Connect with us

Uncategorized

Privacy complaint targets European parliament’s COVID-19 test-booking site

Published

on

The European Parliament is being investigated by the EU’s lead data regulator over a complaint that a website it set up for MEPs to book coronavirus tests may have violated data protection laws.

The complaint, which has been filed by six MEPs and is being supported by the privacy campaign group noyb, alleges third party trackers were dropped without proper consent and that cookie banners presented to visitors were confusing and deceptively designed.

It also alleges personal data was transferred to the US without a valid legal basis, making reference to a landmark legal ruling by Europe’s top court last summer (aka Schrems II).

The European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with data rules, confirmed receipt of the complaint and said it has begun investigating.

It also said the “litigious cookies” had been disabled following the complaints, adding that the parliament told it no user data had in fact been transferred outside the EU.

“A complaint was indeed filed by some MEPs about the European Parliament’s coronavirus testing website; the EDPS has started investigating it in accordance with Article 57(1)(e) EUDPR (GDPR for EU institutions),” an EDPS spokesman told TechCrunch. “Following this complaint, the Data Protection Office of the European Parliament informed the EDPS that the litigious cookies were now disabled on the website and confirmed that no user data was sent to outside the European Union.”

“The EDPS is currently assessing this website to ensure compliance with EUDPR requirements. EDPS findings will be communicated to the controller and complainants in due course,” it added.

MEP, Alexandra Geese, of Germany’s Greens, filed an initial complaint with the EDPS on behalf of other parliamentarians.

Two of the MEPs that have joined the complaint and are making their names public are Patrick Breyer and Mikuláš Peksa — both members of the Pirate Party, in Germany and the Czech Republic respectively.

We’ve reached out to the European Parliament and the company it used to supply the testing website for comment.

The complaint is noteworthy for a couple of reasons. Firstly because the allegations of a failure to uphold regional data protection rules look pretty embarrassing for an EU institution. Data protection may also feel especially important for “politically exposed persons like Members and staff of the European Parliament”, as noyb puts it.

Back in 2019 the European Parliament was also sanctioned by the EDPS over use of US-based digital campaign company, NationBuilder, to process citizens’ voter data ahead of the spring elections — in the regulator’s first ever such enforcement of an EU institution.

So it’s not the first time the parliament has got in hot water over its attention to detail vis-a-vis third party data processors (the parliament’s COVID-19 test registration website is being provided by a German company called Ecolog Deutschland GmbH). Once may be an oversight, twice starts to look sloppy…

Secondly, the complaint could offer a relatively quick route for a referral to the EU’s top court, the CJEU, to further clarify interpretation of Schrems II — a ruling that has implications for thousands of businesses involved in transferring personal data out of the EU — should there be a follow-on challenge to a decision by the EDPS.

“The decisions of the EDPS can be directly challenged before the Court of Justice of the EU,” noyb notes in a press release. “This means that the appeal can be brought directly to the highest court of the EU, in charge of the uniform interpretation of EU law. This is especially interesting as noyb is working on multiple other cases raising similar issues before national DPAs.”

Guidance for businesses involved in transferring data out of the EU who are trying to understand how to (or often whether they can) be compliant with data protection law, post-Schrems II, is so far limited to what EU regulators have put out.

Further interpretation by the CJEU could bring more clarifying light — and, indeed, less wiggle room for processors wanting to keep schlepping Europeans’ data over the pond legally, depending on how the cookie crumbles (if you’ll pardon the pun).

noyb notes that the complaint asks the EDPS to prohibit transfers that violate EU law.

“Public authorities, and in particular the EU institutions, have to lead by example to comply with the law,” said Max Schrems, honorary chairman of noyb, in a statement. “This is also true when it comes to transfers of data outside of the EU. By using US providers, the European Parliament enabled the NSA to access data of its staff and its members.”

Per the complaint, concerns about third party trackers and data transfers were initially raised to the parliament last October — after an MEP used a tracker scanning tool to analyze the COVID-19 test booking website and found a total of 150 third-party requests and a cookie were placed on her browser.

Specifically, the EcoCare COVID-19 testing registration website was found to drop a cookie from the US-based company Stripe, as well as including many more third-party requests from Google and Stripe.

The complaint also notes that a data protection notice on the site informed users that data on their usage generated by the use of Google Analytics is “transmitted to and stored on a Google server in the US”.

Where consent was concerned, the site was found to serve users with two different conflicting data protection notices — with one containing a (presumably copypasted) reference to Brussels Airport.

Different consent flows were also presented, depending on the user’s region, with some visitors being offered no clear opt out button. The cookie notices were also found to contain a ‘dark pattern’ nudge toward a bright green button for ‘accepting all’ processing, as well as confusing wording for unclear alternatives.

A screengrab of the cookie consent prompt that the parliament’s COVID-19 test booking website displayed at the time of writing – with still no clearly apparent opt-out for non-essential cookies (Image credit: TechCrunch)

The EU has stringent requirements for (legally) gathering consents for (non-essential) cookies and other third party tracking technologies which states that consent must be clearly informed, specific and freely given.

In 2019, Europe’s top court further confirmed that consent must be obtained prior to dropping non-essential trackers. (Health-related data also generally carries a higher consent-bar to process legally in the EU, although in this case the personal information relates to appointment registrations rather than special category medical data).

The complaints allege that EU cookie consent requirements are not being met on the website.

While the presence of requests for US-based services (and the reference to storing data in the US) is a legal problem in light of the Schrems II judgement.

The US no longer enjoys legally frictionless flows of personal data out of the EU after the CJEU torpedoed the adequacy arrangement the Commission had granted (invalidating the EU-US Privacy Shield mechanism) — which in turn means transfers of data on EU peoples to US-based companies are complicated.

Data controllers are responsible for assessing each such proposed transfer, on a case by case basis. A data transfer mechanism called Standard Contractual Clauses was not invalidated by the CJEU. But the court made it clear SCCs can only be used for transfers to third countries where data protection is essentially equivalent to the legal regime offered in the EU — doing so at the same time as saying the US does not meet that standard.

Guidance from the European Data Protection Board in the wake of the ruling suggests that some EU-US data transfers may be possible to carry in compliance with European law. Such as those that involve encrypted data with no access by the receiving US-based entity.

However the bar for compliance varies depending on the specific context and case.

Additionally, for a subset of companies that are definitely subject to US surveillance law (such as Google) the compliance bar may be impossibly high — as surveillance law is the main legal sticking point for EU-US transfers.

So, once again, it’s not a good look for the parliament website to have had a notice on its COVID-19 testing website that said personal data would be transferred to a Google’s server in the US. (Even if that functionality had not been activated, as seems to have been claimed.)

Another reason the complaint against the European Parliament is noteworthy is that it further highlights how much web infrastructure in use within Europe could be risking legal sanction for failing to comply with regional data protection rules. If the European Parliament can’t get it right, who is?

noyb filed a raft of complaints against EU websites last year which it had identified still sending data to the US via Google Analytics and/or Facebook Connect integrations a short while after the Schrems II ruling. (Those complaints are being looked into by DPAs across the EU.)

Facebook’s EU data transfers are also very much on the hook here. Earlier this month the tech giant’s lead EU data regulator agreed to ‘swiftly resolve’ a long-standing complaint over its transfers.

Schrems filed that complaint all the way back in 2013. He told us he expects the case to be resolved this year, likely within around six to nine months. So a final decision should come in 2021.

He has previously suggested the only way for Facebook to fix the data transfers issue is to federate its service, storing European users’ data locally. While last year the tech giant was forced to deny it would shut its service in Europe if its lead EU regulator followed through on enforcing a preliminary order to suspend transfers (which it blocked by applying for a judicial review of the Irish DPC’s processes).

The alternative outcome Facebook has been lobbying for is some kind of a political resolution to the legal uncertainty clouding EU-US data transfers. However the European Commission has warned there’s no quick fix — and reform of US surveillance law is needed.

So with options for continued icing of EU data protection enforcement against US tech giants melting fast in the face of bar-setting CJEU rulings and ongoing strategic litigation like this latest noyb-supported complaint pressure is only going to keep building for pro-privacy reform of US surveillance law. Not that Facebook has openly come out in support of reforming FISA yet.

Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.

Continue Reading
Comments

Uncategorized

Freemium isn’t a trend — it’s the future of SaaS

Published

on

As the COVID-19 lockdowns cascaded around the world last spring, companies large and small saw demand slow to a halt seemingly overnight. Enterprises weren’t comfortable making big, long-term commitments when they had no clue what the future would hold.

Innovative SaaS companies responded quickly by making their products available for free or at a steep discount to boost demand.

While Zoom gets all the attention, there were hundreds of free SaaS tools to help folks through the pandemic. Pluralsight ran a #FreeApril campaign, offering free access to its platform for all of April. Cloudflare made its Teams product free from March until September 1, 2020. GitHub went free for teams in April and slashed the price of its paid Team plan.

A selection of new free, free trial and low-priced offerings from leading SaaS companies. Image Credits: Kyle Poyar/OpenView.

The free products were aimed squarely at end users — whether it be a developer, individual marketer, sales rep or someone else at the edge of an organization. These end users were stuck at home during the pandemic, yet they desperately needed software to power their working lives.

End users prefer to do the vast majority of their research online before ever talking to a sales rep, making free products the ideal way to reach them.

End users prefer to do the vast majority of their research online before ever talking to a sales rep, making free products the ideal way to reach them. Many end users want to jump straight into a product, no hassle or credit card or budget approval required.

After they’ve set up an account and customized it for their workflow, end users have essentially already made a purchase decision with their time — all without ever feeling like they were in an active buying cycle.

An end user-focused free offering became an essential SaaS survival strategy in 2020.

But these free offerings didn’t go away as lockdowns loosened up. SaaS companies instead doubled down on freemium because they realized that doing so had a real and positive impact on their business. In doing so, they busted the outdated myths that have held 82% of SaaS companies back from offering their own free plan.

Myth: A free offering will cannibalize paying customers

GoDaddy is a digital behemoth, known for being a ’90s-era pioneer in web domains as well as for their controversial Super Bowl ads. The company has steadily diversified into business software, now generating roughly $700 million in ARR from its business applications segment and reaching millions of paying customers. There are very few businesses that would see greater potential revenue cannibalization from launching a free product than GoDaddy.

But GoDaddy didn’t let fear stop them from testing freemium when lockdowns set in. Freemium started out as a small-scale experiment in spring 2020 for the websites and marketing product. GoDaddy has since increased the experiment to 50% of U.S. website traffic, with plans to scale to 100% of U.S. traffic and open availability to other markets in 2021.

Continue Reading

Uncategorized

Metafy adds $5.5M to its seed round as the market for games coaching grows

Published

on

This morning Metafy, a distributed startup building a marketplace to match gamers with instructors, announced that it has closed an additional $5.5 million to its $3.15 million seed round. Call it a seed-2, seed-extension or merely a baby Series A; Forerunner Ventures, DCM and Seven Seven Six led the round as a trio.

Metafy’s model is catching on with its market. According to its CEO Josh Fabian, the company has grown from incorporation to gross merchandise volume (GMV) of $76,000 in around nine months. That’s quick.

The startup is building in public, so we have its raw data to share. Via Fabian, here’s how Metafy has grown since its birth:

From the company. As a small tip, if you want the media to care about your startup’s growth rate, share like this!

When TechCrunch first caught wind of Metafy via prior seed investor M25, we presumed that it was a marketplace that was built to allow esports pros and other highly capable gamers teach esports-hopefuls get better at their chosen title. That’s not the case.

Don’t think of Metafy as a marketplace where you can hire a former professional League of Legends player to help improve your laning-phase AD carry mechanics. Though that might come in time. Today a full 0% of the company’s current GMV comes from esports titles. Instead, the company is pursuing games with strong niche followings, what Fabian described as “vibrant, loyal communities.” Like Super Smash Brothers, its leading game today in terms of GMV generated.

Why pursue those titles instead of the most competitive games? Metafy’s CEO explained that his startup has a particular take on its market — that it focuses on coaches as its core customer, over trainees. This allows the startup to focus on its mission of making coaching a full-time gig, or at least one that pays well enough to matter. By doing so, Metafy has cut its need for marketing spend, because the coaches that it onboards bring their own audience. This is where the company is targeting games with super-dedicated user bases, like Smash. They fit well into its build for coaches, onboard coaches, coaches bring their fans, GMV is generated model.

Metafy has big plans, which brings us back to its recent raise. Fabian told TechCrunch any game with a skill curve could wind up on Metafy. Think chess, poker or other games that can be played digitally. To build toward that future, Metafy decided to take on more capital so that it could grow its team.

So what does its $5.5 million unlock for the startup? Per its CEO, Metafy is currently a team of 18 with a monthly burn rate of around $80,000. He wants it to grow to 30 folks, with nearly all of its new hires going into its product org, broadly.

TechCrunch’s perspective is that gaming is not becoming mainstream, but that it has already done so. Building for the gaming world, then, makes good sense, as tools like Metafy won’t suffer from the same boom/bust cycles that can plague game developers. Especially as the startup becomes more diversified in its title base.

Normally we’d close by noting that we’ll get back in touch with the company in a few quarters to see how it’s getting on in growth terms. But because it’s sharing that data publicly, we’ll simply keep reading. More when we have a few months’ more data to chew on.

Continue Reading

Uncategorized

Snap to launch a new Creator Marketplace this month, initially focused on Lens Creators

Published

on

Snap on Wednesday announced its plan to soon launch a Creator Marketplace, which will make it easier for businesses to find and partner with Snapchat creators, including Lens creators, AR creators and later, prominent Snapchat creators known as Snap Stars. At launch, the marketplace will focus on connecting brands and AR creators for AR ads. It will then expand to support all Snap Creators by 2022.

The company had previously helped connect its creator community with advertisers through its Snapchat Storytellers program, which first launched into pilot testing in 2018 — already a late arrival to the space. However, that program’s focus was similar to Facebook’s Brand Collabs Manager, as it focused on helping businesses find Snap creators who could produce video content.

Snap’s new marketplace, meanwhile, has a broader focus in terms of connecting all sorts of creators with the Snap advertising ecosystem. This includes Lens Creators, Developers and Partners, and then later, Snap’s popular creators with public profiles.

Snap says the Creator Marketplace will open to businesses later this month to help them partner with a select group of AR Creators in Snap’s Lens Network. These creators can help businesses build AR experiences without the need for extensive creative resources, which makes access to Snap’s AR ads more accessible to businesses, including smaller businesses without in-house developer talent.

Lens creators have already found opportunity working for businesses that want to grow their Snapchat presence — even allowing some creators to quit their day jobs and just build Lenses for a living. Snap has been further investing in this area of its business, having announced in December a $3.5 million fund directed toward AR Lens creation. The company said at the time there were tens of thousands of Lens creators who had collectively made over 1.5 million Lenses to date.

Using Lenses has grown more popular, too, the company had noted, saying that more than 180 million people interact with a Snapchat Lens every day — up from 70 million daily active users of Lenses when the Lens Explorer section first launched in the app in 2018.

Now, Snap says that over 200 million Snapchat users interact with augmented reality on a daily basis, on average, out of its 280 million daily users. The majority (over 90%) of these users are 13 to 25-year-olds. In total, users are posting over 5 billion Snaps per day.

Snap says the Creator Marketplace will remain focused on connecting businesses with AR Lens Creators throughout 2021.

The following year, it will expand to include the community of professional creators and storytellers who understand the current trends and interests of the Snap user base and can help businesses with their ad campaigns. The company will not take a cut of the deals facilitated through the Marketplace, it says.

This would include the creators making content for Snap’s new TikTok rival, Spotlight, which launched in November 2020. Snap encouraged adoption of the feature by shelling out $1 million per day to creators of top videos. In March 2021, over 125 million Snapchat users watched Spotlight, it says.

Image Credits: Snapchat

Spotlight isn’t the only way Snap is challenging TikTok.

The company also on Wednesday announced it’s snagging two of TikTok’s biggest stars for its upcoming Snap Originals lineup: Charli and Dixie D’Amelio. The siblings, who have gained over 20 million follows on Snapchat this past year, will star in the series “Charli vs. Dixie.” Other new Originals will feature names like artist Megan Thee Stallion, actor Ryan Reynolds, twins and influencers Niki and Gabi DeMartino, and YouTube beauty vlogger Manny Mua, among others.

Snap’s shows were watched by over 400 million people in 2020, including 93% of the Gen Z population in the U.S., it noted.

 

Continue Reading

Trending