China’s grocery delivery battle heats up with Meituan’s entry

Fast, affordable food delivery service has been life-changing for many working Chinese, but some still prefer to whip up their own meals. These people may not have the time to pick up fresh ingredients from brick-and-mortar stores, so China’s startups and large companies are trying to make home-cooked meals more effortless for busy workers by sending vegetables and meats to apartment doors.

The fresh grocery sector in China recorded 4.93 trillion yuan ($730 billion) in total sales last year, growing steadily from 3.37 trillion yuan in 2012 according to data collected by Euromonitor and Hua Chuang Securities. Most of these transactions still happen inside wet markets and supermarkets, leaving online retail, which accounted for only 3 percent of total grocery sales in 2016, much room for growth.

Ecommerce leaders Alibaba and JD.com have already added grocery to their comprehensive online shopping malls, nestling in the market with more focused players like Tencent-backed MissFresh (每日优鲜), which has raised $1.4 billion to date. The field has just grown a little more crowded with new entrant Meituan, the Tencent-backed food delivery and hotel booking giant that raised $4.2 billion through a Hong Kong listing last year.

meituan grocery

Screenshots of the Meituan Maicai app / Image: Meituan Maicai

The service, which comes in a new app called “Meituan Maicai” or Meituan grocery shopping that’s separate from the company’s all-in-one app, set out in Shanghai in January before it muscled into Beijing last week. The move follows Meituan’s announcement in its mid-2018 financial report to get in on grocery delivery.

Meituan’s solution to take grocery the last mile is not too different from those of its peers. Users pick from its 1,500 stock keeping units ranging from yogurt to pork loin, fill their in-app shopping carts and pay via their phones, the firm told TechCrunch. Meituan then dispatches its delivery fleets to people’s doors in as little as 30 minutes.

The instant delivery is made possible by a satellite of physical “service stations” across neighborhoods that serve warehousing, packaging and delivering purposes. Placing offline hubs alongside customers also allows data-driven internet firms to optimize warehouse stocking based on local user preferences. For instance, people from an upscale residential area probably eat and shop differently from those in other parts of the city.

Meituan’s foray into grocery shopping further intensifies its battle with Alibaba to control how Chinese people eat. Alibaba’s Hema Supermarket has been running on a similar setup that uses its neighborhood stores as warehouses and fulfillment centers to facilitate 30-minute delivery within a three-kilometer radius. For years, Meituan’s food delivery arm has been going neck-and-neck with Ele.me, which Alibaba scooped up last year. More recently, Alibaba and Meituan are racing to get restaurants to sign up for their proprietary software, which can supposedly give owners more insights into diners and beef up customer engagement.

As part of its goal to be an “everything” app, Meituan has tried out many new initiatives in the lead-up to its initial public offering but was also quick to put them on hold. The firm acquired bike-sharing service Mobike last April only to shutter its operations across Asia in less than a year for cost-saving. Meituan also paused expansion on its much-anticipated ride-hailing business.

But grocery delivery appears to be closer to Meituan’s heart, the “eating” business, to put in its own words. Meituan is tapping its existing infrastructure to get the job done, for example, by summoning its food delivery drivers to serve the grocery service during peak hours. As the company noted in its earnings report last year, the grocery segment could leverage its “massive user base and existing world’s largest intra-city on-demand delivery network.”


Source: Tech Crunch

A look at new power banks from OmniCharge and Fuse Chicken

When you’ve been doing this job long enough, you start to develop strange interests (though some might compellingly argue that strange interests are a prerequisite). Lately for me it’s been power banks. Quite possibly the least sexy product in all of consumer electronics outside of the ever-ubiquitous dongle.

I don’t know what to tell you. Blame the fact that I’m traveling every other week for this job. There are also all of the liveblogs from years’ past that got cut off in the last few minutes as my poor ancient MacBook put itself to sleep during those last precious battery percentages. Low batteries give me anxiety. I’m the guy who’s the first to notice when your phone’s screenshot is below 10 percent.

So the power bank has become constant accessory in my life, both home and on the road. Until last year, I used to carry a massive one that was just north of 20,000mAh. The peace of mind to back pain ration seemed sensible enough, but I learned the hard way that, not only do Chinese airports have a limit on battery size, they chuck yours in the trash without a second thought if you go over. It’s a quick way to lose $150.

The good news, however, is that between USB-C, wireless charging and the magic of crowdfunding, it seems we might be living through the golden age of the power bank. I know, right? What a time to be alive.

Point is, there are a lot of choices out there. Anker and Amazon’s house brand RAVPower both offer some good options on a budget. There’s also mainstay Mophie for those who don’t mind paying a bit of a premium for design.

Fuse Chicken was actually a brand that was new to me when they hit me up to try out their latest product. It’s a name I definitely would have remembered — because, honestly, it’s pretty terrible. Memorable, but terrible. Maybe that’s why the company went with such a mundane name for what’s a really interesting charger.

My dad ones told me that he gave my sister and I boring first names because we had such an unusual surname. I have no idea if this is true, but it’s an interesting story and could well apply here.

The Universal is a good example of making the most of out a form factor. It manages to jam a lot of features in without creating a Frankenstein’s Monster worthy of the name Fuse Chicken. On its face, the product looks like a black and white version of Amazon’s default power bricks. It serves that purpose, of course, coupled with a trio of swappable international wall adapters (bonus points for travelers).

But the brick also sports a 6,700mAh battery inside, so you can continue charging gadgets while unplugged. That’s ideal for a phone — you can keep a laptop alive for a bit as well, but you’re going to burn through that pretty quickly. There’s also a wireless charging pad up top, so you can power up another phone or, say, a new set of AirPods at the same time. The side of the device features a small display showing off how much juice is left.

It’s great having a bank that’s also a plug, though like Apple’s brick, it’s much too massive to plug into many vertical outlets. I learned this lesson the hard way on a recent coast to coast flight. Thankfully, though, it’s compatible with Apple’s extension cable.

OmniCharge, meanwhile, is a company I’ve been following since their earliest Kickstarter days. Matter of fact, the aforementioned power bank that’s currently sitting in a Chinese garbage dump is one of their products. R.I.P. noble battery pack.

The Omni Mobile 12,800 mAh is a much more basic product that the company’s earliest offerings. There’s no display for power information here — instead you have to rely on four lights to let you know how much juice is left.

As with most of the company’s products, I do quite like the design language. It’s subtle and unobtrusive and fits nicely inside a backpack. It’s definitely too big for carrying around in a pocket, however. Thanks the wonders of USB it will charge a laptop, as well, though once again, you’re going to run through that 12,800 mAh pretty quickly, if you do.

The Fuse Chicken and OmniCharge run $85 and $99, respectively. They’ve both served me well as travel companions these last few weeks. Here’s to long flights and avoiding life’s landfill.


Source: Tech Crunch

Mark Zuckerberg actually calls for regulation of content, elections, privacy

It’s been a busy day for Facebook exec op-eds. Earlier this morning, Sheryl Sandberg broke the site’s silence around the Christchurch massacre, and now Mark Zuckerberg is calling on governments and other bodies to increase regulation around the sorts of data Facebook traffics in. He’s hoping to get out in front of heavy-handed regulation and get a seat at the table shaping it.

The founder published a letter simultaneously on his own page and The Washington Post, the latter of which is an ideal way to get your sentiments on every desk inside the beltway. In the wake a couple of years that have come with black eyes and growing pains, Zuckerberg notes that if he had it to do over again, he’d ask for increased external scrutiny in four key areas:

  • Harmful content – He wants overarching rules and benchmarks social apps can be measured by
  • Election integrity – He wants clear government definitions of what constitutes a political or issue ad
  • Privacy – He wants GDPR-style regulations globally that can impose sanctions on violators
  • Data portability – He wants users to be able to bring their info from one app to another

The story of why the letter breaks down each doubles as kind of recent history of the social network. Struggles and missteps have defined much of Facebook’s last few years, with several controversies often swirling around the social network at once. Not every CEO gets asked to testify in front of Congress. Facebook houses and controls an incredible collection of data, playing a key role in everything from ad targeting and interpersonal relationships to news cycles and elections.

I’ve spent most of the past two years focusing on issues like harmful content, elections integrity and privacy. I think…

Posted by Mark Zuckerberg on Saturday, March 30, 2019

“Lawmakers often tell me we have too much power over speech, and frankly I agree,” Zuckerberg writes, three days after issuing a blanket ban on “white nationalism” and “white separatism.” He goes on to describe the company’s work with various governments, along with its development of independent oversight committee, before anyone can accuse the company of completely passing the buck.

“One idea is for third-party bodies to set standards governing the distribution of harmful content and to measure companies against those standards,” Zuckerberg writes, “Regulation could set baselines for what’s prohibited and require companies to build systems for keeping harmful content to a bare minimum.”

Zuckerberg goes on to encourage increased legislation around election tampering and political advertisements. Notably, the U.S. Department of Housing and Urban Development hit Facebook earlier this week with charges that its targeted ads violate the Fair Housing Act.

The op-ed rings somewhat hollow, though, because there’s plenty that Facebook could do to improve in these four areas without help from the government.

Facebook’s harmful content policies have long been confusing, inconsistent, and isolated. For example, Infowars conspiracy theorist Alex Jones was removed from Facebook but not from Instagram. Meanwhile, bad actors can just hop between social networks to spread problematic posts. Facebook should apply enforcement of its policies across its whole family of apps, publicly work through its logic for why it does or doesn’t remove things instead of having those discussions leak, and cooperate better with fellow social networks to coordinate blanket takedowns of the worst offenders.

As for election integrity, Facebook made a big advance this week by placing all active and old inactive political ad campaigns into keyword-searchable Ad Library. But after pressure from news publishers who didn’t want their ads promoting politicized articles to be included beside traditional campaign ads, Facebook exempted them. Those ads can still influence the electorate, and while they should be classified separately, they should still be archived for research.

On privacy, well, there’s a ton to be done. One major area where it could improve is allowing people to more completely opt out of search, including by their phone number, to avoid stalkers. And better controls should be available for how Facebook uses your contact info when uploaded in the address books of other users.

Finally, with data portability, Facebook has been dragging its feet. A year ago, we published a deep dive into how Facebook only lets you export your social graph as a list of friends’ names which can’t be easily used to find them on other social networks. Facebook must make its social graph truely interoperable so users don’t lose their community if they switch apps. That would coerce Facebook to treat users better since leaving would actually be a viable option.

Taking these steps would show regulators that Zuckerberg isn’t just paying lip service in hopes of getting a more lenient sentence. It would demonstrate he’s ready to make change that serves society.


Source: Tech Crunch

CMU team develops a robot and drone system for mine rescues

On our final day in Pittsburgh, we find ourself in a decommissioned coal mine. Just northeast of the city proper, Tour-Ed’s owners run field trips and tours during the warmer months, despite the fact that the mine’s innards run a constant 50 degrees or so, year round.

With snow still melted just beyond the entrance, a team of students from Carnegie Mellon and Oregon State University are getting a pair of robots ready for an upcoming competition. The small team is one of a dozen or so currently competing in DARPA’s Subterranean Challenge.

The multi-year SUbT competition is designed to “explore new approaches to rapidly map, navigate, search, and exploit complex underground environments, including human-made tunnel systems, urban underground, and natural cave networks.” In particular, teams are tasked with search and rescue missions in underground structures, ranging from mines to caves to subway stations.

The goal of the $2 million challenge is design a system capable of navigating complex underground terrains, in case of cave-ins or other disasters. The robots are created to go where human rescuers can’t — or, at very least, shouldn’t.

The CMU team’s solution features multiple robots, with a foul-wheeled rover and a small, hobbyist style drone taking center state. “Our system consists of ground robots that will be able to track and follow the terrain,” says CMU’s Steve Willits, who serves as an adviser on the project. “We also have an unmanned aerial vehicle consisting of a hexacopter. It’s equipped with all of instrumentation that it will need to explore various area of the mine.”

The rover uses a combination of 3D cameras and LIDAR to navigate and map the environment, while looking for humans amid the rubble. Should it find itself unable to move, due to debris, small passage ways or a manmade obstacle like stairs, the drone is designed to lift off from the rear and continue the search.

All the while, the rover drops ultra rugged WIFI repeaters off its rear like a breadcrumb trail, extending its signal in the process. Most of this is still early stages. While the team was able to demonstrate the rover and drone in action, it still hasn’t mastered a method for getting them to work in tandem.

Testing the robots will begin in September, with the Tunnel Circuit That’s followed in March 2020 by the manmade Urban Circuit and then a Cave Circuit that September. A final event will be held in September 2012.


Source: Tech Crunch

Equity transcribed: What the Lyft IPO means for IPO-ready unicorns

Welcome back to this week’s transcribed edition of Equity, TechCrunch’s venture capital-focused podcast that unpacks the numbers behind the headlines. We’re running an experiment for Extra Crunch members that puts the words of our wildly popular venture capital podcast, Equity, in your eyes instead of your ears.

This week, Kate Clark and Alex Wilhelm recorded an emergency episode to discuss Lyft’s IPO, which debuted Friday. The crew has been talking about the ridesharing company for a long time and this week, it closed its first day of trading up 9% after a 21% opening pop. So if you don’t like podcasts but still want the goodness that is Equity, you can have a read of this week’s episode below. It’s been edited for clarity.

For access to the full transcription, become a member of Extra Crunch. Learn more and try it for free. 


Kate Clark: Hello and welcome to Equity. I’m tech crunches, Kate Clark and I’m joined today by Alex Wilhelm of Crunchbase news.

Alex Wilhelm: Hey everybody.

Kate Clark: How’s it going?

Alex Wilhelm: We’ve been doing a lot of Equity lately. I almost feel bad, but also all the IPOs we’ve been waiting for are finally here, so I’m kind of excited and glad.

Kate Clark: I mean, yeah. A couple extra episodes is the least we can do given that one of the most highly anticipated IPOs ever was just completed today. But I think we’re all a little bit relieved that the Lyft extravaganza has sort of come to a, well, I guess it’s not over now we just get to report on their earnings.

 

Alex Wilhelm: Yeah. But I mean at least this portion of the story is complete. Like we’ve been talking about them eventually going public for quarters and quarters now. Now it’s just Lyft had a good or bad quarter, it’s a two minute story and we can move on.

So it’s nice to have gotten here. But can we go back to the beginning and there’s not a lot of steps Kate, that though you and I have been tracking very almost religiously, but for a lot of people probably not as close. So I was thinking we could kind of go back to the beginning of Lyft’s public journey and quickly walk everyone through the numbers, if that makes sense.


Source: Tech Crunch

Sheryl Sandberg says Facebook is ‘exploring’ restrictions following Christchurch attacks

In an open letter published by the New Zealand Herald, Facebook COO Sheryl Sandberg finally addressed the shocking mass shootings that left 50 dead at two Christchurch mosques. The first of part of the deadliest mass shooting in modern new Zealand history was live-streamed on Facebook by the attacker.

But while the site’s technology was used the broadcast the horrific attacks, Facebook has largely stayed silent on the matter in the intervening two weeks. Sandberg broke that silence in her letter, which addressed grieving families and a shaken nation. The note addresses aspects that the site could have handled better, but the company still appears to be at something of a loss for how to handle such an event.

“Many of you have also rightly questioned how online platforms such as Facebook were used to circulate horrific videos of the attack,” Sandberg writes. “We are committed to reviewing what happened and have been working closely with the New Zealand Police to support their response.”

The executive adds that the company is working on technologies to identity re-upload. The letter stops short of offering specific answers or a blueprint for its policy, going forward.

“We have heard feedback that we must do more – and we agree,” Sandberg says. “In the wake of the terror attack, we are taking three steps: strengthening the rules for using Facebook Live, taking further steps to address hate on our platforms, and supporting the New Zealand community. First, we are exploring restrictions on who can go Live depending on factors such as prior Community Standard violations.”

Both Facebook and YouTube have been subject to widespread criticism over the roles their platforms have played in propagating the images from these horrific attacks. YouTube was quick to issue a statement, noting that it would “work cooperatively with the authorities.”


Source: Tech Crunch

Yoshi’s Crafted World is classic gaming joy, Nintendo-style

In 1995, Yoshi had his moment. The character’s Super Mario World debut was so strong, Nintendo handed the dinosaur sidekick his own sequel. A surprise divergence from the Mario franchise found the character escorting a baby version of the plumber in search of his kidnapped twin.

Super Mario World 2: Yoshi’s Island was regarded as an instant classic for the Super Nintendo. The positive reaction was due, in part, to some bold aesthetic choices. The game featured a shaky line style, both in keeping with the playful infant motif and to further highlight that the title wasn’t just another Mario game.

Yoshi’s island has received a number of its own sequels and spinoffs over the years. This is, after all, Nintendo we’re talking about here. The company has turned riding out IP into a kind of art form. But while many of those followups were generally well-received, but none managed to capture the pure joy of the original.

2015’s Yoshi’s Wooly World came close, but ultimately failed to meet the high standards of many Mario fans. And the fact that the Wii U was ultimately a doomed console didn’t help matters much.

From a design perspective, Yoshi’s Crafted World clearly shares a lot of common DNA with that predecessor and, for that matter, Kirby’s Epic Yarn, with developer Good-Feel being a common denominator in all three.  But the Switch title is a far more fully realized and cohesive package than the Wii U title. And like Yoshi’s Island before it, it’s a joy to play.

The first time I saw gameplay footage, I’d assume the game was a bit more of an open-world adventure — the Yoshi’s Island to Super Mario Galaxy’s Super Mario World. But while the new title gives you some choices, it never lets you stray too far from the standard platformer path.

To this day, side scrollers continue to be Nintendo’s bread and butter, even as it pushes the boundaries of gaming with other titles. At its worst, that means redundancy. At its best, however, Nintendo manages to put a fresh spin on the age old genre, as is the case here.

Clever mechanics like 3D world flipping and paths that point Yoshi down roads in a third dimension keep gameplay interesting. The addition of seemingly infinite Mario 3-style cardboard costumes, coupled with the DIY crafted design language, meanwhile, make it downright joy to play.

Yoshi’s Crafted World is an all-ages title, through and through. In fact, on first playing, the game asks whether you want to play “Mellow Mode” or “Classic Mode,” reassuring you that you can switch things up at any time. Even in Classic Mode, the game does a fair bit of handholding.

But the game’s simple and slow pace is more comfort than annoyance for even older players. The title plays like a casual game, writ large with a fun through line that finds Yoshi hunting down scattered “Dream Gems,” like so many Dragon Balls. It’s never as immersive or addicting as a title like Mario Galaxy, but that’s not necessarily a bad thing. It’s the kind of game you can happily play in spurts and come back to, after you’re done living your life.

It’s a reminder that games can be an escape from, rather than cause of, frustration and stress. And it’s definitely the best Yoshi star vehicle in nearly 25 years.


Source: Tech Crunch

Ride-hailing, bike and scooter companies probably raised less money than you thought

After years of fierce competition as private companies, Uber and Lyft are going public on U.S. markets. Scooter service providers, the transportation trend du jour, raised hundreds of millions of dollars to scatter scooters on city sidewalks (to the chagrin of residents and regulators alike) throughout 2017 and 2018. On the other side of the Pacific, Grab and Go-Jek are raising gobs of cash as they continue to scale upward and outward.

Of all the seed, early and late-stage venture funding raised over the past couple of years, how much of the total went to companies in the ride-hailing, food delivery and last-mile transportation categories (which encompasses bikes and scooters)? Probably not as much as you’d think.

Taken together, companies in these sectors raised less than 10 percent of the total venture dollar volume reported for each of the past five full calendar years.

We’ve charted it out based on yearly totals. Take a peek:

To be sure, we’re still talking about a lot of money here. Companies in these three categories raised more than $22 billion in venture funding rounds (not including private equity) in 2017 and more than $18 billion in 2018.

Ventures in the transportation space loom large in the media, and how could they not? It’s a forbiddingly capital-intensive market to play in, requiring companies to raise massive sums, which make for good headlines.

In its early years, competition between on-demand, point-to-point transportation marketplace companies rewarded brashness and speed with early scale and the long-term structural advantages conferred to first the firms which grew the fastest.

But those advantages may not have been as stiff as first expected. Lyft beat Uber to the public markets, raised its valuation during its IPO roadshow, priced at the top of its extended range and then popped 21 percent when it started trading.

That success means that the red chunks of our above chart weren’t all fool’s bets. Instead, a good chunk of the equity represented is now liquid. Of course, there’s a lot more work to do for literally every other ride-hailing, ridesharing, scooter-renting and other wheels-providing unicorns in the world: They still have to go public.


Source: Tech Crunch

Covert data-scraping on watch as EU DPA lays down “radical” GDPR red-line

An interesting decision came out of Poland’s data protection agency this week after the watchdog issued its first fine under Europe’s General Data Protection Regulation (GDPR).

On the surface the enforcement doesn’t look so remarkable: A ‘small’ ~€220K fine was handed to a Sweden-headquartered European digital marketing company, Bisnode, which has an office in Poland, after the national Personal Data Protection Office (UODO) decided the company had failed to comply with data subject rights obligations set out in Article 14 of the GDPR.

But the decision also requires it contact the close to six million people it did not already reach out to in order to fulfil its Article 14 information notification obligation, with the DPA giving the company three months to comply.

Bisnode previously estimated it would cost around €8M (~$9M) in registered postal costs to send so many letters, never mind the burden of handling any related admin.

So, as ever, the strength of data protection enforcement under GDPR is a lot more than the deterrent of top-line fines. It’s accompanying orders that can really rearrange business practices.

Local press reports that Bisnode has said it will delete the sanctioned records, presumably rather than shell out to send millions of letters. It also intends to challenge the UODO’s decision, initially in Polish courts — relying on caveats contained in Article 14 which relate to how much effort a data controller has to expend to contact people to tell them it’s processing their data.

It’s reportedly willing to fight all the way up to Europe’s top court, if necessary. (We’ve reached out to Bisnode for confirmation of its next steps.)

Any legal challenge to the UODO’s enforcement decision could therefore end up clarifying (and/or setting) some harder limits around covert scraping of personal data, if it reaches the CJEU — potentially affecting operators in multiple industries and sectors such as business intelligence, advertising and even cyber threat intelligence. So Privacy watchers have pricked up their ears.

“The decision is seen as radical, as it interprets Article 14 literally,” Dr Lukasz Olejnik, independent cybersecurity and privacy advisor, and research associate at the Center for Technology and Global Affairs at Oxford University, tells TechCrunch.

“UODO has taken a very principled position, arguing that the company business model is fully based on processing scraped data, and that the company has taken a decision willingly. UODO also argues that the company was aware of the obligation, as it did contact part of the people via email.”

While there are big and potentially costly implications for data-scrapers across various industries down the legal line, depending on how Bisnode’s appeal/s pan out, Olejnik adds a judicious caveat — noting that “each case might be different and have its specifics”.

There’s certainly no guarantee that the DPA’s decision will lead to a de facto ban on covert commercial data-scraping.

But there is fresh legal uncertainty for those quietly helping themselves to public databases of Europeans’ personal data. While repurposing such stuff for a commercial use may also be far more expensive than you think.

Right to be informed

Article 14 of the GDPR creates an obligation on data controllers to inform people whose personal data they intend to process when the information in question has not been directly obtained from them. So, for instance, when personal data has been scraped off the public Internet.

The relevant chunk of the regulation is pretty long — but key points include that the person whose data has been scraped must be informed who has their data (which includes anyone the data has been shared with, and any proposed international transfers); the types of data obtained; what is going to be done with; and the legal basis for the processing.

Data subjects must also be informed of their right to complain so they can object if they don’t like what you  want to do with their data.

The information obligation is also purpose specific; so if the data controller later wants to do something else with the scraped data there’s an obligation to send a new Article 14 notice.

Data subjects must be informed, at the latest, within a month of obtaining their information (as well as per intended purpose). While if the data is to be used for direct marketing the subject must be informed the first time they get sent a communication, if not sooner.

In the case of Bisnode it obtained a variety of personal data from public registers and other public databases pertaining to millions of entrepreneurs and business owners — including their names, national ID numbers and any legal events related to their business activity.

Registered addresses and/or company addresses appear to have been standard in the public data it scraped but other contact data was not, and Bisnode only obtained email addresses for a small sub-set of the individuals. It subsequently sent emails to those people — fulfilling its Article 14 information obligation in their case.

But, at issue, is that instead of sending text messages or snail mail notifications to all the other people whose email addresses it did not have — aka the vast majority; some 5.7M people — Bisnode made a conscious decision not to reach out to them directly. Instead it posted a notice on its website in the stated belief that fulfilled its Article 14 obligations.

“We recognise the right for sole proprietors to be informed of the fact that their data is processed by us. In this case, Bisnode has complied to the General Data Protection Regulation Art. 14 by posting the information on our website,” it wrote in an initial statement following the UODO’s decision, also posted on its website.

“We question the DPA’s interpretation of what is considered a proportionate effort. In the instances we have had email addresses (679,000 addresses), there we have sent out Art. 14 information via email, but to demand in addition that 5.7 million records of sole proprietors and members of corporate bodies of companies et al, be informed via postal mail or telephone cannot be considered a proportionate effort,” it added.

“In our view, information via email, other digital channels or via advertisements in national daily newspapers is preferable for recipients as well as senders.”

The DPA drastically disagrees — hence the penalty and other enforcement action.

Explaining its decision the watchdog says Bisnode clearly knew about its obligations under Article 14 and thereby made a conscious decision not to directly inform the majority of people whose personal data it had obtained for business purposes on cost grounds alone — when it should rather have accounted for its legal obligations related to data acquisition as a core component of business costs.

“The President of UODO states that the mere inclusion of information required in art. 14 par. 1 and par. 2 of the Regulation 2016/679, on the Company’s website, in the situation where the Company has the address data (and sometimes also phone numbers) of natural persons running a sole proprietorship (currently or in the past), enabling traditional mailing of correspondence containing information required by this provision (or transferring them by telephone), cannot be considered as sufficient fulfilment by the Company of the obligation referred to in art. 14 par. 1-3 of Regulation 2016/679,” runs the relevant chunk of legalese in the UODO decision [translated from Polish via Google Translate].

“The Company, as a professional in this type of activity, should be required to shape the business side of its business, which would take into account all the costs necessary to ensure its compliance with legal provisions (in this case, the provisions on the protection of personal data),” it adds, going on to further press its view that Bisnode’s decision not to reach out to inform the vast majority of individuals because it decided it was too expensive is exactly the problem, especially as its core business relies on processing people’s data.

The DPA’s decision also notes that Bisnode decided against sending SMS messages to another sub-set of people whose telephone numbers it did hold — again claiming as an excuse “the high costs of such an action”.

On the €8M figure which the company estimated would be the cost of posting Article 14 notifications to the 5.7M, the watchdog says there was in fact no obligation to send registered letters specifically (which is how Bisnode seems to have arrived at that estimate); or indeed to use any specific communication medium.

So it could presumably have sent (cheaper) standard mail, or even used its own staff (or hired temps) to spend a couple of days manually posting notifications to the individuals concerned. (Sidenote: Maybe there’s a new type of data notification compliance-tech robot/drone delivery startup to be created here… Knock-knock! Article14 delivery bot at the door to read you your rights…)

The UODO points out that GDPR’s Article 14 provision does not specify any particular means of fulfilling the obligation to inform. It just requires the data controller actually reach out.

An active manner vs disproportionate effort

The “essence of fulfilling the obligation” is to act in “an active manner”, it writes — so that means providing information to a data subject without them having to participate in enabling their own notification.

So just posting a passive notification under a tab on a website, as Bisnode did, would seem to go against that essence — as it clearly requires the people whose data is involved expending effort to find out.

And if they don’t even know their data was scraped in the first place how would they know where — or even to — go looking? It’s very unlikely they’d just stumble upon the notification by chance on Bisnode’s website and join the dots. Not without some kind of wider broadcast announcing its presence.

“The need for active notification is emphasized by the Article 29 Working Party, in the Transparency Guidelines under Regulation 2016/679 adopted on 29 November 2017 (most recently amended and adopted on 11 April 2018),” the UODO’s decision further notes, citing guidance from an influential pan-EU data protection oversight body that’s now known as the European Data Protection Board and responsible for helping ensure consistency of application of GDPR across the bloc.

In a press release accompanying its decision, the UODO also makes a point of specifying the number and proportion of people who objected to Bisnode using their data after it did contact them directly (i.e. by email) — writing: “Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.”

Which highlights the fact that informing people about commercial and marketing-related uses of their data can, and usually does, result in a bunch of them saying ‘no don’t do that’ — an outcome that’s not exactly aligned with the interests of a marketing company like Bisnode which obviously wants to maximize the reach of its database.

But a shrinking marketing database may well be the price of respecting people’s privacy rights and doing business legally in Europe. And Bisnode’s interpretation of what is and isn’t “proportionate”, vis-a-vis Article 14, does look self-servingly aligned with its own business interests rather than with the rights of EU citizens.

If the legal rights of EU people to know what’s being done with their personal data can just be sidestepped by a data controller holding only selective types of contact data (for instance) that risks putting a pretty big loophole in the data protection framework. (Although in a similar case from a few years ago the UODO reached a different decision in regards another company that did not have addresses at its disposal.)

There are some caveats included in Article 14 — allowing for a data controller to dispense with the requirement to inform data subjects if doing so “proves impossible or would involve a disproportionate effort” — but they are conspicuously linked in the text of GDPR to non-commercial examples: “[I]n particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.

Safe to say, a b2b marketing business doesn’t fit the bill there.

A further caveat — which removes the obligation to inform the data subject if it is “likely to render impossible or seriously impair the achievement of the objectives of that processing” — would also seem a tough one to argue for a marketing purpose such as Bisnode’s.

It’s true that, as the complaints following its emailed Article 14 notifications indicate, there will very likely be a proportion of objections from those informed about a marketing purpose for their data. But the complaint stats cited by the UODO reveal that only a minority (~13%) of those emailed actively objected to Bisnode’s use of their data — a figure that does not seem so catastrophically large as to “seriously impair” the company’s overall business objective.

Of course it will be for judges to decide on all these details. But the looming legal fight will be around what constitutes “proportionate effort” — and in which circumstances those Article 13 caveats are allowed to apply.

“The ‘disproportionate effort’ in Article 14(5) is the core issue,” agrees Olejnik. “While including information solely on a website might be sufficient in some cases, but it is not clear if this applies in this case in particular. It is rather clear that the majority of people affected have no idea that their data are processed.”

“What the courts decide is anyone’s guess. It will be a truly interesting case to observe,” he adds.

In terms of immediate practical implications flowing from the UODO’s decision Olejnik says those are also unclear for now — not least because of Bisnode’s plan to fight all the way up to the CJEU if it can. (Meaning its appeal process could take years.)

“The company is also saying in public that its different EU branches are following a similar practice, but did not draw the attention of DPA,” Olejnik continues, adding: “It is however clear that some form of information obligation needs to be made. I believe this is an interesting precedent.

“While it may be shocking to some, this is the GDPR enforcement in action. Prior to enforcement, many would doubt if some text of GDPR means what it means. Well, it appears that to DPAs, it might indeed mean what it mean, if you know what I mean.”

The growing cost and risk of personal data

There is arguably a rather similar story going on, in parallel, around ‘free and informed’ consent under GDPR in relation to online ad targeting — which has turned into a major legal battleground since the regulation came into force last year. Multiple complaints remain in play targeting various data-for-ads tech platforms, as well as attacking core adtech processes for using and sharing personal data without proper consent and/or adequately robust protection.

With the GDPR not yet a year old, major enforcements are still lacking. But there are signs regulators are preparing to draw equally firm lines in the sand on this front too.

Given all the effort going into obfuscating and/or trying to ‘compliance-wash’ how the adtech industry strip-mines personal data, those most systematic personal data-harvesters similarly appear to have calculated that the cost of fully informing individuals is simply too high.

Also because they surely stand to lose a big chunk of their marketing muscle if every user whose personal information is being exploited for ads was offered a genuine, fully informed and entirely free choice to say no way.

But that doesn’t mean they can just sidestep the requirement. Enforcement is coming for any lurking lack of compliance there too.

Zooming out, it’s not clear what proportion of personal data is scraped from the Internet vs being actively provided by the user (albeit, not necessarily freely and willingly provided — as is the nub of this GDPR ‘forced consent’ complaint, for instance).

“Obtaining such comparative data would difficult at a scale,” admits Olejnik.

There’s no doubt plenty of nefarious actors engage in ‘fully unlicensed’ online data-scraping to run illegal spam campaigns or sell it to hackers planning phishing expeditions. And clearly no regulation under the sun that will put a firm lid on that. Though increased legal risk may at least provide a disincentive to less hardened cyber criminals.

In the commercial sector, where regulation has a more powerful bite, the lines between scraping and ‘providing’ data are frequently self-servingly blurred by the entities involved — seeking to workaround the law.

So, again, robust enforcement decisions that get upheld by jurisprudence are sorely needed to define and set down firm red-lines about how people’s data can be respectfully handled.

Let’s also not forget the scandalous acts of the now defunct political data company, Cambridge Analytica, which covertly scraped personal data off of Facebook’s platform to build psychographic profiles of American voters to try to influence domestic political outcomes — something which would certainly constitute a breach of Article 14, i.e. were such actions applied to EU peoples under the bloc’s current data protection regime.

An egregious example like Cambridge Analytica shows the clear logic of GDPR creating a framework for protecting people from non-disclosed use of their personal information — by offering a check against unwelcome misuse. As indeed does Facebook’s long history of abject failure to properly protect user data.

It’s not clear whether GDPR could have stopped a rogue actor like Cambridge Analytica. Though the heftier fines baked into the regime do mean data-scraping is no longer the ‘help yourself, free for all’ it apparently was back in 2014.

At the same time, multiple Facebook businesses remain under investigation in Europe: The Irish DPA has ten open investigations against multiple Facebook-owned platforms over questions of GDPR compliance. So watch that space. (And watch, too, Facebook announcing a sudden ‘pivot’ to ‘privacy… )

Covertly harvesting personal at scale now finally involves serious legal risk — at least in Europe.

And in light of the UODO’s strong stance on Article 14 there’s a little more reason for data scrapers to worry more.

Full disclosure

One final note on UODO and Bisnode: In a slightly odd quirk, the watchdog decided not to publicly name the company — choosing to pseudonymize it by editing out certain details from the published decision text.

It’s not clear why the DPA did so. Nor was its attempt to hide the name effective. Olejnik says he was quickly able to reverse its pseudonymization. While Bisnode also subsequently chose to out itself by going public with its disagreement.

Other European DPAs do disclose the targets of their decisions as a general rule. So it’s definitely a leftfield choice by the Polish watchdog.

A spokesperson for the UODO told us it does not always avoid disclosing the name of entities subject to its decisions but in this case said its president took the view that “information about the administrative fine and its justification is sufficient” — adding that in its view the most important element is to inform the public about decisions issued and “their substance”, including providing details of the decisive arguments in its decision-making process.

But given the lack of a specific justification and especially the weakness of the pseudonymization Olejnik suggests not publicly naming Bisnode was a questionable decision.

“Based on the information from the decision it did not take me much time to ‘reverse’ the pseudonymization and reveal the company name. This puts the decision behind pseudonymization under question,” he suggests. “Though I believe the public has a right to expect transparency in the first place — the decision to pseudonymize was controversial in the first place. To say the least, it forbids users to learn about the case, the misuse, and potentially even learn if they may have been affected.”

There is perhaps no small irony in a privacy watchdog choosing to ineffectively withhold the name of a company that had failed to inform a large number of private individuals that it covertly held their data.


Source: Tech Crunch