Month: March 2019

Fast, affordable food delivery service has been life-changing for many working Chinese, but some still prefer to whip up their own meals. These people may not have the time to pick up fresh ingredients from brick-and-mortar stores, so China’s startups and large companies are trying to make home-cooked meals more effortless for busy workers by sending vegetables and meats to apartment doors.

The fresh grocery sector in China recorded 4.93 trillion yuan ($730 billion) in total sales last year, growing steadily from 3.37 trillion yuan in 2012 according to data collected by Euromonitor and Hua Chuang Securities. Most of these transactions still happen inside wet markets and supermarkets, leaving online retail, which accounted for only 3 percent of total grocery sales in 2016, much room for growth.

Ecommerce leaders Alibaba and JD.com have already added grocery to their comprehensive online shopping malls, nestling in the market with more focused players like Tencent-backed MissFresh (每日优鲜), which has raised $1.4 billion to date. The field has just grown a little more crowded with new entrant Meituan, the Tencent-backed food delivery and hotel booking giant that raised $4.2 billion through a Hong Kong listing last year.

The service, which comes in a new app called “Meituan Maicai” or Meituan grocery shopping that’s separate from the company’s all-in-one app, set out in Shanghai in January before it muscled into Beijing last week. The move follows Meituan’s announcement in its mid-2018 financial report to get in on grocery delivery.

Meituan’s solution to take grocery the last mile is not too different from those of its peers. Users pick from its 1,500 stock keeping units ranging from yogurt to pork loin, fill their in-app shopping carts and pay via their phones, the firm told TechCrunch. Meituan then dispatches its delivery fleets to people’s doors in as little as 30 minutes.

The instant delivery is made possible by a satellite of physical “service stations” across neighborhoods that serve warehousing, packaging and delivering purposes. Placing offline hubs alongside customers also allows data-driven internet firms to optimize warehouse stocking based on local user preferences. For instance, people from an upscale residential area probably eat and shop differently from those in other parts of the city.

Meituan’s foray into grocery shopping further intensifies its battle with Alibaba to control how Chinese people eat. Alibaba’s Hema Supermarket has been running on a similar setup that uses its neighborhood stores as warehouses and fulfillment centers to facilitate 30-minute delivery within a three-kilometer radius. For years, Meituan’s food delivery arm has been going neck-and-neck with Ele.me, which Alibaba scooped up last year. More recently, Alibaba and Meituan are racing to get restaurants to sign up for their proprietary software, which can supposedly give owners more insights into diners and beef up customer engagement.

As part of its goal to be an “everything” app, Meituan has tried out many new initiatives in the lead-up to its initial public offering but was also quick to put them on hold. The firm acquired bike-sharing service Mobike last April only to shutter its operations across Asia in less than a year for cost-saving. Meituan also paused expansion on its much-anticipated ride-hailing business.

But grocery delivery appears to be closer to Meituan’s heart, the “eating” business, to put in its own words. Meituan is tapping its existing infrastructure to get the job done, for example, by summoning its food delivery drivers to serve the grocery service during peak hours. As the company noted in its earnings report last year, the grocery segment could leverage its “massive user base and existing world’s largest intra-city on-demand delivery network.”

Source: Tech Crunch

It’s been a busy day for Facebook exec op-eds. Earlier this morning, Sheryl Sandberg broke the site’s silence around the Christchurch massacre, and now Mark Zuckerberg is calling on governments and other bodies to increase regulation around the sorts of data Facebook traffics in. He’s hoping to get out in front of heavy-handed regulation and get a seat at the table shaping it.

The founder published a letter simultaneously on his own page and The Washington Post, the latter of which is an ideal way to get your sentiments on every desk inside the beltway. In the wake a couple of years that have come with black eyes and growing pains, Zuckerberg notes that if he had it to do over again, he’d ask for increased external scrutiny in four key areas:

• Harmful content – He wants overarching rules and benchmarks social apps can be measured by
• Election integrity – He wants clear government definitions of what constitutes a political or issue ad
• Privacy – He wants GDPR-style regulations globally that can impose sanctions on violators
• Data portability – He wants users to be able to bring their info from one app to another

The story of why the letter breaks down each doubles as kind of recent history of the social network. Struggles and missteps have defined much of Facebook’s last few years, with several controversies often swirling around the social network at once. Not every CEO gets asked to testify in front of Congress. Facebook houses and controls an incredible collection of data, playing a key role in everything from ad targeting and interpersonal relationships to news cycles and elections.

“Lawmakers often tell me we have too much power over speech, and frankly I agree,” Zuckerberg writes, three days after issuing a blanket ban on “white nationalism” and “white separatism.” He goes on to describe the company’s work with various governments, along with its development of independent oversight committee, before anyone can accuse the company of completely passing the buck.

“One idea is for third-party bodies to set standards governing the distribution of harmful content and to measure companies against those standards,” Zuckerberg writes, “Regulation could set baselines for what’s prohibited and require companies to build systems for keeping harmful content to a bare minimum.”

Zuckerberg goes on to encourage increased legislation around election tampering and political advertisements. Notably, the U.S. Department of Housing and Urban Development hit Facebook earlier this week with charges that its targeted ads violate the Fair Housing Act.

The op-ed rings somewhat hollow, though, because there’s plenty that Facebook could do to improve in these four areas without help from the government.

Facebook’s harmful content policies have long been confusing, inconsistent, and isolated. For example, Infowars conspiracy theorist Alex Jones was removed from Facebook but not from Instagram. Meanwhile, bad actors can just hop between social networks to spread problematic posts. Facebook should apply enforcement of its policies across its whole family of apps, publicly work through its logic for why it does or doesn’t remove things instead of having those discussions leak, and cooperate better with fellow social networks to coordinate blanket takedowns of the worst offenders.

As for election integrity, Facebook made a big advance this week by placing all active and old inactive political ad campaigns into keyword-searchable Ad Library. But after pressure from news publishers who didn’t want their ads promoting politicized articles to be included beside traditional campaign ads, Facebook exempted them. Those ads can still influence the electorate, and while they should be classified separately, they should still be archived for research.

On privacy, well, there’s a ton to be done. One major area where it could improve is allowing people to more completely opt out of search, including by their phone number, to avoid stalkers. And better controls should be available for how Facebook uses your contact info when uploaded in the address books of other users.

Finally, with data portability, Facebook has been dragging its feet. A year ago, we published a deep dive into how Facebook only lets you export your social graph as a list of friends’ names which can’t be easily used to find them on other social networks. Facebook must make its social graph truely interoperable so users don’t lose their community if they switch apps. That would coerce Facebook to treat users better since leaving would actually be a viable option.

Taking these steps would show regulators that Zuckerberg isn’t just paying lip service in hopes of getting a more lenient sentence. It would demonstrate he’s ready to make change that serves society.

Source: Tech Crunch

Welcome back to this week’s transcribed edition of Equity, TechCrunch’s venture capital-focused podcast that unpacks the numbers behind the headlines. We’re running an experiment for Extra Crunch members that puts the words of our wildly popular venture capital podcast, Equity, in your eyes instead of your ears.

This week, Kate Clark and Alex Wilhelm recorded an emergency episode to discuss Lyft’s IPO, which debuted Friday. The crew has been talking about the ridesharing company for a long time and this week, it closed its first day of trading up 9% after a 21% opening pop. So if you don’t like podcasts but still want the goodness that is Equity, you can have a read of this week’s episode below. It’s been edited for clarity.

For access to the full transcription, become a member of Extra Crunch. Learn more and try it for free. 

---

Kate Clark: Hello and welcome to Equity. I’m tech crunches, Kate Clark and I’m joined today by Alex Wilhelm of Crunchbase news.

Alex Wilhelm: Hey everybody.

Kate Clark: How’s it going?

Alex Wilhelm: We’ve been doing a lot of Equity lately. I almost feel bad, but also all the IPOs we’ve been waiting for are finally here, so I’m kind of excited and glad.

Kate Clark: I mean, yeah. A couple extra episodes is the least we can do given that one of the most highly anticipated IPOs ever was just completed today. But I think we’re all a little bit relieved that the Lyft extravaganza has sort of come to a, well, I guess it’s not over now we just get to report on their earnings.

 

Alex Wilhelm: Yeah. But I mean at least this portion of the story is complete. Like we’ve been talking about them eventually going public for quarters and quarters now. Now it’s just Lyft had a good or bad quarter, it’s a two minute story and we can move on.

So it’s nice to have gotten here. But can we go back to the beginning and there’s not a lot of steps Kate, that though you and I have been tracking very almost religiously, but for a lot of people probably not as close. So I was thinking we could kind of go back to the beginning of Lyft’s public journey and quickly walk everyone through the numbers, if that makes sense.

Source: Tech Crunch

In an open letter published by the New Zealand Herald, Facebook COO Sheryl Sandberg finally addressed the shocking mass shootings that left 50 dead at two Christchurch mosques. The first of part of the deadliest mass shooting in modern new Zealand history was live-streamed on Facebook by the attacker.

But while the site’s technology was used the broadcast the horrific attacks, Facebook has largely stayed silent on the matter in the intervening two weeks. Sandberg broke that silence in her letter, which addressed grieving families and a shaken nation. The note addresses aspects that the site could have handled better, but the company still appears to be at something of a loss for how to handle such an event.

“Many of you have also rightly questioned how online platforms such as Facebook were used to circulate horrific videos of the attack,” Sandberg writes. “We are committed to reviewing what happened and have been working closely with the New Zealand Police to support their response.”

The executive adds that the company is working on technologies to identity re-upload. The letter stops short of offering specific answers or a blueprint for its policy, going forward.

“We have heard feedback that we must do more – and we agree,” Sandberg says. “In the wake of the terror attack, we are taking three steps: strengthening the rules for using Facebook Live, taking further steps to address hate on our platforms, and supporting the New Zealand community. First, we are exploring restrictions on who can go Live depending on factors such as prior Community Standard violations.”

Both Facebook and YouTube have been subject to widespread criticism over the roles their platforms have played in propagating the images from these horrific attacks. YouTube was quick to issue a statement, noting that it would “work cooperatively with the authorities.”

Source: Tech Crunch

After years of fierce competition as private companies, Uber and Lyft are going public on U.S. markets. Scooter service providers, the transportation trend du jour, raised hundreds of millions of dollars to scatter scooters on city sidewalks (to the chagrin of residents and regulators alike) throughout 2017 and 2018. On the other side of the Pacific, Grab and Go-Jek are raising gobs of cash as they continue to scale upward and outward.

Of all the seed, early and late-stage venture funding raised over the past couple of years, how much of the total went to companies in the ride-hailing, food delivery and last-mile transportation categories (which encompasses bikes and scooters)? Probably not as much as you’d think.

Taken together, companies in these sectors raised less than 10 percent of the total venture dollar volume reported for each of the past five full calendar years.

We’ve charted it out based on yearly totals. Take a peek:

To be sure, we’re still talking about a lot of money here. Companies in these three categories raised more than $22 billion in venture funding rounds (not including private equity) in 2017 and more than $18 billion in 2018.

Ventures in the transportation space loom large in the media, and how could they not? It’s a forbiddingly capital-intensive market to play in, requiring companies to raise massive sums, which make for good headlines.

In its early years, competition between on-demand, point-to-point transportation marketplace companies rewarded brashness and speed with early scale and the long-term structural advantages conferred to first the firms which grew the fastest.

But those advantages may not have been as stiff as first expected. Lyft beat Uber to the public markets, raised its valuation during its IPO roadshow, priced at the top of its extended range and then popped 21 percent when it started trading.

That success means that the red chunks of our above chart weren’t all fool’s bets. Instead, a good chunk of the equity represented is now liquid. Of course, there’s a lot more work to do for literally every other ride-hailing, ridesharing, scooter-renting and other wheels-providing unicorns in the world: They still have to go public.

Source: Tech Crunch

An interesting decision came out of Poland’s data protection agency this week after the watchdog issued its first fine under Europe’s General Data Protection Regulation (GDPR).

On the surface the enforcement doesn’t look so remarkable: A ‘small’ ~€220K fine was handed to a Sweden-headquartered European digital marketing company, Bisnode, which has an office in Poland, after the national Personal Data Protection Office (UODO) decided the company had failed to comply with data subject rights obligations set out in Article 14 of the GDPR.

But the decision also requires it contact the close to six million people it did not already reach out to in order to fulfil its Article 14 information notification obligation, with the DPA giving the company three months to comply.

Bisnode previously estimated it would cost around €8M (~$9M) in registered postal costs to send so many letters, never mind the burden of handling any related admin.

So, as ever, the strength of data protection enforcement under GDPR is a lot more than the deterrent of top-line fines. It’s accompanying orders that can really rearrange business practices.

Local press reports that Bisnode has said it will delete the sanctioned records, presumably rather than shell out to send millions of letters. It also intends to challenge the UODO’s decision, initially in Polish courts — relying on caveats contained in Article 14 which relate to how much effort a data controller has to expend to contact people to tell them it’s processing their data.

It’s reportedly willing to fight all the way up to Europe’s top court, if necessary. (We’ve reached out to Bisnode for confirmation of its next steps.)

Any legal challenge to the UODO’s enforcement decision could therefore end up clarifying (and/or setting) some harder limits around covert scraping of personal data, if it reaches the CJEU — potentially affecting operators in multiple industries and sectors such as business intelligence, advertising and even cyber threat intelligence. So Privacy watchers have pricked up their ears.

“The decision is seen as radical, as it interprets Article 14 literally,” Dr Lukasz Olejnik, independent cybersecurity and privacy advisor, and research associate at the Center for Technology and Global Affairs at Oxford University, tells TechCrunch.

“UODO has taken a very principled position, arguing that the company business model is fully based on processing scraped data, and that the company has taken a decision willingly. UODO also argues that the company was aware of the obligation, as it did contact part of the people via email.”

While there are big and potentially costly implications for data-scrapers across various industries down the legal line, depending on how Bisnode’s appeal/s pan out, Olejnik adds a judicious caveat — noting that “each case might be different and have its specifics”.

There’s certainly no guarantee that the DPA’s decision will lead to a de facto ban on covert commercial data-scraping.

But there is fresh legal uncertainty for those quietly helping themselves to public databases of Europeans’ personal data. While repurposing such stuff for a commercial use may also be far more expensive than you think.

Right to be informed

Article 14 of the GDPR creates an obligation on data controllers to inform people whose personal data they intend to process when the information in question has not been directly obtained from them. So, for instance, when personal data has been scraped off the public Internet.

The relevant chunk of the regulation is pretty long — but key points include that the person whose data has been scraped must be informed who has their data (which includes anyone the data has been shared with, and any proposed international transfers); the types of data obtained; what is going to be done with; and the legal basis for the processing.

Data subjects must also be informed of their right to complain so they can object if they don’t like what you  want to do with their data.

The information obligation is also purpose specific; so if the data controller later wants to do something else with the scraped data there’s an obligation to send a new Article 14 notice.

Data subjects must be informed, at the latest, within a month of obtaining their information (as well as per intended purpose). While if the data is to be used for direct marketing the subject must be informed the first time they get sent a communication, if not sooner.

In the case of Bisnode it obtained a variety of personal data from public registers and other public databases pertaining to millions of entrepreneurs and business owners — including their names, national ID numbers and any legal events related to their business activity.

Registered addresses and/or company addresses appear to have been standard in the public data it scraped but other contact data was not, and Bisnode only obtained email addresses for a small sub-set of the individuals. It subsequently sent emails to those people — fulfilling its Article 14 information obligation in their case.

But, at issue, is that instead of sending text messages or snail mail notifications to all the other people whose email addresses it did not have — aka the vast majority; some 5.7M people — Bisnode made a conscious decision not to reach out to them directly. Instead it posted a notice on its website in the stated belief that fulfilled its Article 14 obligations.

“We recognise the right for sole proprietors to be informed of the fact that their data is processed by us. In this case, Bisnode has complied to the General Data Protection Regulation Art. 14 by posting the information on our website,” it wrote in an initial statement following the UODO’s decision, also posted on its website.

“We question the DPA’s interpretation of what is considered a proportionate effort. In the instances we have had email addresses (679,000 addresses), there we have sent out Art. 14 information via email, but to demand in addition that 5.7 million records of sole proprietors and members of corporate bodies of companies et al, be informed via postal mail or telephone cannot be considered a proportionate effort,” it added.

“In our view, information via email, other digital channels or via advertisements in national daily newspapers is preferable for recipients as well as senders.”

The DPA drastically disagrees — hence the penalty and other enforcement action.

Explaining its decision the watchdog says Bisnode clearly knew about its obligations under Article 14 and thereby made a conscious decision not to directly inform the majority of people whose personal data it had obtained for business purposes on cost grounds alone — when it should rather have accounted for its legal obligations related to data acquisition as a core component of business costs.

“The President of UODO states that the mere inclusion of information required in art. 14 par. 1 and par. 2 of the Regulation 2016/679, on the Company’s website, in the situation where the Company has the address data (and sometimes also phone numbers) of natural persons running a sole proprietorship (currently or in the past), enabling traditional mailing of correspondence containing information required by this provision (or transferring them by telephone), cannot be considered as sufficient fulfilment by the Company of the obligation referred to in art. 14 par. 1-3 of Regulation 2016/679,” runs the relevant chunk of legalese in the UODO decision [translated from Polish via Google Translate].

“The Company, as a professional in this type of activity, should be required to shape the business side of its business, which would take into account all the costs necessary to ensure its compliance with legal provisions (in this case, the provisions on the protection of personal data),” it adds, going on to further press its view that Bisnode’s decision not to reach out to inform the vast majority of individuals because it decided it was too expensive is exactly the problem, especially as its core business relies on processing people’s data.

The DPA’s decision also notes that Bisnode decided against sending SMS messages to another sub-set of people whose telephone numbers it did hold — again claiming as an excuse “the high costs of such an action”.

On the €8M figure which the company estimated would be the cost of posting Article 14 notifications to the 5.7M, the watchdog says there was in fact no obligation to send registered letters specifically (which is how Bisnode seems to have arrived at that estimate); or indeed to use any specific communication medium.

So it could presumably have sent (cheaper) standard mail, or even used its own staff (or hired temps) to spend a couple of days manually posting notifications to the individuals concerned. (Sidenote: Maybe there’s a new type of data notification compliance-tech robot/drone delivery startup to be created here… Knock-knock! Article14 delivery bot at the door to read you your rights…)

The UODO points out that GDPR’s Article 14 provision does not specify any particular means of fulfilling the obligation to inform. It just requires the data controller actually reach out.

An active manner vs disproportionate effort

The “essence of fulfilling the obligation” is to act in “an active manner”, it writes — so that means providing information to a data subject without them having to participate in enabling their own notification.

So just posting a passive notification under a tab on a website, as Bisnode did, would seem to go against that essence — as it clearly requires the people whose data is involved expending effort to find out.

And if they don’t even know their data was scraped in the first place how would they know where — or even to — go looking? It’s very unlikely they’d just stumble upon the notification by chance on Bisnode’s website and join the dots. Not without some kind of wider broadcast announcing its presence.

“The need for active notification is emphasized by the Article 29 Working Party, in the Transparency Guidelines under Regulation 2016/679 adopted on 29 November 2017 (most recently amended and adopted on 11 April 2018),” the UODO’s decision further notes, citing guidance from an influential pan-EU data protection oversight body that’s now known as the European Data Protection Board and responsible for helping ensure consistency of application of GDPR across the bloc.

In a press release accompanying its decision, the UODO also makes a point of specifying the number and proportion of people who objected to Bisnode using their data after it did contact them directly (i.e. by email) — writing: “Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.”

Which highlights the fact that informing people about commercial and marketing-related uses of their data can, and usually does, result in a bunch of them saying ‘no don’t do that’ — an outcome that’s not exactly aligned with the interests of a marketing company like Bisnode which obviously wants to maximize the reach of its database.

But a shrinking marketing database may well be the price of respecting people’s privacy rights and doing business legally in Europe. And Bisnode’s interpretation of what is and isn’t “proportionate”, vis-a-vis Article 14, does look self-servingly aligned with its own business interests rather than with the rights of EU citizens.

If the legal rights of EU people to know what’s being done with their personal data can just be sidestepped by a data controller holding only selective types of contact data (for instance) that risks putting a pretty big loophole in the data protection framework. (Although in a similar case from a few years ago the UODO reached a different decision in regards another company that did not have addresses at its disposal.)

There are some caveats included in Article 14 — allowing for a data controller to dispense with the requirement to inform data subjects if doing so “proves impossible or would involve a disproportionate effort” — but they are conspicuously linked in the text of GDPR to non-commercial examples: “[I]n particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.

Safe to say, a b2b marketing business doesn’t fit the bill there.

A further caveat — which removes the obligation to inform the data subject if it is “likely to render impossible or seriously impair the achievement of the objectives of that processing” — would also seem a tough one to argue for a marketing purpose such as Bisnode’s.

It’s true that, as the complaints following its emailed Article 14 notifications indicate, there will very likely be a proportion of objections from those informed about a marketing purpose for their data. But the complaint stats cited by the UODO reveal that only a minority (~13%) of those emailed actively objected to Bisnode’s use of their data — a figure that does not seem so catastrophically large as to “seriously impair” the company’s overall business objective.

Of course it will be for judges to decide on all these details. But the looming legal fight will be around what constitutes “proportionate effort” — and in which circumstances those Article 13 caveats are allowed to apply.

“The ‘disproportionate effort’ in Article 14(5) is the core issue,” agrees Olejnik. “While including information solely on a website might be sufficient in some cases, but it is not clear if this applies in this case in particular. It is rather clear that the majority of people affected have no idea that their data are processed.”

“What the courts decide is anyone’s guess. It will be a truly interesting case to observe,” he adds.

In terms of immediate practical implications flowing from the UODO’s decision Olejnik says those are also unclear for now — not least because of Bisnode’s plan to fight all the way up to the CJEU if it can. (Meaning its appeal process could take years.)

“The company is also saying in public that its different EU branches are following a similar practice, but did not draw the attention of DPA,” Olejnik continues, adding: “It is however clear that some form of information obligation needs to be made. I believe this is an interesting precedent.

“While it may be shocking to some, this is the GDPR enforcement in action. Prior to enforcement, many would doubt if some text of GDPR means what it means. Well, it appears that to DPAs, it might indeed mean what it mean, if you know what I mean.”

The growing cost and risk of personal data

There is arguably a rather similar story going on, in parallel, around ‘free and informed’ consent under GDPR in relation to online ad targeting — which has turned into a major legal battleground since the regulation came into force last year. Multiple complaints remain in play targeting various data-for-ads tech platforms, as well as attacking core adtech processes for using and sharing personal data without proper consent and/or adequately robust protection.

With the GDPR not yet a year old, major enforcements are still lacking. But there are signs regulators are preparing to draw equally firm lines in the sand on this front too.

Given all the effort going into obfuscating and/or trying to ‘compliance-wash’ how the adtech industry strip-mines personal data, those most systematic personal data-harvesters similarly appear to have calculated that the cost of fully informing individuals is simply too high.

Also because they surely stand to lose a big chunk of their marketing muscle if every user whose personal information is being exploited for ads was offered a genuine, fully informed and entirely free choice to say no way.

But that doesn’t mean they can just sidestep the requirement. Enforcement is coming for any lurking lack of compliance there too.

Zooming out, it’s not clear what proportion of personal data is scraped from the Internet vs being actively provided by the user (albeit, not necessarily freely and willingly provided — as is the nub of this GDPR ‘forced consent’ complaint, for instance).

“Obtaining such comparative data would difficult at a scale,” admits Olejnik.

There’s no doubt plenty of nefarious actors engage in ‘fully unlicensed’ online data-scraping to run illegal spam campaigns or sell it to hackers planning phishing expeditions. And clearly no regulation under the sun that will put a firm lid on that. Though increased legal risk may at least provide a disincentive to less hardened cyber criminals.

In the commercial sector, where regulation has a more powerful bite, the lines between scraping and ‘providing’ data are frequently self-servingly blurred by the entities involved — seeking to workaround the law.

So, again, robust enforcement decisions that get upheld by jurisprudence are sorely needed to define and set down firm red-lines about how people’s data can be respectfully handled.

Let’s also not forget the scandalous acts of the now defunct political data company, Cambridge Analytica, which covertly scraped personal data off of Facebook’s platform to build psychographic profiles of American voters to try to influence domestic political outcomes — something which would certainly constitute a breach of Article 14, i.e. were such actions applied to EU peoples under the bloc’s current data protection regime.

An egregious example like Cambridge Analytica shows the clear logic of GDPR creating a framework for protecting people from non-disclosed use of their personal information — by offering a check against unwelcome misuse. As indeed does Facebook’s long history of abject failure to properly protect user data.

It’s not clear whether GDPR could have stopped a rogue actor like Cambridge Analytica. Though the heftier fines baked into the regime do mean data-scraping is no longer the ‘help yourself, free for all’ it apparently was back in 2014.

At the same time, multiple Facebook businesses remain under investigation in Europe: The Irish DPA has ten open investigations against multiple Facebook-owned platforms over questions of GDPR compliance. So watch that space. (And watch, too, Facebook announcing a sudden ‘pivot’ to ‘privacy… )

Covertly harvesting personal at scale now finally involves serious legal risk — at least in Europe.

And in light of the UODO’s strong stance on Article 14 there’s a little more reason for data scrapers to worry more.

Full disclosure

One final note on UODO and Bisnode: In a slightly odd quirk, the watchdog decided not to publicly name the company — choosing to pseudonymize it by editing out certain details from the published decision text.

It’s not clear why the DPA did so. Nor was its attempt to hide the name effective. Olejnik says he was quickly able to reverse its pseudonymization. While Bisnode also subsequently chose to out itself by going public with its disagreement.

Other European DPAs do disclose the targets of their decisions as a general rule. So it’s definitely a leftfield choice by the Polish watchdog.

A spokesperson for the UODO told us it does not always avoid disclosing the name of entities subject to its decisions but in this case said its president took the view that “information about the administrative fine and its justification is sufficient” — adding that in its view the most important element is to inform the public about decisions issued and “their substance”, including providing details of the decisive arguments in its decision-making process.

But given the lack of a specific justification and especially the weakness of the pseudonymization Olejnik suggests not publicly naming Bisnode was a questionable decision.

“Based on the information from the decision it did not take me much time to ‘reverse’ the pseudonymization and reveal the company name. This puts the decision behind pseudonymization under question,” he suggests. “Though I believe the public has a right to expect transparency in the first place — the decision to pseudonymize was controversial in the first place. To say the least, it forbids users to learn about the case, the misuse, and potentially even learn if they may have been affected.”

There is perhaps no small irony in a privacy watchdog choosing to ineffectively withhold the name of a company that had failed to inform a large number of private individuals that it covertly held their data.

Source: Tech Crunch