Connect with us


Facebook’s internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb



Facebook’s internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb

In its latest (and last) pre-Christmas document reveal, European privacy advocacy group, noyb, has published details of an 86-page internal assessment by Facebook of its (continued) transfers of European’s personal data to the US — and the resulting conclusion can be best summed up as ‘The Emperor, Mark Zuckerberg, Has No Clothes’.

The convoluted back story here is that Facebook’s transfers of EU users’ data to the US remain ongoing — in spite of two rulings by the bloc’s top court finding the US is a risky jurisdiction for such data (aka Schrems I and Schrems II); and a preliminary order by Facebook’s lead EU DPA, over a year ago, saying it must suspend EU-US transfers in the wake of the aforementioned Schrems II ruling.

And if that wasn’t enough, it’s also almost a year since Facebook’s lead EU DPA, the Irish Data Protection Commission (DPC), settled a legal challenge from noyb — agreeing last January to “swiftly” finalize the complaint in question.

Yet there’s still no final decision from Ireland on the legality of Facebook’s EU-US data transfers — some 8.5 years after the complaint was first filed by noyb founder and chair, Max Schrems. (noyb didn’t even exist when he filed this complaint!)

Asked whether a decision on Facebook’s data transfers will — at long, long last — be issued this year, the DPC’s deputy commissioner, Graham Doyle, told us the inquiry is “fairly well progressed at this stage” but he admitted it will not be finalized in the next few weeks.

Asked if a decision will be issued in January, Doyle ducked specifying a timeframe — saying that the DPC is unsure “exactly when” the decision will be made.

So perhaps 2022 will — finally — be the year of reckoning for Facebook.

But, if not, 2022 may well be a year of substantial reckoning for the Irish DPC which is now facing intense scrutiny over the sedate pace and convoluted form of its enforcements in major cases against tech giants like Facebook.

The European Commission warned earlier this month that unless “effective” enforcement arrives soon it will step in and move the bloc toward a system of centralized oversight.

So the message from EU lawmakers to DPAs such as Ireland (and, really, especially to Ireland) is simple: Use your enforcement powers soon — or you’ll lose them.

Returning to Facebook, if an EU data transfer suspension order does ever actually get enforced, the tech giant faces having to make drastic changes to its infrastructure and/or its business model.

Or it could even shut down service in Europe — a possibility Facebook has floated in an earlier legal submission — although its chief spin doctor, Nick Clegg, quickly denied it would ever actually do that.

Facebook and Clegg have preferred to resort to economic scare tactics to lobby the bloc’s lawmakers against enforcing the rule of law against the national-state-sized data-mining empire — suggesting that any suspension order against Facebook’s data flows would wreak economic damage against European SMEs that use its ad tools to target consumers.

It’s a classic big tech tactic to lobby against tighter regulation of its own market power by claiming that limits on its operations will be far more damaging for the smaller businesses that rely on powerful platforms to reach potential buyers.

The adtech industry also likes to imply that you can either have privacy or competition, not both.

However, on that front, regional competition authorities are becoming increasingly sophisticated in their assessment of adtech platform power — including understanding how data abuse by tech giants can itself be a lever to lock in market power. (See, for example Germany’s Federal Cartel Office’s antitrust case against Facebook’s consentless ‘superprofiling of users.)

So how much runway such self-serving framing has left, as the bloc hastens to pass ex ante rules to boss tech giants, is up for debate.

Facebook has managed to use the courts to defer a final countdown on its data transfers issues for years. But its business model is now under attack on multiple fronts — with the European Parliament, for example, pushing for tighter restrictions on behavioral ads and an outright ban on dark patterns in the Digital Markets Act.

In recent weeks, noyb has also been shining more disinfecting sunlight onto the EU’s enforcement failures — where Facebook is concerned — by protesting at being removed from an ongoing procedure against it by the Irish DPC, after the regulator tried to get it to sign a gag order in exchange for remaining a party to the proceeding.

The DPC has been accused of acting in Facebook’s interests in trying to keep procedural documents confidential without a valid legal basis for ordering third parties not to publish information related to ongoing procedures.

(And other pre-Christmas document-reveals by noyb have made especially awkward reading for the DPC — which can be seen apparently trying to insert a notorious Facebook GDPR consent bypass tactic into European Data Protection Board (EDPB) guidance — by arguing for allowing T&Cs to be laundered via contract clause — and getting roundly slapped back by other EU DPAs.)

Last month, the not-for-profit also took the further step of filing a complaint of criminal corruption against the DPC — in another sign of how frustrated European privacy campaigners have gotten at inaction against rights-trampling tech giants.

As noted above, despite a complaint that dates back to the Snowden disclosures, two landmark CJEU rulings and countless court challenges, Facebook continues to pass Europeans’ data to the US — as if the rule of law can’t touch it.

Yet, back in May, the company lost in the Irish High Court after trying (and failing) to challenge the DPC’s procedure; including by arguing the DPC was being too hasty and did not properly investigate before it sent the preliminary suspension order. (NB: The original complaint dates back to June 2013 so it’s fast approaching a decade old at this point.)

Details of Facebook’s Transfer Impact Assessment (TIA) revealed by noyb yesterday are long on claimed justifications for Facebook to ignore the CJEU — and short on substantive arguments to stand up Facebook’s claim that it’s totally not a problem for it to continue to take European’s data to the US for processing despite the CJEU ruling that there are huge legal implications if you do that.

The CJEU has — not once — but twice struck down flagship transfer agreements between the EU and the US on the grounds that US surveillance law is in fatal conflict with European privacy rights.

And while, back in July 2020, the court did allow the possibility that data can be legally moved out of the EU to third countries, it made it clear that DPAs must step in and suspend data flows where they suspect people’s information is going somewhere where it’s at risk.

Given the court simultaneously struck down the EU-US Privacy Shield, the US was clearly identified as a problem third country.

Add to that, Facebook has the additional problem of its data processing being subject to US surveillance law (via NSA programs like PRISM). So there’s no easy fix for Facebook’s EU data transfers, as we’ve said before.

However having a friendly regulator that doesn’t rush to do anything about really obvious problems is sure to help, though…

In a statement accompanying its publication of details of Facebook’s TIA, Schrems said: “Facebook has been ignoring EU law for 8.5 years now. The newly released documents show that they simply take the view that the Court of Justice is wrong — and Facebook is right. It is an unbelievable ignorance of the rule of law, supported by the lack of enforcement action by the Irish DPC. No wonder that Facebook wants to keep this document confidential. However, it also shows that Facebook has no serious legal defence when continuing to ship European’s data to the US.”

noyb details the contents of the TIA via a number of videos — including several where Schrems summarizes the contents of the document in detail. (In some locations in Europe it also provides data from the TIA itself but notes that it is withholding this content from the UK and Ireland on account of the legal risk of Facebook and/or the DPC bringing baseless SLAPP suits against it to try to exhaust its limited resources.)

Per its analysis, one of Facebook’s tactics to try to deny/evade legal reality is to seize on newer developments, such as the Commission’s updated Standard Contractual Clauses (SCCs) or the adequacy decision recently granted to the UK (despite that country’s own surveillance practices) — to claim as new evidence that the earlier CJEU ruling no longer applies.

That means Facebook has variously sought to argue that the DPC was too quick to come to a conclusion vis-a-vis the legality of its data flows; and that circumstances on the ground have changed in a way that means its flows are now totally fine anyway.

All of which serves to underline how delaying enforcement is itself a key strategy for Facebook to evade the application of EU law.

That, in turn, directly implicates its lead EU regulator — because, by taking such a painstakingly long time over investigations the regulator generates ample time and space for Facebook to come up with fresh lines to cynically reboot its arguments against any enforcement taking place.

In short, it allows for a perpetual game of regulatory whack-a-mole that gives Facebook a thumbs up to carry on with data-mining business as usual in the meanwhile. While EU people’s fundamental rights exist only on paper.

The DPC declined to comment on noyb’s fourth Advent Reading when we reached out.

But here’s Schrems’ assessment again: “The Irish DPC is extremely slow and is not in control of this procedures. Facebook constantly moves to another argument, while the DPC has not even decided on the decision from 2013. Facebook is dominating this procedure — instead of the DPC.”

Per noyb, Facebook’s TIA also details what it claims as “supplementary measures” to boost protection for the data — something the EDPB has said may be possible for data controllers to apply to transfers to risky third countries to make such flows achieve compliance with EU standards.

For example, robust, end-to-end encryption may, in theory, be applied to prevent access to data in a readable form when it’s in the US.

However Facebook’s business model is based on profiling users via its big data analysis of their information so it’s certainly not in a position to lock its own business out of people’s data. Not without a radical change of business model.

Unsurprisingly, then, noyb found the TIA’s section on claimed “supplementary measures” contained nothing more than a (long) list of industry standard policies and procedures. So no extra steps at all, then.

“According to the documents we received, absolutely no new or relevant measures were taken by Facebook on foot of the CJEU judgment of 16.6.2020,” noyb notes.

We reached out to the EDPB for a view on the sorts of policies and procedures Facebook’s TIA lists as “supplementary measures” — and will update this post with any response.

Asked for its response to noyb’s assessment of its TIA, Facebook sent this statement — attributed to a Meta spokesperson:

“Like other companies, we have followed the rules and relied on international transfer mechanisms to transfer data in a safe and secure way. Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”

Source: Tech


Dashworks is a search engine for your company’s sprawling internal knowledge



As a company grows, the amount of important information employees need to keep track of inevitably grows right along with it. And, as your tech stack gets more complicated, that information ends up split up across more places — buried in Slack threads, tucked into Jira tickets, pushed as files on Dropbox, etc.

Dashworks is a startup aiming to be the go-to place for all of that internal knowledge. Part landing page and part search engine, it hooks into dozens of different enterprise services and gives you one hub to find what you need.

On the landing page front, Dashworks is built to be your work laptop’s homepage. It’s got support for broadcasting company wide announcements, building out FAQs, and sharing bookmarks for the things you often need and can never find — your handbooks, your OKRs, your org charts, etc.

More impressive, though, is its cross-tool search. With backgrounds in natural language processing at companies like Facebook and Cresta, co-founders Prasad Kawthekar and Praty Sharma are building a tool that allow you to ask Dashworks questions and have them answered from the knowledge it’s gathered across all of those aforementioned Slack threads, or Jira tickets, or Dropbox files. It’ll give you a search results page of relevant files across the services you’ve hooked in — but if it thinks it knows the answer to your question, it’ll just bubble that answer right to the top of the page, Google Snippets style.

Image Credits: Dashworks

Right now Dashworks can hook into over 30 different popular services, including Airtable, Asana, Confluence, Dropbox, Gmail, Google Drive, Intercom, Jira, Notion, Slack, Salesforce, Trello, and a whole bunch more — with more on the way, prioritized by demand.

Giving another company access to all of those services and the knowledge within might be unsettling — something the Dashworks team seems quite aware of. Kawthekar tells me that their product is SOC-2 certified, that all respective data is wiped from their servers if you choose to disconnect a service, and that, for teams that are equipped to host the tool themselves, they offer a fully on-prem version.

This week Dashworks is announcing that it raised a $4M round led by Point72 ventures, backed by South Park Commons, Combine Fund, Garuda Ventures, GOAT Capital, Unpopular Ventures, and Starling Ventures. Also backing the round is a number of angels, including Twitch co-founder Emmett Shear and Gusto co-founders Josh Reeves and Tomer London. The company was also a part of Y Combinator’s W20 class.

Image Credits: Dashworks

Source: Tech

Continue Reading


Daily Crunch: Google will offer G Suite legacy edition users a ‘no-cost option’



To get a roundup of TechCrunch’s biggest and most important stories delivered to your inbox every day at 3 p.m. PST, subscribe here.

Hello and welcome to Daily Crunch for January 28, 2022! It’s nearly blizzard o’clock where I am, so please enjoy the following newsletter as my final missive before hunkering down. In happier and better news, TechCrunch Early Stage is coming up in just a few months and not only am I hype about it, I’ll hopefully be there IRL. See you soon! – Alex

The TechCrunch Top 3

  • Google invests up to $1B in Airtel: With a $700 million investment and $300 million in “multi-year commercial agreements” with Airtel, and Indian telco, Google has made its second major bet on Indian infra. Recall that Google also put money into Jio, another Indian telco. The deal underscores the importance of the country in the future of technology revenues.
  • What’s ahead for Europe: On the heels of news that European startups had an outsized 2021 when it came to fundraising, TechCrunch explored what’s ahead for the continent. Some expect a slowdown from peak activity, while others anticipate further acceleration. Regardless of which perspective you favor, European venture investment is expected to remain elevated for some time to come.
  • Zapp raises $200M: And speaking of European startups, Zapp, the U.K.-based quick-convenience delivery startup, just raised a massive Series B. The company previously raised $100 million, meaning that this round was big in absolute and comparative terms. As we see some consolidation in the fast-delivery space, this deal caught our eye.


  • Are charter cities the future for African tech growth? TechCrunch’s Tage Kene-Okafor has a great piece up on the site noting that “African cities have the fastest global urban growth rate,” which is leading to overcrowding. Some folks think that “charter cities offer a solution.” Special economic zones of all types have been tried before – will they offer African tech a faster route forward?
  • Personalized learning is hot: Our in-house edtech expert Natasah Mascarenhas has a great piece out today on personalized learning startups – Learnfully, Wayfinder, Empowerly, and others – that are taking the lessons of remote schooling to heart and working to make products that work better for our kids. It’s an encouraging, fascinating story.
  • Rise wants to remake team calendaring: There is no shortage of apps in the market to help individuals and teams work together. But we might not need as many as we have. That’s why Rise is making me think. The team calendaring app just raised a few million, and could replace a few tools that myself and friends use. I wonder if the solution to the Tool Overload of 2022 is tools that do less, intentionally.
  • Canvas wants non-tech folks to be able to squeeze answers from data: Developers are in short supply, so no-code tools that allow folks who don’t sling code to do their own building are blowing up. Similarly, a general dearth of data science talent in the market is creating space for tools like Canvas, which “is going all in with a spreadsheet-like interface for non-technical teams to access the information they need without bothering data teams,” TechCrunch reports.
  • Zigbang buys Samsung IoT business: The IoT promises of yesteryear are coming true, and not. Samsara recently went public on the back of its IoT business. That was a win for the category. That Zigbang, a South Korean proptech startup, is buying Samsung’s IoT unit feels slightly less bullish.
  • Series F-tw? Once upon a time I would have mocked a Series F as indication that the company in question had failed to go public. But that was then. Today Series Fs are not that rare. Indian B2B marketplace Moglix just raised one, which doubled its valuation to $2.6 billion. Tiger co-led the $250 million round.

And if you are looking down the barrel of a blizzard, TechCrunch’s Equity podcast has your downtime covered. Enjoy!

European, North American edtech startups see funding triple in 2021

Image Credits: Bet_Noire (opens in a new window) / Getty Images

Pre-pandemic, VCs were notoriously reluctant to invest in education-related companies. Today, edtech startups are seeing higher average deal sizes, more seed and pre-seed funding from non-VC investors, and an influx of generalists.

According to Rhys Spence, head of research at Brighteye Ventures, funding for edtech startups based in Europe and North America trebled over the last year.

“Exciting companies are spawning across geographies and verticals, and even generalist investors are building conviction that the sector is capable of producing the same kind of outsized returns generated in fintech, healthtech and other sectors,” writes Spence.

(TechCrunch+ is our membership program, which helps founders and startup teams get ahead. You can sign up here.)

Big Tech Inc.

  • Northern Light Venture Capital’s He Huang says the Chinese robotics market is overheated: Per the investor, robotics in China is “riddled with speculation and overvalued companies,” calling the situation a bubble. It’s worth noting that China’s central government is working to retool where its tech investment dollars flow.
  • Robinhood goes down, back up: This morning, in the wake of the company’s lackluster earnings report, TechCrunch dug through why Robinhood’s stock sold off in after-hours, pre-market, and early trading sessions yesterday and today. And then Robinhood turned around and gained ample ground during the rest of the day. It’s a weird market moment, but good news for the U.S. fintech all the same.
  • Google to allow legacy G Suite users to move to free accounts: After angering techies still using the “G Suite legacy free edition” by announcing that it was ending the program and requiring payment, the search giant has decided to ”offer more options to existing users,” TechCrunch reports. Somewhere inside of Google, a business decision just met the market and was flipped on its head. Makes you wonder who is calling the shots over there, and if they previously worked for McKinsey.

TechCrunch Experts

Image Credits: SEAN GLADWELL / Getty Images

TechCrunch wants you to recommend growth marketers who have expertise in SEO, social, content writing and more! If you’re a growth marketer, pass this survey along to your clients; we’d like to hear about why they loved working with you.

Source: Tech

Continue Reading


3 experiments for early-stage founders seeking product-market fit



At Human Ventures, we have a fund for pre-seed and seed-stage investments, a venture studio and an Entrepreneur in Residence (EIR) program.

Through this work, we’ve discovered a lot about how different founders fulfill their journey of customer discovery and product-market fit. One of the largest challenges for pre-seed and seed stage founders is determining where to start: There are a million things to do. What should you do at each stage?

We interviewed three founders from our portfolio, all of whom ran discovery experiments to find their product-market fit at different stages of their company’s development.

Here’s what they had to share:

Pre-MVP/customer discovery phase: Tiny Organics

Tiny Organics is a plant-based baby and toddler food company on a mission to shape childrens’ palates so they’ll choose and love vegetables from their earliest days. The company raised $11 million in their Series A in 2021 and is growing at over 500% annually.

Founders Sofia Laurell and Betsy Fore joined our venture studio as EIRs and went through a six-week discovery sprint. As Sofia explains, they knew they wanted to build something to make parents’ lives easier and threw a lot of initial ideas at the wall from the Finnish baby box 2.0 (Sofia is Finnish) to an easier way to create Instagrammable baby pictures.

They went through multiple exercises to test the viability of new parents’ most pressing and urgent needs:

  • Conduct a “Start with Why” exercise
  • Define the “Jobs to be Done”
  • Create a lean canvas for each (viable) concept
  • Define the user journeys
  • Conduct user surveys using platforms like and 1Q (instant survey tool)
  • Identify and define their customer personas
  • Conduct customer interviews and synthesize them
  • Construct concept prototypes

They also met prospective customers, conducting a focus group of 10-15 moms. When the founders asked them to text them what they were feeding their children along with pictures for a week, they realized the lack of healthy finger foods in the market, thus sparking the idea for Tiny Organics.

Source: Tech

Continue Reading