Connect with us


EU’s lead data supervisor for most of big tech is still using Lotus Notes



The lead data supervisor for a slew of tech giants in the European Union, including Apple, Facebook, Google, LinkedIn, TikTok and Twitter, is still relying on Lotus Notes to manage complaints and investigations lodged under the bloc’s flagship General Data Protection Regulation (GDPR), per freedom of information requests made by the Irish Council for Civil Liberties (ICCL).

Back in its 2016 annual report Ireland’s Data Protection Commission (DPC) stated that one of its main goals for GDPR (and ePrivacy) readiness included “implementation of a new website and case-management system” in time for the regulation coming into force in May 2018. However some five years later this ITC upgrade project is still a work in progress, responses to the ICCL’s FOIs show.

Project deadlines were repeatedly missed, per internal documents now in the public domain, while by October 2020 the cost of the DPC’s ICT upgrade had more than doubled vs an initial projection — ballooning to at least €615,121 (a figure that excludes staff time spent on the project since 2016; and also does not include the cost of maintaining the antiquated Lotus Notes system which is borne by the Irish government’s Department of Justice).

The revelation that the lead data supervisor for much of big tech in Europe is handling complaints using such ‘last-gen’ software not only looks highly embarrassing for the DPC but raises questions over the effectiveness of its senior management.

The DPC continues to face criticism over the slow pace of regulatory enforcement vis-a-vis big tech which, combined with the GDPR’s one-stop-shop mechanism, has led to a huge backlog of cases that the European Commission has conceded is a weakness of the regulation. So the revelation that it’s taking so long to get its own ITC in order will only fuel criticism that the regulator is not fit for purpose.

The wider issue here is the vast gulf in resources and technical expertise between tech giants, many of which are racking up vast profits off of people’s data that they can use to put toward paying armies of in-house lawyers to shield them from the risk of regulatory intervention, vs the tiny, under-resourced public sector agencies tasked with defending users’ rights — without appropriately modern tools to help them do the job.

In Ireland’s case, though, the length of time involved in overhauling its internal ICT does throw the spotlight on management of resources. Not least because the DPC’s budget and headcount has been growing since around 2015, as more resource have been allocated to it to reflect GDPR coming into application.

The ICCL is calling for the Irish government to consider hiring two additional commissioners — to supplement the current (sole) commissioner, Helen Dixon, who was appointed to the role back in 2014.

It notes that Irish law allows for the possibility of having three commissioners.

“The people who are supposed to make sure that Facebook and Google do not misuse the information that they have about each of us, are using a system so antiquated that one former staff member told me it is ‘like attempting to use an abacus to do payroll’,” Dr Johnny Ryan, an ICCL senior fellow, told TechCrunch.

The DPC is not configured for its digital mission,” he added in a statement. “What we have discovered indicates that it cannot run critically important internal technology projects. How can it be expected to monitor what the world’s biggest tech firms do with our data? This raises serious questions not only for the DPC, but for the Irish Government. We have alerted the Irish Government of the strategic economic risk from failing to enforce the GDPR.”

Reached for comment, the DPC told us it has a “functional and fit-for-purpose” Case Management System which it said has been “optimised with new features over the last number of years (including with capability for the generation of statistics and management reports)”.

But it conceded the system is “dated” and “limited” in terms of how much it can be adapted for integration with a new DPC website and web forms and the IMI [information systems management] shared platform used between EU data protection authorities — given that it’s based on Lotus Notes technology. 

“Significant work in specifying the system and building its core modules has been completed,” deputy commission Graham Doyle said. “Some delays in delivery have occurred because of updates to specification of security and infrastructure elements. Some other elements have on demand from the DPC been slowed in order to allow for the resolution between EU DPAs of final intended processes such as those involved in the Article 60 cooperation and consistency mechanism under the GDPR.

“The EDPB [European Data Protection Board] is only now preparing internal guidance on the operationalisation of Article 60 and further on the dispute resolution mechanism under Article 65. These are key features of work between EU DPAs that require hand-offs between systems. In addition, the EU almost 3 years after it intended to has not yet adopted its new e-Privacy legislation. Further, the DPC alongside all other EU DPAs is learning how the procedural and operational aspects of the GDPR are to operate in fine detail and some of them remain to be settled.”

Doyle added that “progress continues” on the new Case Management System investment — saying it’s the DPC’s intention that “initial core modules” of the new system will be rolled out in Q2 2021.

To date, Ireland’s regulator has only issued one decision pertaining to a cross-border GDPR complaint: In December when it fined Twitter $550k over a security breach the company had publicly disclosed in January 2019.

Disagreement between Ireland and other EU DPAs over its initial enforcement proposal added months more to the decision process — and the DPC was finally forced to increase its suggested penalty by up to a few thousand euros following a majority vote.

The Twitter case was hardly smooth sailing but it actually represents a relatively rapid turnaround compared to the seven+ years involved in a separate (2013) complaint (aka Schrems II) — related to Facebook’s international data transfers which predates the GDPR.

With that complaint the DPC chose to go to court to raise concerns about the legality of the data transfer mechanism itself rather than acting on a specific complaint over Facebook’s use of Standard Contractual Clauses. A referral to the European Court of Justice followed and the EU’s highest court ended up torpedoing a flagship data transfer arrangement between the EU and the US.

Despite its legal challenge resulting in the EU-US Privacy Shield being struck down, the DPC still hasn’t pulled the plug on Facebook’s EU transfers. Although last September it did issue a preliminary suspension order — which Facebook immediately challenged (and blocked, temporarily) via judicial review.

Last year the DPC settled a counter judicial review of its processes, brought by the original complainant, agreeing to swiftly finalize the complaint — although a decision is still likely months out. But should finally come this year.

The DPC defends itself against accusations of enforcement foot-dragging by saying it must follow due process to ensure its decisions stand up to legal challenge.

But as criticism of the unit continues to mount revelations that its own flagship internal ICT upgrade is dragging on some five years after it was stated as a DPC priority will do nothing to silence critics.

Last week the EU parliament’s civil liberties committee issued a draft motion calling on the Commission to begin infringement proceedings against against Ireland “for not properly enforcing the GDPR”.

In the statement it wrote of “deep concern” that several complaints against breaches of the GDPR have not yet been decided by the Irish DPC despite GDPR coming into application in May 2018.

The LIBE committee also flagged the Schrems II Facebook transfers case — writing that it is concerned this case “was started by the Irish Data Protection Commissioner, instead taking a decision within its powers pursuant to Article 58 GDPR”.

It’s also notable that the Commission’s latest plans for updating pan-EU platform regulations — the Digital Services Act and Digital Markets Act — propose to side-step the risk of enforcement bottlenecks by suggesting that key enforcement against the largest platforms should be brought in-house to avoid the risk of any single Member State agency standing in the way of cross-border enforcement of European citizens’ data rights, as continues to happen with the GDPR.

Another quirk in relation to the Irish DPC is that the unit is not subject to the full range of freedom of information law. Instead the law only applies in respect of records concerning “the general administration of the Commission”. This means that its “supervisory, regulatory, consultation, complaint-handling or investigatory functions (including case files) are not releasable under the Act”, as it notes on its website.

Freedom of information requests filed by TechCrunch last year — asking the DPC how many times it has used GDPR powers to impose a temporary or absolute ban on data processing — were refused by the regulator on these grounds.

Its refusal to disclose whether or not it has ever asked an infringing entity to stop processing personal data cited the partial coverage of FOI law, saying that ‘general administration’ only refers to “records which have to do with the management of an FOI body such as records referring to personnel, pay matters, recruitment, accounts, information technology, accommodation, internal organization, office procedures and the like”.

While Ireland’s FOI law prevents closer scrutiny of the DPC’s activities the agency’s enforcement record speaks for itself.


Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.

Continue Reading


Snowflake latest enterprise company to feel Wall Street’s wrath after good quarter



Snowflake reported earnings this week, and the results look strong with revenue more than doubling year-over-year.

However, while the company’s fourth quarter revenue rose 117% to $190.5 million, it apparently wasn’t good enough for investors, who have sent the company’s stock tumbling since it reported Wednesday after the bell.

It was similar to the reaction that Salesforce received from Wall Street last week after it announced a positive earnings report. Snowflake’s stock closed down around 4% today, a recovery compared to its midday lows when it was off nearly 12%.

Why the declines? Wall Street’s reaction to earnings can lean more on what a company will do next more than its most recent results. But Snowflake’s guidance for its current quarter appeared strong as well, with a predicted $195 million to $200 million in revenue, numbers in line with analysts’ expectations.

Sounds good, right? Apparently being in line with analyst expectations isn’t good enough for investors for certain companies. You see, it didn’t exceed the stated expectations, so the results must be bad. I am not sure how meeting expectations is as good as a miss, but there you are.

It’s worth noting of course that tech stocks have taken a beating so far in 2021. And as my colleague Alex Wilhelm reported this morning, that trend only got worse this week. Consider that the tech-heavy Nasdaq is down 11.4% from its 52-week high, so perhaps investors are flogging everyone and Snowflake is merely caught up in the punishment.

Snowflake CEO Frank Slootman pointed out in the earnings call this week that Snowflake is well positioned, something proven by the fact that his company has removed the data limitations of on-prem infrastructure. The beauty of the cloud is limitless resources, and that forces the company to help customers manage consumption instead of usage, an evolution that works in Snowflake’s favor.

“The big change in paradigm is that historically in on-premise data centers, people have to manage capacity. And now they don’t manage capacity anymore, but they need to manage consumption. And that’s a new thing for — not for everybody but for most people — and people that are in the public cloud. I have gotten used to the notion of consumption obviously because it applies equally to the infrastructure clouds,” Slootman said in the earnings call.

Snowflake has to manage expectations, something that translated into a dozen customers paying $5 million or more per month to Snowflake. That’s a nice chunk of change by any measure. It’s also clear that while there is a clear tilt toward the cloud, the amount of data that has been moved there is still a small percentage of overall enterprise workloads, meaning there is lots of growth opportunity for Snowflake.

What’s more, Snowflake executives pointed out that there is a significant ramp up time for customers as they shift data into the Snowflake data lake, but before they push the consumption button. That means that as long as customers continue to move data onto Snowflake’s platform, they will pay more over time, even if it will take time for new clients to get started.

So why is Snowflake’s quarterly percentage growth not expanding? Well, as a company gets to the size of Snowflake, it gets harder to maintain those gaudy percentage growth numbers as the law of large numbers begins to kick in.

I’m not here to tell Wall Street investors how to do their job, anymore than I would expect them to tell me how to do mine. But when you look at the company’s overall financial picture, the amount of untapped cloud potential and the nature of Snowflake’s approach to billing, it’s hard not to be positive about this company’s outlook, regardless of the reaction of investors in the short term.

Continue Reading


A first look at Coursera’s S-1 filing



After TechCrunch broke the news yesterday that Coursera was planning to file its S-1 today, the edtech company officially dropped the document Friday evening.

Coursera was last valued at $2.4 billion by the private markets, when it most recently raised a Series F round in October 2020 that was worth $130 million.

Coursera’s S-1 filing offers a glimpse into the finances of how an edtech company, accelerated by the pandemic, performed over the past year. It paints a picture of growth, albeit one that came at steep expense.


In 2020, Coursera saw $293.5 million in revenue. That’s a roughly 59% increase from the year prior when the company recorded $184.4 million in top line. During that same period, Coursera posted a net loss of nearly $67 million, up 46% from the previous year’s $46.7 million net deficit.

Notably the company had roughly the same noncash, share-based compensation expenses in both years. Even if we allow the company to judge its profitability on an adjusted EBITDA basis, Coursera’s losses still rose from 2019 to 2020, expanding from $26.9 million to $39.8 million.

To understand the difference between net losses and adjusted losses it’s worth unpacking the EBITDA acronym. Standing for “earnings before interest, taxes, depreciation and amortization,” EBITDA strips out some nonoperating costs to give investors a possible better picture of the continuing health of a business, without getting caught up in accounting nuance. Adjusted EBITDA takes the concept one step further, also removing the noncash cost of share-based compensation, and in an even more cheeky move, in this case also deducts “payroll tax expense related to stock-based activities” as well.

For our purposes, even when we grade Coursera’s profitability on a very polite curve it still winds up generating stiff losses. Indeed, the company’s adjusted EBITDA as a percentage of revenue — a way of determining profitability in contrast to revenue — barely improved from a 2019 result of -15% to -14% in 2020.

Continue Reading


The owner of Anki’s assets plans to relaunch Cozmo and Vector this year



Good robots don’t die — they just have their assets sold off to the highest bidder. Digital Dream Labs was there to sweep up IP in the wake of Anki’s premature implosion, back in 2019. The Pittsburgh-based edtech company had initially planned to relaunch Vector and Cozmo at some point in 2020, launching a Kickstarter campaign in March of last year.

The company eventually raised $1.8 million on the crowdfunding site, and today announced plans to deliver on the overdue relaunch, courtesy of a new distributor.

“There is a tremendous demand for these robots,” CEO Jacob Hanchar said in a release. “This partnership will complement the work our teams are already doing to relaunch these products and will ensure that Cozmo and Vector are on shelves for the holidays.”

I don’t doubt that a lot of folks are looking to get their hands on the robots. Cozmo, in particular, was well-received, and sold reasonably well — but ultimately (and in spite of a lot of funding), the company couldn’t avoid the fate that’s befallen many a robotics startup.

It will be fascinating to see how these machines look when they’re reintroduced. Anki invested tremendous resources into bringing them to life, including the hiring of ex-Pixar and DreamWorks staff to make the robots more lifelike. A lot of thought went into giving the robots a distinct personality, whereas, for instance, Vector’s new owners are making the robot open-source. Cozmo, meanwhile, will have programmable functionality through the company’s app.

It could certainly be an interesting play for the STEM market that companies like Sphero are approaching. It has become a fairly crowded space, but at least Anki’s new owners are building on top of a solid foundation, with the fascinating and emotionally complex toy robots their predecessors created.

Continue Reading