Connect with us

Uncategorized

Privacy complaint targets European parliament’s COVID-19 test-booking site

Published

on

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies which states that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry in compliance with European law. Such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament website to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google’s server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who is?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.

Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.

Continue Reading
Comments

Uncategorized

Lime unveils new ebike as part of $50 million investment to expand to more 25 cities

Published

on

Lime said Monday it has allocated $50 million towards its bike-share operation, an investment that has been used to develop a new ebike and will fund its expansion this year to another 25 cities in North America, Europe, and Australia and New Zealand. 

If the company hits its goal, Lime’s bike-share service will be operational in 50 cities globally by the end of 2021.

The latest generation e-bike, known internally as 6.0, has a swappable battery that is interchangeable with Lime’s newest scooter. Additional upgrades to the e-bike include increased motor power, a phone holder, a new handlebar display, an electric lock that replaces the former generation’s cable lock and an automatic two-speed transmission. The new bikes are expected to launch and scale this summer. 

The hardware upgrade builds off of the 5.8, a bike developed by Jump that was supposed to be deployed in 2020. That never happened at scale because Uber, which owned Jump, offloaded the unit to Lime as part of a complex $170 million investment round announced in May.

“Jump made great hardware,” Lime President Joe Kraus said in a recent interview. “And we made some further improvements on top with the new bike.”

The hardware upgrades and expansion were funded from its own operational funds, not new financing from outside investors, Kraus said. The funding was possible as a result of Lime achieving its first full quarter of profitability in 2020, according to the company.

“We have figured out how to be profitable and we are funding this,” Kraus said.

Lime not only added a new motor to the bike, it moved its location in an aim to make it easier to handle at low speeds and enough power to climb hills, Kraus said. The swappable battery was perhaps its most important upgrade directly tied to its drive towards profitability, Kraus added.

“When our operations teams is roaming around the city, they take can care of bikes and the scooter fleet, which allows us to both operate profitably and continue to have affordable pricing,” he added.

Lime’s investment in its ebike operation comes a month after it announced plans to add electric mopeds to its micromobility platform as the startup aims to own the spectrum of inner city travel from jaunts to the corner store to longer distance trips up to five miles. Lime is launching the effort by deploying 600 electric mopeds on its platform this spring in Washington D.C. The company is also working with officials to pilot the mopeds in Paris. Eventually, the mopeds will be offered in a “handful of cities” over the next several months.

“This idea of how to service more trips five miles within a city is part of why we continue to do multi modality,” Kraus said. “When we add a new modality like bikes into a scooter city, or when we add scooters to a bike city both modalities go up in usage.”

Continue Reading

Uncategorized

Istanbul’s Dream Games snaps up $50M and launches its first game, the puzzle-based Royal Match

Published

on

On the back of Zynga acquiring Turkey’s Peak Games for $1.8 billion last year and then following it up with another gaming acquisition in the country, Turkey has been making a name for itself as a hub for mobile gaming startups, and specifically those building casual puzzle games, the wildly popular and very sticky format that takes players through successive graphic challenges that test their logic, memory and ability to think under time pressure.

Today, one of the more promising of those startups, Istanbul-based, Peak alum-founded Dream Games, is announcing the GA launch of its first title, Royal Match (on both iOS and Android), along with $50 million in funding to double down on the opportunity ahead — the largest Series A raised by a startup in Turkey to date.

While Dream Games will focus for the moment on building out the audience for puzzle games with more innovative ideas, it also has its sights set on a bigger goal.

“We’re building this as an entertainment company,” CEO Soner Aydemir said in an interview, where he described Pixar as a key inspiration not just for size but for quality in its category. “What they did for animated movies, we want to do for mobile gaming. We are focusing on casual puzzle games first because everyone plays these, but we will also move forward with other genres. We want to be a huge interactive entertainment company that builds high quality games.”

The Series A is being led by Index Ventures, with participation also from Balderton Capital and Makers Fund. The latter two backed Dream Games previously, in a $7.5 million seed round in 2019. Index, meanwhile, is a notable VC to have on board: other successful gaming startups it has backed include Discord, King, Roblox and Supercell.

Interestingly, this is not Index’s first investment in a gaming startup founded by Peak Games alums: in December it led a $6 million round for another Istanbul mobile casual puzzle gaming startup founded by ex-Peak employees: Bigger Games.

Dream Games is not disclosing its valuation with this round.

Dream Games raising $57.5 million ahead of launching any games — or proving whether they get any traction — may sound like a risky bet, but there is some context to the story that sets up the odds in this startup’s favor.

The founding team all come from Peak Games, the Istanbul gaming startup that was so nice, Zynga bought it twice — first, in the form of one small acquisition of some specific titles, and then the whole company some years later.

CEO Soner Aydemir is Peak’s former director of product who built the company’s two biggest hits, Toy Blast and Toon Blast. Ikbal Namli and Hakan Saglam were Peak’s former engineering leads. And Peak product manager Eren Sengul and an ex-Peak 3D artist Serdar Yilmaz round out the rest of the founding team.

(Aydemir notes that the team left and formed Dream Games in 2019, about a year before Zynga’s full acquisition.)

The other indicators that Dream Games is on to something are its metrics for its limited test run of Royal Match.

Royal Match — in which players are tasked with helping King Robert restore his royal castle “to its former glory” by rebuilding it through a series of match-3 levels and obstacles, with new rooms, royal chambers and gardens making up the different levels of the game — was launched first as a limited test on iOS and Android in the U.K. and Canada in July leading up to this launch. In that time, Aydemir said it saw 1 million downloads and 200,000 daily average users.

“We think the numbers are very promising compared to previous experiences,” he said.

While Aydemir likes to describe Dream as an “entertainment” company, there is a lot of technology going into the product, from the graphics and the mechanics of the puzzles themselves through to the data science behind them.

“If you want to create an iconic game, you need to combine engineering, art and data science together with high quality user acquisition and a strong marketing approach,” he said.

And he believes that when you focus on these it will inevitably lead to quality, which means you no longer have to focus on simply trying to find a hit.

“We don’t like that approach,” he said. “We don’t want to find a hit.”

That was also the mix that Index also wanted to back.

“Building iconic titles requires a harmonious mix of craft, science and flawless execution,” said Index Ventures partner Stephane Kurgan, who led the round together with Index’s Sofia Dolfe. “The Dream Games team has perfected this mix over many years of working together, and has put it on full display in Royal Match. We could not be more excited to work with them in their journey to build the next global casual champion.”

While Dream Games’ long-term ambition is to build out interactive experiences around different audiences and genres, Aydemir said that casual games, and puzzles in particular, have proven to be a huge hit with consumers.

The strength of that trend has up to now meant that puzzle games generally have proven to have more staying power than other genres in mobile games, which have soared in popularity but also somewhat fizzled out.

“Every year we see the bigger market of users growing by 20%,” he said. “It will remain for decades.”

Interestingly, the focus on casual gaming startups in Turkey seems like a perfect storm of sorts. Undeniably, the proven success of Peak has brought in more punters, but it has also shown the way to developers: you can build a successful and global consumer tech startup out of Turkey, and perhaps puzzles — which focus on shapes — are especially good at transcending different language barriers.. Alongside that, Aydemir pointed out that the country is strong on engineers and developers but slim on opportunities with bigger tech companies.

“Mobile gaming is a younger industry, so that presents an opportunity,” he said.

Updated to correct that Index is not an investor in Rovio, and that the limited test had 200,000, not 200, DAUs.

Continue Reading

Uncategorized

Qualcomm veteran to replace Alain Crozier as Microsoft Greater China boss

Published

on

Microsoft gets a new leader for its Greater China business. Yang Hou, a former executive at Qualcomm, will take over Alain Crozier as the chairman and chief executive officer for Microsoft Greater China Region, according to a company announcement released Monday.

More to come…

Continue Reading

Trending