initiatives, has become a leading purveyor of ICT infrastructure virtually everywhere, especially by financing projects in less affluent nations. But these investments come with a price: cybersecurity and manipulation risks due to the influence of China’s government on its vendors.
Read more from the TechCrunch Global Affairs Project

Due to legal obligations to the Chinese state — including sharing customer data at its request — China’s tech firms cannot guarantee that they will put their clients first. Many firms also host internal Party organizations that influence decision-making. The Communist Party of China (CPC) is not omnipotent — some companies have slow-rolled compliance with information requests — but the CPC’s ongoing crackdown on tech companies is diminishing their ability to circumvent directives.

But because network modernization is an economic imperative and Chinese firms often offer lower prices than their global competitors, many countries choose to source their technology despite these political and security hazards.

While the risks posed by companies such as Huawei are not evidence of collaboration with China’s government, these legal and institutional pressures, combined with engineers’ track record of spying for other national governments, such as in Uganda and Zambia, suggest that even China’s most powerful ICT companies can be susceptible to co-option. As the digital economy grows and diversifies, more kinds of data, from personal communications to financial, business, health and other sensitive information will become vulnerable to a “data trap.”

While state intervention is not guaranteed, the CPC’s approach to foreign affairs heightens that likelihood. Beijing wants international audiences to accommodate its priorities and activities and pursues “information dominance” with that purpose in mind. Data is important for understanding the information environment and shaping perceptions of the CPC, so access to and influence over ICT infrastructure — the vehicle for modern communications — makes the companies that provide it pivotal to Chinese foreign policy.

Information dominance also means preference for CPC-friendly content and platforms, which hinders opportunities for local populations. For example, StarTimes, a Beijing-based media company that upgraded and operates television networks in 30 African countries, received hundreds of millions of dollars from China’s EXIM Bank to enter African markets. It offers state-run media channels in its cheapest subscriptions or even for free which “tell the China story well” to local audiences, at the cost of excluding bandwidth dedicated to local perspectives or media free from CPC propaganda.

America’s response: Still loading

In response to the spread of China’s network projects, U.S. policymakers have begun to tackle vendor security assessments and expand government mechanisms to finance ICT. Buried under the Trump administration’s “us or China” rhetoric, the State Department’s Clean Network initiative included country-agnostic criteria for assessing vendor-based cyber risks and support for the multilateral Prague Proposals, which underscored non-technical aspects of 5G security. The administration also retooled the U.S. International Development Finance Corporation (DFC) to better support digital modernization and network construction. In an early victory for DFC, Ethiopia selected a Vodafone-led group in lieu of a bid linked to China’s Silk Road Fund, despite long-standing relationships with Huawei and ZTE to supply telecommunications.

These developments highlight the U.S. commitment to generating alternatives, in collaboration with other countries. But these measures alone may be insufficient to address the scale of China’s approach. In addition to vast government investments into overseas projects, China has subsidized its tech giants to such an extent that Huawei once proposed a 5G project at “a price that wouldn’t even cover the cost of parts.”

The United States, while motivated to offset China’s influence, should not look to outspend it or mimic its approach. Instead, U.S. leadership should mobilize a variety of sustainable investments, find technology solutions to make tech adoption cheaper and pitch neutral infrastructure that will offer equitable opportunities for local economies.

The White House should spearhead creation of a multilateral digital development bank to make more resources available to states looking to modernize their networks. Doing so would also add heft to commitments the Biden administration has made under the G7’s Build Back Better World initiative.

In coordination with Congress, the Biden administration should also back efforts to lower the cost of equipment itself to sustainably compete with China’s low-priced kit. One solution is interoperability in technology standards; Open RAN for 5G networks is one example of how this approach has already proven less expensive than traditional network architecture.

Another avenue to lower costs is to invest in research and development for network technologies that can replace the most expensive legacy components. For example, fiber-optic cables are expensive to deploy on land; workarounds may include wireless optic solutions or integration of satellite mesh networks with terrestrial systems.

Finally, the White House should explore ways to integrate net neutrality principles into network financing projects run by agencies such as DFC. Net neutrality could offer economic benefits to host nations by keeping the digital playing field open for local media and innovation. Neutral networks would set the foundation for a third way forward from what has been criticized as digital colonization by China’s government and similar criticisms of the U.S. private sector.

A digital network is ultimately a means to an end: infrastructure for interpersonal communications, content, services, industry and innovation. While few countries, at least for now, supply ICT infrastructure to the majority of the world, that majority should have full access to the opportunities it can offer. A revised route to digital modernization, premised on open participation, can not only offset the local costs of China’s cyber and influence power, but pave the way for an equitable internet for all.

Read more from the TechCrunch Global Affairs Project

Europe’s antitrust policy shouldn’t ignore China 

The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.

Europe has a well-earned reputation for regulating Big Tech, taking the lead on privacy, data protection and especially competition. Now, new antitrust legislation that introduces criteria to identify large online “gatekeepers” is winding its way through the European Parliament. But while the Digital Markets Act is expected to target a number of U.S. tech companies, if used strategically the DMA — and European antitrust and competition policy writ large — can also be a tool to compete with China.

In the past few years, Europe has slowly awakened to China’s challenge to transatlantic technology leadership. Although many Europeans are slowly converging on Washington’s threat perceptions, Europe still lacks the tools and political will to address challenges emanating from Beijing’s juggernauts.

While transatlantic policy responses to China should be aligned, they need not be the same. The United States and Europe should leverage their respective strengths and toolboxes to combat China’s market distorting practices in the technology sphere. And Europe should bring its comparative advantage — developing and enforcing competition policy — to bear to compete with China, beginning with the DMA.
Read more from the TechCrunch Global Affairs Project

Beijing’s tech giants are competing for size and control of the global technology ecosystem — a dynamic the transatlantic partners cannot afford to ignore. The Chinese Communist Party (CCP) has set the goal of market domination for their largest technology companies. To achieve this goal, the CCP is engaged in anti-competitive behavior to improve their companies’ market positions. In addition to state subsidies, the CCP often provides sweetheart deals to companies to improve their market standing.

The 5G case study illustrates this dynamic. The Chinese government provided 5G champion Huawei with $75 billion of state support through tax breaks, discounted resources and financing assistance. Meanwhile, China’s domestic market enables state-backed champions — including Huawei — to leverage very little competition and high market share within China to offer services for a fraction of the price in third countries. When faced with this reality, Europe’s leading producers of 5G technology, Nokia and Ericsson, previously struggled to compete with Huawei in their home market. Beijing’s domestic economic policy thus has global consequences.

In the past year, European countries have formed investment screening mechanisms to combat Beijing’s growing footprint in Europe. Yet, they still have work to do. Of the 27 member states, only 18 have established investment screening mechanisms, though an additional six are in development. There are also reasons to question the mechanism’s efficacy. The European Commission only blocked eight of the 265 projects they examined. Only 8% of the examined projects were Chinese projects. And they don’t explicitly tackle anti-competitive behavior.

That’s beginning to change. In May 2021, the European Commission proposed a regulation on foreign subsidies distorting the internal market, which introduces tools to investigate and potentially halt financial contributions by a non-EU government involving foreign subsidies. But while Europe’s nascent efforts are encouraging, they are not enough to address Chinese companies’ market positions and the Chinese government’s distortive policies.

Nonetheless, Europe is well positioned to leverage its regulatory momentum. Given China’s multifaceted playbook, Europe should think beyond subsidies. To effectively compete with China’s tech giants and address the unfair market position of Chinese companies, Europe must use antitrust regulations to target Chinese companies engaging in anti-competitive behavior, including by calibrating the Digital Markets Act (DMA). Pairing investment screenings with antitrust policy would give Brussels ample tools to address Beijing’s anti-competitive behavior.

Combating China’s anti-competitive behavior through antitrust policy is a logical extension of Europe’s toolkit. While the United States traditionally views antitrust policy through the lens of consumer welfare, Europe often views antitrust policy through the lens of market competition. Furthermore, Europe is often loath to view Chinese companies through a national security or anti-China frame. While investment screenings mechanisms focus on national security, antitrust and competition policy is pursued to ensure market competition in Europe. This framing makes addressing Beijing’s anti-competitive practices through antitrust policy a natural fit for Europe. In fact, last week, members of the European Parliament argued that the DMA should be extended to China’s Alibaba. 

Such a move would also correct for perceived anti-American bias when it comes to antitrust enforcement. Commission officials maintain that Chinese companies do not do enough business in Europe to be subject to DMA. But that approach means that American firms are targeted by European regulators almost exclusively. Yet when viewed through a geopolitical lens, China’s technology national champions pose a greater threat than U.S. technology companies to Europe’s innovation ecosystem. This continues to be a point of contention in Washington and threatens to weaken the transatlantic relationship.

While Europe often bristles at the United States’ anti-China framing of technology issues, moving forward with a pro-democracy affirmative agenda — Europe’s preferred framing of the challenge — requires the United States and Europe to bolster their respective innovation ecosystems. Exclusively targeting U.S. companies in the Digital Markets Act threatens to hobble potential transatlantic cooperation and hinder an affirmative transatlantic agenda.

While the Digital Markets Act is not wrong to keep U.S. tech companies accountable, it is an opportunity for Europe to use antitrust and competition policy to recalibrate an approach to the China challenge that fits European perceptions and strengths. Europe shouldn’t miss this opportunity to address China’s market distorting behavior and to add another tool to its toolbox to push back on China’s anti-competitive behavior.
Read more from the TechCrunch Global Affairs Project

The US government needs a commercialization strategy for quantum

The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.

Quantum computers, sensors and communications networks have the potential to bring about enormous societal and market opportunities — along with an equal amount of disruption. Unfortunately for most of us it takes a Ph.D. in physics to truly understand how quantum technologies work, and luminaries in the field of physics will be the first to admit that even their understanding of quantum mechanics remains incomplete.

Fortunately you don’t need an advanced degree in physics to grasp the magnitude of potential change: computers that can help us design new materials that fight the climate crisis, more accurate sensors without a reliance on GPS that enable truly autonomous vehicles and more secure communications networks are just a few of the many technologies that may emerge from quantum technology.
Read more from the TechCrunch Global Affairs Project

The challenge of the quantum industry isn’t ambition; it’s scale. Physicists know how to design useful quantum devices. The challenge is building larger devices that scale along with innovative business models. The confluence of talented physicists, engineers and business leaders tackling the problem is reason for much confidence. More private investors are placing bets on the technology. They can’t afford not to — we may look back on the commercialization of quantum and compare it to the steam engine, electricity, and the internet — all of which represented fundamental platform shifts in how society tackled problems and created value.

More difficult than quantum physics, however, is getting the U.S. government’s regulatory and funding strategy right toward the technology. Aligning various government entities to push forward an industry while navigating landmines of regulation, Byzantine government contracting processes and the geopolitical realities of both the threats and disruptions that quantum technology portends will be a challenge much greater than building a million-qubit quantum computer.

While this claim may be slight hyperbole, I’ve now worked in both worlds and seen it up close and personal. As a former CIA case officer, even at the “tip of the spear,” I’ve seen how slowly the government moves if left to its own devices. However, I’ve also seen the value it can bring if the right influencers in the right positions decide to make hard decisions.

The government can help pave the pathway for commercialization or cut the industry off at its knees before it has a chance to run. The U.S. government needs a quantum commercialization strategy in addition to its quantum R&D strategy. We need to get out of the lab and into the world. To push the industry forward, the government should:

  1. Push more funding to the Defense Advanced Research Projects Agency (DARPA). We can thank DARPA for the internet and GPS. I imagine we will one day thank DARPA, and some parts of the Department of Energy, for quantum. With increased funding, DARPA should consider allocating larger amounts per company focused on longer-term research in quantum error correction and quantum navigation.
  2. Ask the National Science Foundation (NSF) to buy 20 different universities different types of quantum computers for use by researchers and students. The NSF should provide grants to physics departments at historically Black colleges and universities (HBCUs) and at economically disadvantaged schools in the Established Program to Stimulate Competitive Research (EPSCoR) program to increase diversity in the quantum technology industry.
  3. Create a large, well-funded program within the Department of Defense for quantum sensors that goes beyond small-scale research. For example, the Pentagon could fund a $200 million dollar program to field a quantum positioning system (QPS) that is rugged, compact, more accurate and more secure than current GPS systems.
    Like ambitious defense programs for new fighter jets and nuclear modernization, deep tech companies cannot cross the “valley of death” on one $800,000 contract at a time. They need significant long-term commitments, especially in such a hardware-intensive field like quantum technology. Otherwise, we’ll condemn physicists and engineers to spending their time writing proposals to compete for future projects in order to keep the lights on.
    The government should also provide exponentially more funding to the Pentagon’s National Security Innovation Capital (NSIC) program. NSIC’s role is to help hardware-focused companies cross the valley of death with non-dilutive investments. If the government is really serious about this, then these investments need to be at the level of at least $5 million and above.
    The money going into this hardware commercialization will inevitably lead to devices used by the average person and other discoveries. The same quantum positioning systems that power submarine navigation can also power commercial autonomous vehicles and sensors for smart and more environmentally-friendly cities. Smartphones, the internet and MRI machines are examples of unintended discoveries. The U.S. taxpayer will recoup their money in long-term value creation even when some companies inevitably fail or miss their intended targets.
  4. Despite the government’s important role, it needs to know where to stay out of the way. The government shouldn’t create additional regulation through export controls until U.S. companies have built a globally dominant quantum capability. I understand the national security threats we face in emerging technologies and the U.S. government’s desire to stop rampant IP theft, anti-competitive practices and the use of these technologies for authoritarian ends and power projection purposes. But a key element to our national and economic security has been our openness. Regulation at this early stage will only stymie our ability to build global quantum companies and be a greater threat.

The U.S. government must inject more money more quickly into the commercial sector for these emerging technologies. This new technological era demands that we compete at a pace and scale that the government budgeting process currently is not built to handle. Smaller companies can move fast and we are in an era where speed, not efficiency, matters most in the beginning because we have to scale up before our geopolitical competition, which is directly pouring tens of billions of dollars into the sector.

When I was at the CIA, I often heard the words “Acta non verba” or “deeds not words.” In this case, the deeds are putting money on the table in the right ways, as well as not regulating the industry too early. Not everyone in senior U.S. government positions has to believe in quantum’s potential. I wouldn’t blame them if they have some doubts — this is truly beyond rocket science. But the smart move is to hedge. The U.S. government should make such a bet by pushing a commercialization strategy now. At the least it shouldn’t stand in the way of it.

Read more from the TechCrunch Global Affairs Project