In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.
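The decision turns on two technical points: the site’s IP “anonymization” was not actually in effect, and even a correctly truncated address remains a “puzzle piece” when it is stored beside a persistent cookie identifier. The following Python is an added illustration, not code from the article, from netdoktor or from Google. It assumes the common truncation scheme of zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address (an assumption about vendor behaviour, not something the decision states), and it uses constructed sample records with documentation addresses.

```python
import ipaddress

# Assumed truncation scheme (not taken from the article): keep the leading
# 24 bits of an IPv4 address and the leading 48 bits of an IPv6 address.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(ip_text: str) -> str:
    """Return the address with its host portion zeroed (the 'anonymized' form)."""
    ip = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    host_bits = ip.max_prefixlen - keep
    mask = ((1 << ip.max_prefixlen) - 1) ^ ((1 << host_bits) - 1)
    return str(ipaddress.ip_address(int(ip) & mask))


def is_truncated(ip_text: str) -> bool:
    """True if the address is already in truncated form, i.e. truncating it is a no-op.

    This is the kind of check an operator can run on what actually leaves the
    site, rather than trusting that a configuration flag took effect.
    """
    return truncate_ip(ip_text) == str(ipaddress.ip_address(ip_text))


def remaining_hosts(ip_text: str) -> int:
    """How many addresses a truncated value still maps to.

    Illustrates the regulator's 'puzzle piece' point: a /24 still narrows a
    visitor to 256 hosts, and a persistent cookie ID does the rest.
    """
    ip = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return 1 << (ip.max_prefixlen - keep)


def audit_outbound(records):
    """Return the client IDs of records whose IP left the site untruncated."""
    return [r["cid"] for r in records if not is_truncated(r["ip"])]


# Constructed sample of what an analytics beacon might carry: a cookie client
# ID plus the visitor's IP. Addresses are RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_HITS = [
    {"cid": "cid-001", "ip": "203.0.113.77"},           # raw, not truncated
    {"cid": "cid-002", "ip": "203.0.113.0"},            # truncated IPv4
    {"cid": "cid-003", "ip": "2001:db8:abcd::"},        # truncated IPv6
    {"cid": "cid-004", "ip": "2001:db8:abcd:1234::1"},  # raw IPv6
]


if __name__ == "__main__":
    print("untruncated hits:", audit_outbound(SAMPLE_HITS))
    print("hosts behind a truncated IPv4:", remaining_hosts("203.0.113.0"))
```

Running the audit over real beacon logs is the cheap way to detect the misconfiguration described in the decision; the `remaining_hosts` value is the reminder that truncation reduces, but does not remove, the identifying power of the address once it sits next to a cookie ID.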

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator notes in the decision [via a machine translation of the German language text], adding: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”

In reaching its conclusion, the regulator assessed various measures Google said it had implemented to protect the data in the US — such as encryption at rest in its data centers; or its claim that the data “must be considered as pseudonymous” — but did not find sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as required to meet the GDPR’s standard.

“As long as the second respondent himself [i.e. Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” it notes at one point, dismissing the type of encryption used as inadequate protection.

Austria’s regulator also quotes earlier guidance from German DPAs to back up its dismissal of Google’s “pseudonymous” claim — noting that this states:

“…the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users do not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymisations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations.”

The DPA’s wholesale dismissal of any legally relevant impact of the bundle of aforementioned “Technical and Organizational Measures” (such as standard encryption) — which were cited by Google to try to fend off the complaint — is significant because such claims are the prevailing tactic used by US-based cloud giants to try to massage compliance and ensure EU-to-US data transfers continue so they can continue business as usual.

So if this tactic is getting called out here, as a result of a single website’s use of Google Analytics, it can and will be sanctioned by EU regulators elsewhere. After all, Google Analytics is everywhere online.

(See also the extensive list of extremely standard measures cited by Facebook in an internal assessment of its EU-to-US data transfers — in which it too tries to claim ‘compliance’ with EU law, per an earlier document reveal.)

The complaint back story here is that back in August 2020 European privacy campaign group noyb filed a full 101 complaints with DPAs across the bloc targeting websites with regional operators that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

Use of such analytics tools may seem intensely normal but — legally speaking, in the EU — it’s anything but because EU-to-US transfers of personal data have been clouded in legal uncertainty for years.

The underlying conflict boils down to a clash between European privacy rights and US surveillance law — as the latter affords foreigners zero rights over how their data is scooped up and snooped on, nor any route to legal redress for whatever happens to their information when it’s in the US, making it extremely difficult for exported EU data to receive abroad the “essentially equivalent” standard of protection it gets at home.

To radically simplify: EU law says European levels of protection must travel with data. While US law says ‘we’re taking your data; we’re not telling you what we’re doing; and you can’t do anything about it anyway, sucker!’.

US cloud providers that are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) are all in the frame — which takes in a broad sweep of tech giants, including Google and Facebook, since this law applies broadly to “electronic communications services”.

Executive Order 12,333, a Reagan-era mandate that is also relevant because it expanded intelligence agency powers to acquire data, is thought to target vulnerabilities in telecoms infrastructure.

The EU-US legal clash between privacy and surveillance dates back almost a decade at this point.

It was catalyzed by the 2013 Snowden disclosures, which revealed the extent of US government mass surveillance programs — and led, back in 2015, to the EU’s Court of Justice invalidating the Safe Harbor arrangement between the bloc and the US on the grounds that EU data could no longer be considered safe when it went over the pond.

And whereas Safe Harbor had stood for around 15 years, its hastily agreed replacement — the EU-US Privacy Shield — lasted just four. So the lifespan of commercially minded European Commission decisions seeking to grease transatlantic data flows in spite of the massive privacy risks has been shrinking radically.

Some complaints about risky EU-to-US data transfers also date back almost a decade at this point. But there’s fresh enforcement energy in the air since a landmark ruling by the CJEU in July 2020 — which struck down the Commission’s reupped data transfer arrangement (Privacy Shield), which — since 2016 — had been relied upon by thousands of companies to rubberstamp their US transfers.

The court did not outlaw personal data transfers to so-called third countries entirely. Which is why these data flows didn’t cease overnight smack bang in the middle of 2020.

However it clarified that such data flows must be assessed on a case by case basis for risks. And it made it clear that DPAs could not just turn a blind eye to compliance — hi Ireland! — rather they must proactively step in and suspend transfers in cases where they believe data is flowing to a risky location like the US.

In a much-watched follow-on interpretation of the court ruling, the European Data Protection Board’s (EDPB) guidance confirmed that personal data transfers out of the EU may still be possible — if a set of narrow circumstances and/or conditions apply, such as the data being genuinely anonymized so that it is truly no longer personal data.

Or if you can apply a suite of supplementary measures (such as technical stuff like applying robust end-to-end encryption — meaning there’s zero access to decrypted data possible by a US entity) — in order to raise the level of legal protection.

The problem for adtech firms like Google and Facebook is that their business models are all about accessing people’s data. So it’s not clear how such data-mining giants could apply supplementary measures that radically limit their own access to this core business data without a radical change of model. Or, well, federating their services — and localizing European data and processing in the EU.

The Austrian DPA decision makes it clear that Google’s current package of measures, related to how it operates Google Analytics, is not adequate because it does not remove the risk of surveillance agencies accessing people’s data.

The decision puts heavy underscoring on the need for any such supplementary measures to actually enhance standard provisions if they’re to do anything at all for your chances of compliance.

Supplementary of course means extra. tl;dr you can’t pass off totally standard security processes, procedures, policies, protocols and measures as some kind of special Schrems II-busting legal magic, no matter how much you might want to.

(A quick comparable scenario that might hammer home the point: One can’t — legally speaking — hold a party during a pandemic if lockdown rules ban social gatherings simply by branding a ‘bring your own bottle’ garden soirée as a work event. Not even if you’re the prime minister of the UK. At least not if you want to remain in post for long, anyway… )

It’s fair to say that the tech industry response to the Schrems II ruling has been a massive, collective putting of heads into sand. Or, as the eponymous Max Schrems himself, honorary chair of noyb, puts it in a statement: “Instead of adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

This charade has been possible because — to date — there hasn’t been much regulatory enforcement following the July 2020 ruling.

Despite the European Data Protection Board warning immediately that there would be no grace period for coming into compliance.

To the untrained eye that might suggest the industry’s collective strategy — of ignoring the legal nightmare wrapping EU-to-US transfers in the hopes the problem would just go away — has been working.

But, as the Austria decision indicates, regulatory gears are grinding towards a bunch of rude awakenings.

The European Commission — which remains eager for a replacement to the EU-US Privacy Shield — has also warned there will be no quick fix this time around, suggesting major reforms of US surveillance law are required to bridge the legal divide. (Although negotiations between the Commission and the US on a replacement data transfer agreement are continuing.)

In the meanwhile Schrems II enforcements are starting to flow — and orders to cease US data flows may soon follow.

In another sign of enforcement ramping up, the European Data Protection Supervisor (EDPS) — just this week — upheld a complaint against the European Parliament over US data transfers involving use of Google Analytics and Stripe.

The EDPS’ decision reprimands the parliament and also orders it to fix outstanding issues within one month.

The other 101 complaints noyb filed back in 2020 are also still awaiting decisions. And as Schrems notes EU DPAs have been coordinating their response to the data transfer issue. So there’s likely to be a pipeline of enforcements striking at usage of US cloud services in the coming months. And, well, a lot of sand falling out of eyes.

Here’s Schrems on the Austria DPA’s reasoning again: “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

“We expect similar decisions to now drop gradually in most EU member states,” he adds, further noting that Member State authorities have been coordinating their response to the flotilla of complaints (the EDPB announced a taskforce on the issue last fall).

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems also said, adding: “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

While netdoktor has been found to have violated the GDPR, it’s not clear whether it will face a penalty as yet.

It may also seek to appeal the Austrian DPA’s decision.

The company has since moved its HQ to Germany, which complicates the regulatory jurisdiction component of this process — and means it may face additional enforcement, such as an order banning transfers, in a follow on action by a German regulator.

There is another notable element of the decision that has gone Google’s way — for now.

While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients.

That bit of the decision is a disappointment to noyb which is considering whether to appeal — with Schrems arguing: “It is crucial that the US providers cannot just shift the problem to EU customers.”

noyb further flags that Google may still face some pending sanction, however, as the Austria DPA has said it will investigate further in relation to potential violations of Articles 5, 28 and 29 GDPR (related to whether Google is allowed to provide personal data to the US government without an explicit order by the EU data exporter).

The DPA has said it will issue a separate decision on that. So Google may yet be on the hook for a GDPR breach in Austria.

Penalties under the regulation can scale as high as 4% of a company’s annual global turnover. Although orders to ban data transfers may ultimately prove a lot more costly to certain types of data-mining business models.

To wit: Long time EU privacy watchers will be aware that Facebook’s European business is on penalty time in Ireland over this same EU-US transfers issue. A preliminary order that Facebook suspend transfers was issued by Ireland in fall 2020 — triggering legal action from the social media giant to try to block the order.

Facebook’s court challenge failed but a final decision remains pending from the Irish regulator — which promised noyb a swift resolution of the vintage complaint a full year ago. So the clock really is ticking on that data transfer complaint. And someone should phone Meta’s chief spin doctor, Nick Clegg, to ask if he’s ready to pull the plug on Facebook’s European service yet?

Spendesk is the fifth French startup to reach unicorn status this month

Fintech startup Spendesk is announcing that it has raised an extension to its Series C round. Tiger Global is investing $114 million (€100 million) in the startup. Following today’s funding round, the company says that it has reached a valuation of more than $1.14 billion (more than €1 billion).

In other words, Spendesk is a new unicorn in the French tech ecosystem. Funding news has been accelerating over the last few months in France. In January alone, five startups announced that they have crossed the threshold to reach unicorn status — PayFit, Ankorstore, Qonto, Exotec and Spendesk.

Back Market, an e-commerce marketplace focused on refurbished smartphones and electronics devices, has also raised a mega round and reached a $5.7 billion valuation.

Let’s go back to Spendesk. The startup offers an all-in-one corporate spend management platform for medium companies in Europe. Originally focused on virtual cards for online payments, the company has expanded its product offering to tackle everything related to corporate spending.

Spendesk customers can order physical cards for employees, team members can use the platform to pay outstanding invoices, file expense reports, manage budgets and generate spending reports. By offering everything in a single service, Spendesk wants to simplify accounting and approvals in general so that money moves more freely.

The startup defines its platform as a “7-in-1 spend management solution”, meaning that Spendesk is no longer just a product that lets you order debit cards for your employees.

“We have had this goal since the beginning — we really want to become this platform, this operational system to manage your spending,” co-founder and CEO Rodolphe Ardant told me. “When we started working on the product, we looked at each use case and designed the right workflow for that.”

In particular, Spendesk helps you formalize your internal processes. You can define team budgets, set up complicated approval workflows for expensive payments, automate some pesky tasks, such as VAT extraction.

“We target mid-market clients. Those are customers with 50 to 1,000 employees. We have a few clients that are bigger than that and a few clients that are smaller than that,” Ardant said.

And the company currently has 3,500 clients — around half of them are based in France while other clients are mostly based in Germany and the U.K. Clients have spent €3 billion through Spendesk in 2021 alone.

With its central positioning in the financial stack, Spendesk needs to interface perfectly with other financial tools — banks on one side and ERP products on the other side.

The startup currently supports many of the popular accounting tools used by European companies, such as Xero and Datev. Spendesk customers can also export transaction batches and import them into Sage, Cegid and other accounting software solutions.

Spendesk is also working on automating the integrations with your bank accounts, which could be particularly useful for companies with multiple bank accounts. For instance, you could imagine setting up a rule that automatically triggers a transfer between your German bank account and your Spendesk account when you want to pay a German supplier.


Spend management in Europe

Spendesk isn’t the only spend management solution in Europe. There are some competitors, such as Pleo, which recently reached a $4.7 billion valuation, and Soldo — another well-funded competitor, having raised $180 million last year.

In the U.S. as well, companies like Brex and Ramp have reached sky-high valuations. And yet, Spendesk doesn’t think it has the same positioning as American startups.

“On the American market, it shouldn’t be called the spend management industry — it’s the corporate card industry. Players like Brex and Ramp position themselves as a payment method,” Spendesk co-founder and CEO Rodolphe Ardant told me. “Europe’s corporate culture is a culture of debit — not credit. We don’t provide payment methods, we provide a process.”

It’s a slight difference in product positioning, so it’s going to be interesting to see if a European spend management startup can successfully enter the U.S. and vice versa.

When it comes to business model as well, Spendesk considers itself as a software-as-a-service company with recurring subscriptions. The startup didn’t want to share any hard numbers for its revenue. Its CEO just said that Spendesk’s revenue “more than doubles every year.”

With today’s funding round, Spendesk plans to triple the size of its team over the next two years. The company plans to have 1,000 employees by the end of 2023.

Crypto.com expands venture arm to $500 million to back early-stage web3 startups

Crypto.com, a popular cryptocurrency exchange, has extended its venture arm’s fund size to $500 million as it looks to more aggressively back early-stage startups to help the nascent ecosystem grow, following similar moves by rivals Binance, Coinbase and FTX.

The broadening of Crypto.com Capital comes less than a year after the Singapore-headquartered firm unveiled its maiden fund of $200 million. The fund, unlike those of many of its rivals, has no LPs (meaning, it’s fully financed by the firm’s balance sheet.)

The maiden fund, whose individual checks run up to $10 million in size, has been so far deployed to back about 20 startups including YGG SEA, multi-chain crypto portfolio tracker DeBank, cross-chain token infrastructure Efinity and Ethereum scaling solution Matter Labs.

Crypto.com will continue to focus on backing early-stage startups, said Jon Russell, who joined the firm as a general partner this month, in an interview with TechCrunch.

With the fund, Crypto.com is broadly focusing on gaming, decentralized-finance and startups innovating on cross-chain solutions. But he cautioned that the industry could change and expand, as it has in recent years, to areas “we don’t know about,” hence the firm is keeping an eye out on everything.

Tuesday’s announcement also further illustrates the growing involvement of cryptocurrency exchanges in being the rainmaker – and beneficiary – of the ecosystem which encompasses the industry in which they operate.

FTX, which has backed over 15 startups, last week announced a $2 billion crypto fund. Its founder, Sam Bankman-Fried, also owns Alameda Research, a venture firm that has backed close to 100 web3 startups.

Coinbase Ventures, the investment arm of the only crypto exchange that is publicly traded, and Binance, the world’s largest cryptocurrency exchange by trading volume, are also among the most prolific investors in the web3 space.

Venture investment in crypto / web3 in 2021 by category (Image credits: Galaxy Digital)

The funding activity in the space, even as most of the aforementioned names often co-invest in startups, is at an all-time high. VCs invested more than $33 billion in crypto/web3 startups in 2021, more than all prior years combined, Galaxy Digital, another prolific investor in the space, wrote in a recent report.

“Valuations in the crypto/blockchain space were 141% higher than the rest of the venture capital space in Q4, highlighting a founder-friendly environment and the intense competition among investors for deal allocations,” the report added.

Scores of venture capital firms have also raised new funds for their crypto investments. Just last year, Andreessen Horowitz added a $2.2 billion crypto fund, Paradigm unveiled a $2.5 billion fund, and Hivemind Capital Partners announced a $1.5 billion fund. Katie Haun, who co-led a16z’s $2.2 billion crypto fund, has left the firm to launch her own crypto-focused fund.

Russell – a former journalist who previously had stints at TechCrunch, The Next Web, and The Ken – said Crypto.com is backing startups to help the ecosystem grow.

“If you’re in the industry, it’s in your interest to help companies grow in the ecosystem and the ecosystem itself to grow,” he said. (Worth pointing out that Solana, Avalanche, Polkadot — as well as some of their major investors — are also aggressively backing startups that are building applications for the native blockchains.)

The startups Crypto.com backs are under no obligation to list their tokens on Crypto.com over any of its rivals or offer the exchange any other preferential treatment, he said. The exchange team similarly doesn’t have a soft spot for the investment arm’s portfolio firms, he added.

(What’s up with the career move? “I’ve been crypto curious for a number of years but I wasn’t gasping to dive in full-time. This project appeals to me because Crypto.com is ambitious but yet it does things the right way. There’s certainly a lot of hype and hot air in crypto and web3 right now, but it’s impossible to ignore the talent that’s pouring into the industry,” he said.)

Crypto.com, which started its life as a blog of professor Matt Blaze (who sold the domain to the crypto exchange), has aggressively expanded in the past year as it looks to court more users. The Singapore-headquartered firm last year agreed to pay more than $700 million for the naming rights of the Staples Center in Los Angeles. The downtown Los Angeles complex has been rebranded as Crypto.com Arena for the next 20 years.

The firm, which bills itself as the “fastest-growing” crypto exchange, said at the time of the announcement that the move is positioned to make cryptocurrencies mainstream. Crypto.com, which processes trade volumes of over $2.5 billion every day, also teamed up with Hollywood star Matt Damon last year to promote the brand and cryptocurrencies.

The Damon-starring ad equated buying crypto tokens and NFTs to one of the greatest and boldest accomplishments in the history of humankind. Hyperbole, to be sure, but having the most mainstream American actor as Crypto.com’s celebrity sponsor has certainly helped bring the trading platform, and all that it sells, into the mainstream. The ad went viral and also attracted criticism for being cringeworthy.

Focused on smaller cities, Vietnamese social commerce startup Mio raises $8M Series A

Mio, the Vietnamese social commerce platform, has raised an $8 million Series A, less than a year after announcing its seed round. The funding was led by Jungle Ventures, Patamar Capital and Oliver Jung, with participation from returning investors GGV, Venturra, Hustle Fund, iSEED SEA and Gokul Rajaram.

TechCrunch first covered Mio at the time of its $1 million seed funding in May 2021. Founded in 2020, Mio is a group buying platform that focuses on selling fresh produce and groceries in Tier 2 and 3 cities in Vietnam. The company is able to offer next day delivery because it built a logistics infrastructure that enables it to send produce directly from farms to customers.

The Series A brings Mio’s total raised to $9.1 million, and will be used to expand its logistics and fulfillment system, enter new areas in Vietnam and add new product categories like fast-moving consumer goods (FMCG) and household appliances.

Mio co-founder and chief executive officer Trung Huynh said that since TechCrunch first covered Mio seven months ago, it has achieved 10x gross merchandise value growth, a 10x increase in agents, or resellers, and grew its team from 60 people to 240. It now fulfills more than 10,000 pieces of fresh produce per day, operating in Ho Chi Minh, Thu Duc, Binh Duong, Dong Nai and Long An, with plans to expand into northern Vietnam.

The numbers “strengthened our conviction in this model and its potential,” he said. “We need fresh capital to accelerate hiring, product development and supply chain to keep up with the pace of growth as we deepen our presence in existing geographies and expand to new provinces.”

Mio is able to offer next day deliveries because it vertically integrated major layers of the value chain, including procurement, warehousing, order sorting and bulk delivery. The startup owns the majority of its logistics infrastructure and uses its own fleet of couriers. Its ability to deliver fresh produce directly from farms to customers in less than 16 hours contributed to higher customer retention and growth, Huynh said, and it will continue to shorten delivery times.

Mio resellers are called Mio Partners. Huynh said one of the driving factors behind Mio is targeting the right people for the program, or “housewives and stay-home-moms in lower income regions who love sharing value-for-money products to their social circle of friends.”

They aggregate orders, usually from friends and family, and orders are delivered to them in batches for distribution. The startup claims Mio Partners can make up to $400 a month, including a 10% commission on each order and additional commissions based on the monthly performance of other resellers they referred to the program.

“There is a strong possibility” that Mio will expand beyond Vietnam, Huynh said, “but will only be considered at a more appropriate time after we successfully built our playbook for Vietnam.”
