Another privacy-related fine for Facebook in Europe: The Spanish data protection regulator has issued a €1.2M (~$1.4M) fine against the social media behemoth for a series of violations regarding its data-harvesting activities.
Spain’s AEPD said an investigation into how Facebook collects, stores and uses data for advertising purposes found it is doing so without obtaining adequate user consent.
It says it identified two serious infringements and one very serious infringement of data protection law — with the total sanction breaking down to €300,000 for each of the first breaches and €600,000 for the second.
The regulator found Facebook collects data on ideology, sex, religious beliefs, personal tastes and navigation — either directly, through users’ use of its services or from third party pages — without, in its judgement, “clearly informing the user about the use and purpose”.
Not obtaining express consent of users to process sensitive personal data is classified as a very serious offense under local DP law.
“This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging on to Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations,” it noted.
The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it — saying it had been able to verify Facebook does not delete web browsing habits data, but in fact “retains and reuses it later associated with the same user”.
It also found this to be true even when the company had been explicitly requested to delete data by a user.
“Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not canceled in full or when they are no longer useful for the purpose for which they were collected or when the user explicitly requests their removal, according to the requirements of the LOPD [local data protection law], which represents a serious infringement,” it said.
The regulator asserted that a Facebook user “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used”.
It also points out that unregistered Internet users would not be unaware that the social network collects their browsing data — something that has already got Facebook into trouble with other European DPAs.
Commenting on the regulator’s action, a Facebook spokesperson told us the company intends to appeal the decision, while also noting that its European business is (currently) regulated under Irish data protection rules, where its EU HQ is sited.
It provided the following statement:
We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.
Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU’s new data protection regulation in 2018.
The size of the AEPR fine is of course a mere pinprick for Facebook whose 2016 revenue was $27.64BN. So really its appeal against the fine is about the company trying to bat away any perception that it violates privacy by refuting the substance of the violations being asserted here.
But seen through the prism of stricter incoming EU data protection rules, under the new GDPR regime which comes into force next May, there are certainly serious financial considerations for Facebook’s business pertaining to privacy — as the new EU regime includes a far larger stick to beat companies that are judged to have violated data protection rules while also tightening up privacy rules by, for example, expanding the definition of personal data and giving EU citizens the right to ask for their data to be deleted.
Companies will be facing fines of up to 4% of their global annual turnover for privacy violations under GDPR. So, in Facebook’s case, privacy-related fines could start to scale to over a billion dollars. And penalties of that size aren’t something the tech giant can too often and too easily sweep under its revenue carpet.
Even as GDPR strengthens the consent requirements for processing personal data, and expands the risk of holding and processing lots of personal data.
In addition, a company like Facebook, which processes data across multiple EU Member States’ territories, may find the new regulation creates a situation where it faces more concerted action from other DPAs, i.e. beyond their local data authority where they’ve established a European base. So, in Facebook’s case, it may not so easily be able to claim to be only under the jurisdiction of the Irish DPA. And in Europe, it’s fair to say that some DPAs are decided more pro-privacy than others.
Asked about its GDPR preparations, Facebook previously told us it has designated a cross-functional team to “fully analyze the legislation and help us understand what this would mean from a legal, policy and product perspective” — saying this is “the largest cross functional team in the history of the Facebook family”.
It is also now looking to recruit a data protection officer — a position mandated under GDPR.
“Ahead of next May we are working with our product, design and engineering teams to enhance existing products and build new products in a way that simultaneously provides an intuitive, user-centric experience and permits us to meet our obligations under the GDPR,” added Stephen Deadman, Facebook’s deputy chief global privacy officer, in a statement.
Paypal to allow users to buy, hold and sell four cryptocurrencies
“The shift to digital forms of currencies is inevitable, bringing with it clear advantages in terms of financial inclusion and access; efficiency, speed and resilience of the payments system; and the ability for governments to disburse funds to citizens quickly,” said Dan Schulman, president and CEO, PayPal.“Our global reach, digital payments expertise, two-sided network, and rigorous security and compliance controls provide us with the opportunity, and the responsibility, to help facilitate the understanding, redemption and interoperability of these new instruments of exchange. We are eager to work with central banks and regulators around the world to offer our support, and to meaningfully contribute to shaping the role that digital currencies will play in the future of global finance and commerce.”
This is great news for crypto but I’m told it shouldn’t have been entirely unexpected In June, there was a report that Paypal was working on direct crypto sales.
Nokia awarded contract to build 4G network on the moon
Nokia has been awarded a contract to establish a 4G network on the moon. The contract is one of several that NASA is awarding to companies as it plans a return to the moon.
The $14.1 million contract was given to Nokia’s US subsidiary and is a small part of the $370 million total awarded to companies such as SpaceX. The cellular service will allow astronauts, rovers, lunar landers, and habitats to communicate with one another according to Jim Reuter, the Associate Administrator for NASA’s Space.
The 4G network that Nokia will build will be miles superior to the form of communication that was used during the early missions to the moon.
This is not Nokia’s first attempt to launch an LTE network on the moon. It planned to do so in 2018 in collaboration with PTScientists, a German space firm, and Vodafone UK to launch an LTE network at the site of the Apollo 17 landing but the plan never came to fruition.
Stripe acquires Nigeria’s Paystack for $200M+ to expand into the African continent
When Stripe announced earlier this year that it had picked up another $600 million in funding, it said one big reason for the funding was to expand its API-based payments services into more geographies. Today the company is coming good on that plan in the form of some M&A.
Stripe is acquiring Paystack, a startup out of Lagos, Nigeria that, like Stripe, provides a quick way to integrate payments services into an online or offline transaction by way of an API. (We and others have referred to it in the past as “the Stripe of Africa.”)
Paystack currently has around 60,000 customers, including small businesses, larger corporates, fintechs, educational institutions and online betting companies, and the plan will be for it to continue operating independently, the companies said.
Terms of the deal are not being disclosed, but sources close to it confirm that it’s over $200 million. That makes this the biggest startup acquisition to date to come out of Nigeria, as well as Stripe’s biggest acquisition to date anywhere. (Sendwave, acquired by WorldRemit in a $500 million deal in August, is based out of Kenya.)
It’s also a notable shift in Stripe’s strategy as it continues to mature: Typically, it has only acquired smaller companies to expand its technology stack, rather than its global footprint.
The deal underscores two interesting points about Stripe, now valued at $36 billion and regularly tipped as an IPO candidate. (Note: It has never commented on those plans up to now.) First is how it is doubling down on geographic expansion: Even before this news, it had added 17 countries to its platform in the last 18 months, along with progressive feature expansion. And second is how Stripe is putting a bet on the emerging markets of Africa specifically in the future of its own growth.
“There is enormous opportunity,” said Patrick Collison, Stripe’s co-founder and CEO, in an interview with TechCrunch. “In absolute numbers, Africa may be smaller right now than other regions, but online commerce will grow about 30% every year. And even with wider global declines, online shoppers are growing twice as fast. Stripe thinks on a longer time horizon than others because we are an infrastructure company. We are thinking of what the world will look like in 2040-2050.”
For Paystack, the deal will give the company a lot more fuel (that is, investment) to build out further in Nigeria and expand to other markets, CEO Shola Akinlade said in an interview.
“Paystack was not for sale when Stripe approached us,” said Akinlade, who co-founded the company with Ezra Olubi (who is the CTO). “For us, it’s about the mission. I’m driven by the mission to accelerate payments on the continent, and I am convinced that Stripe will help us get there faster. It is a very natural move.”
Paystack had been on Stripe’s radar for some time prior to acquiring it. Like its U.S. counterpart, the Nigerian startup went through Y Combinator — that was in 2016, and it was actually the first-ever startup out of Nigeria to get into the world-famous incubator. Then, in 2018, Stripe led an $8 million funding round for Paystack, with others participating, including Visa and Tencent. (And for the record, Akinlade said that Visa and Tencent had not approached it for acquisition. Both have been regular investors in startups on the continent.)
In the last several years, Stripe has made a number of investments into startups building technology or businesses in areas where Stripe has yet to move. This year, those investments have included backing an investment in universal checkout service Fast, and backing the Philippines-based payment platform PayMongo.
Collison said that while acquiring Paystack after investing in it was a big move for the company, people also shouldn’t read too much into it in terms of Stripe’s bigger acquisition policy.
“When we invest in startups we’re not trying to tie them up with complicated strategic investments,” Collison said. “We try to understand the broader ecosystem, and keep our eyes pointed outwards and see where we can help.”
That is to say, there are no plans to acquire other regional companies or other operations simply to expand Stripe’s footprint, with the interest in Paystack being about how well they’d built the company, not just where they are located.
“A lot of companies have been, let’s say, heavily influenced by Stripe,” Collison said, raising his eyebrows a little. “But with Paystack, clearly they’ve put a lot of original thinking into how to do things better. There are some details of Stripe that we consider mistakes, but we can see that Paystack ‘gets it,’ it’s clear from the site and from the product sensibilities, and that has nothing to do with them being in Africa or African.”
Stripe, with its business firmly in the world of digital transactions, already has a strong line in the detection and prevention of fraud and other financial crimes. It has developed an extensive platform of fraud protection tools, but even with that, incidents can slip through the cracks. Just last month, Stripe was ordered to pay $120,000 in a case in Massachusetts after failing to protect users in a $15 million cryptocurrency scam.
Now, bringing on a business from Nigeria could give the company a different kind of risk exposure. Nigeria is the biggest economy in Africa, but it is also one of the more corrupt on the continent, according to research from Transparency International.
And related to that, it also has a very contentious approach to law and order. Nigeria has been embroiled in protests in the last week with demonstrators calling for the disbanding of the country’s Special Anti-Robbery Squad, after multiple accusations of brutality, including extrajudicial killings, extortion and torture. In fact, Stripe and Paystack postponed the original announcement in part because of the current situation in the country.
But while those troubles continue to be worked through (and hopefully eventually resolved, by way of government reform in response to demonstrators’ demands), Paystack’s acquisition is a notable foil to those themes. It points to how talented people in the region are identifying problems in the market and building technology to help fix them, as a way of improving how people can transact, and in turn, economic outcomes more generally.
The company got its start back when Akinlade, for fun (!) built a quick way of integrating a card transaction into a web page, and it was the simplicity of how it worked that spurred him and his co-founder to think of how to develop that into something others could use. That became the germination of the idea that eventually landed them at YC and in the scope of Stripe.
“We’re still very early in the Paystack payments ecosystem, which is super broken,” said Akinlade. The company today provides a payments API, and it makes revenue every time a transaction is made using it. He wouldn’t talk about what else is on Paystack’s radar, but when you consider Stripe’s own product trajectory as a template, there is a wide range of accounting, fraud, card, cash advance and other services to meet business needs that could be built around that to expand the business. “Most of what we will be building in Africa has not been built yet.”
Last month, at Disrupt, we interviewed another successful entrepreneur in the country, Tunde Kehinde, who wisely noted that more exits of promising startups — either by going public or getting acquired — will help lift up the whole ecosystem. In that regard, Stripe’s move is a vote of confidence not just for the potential of the region, but for those putting in the efforts to build tech and continue improving outcomes for everyone.
Security3 days ago
Philips consulting’s strategy to cyber security
Internet3 days ago
Why Anna Kendrick Is The ‘Most Dangerous Celebrity On The Internet’
The Motivator3 days ago
China’s revamped law bans online services that ‘induce addiction’ in kids
Tech News3 days ago
Nokia awarded contract to build 4G network on the moon
The Motivator3 days ago
How to Empower and Support Young Entrepreneurs (Resources & Tips)
The Future3 days ago
Microsoft Documents Confirm Futuristic Surface Plans
Internet3 days ago
Irish regulator probes Facebook’s handling of children’s data on Instagram
Systems3 days ago
Samsung developing two new high-end Exynos chipsets, one features AMD GPU