Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant’s rivals have consistently argued this ‘pay to play’ model is no remedy for its anti-competitive behavior with Android, the world’s dominant smartphone OS. Although most (including DuckDuckGo) felt forced to participate in its auction process from the get-go. Forgoing the most prominent route to the Android search market isn’t exactly a luxury most businesses could afford.

Ecosia, a not-for-profit, was the last major hold out. But now it says it’s been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per country slots it will appear as a search choice option to those Android users in future, though likely not til next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is ‘fast’. Google rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission’s Android antitrust decision (which, yes, Google is appealing) already dates back two full years

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platform they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenue. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission’s antitrust 2018 decision against Android Kroll argues that nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there’s a problem in the digital context — telling the EU parliament last year: “We have to consider remedies that are much more far reaching”. (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches ‘wait and see’ as her overarching philosophy — a policy ‘push-pull’ which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can,

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might [go out of business].”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that that something is better than nothing.

Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant’s rivals have consistently argued this ‘pay to play’ model is no remedy for its anti-competitive behavior with Android, the world’s dominant smartphone OS. Although most (including DuckDuckGo) felt forced to participate in its auction process from the get-go. Forgoing the most prominent route to the Android search market isn’t exactly a luxury most businesses could afford.

Ecosia, a not-for-profit, was the last major hold out. But now it says it’s been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per country slots it will appear as a search choice option to those Android users in future, though likely not til next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is ‘fast’. Google rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission’s Android antitrust decision (which, yes, Google is appealing) already dates back two full years

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platform they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenue. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission’s antitrust 2018 decision against Android Kroll argues that nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there’s a problem in the digital context — telling the EU parliament last year: “We have to consider remedies that are much more far reaching”. (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches ‘wait and see’ as her overarching philosophy — a policy ‘push-pull’ which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can,

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might [go out of business].”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that that something is better than nothing.

As remote work booms, Everphone grabs ~$40M for its ‘device as a service’ offer

The latest startup to see an uplift in inbound interest flowing from the remote work boom triggered by the coronavirus pandemic is Berlin-based Everphone, which sells a ‘mobile as a service’ device rental package that caters to businesses needing to kit staff out with mobile hardware plus associated support.

Everphone is announcing a €34 million Series B funding round today, led by new investor signals Venture Capital. Other new investors joining the round include German carrier Deutsche Telekom — investing via its strategic investment fund, Telekom Innovation Pool — US-based early stage VC AlleyCorp and Dutch bank NIBC.

The Series B financing will go on expanding to meet rising demand, with the startup telling TechCrunch it’s expecting to see a 70-100% increase in sales volume vs the pre-crisis period, thanks to a doubling of inbound leads during the pandemic.

“The global pandemic has been a catalyst for growth in the field of digitization,” said CEO and co-founder, Jan Dzulko, in a statement. “We are currently experiencing a significant increase in demand at home and abroad, which is why we are aiming for European expansion with the funding.”

Everphone describes its offer as a one-stop-shop, with the service covering not just the rental of (new or refurbished) smartphones and tablets but an administration and management wrapper that covers support needs, including handling repairs/replacements — with the promise of replacements within 24 hours if needed and less client risk from not having to wrangle traditional rental insurance fine print.

Other touted pluses of its “device as a service” approach include flexibility (users get to choose from a range of iOS and Android devices); lower cost (pricing depends on customer size, device choice and rental term but starts at €7,99 a month for a refurbished budget device, rising up to €49,99 a month for high end kit with a 12-month upgrade); and rental bundles which can include standard mobile device management software (such as Cortado and AirWatch) so customers can plug the rental hardware into their existing IT policies and processes.

Everphone reckons this service wrapper — which can also extend to including paid apps (such as Babbel for language learning) as an employee on-device perk/benefit in the bundle — differentiates its offer vs incumbent leasing providers, such as CHG-Meridian or De Lage Landen, and from wholesale distributors.

It also touts its global rollout capability as a customer draw, checking the scalability box.

While its investors (including German carrier, DK) are being fired up by the conviction that the COVID-19 induced shift away from the office to home working will create a boom in demand for well managed and secured work phones to mitigate the risk of personal devices and personal data mingling improperly with work stuff. (On that front Everphone’s website is replete with references to Europe’s data protection framework, GDPR, repurposed as scare marketing.)

“Everphone envisions that every employee will one day work via their smartphone,” added Marcus Polke, partner at signals Venture Capital, in a supporting statement. “With this employee-centric approach and integrated platform, everphone goes far beyond the mere outsourcing of a smartphone IT infrastructure.”

The 2016-founded startup has more than 400 customers signed up at this point, both SMEs and multinationals such as Ernst & Young. It caters to both ends of the market with an off-the-shelf package and self-service device management portal that’s intended for SMEs of between 100 and 1,500 employees — plus custom integrations for larger entities of up to 30,000 employees.

It says it’s able to offer “highly competitive” prices for renting new devices because it gives returned kit a second life, refurbishing and reselling devices on the consumer market. “Thanks to this profitable secondary lifespan, we are able to offer highly competitive prices and extensive service levels on our rental devices,” Everphone writes on its website.

The second hand smartphone market has also been seeing regional growth. Swappie, a European ecommerce startup that sells refurbished iPhones, aligning with EU lawmakers’ push for a ‘right to repair’ for electronics, raised its own ~$40M Series B only last month, for example. Its secondhand marketplace is one potential outlet for Everphone’s rented and returned iPhones.

As remote work booms, Everphone grabs ~$40M for its ‘device as a service’ offer

The latest startup to see an uplift in inbound interest flowing from the remote work boom triggered by the coronavirus pandemic is Berlin-based Everphone, which sells a ‘mobile as a service’ device rental package that caters to businesses needing to kit staff out with mobile hardware plus associated support.

Everphone is announcing a €34 million Series B funding round today, led by new investor signals Venture Capital. Other new investors joining the round include German carrier Deutsche Telekom — investing via its strategic investment fund, Telekom Innovation Pool — US-based early stage VC AlleyCorp and Dutch bank NIBC.

The Series B financing will go on expanding to meet rising demand, with the startup telling TechCrunch it’s expecting to see a 70-100% increase in sales volume vs the pre-crisis period, thanks to a doubling of inbound leads during the pandemic.

“The global pandemic has been a catalyst for growth in the field of digitization,” said CEO and co-founder, Jan Dzulko, in a statement. “We are currently experiencing a significant increase in demand at home and abroad, which is why we are aiming for European expansion with the funding.”

Everphone describes its offer as a one-stop-shop, with the service covering not just the rental of (new or refurbished) smartphones and tablets but an administration and management wrapper that covers support needs, including handling repairs/replacements — with the promise of replacements within 24 hours if needed and less client risk from not having to wrangle traditional rental insurance fine print.

Other touted pluses of its “device as a service” approach include flexibility (users get to choose from a range of iOS and Android devices); lower cost (pricing depends on customer size, device choice and rental term but starts at €7,99 a month for a refurbished budget device, rising up to €49,99 a month for high end kit with a 12-month upgrade); and rental bundles which can include standard mobile device management software (such as Cortado and AirWatch) so customers can plug the rental hardware into their existing IT policies and processes.

Everphone reckons this service wrapper — which can also extend to including paid apps (such as Babbel for language learning) as an employee on-device perk/benefit in the bundle — differentiates its offer vs incumbent leasing providers, such as CHG-Meridian or De Lage Landen, and from wholesale distributors.

It also touts its global rollout capability as a customer draw, checking the scalability box.

While its investors (including German carrier, DK) are being fired up by the conviction that the COVID-19 induced shift away from the office to home working will create a boom in demand for well managed and secured work phones to mitigate the risk of personal devices and personal data mingling improperly with work stuff. (On that front Everphone’s website is replete with references to Europe’s data protection framework, GDPR, repurposed as scare marketing.)

“Everphone envisions that every employee will one day work via their smartphone,” added Marcus Polke, partner at signals Venture Capital, in a supporting statement. “With this employee-centric approach and integrated platform, everphone goes far beyond the mere outsourcing of a smartphone IT infrastructure.”

The 2016-founded startup has more than 400 customers signed up at this point, both SMEs and multinationals such as Ernst & Young. It caters to both ends of the market with an off-the-shelf package and self-service device management portal that’s intended for SMEs of between 100 and 1,500 employees — plus custom integrations for larger entities of up to 30,000 employees.

It says it’s able to offer “highly competitive” prices for renting new devices because it gives returned kit a second life, refurbishing and reselling devices on the consumer market. “Thanks to this profitable secondary lifespan, we are able to offer highly competitive prices and extensive service levels on our rental devices,” Everphone writes on its website.

The second hand smartphone market has also been seeing regional growth. Swappie, a European ecommerce startup that sells refurbished iPhones, aligning with EU lawmakers’ push for a ‘right to repair’ for electronics, raised its own ~$40M Series B only last month, for example. Its secondhand marketplace is one potential outlet for Everphone’s rented and returned iPhones.

cargo.one gets $18.6M to take its air freight booking platform over the pond

Berlin -based cargo.one, which runs a marketplace for booking air freight, has closed an $18.6 million Series A round of funding led by Index Ventures.

Next47 and prior backers Creandum, Lufthansa Cargo and Point Nine Capital also participated in the round, along with a number of angel investors — including Tom Stafford of DST Global and Carlos Gonzalez-Cadenas (COO of GoCardless and former Chief Product Officer of Skyscanner).

The August 2017-founded startup says it’s seen bookings rise during the coronavirus crisis travel crunch as airlines seek alternatives to selling seats to passengers.

Over the past 12 months the startup says it’s scaled GMV by 10x and is expecting continued fast-paced growth as COVID-19 accelerates the adoption of digital distribution in air cargo.

The new funding will go on expanding the business, with the team aiming to increase the number of airlines signed up — including beefing up coverage in Europe. cargo.one is also targeting expanding into North America and Asia — planning to triple headcount to 70 staff by the end of the year via an aggressive hiring drive.

Currently it has 12 airlines signed up to use the platform to book in freight shipments, including Lufthansa, All Nippon Airways, Finnair, Etihad, AirBridgeCargo and TAP Air Portugal. It launched the booking product two summers ago, with Lufthansa Cargo as the first airline signed up.

“cargo.one is a two-sided marketplace, connecting airlines with forwarders of all sizes,” says co-founder and MD Oliver Neumann, discussing the business model. “We receive a commission fee from the airlines for selling their air freight capacities on our platform. For freight forwarders the access to the booking platform is free.”

The platform offers real-time visibility of available air freight across covered airlines and routes — aiming to replace what can be an arduous process of phone and/or email back and forth for its target users (freight forwarding offices).

Airlines set prices for air freight products sold via cargo.one.

“The air cargo market has been stuck in the 90s when compared to the passenger business. The vast majority of air cargo to this day is booked by calling the airlines directly. Many processes are still manual and time-consuming,” says Neumann, who describes the product as “more than just a booking platform”.

“We design, build and maintain custom integrations to our airline partners, creating both the front end for freight forwarders and integrating into the systems of the airlines and helping them improve the back-end infrastructure. That’s why we refer to it as the operating system for air cargo.”

“At cargo.one we are building a 100% digital solution and enable airlines to transform their business digitally. Over the past years, cargo.one has built tailored technical integrations with airline partners that enable them to distribute their capacity online without the need to overhaul their infrastructure,” he adds.

Currently, cargo.one’s platform has some 1.1M+ air freight offers per month, covering 120+ countries and 300 airports globally.

On the customer side it has more than 1,500 freight forwarding offices signed up at this point — which it touts as including “21 of the top 25 companies globally”.

“From January to June 2020, cargo.one saw the number of air cargo search requests by freight forwarders quadruple. In response to increased demand from airlines and freight forwarders, we expect to triple the size of the business by the end of the year,” adds Neumann.

Index’s Martin Mignot and Max Rimpel led the Series A investment in cargo.one.

Commenting on the funding in a statement, Mignot, said: “cargo.one has formed close partnerships with major global airlines, who have subsequently seen their cargo business expand significantly. Conversations with dozens of other airlines in the Americas and Asia show the clear need for a simple booking engine for air cargo, and early signs of the far-reaching impact it will have on the airline industry and businesses around the world who rely on it to serve their customers.”

Venture capital has been pouring into the logistics space over the past decade, chasing an increasing number of startups spotting opportunities to apply digital efficiencies to the movement of physical goods — including aiming to replace freight forwarders themselves, in the case of another Berlin logistics startup, FreightHub, which raised a $30M Series B last year for a logistics play that covers sea, air and rail freight.

cargo.one gets $18.6M to take its air freight booking platform over the pond

Berlin -based cargo.one, which runs a marketplace for booking air freight, has closed an $18.6 million Series A round of funding led by Index Ventures.

Next47 and prior backers Creandum, Lufthansa Cargo and Point Nine Capital also participated in the round, along with a number of angel investors — including Tom Stafford of DST Global and Carlos Gonzalez-Cadenas (COO of GoCardless and former Chief Product Officer of Skyscanner).

The August 2017-founded startup says it’s seen bookings rise during the coronavirus crisis travel crunch as airlines seek alternatives to selling seats to passengers.

Over the past 12 months the startup says it’s scaled GMV by 10x and is expecting continued fast-paced growth as COVID-19 accelerates the adoption of digital distribution in air cargo.

The new funding will go on expanding the business, with the team aiming to increase the number of airlines signed up — including beefing up coverage in Europe. cargo.one is also targeting expanding into North America and Asia — planning to triple headcount to 70 staff by the end of the year via an aggressive hiring drive.

Currently it has 12 airlines signed up to use the platform to book in freight shipments, including Lufthansa, All Nippon Airways, Finnair, Etihad, AirBridgeCargo and TAP Air Portugal. It launched the booking product two summers ago, with Lufthansa Cargo as the first airline signed up.

“cargo.one is a two-sided marketplace, connecting airlines with forwarders of all sizes,” says co-founder and MD Oliver Neumann, discussing the business model. “We receive a commission fee from the airlines for selling their air freight capacities on our platform. For freight forwarders the access to the booking platform is free.”

The platform offers real-time visibility of available air freight across covered airlines and routes — aiming to replace what can be an arduous process of phone and/or email back and forth for its target users (freight forwarding offices).

Airlines set prices for air freight products sold via cargo.one.

“The air cargo market has been stuck in the 90s when compared to the passenger business. The vast majority of air cargo to this day is booked by calling the airlines directly. Many processes are still manual and time-consuming,” says Neumann, who describes the product as “more than just a booking platform”.

“We design, build and maintain custom integrations to our airline partners, creating both the front end for freight forwarders and integrating into the systems of the airlines and helping them improve the back-end infrastructure. That’s why we refer to it as the operating system for air cargo.”

“At cargo.one we are building a 100% digital solution and enable airlines to transform their business digitally. Over the past years, cargo.one has built tailored technical integrations with airline partners that enable them to distribute their capacity online without the need to overhaul their infrastructure,” he adds.

Currently, cargo.one’s platform has some 1.1M+ air freight offers per month, covering 120+ countries and 300 airports globally.

On the customer side it has more than 1,500 freight forwarding offices signed up at this point — which it touts as including “21 of the top 25 companies globally”.

“From January to June 2020, cargo.one saw the number of air cargo search requests by freight forwarders quadruple. In response to increased demand from airlines and freight forwarders, we expect to triple the size of the business by the end of the year,” adds Neumann.

Index’s Martin Mignot and Max Rimpel led the Series A investment in cargo.one.

Commenting on the funding in a statement, Mignot, said: “cargo.one has formed close partnerships with major global airlines, who have subsequently seen their cargo business expand significantly. Conversations with dozens of other airlines in the Americas and Asia show the clear need for a simple booking engine for air cargo, and early signs of the far-reaching impact it will have on the airline industry and businesses around the world who rely on it to serve their customers.”

Venture capital has been pouring into the logistics space over the past decade, chasing an increasing number of startups spotting opportunities to apply digital efficiencies to the movement of physical goods — including aiming to replace freight forwarders themselves, in the case of another Berlin logistics startup, FreightHub, which raised a $30M Series B last year for a logistics play that covers sea, air and rail freight.

Russia’s BestDoctor attracts international investors for its $4.5M round

The private medical insurance market is expanding year on year by over 5%, and that includes in Russia where the insurance market – which grew by 4% in 2019 – has reached a value of almost $22 billion.

So it’s not that surprising that Russian insurtech startup BestDoctor has now closed its third round of financing for $4.5 million. Lead investors AddVenture, based out of Moscow, and Target Global, based out of Berlin, were joined by the London-based LVL1 fund, which had previously invested in the company.

BestDoctor is an online medical insurance platform offering private medical insurance for companies and their employees. As well as insurance, its also delivers 24/7 health support and medical consultations via its mobile app. Users can also get access to recommendations on preventive care and online support from BestDoctor physicians. The idea is that users save up to 23% on their annual medical expenses, and up to 95% of users renew the contract after a year.
 
Its clients largely consist of Russian corporates including Voximplant, Faberlic, Ivideon, Prisma Labs and Rambler Group, which add up to over 30,000 people. It also collaborates with 11,000 clinics across Russia.

Mark Sanevich, BestDoctor’s CEO and co-founder says the need for online medical services was amplified during the pandemic: “Our business received a strong boost. Now we are going to focus on establishing a comprehensive platform on the basis of medical insurance.”

Target Global Managing Partner Mikhail Lobanov said: “BestDoctor is a rare example of a company that combines medicine and high-tech, while directly connecting employers with medical clinics. High-tech private medical insurance, with the ability to consult a doctor 24/7 ensures transparency of all expenses.”

AddVenture managing partner Maxim Medvedev said: “By summer 2019, BestDoctor had a good head start: it had large enterprise clients, the company figured out the market’s problems and needs, and dozens of product ideas were tested.”

BestDoctor plans to spend the newly raised funds on developing its software and also plans to expand its sales activity, concentrating on new product segments.

Clouds gather over US cloud services, after CJEU ruling

In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the US in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.

Countries like the U.S.

The original complaint that led to the the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the US for processing.

Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of US government mass surveillance programs. Instead the regulator went to court to raise wider concerns about the legality of the transfer mechanism.

That in turn led Europe’s top judges to nuke the Commission’s adequacy decision which underpinned the EU-US Privacy Shield — meaning the US no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the US. Much has changed but the data hasn’t stopped flowing — yet.

Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance”. It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.

Ireland’s DPA, meanwhile, which is Facebook’s lead data regulator in the region, sidestepped questions over what action it would be taking in the wake of yesterday’s ruling — saying it (also) needed (more) time to study the legal nuances.

The DPC’s statement also only went so far as to say the use of SCCs for taking data to the US for processing is “questionable” — adding that case by case analysis would be key.

The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever growing backlog of open investigations into the data processing activities of platform giants.

In May, the DPC finally submitted its first draft decision on a cross-border case (an investigation into a Twitter security breach) to other DPAs for review, saying it hoped the decision would be finalized in July. At the time of writing we’re still waiting for the bloc’s regulators to reach consensus on that.

The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.

The European Data Protection Supervisor (EDPS) made a similar call today, in the wake of the Schrems II ruling — which only looks set to further complicate the process of regulating data flows by piling yet more work on the desks of underfunded DPAs.

“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS, Wojciech Wiewiórowski, in a statement which warns against further dithering or can-kicking on the intervention front.

“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data,” he goes on, calling for more joint working by the bloc’s DPAs.

Wiewiórowski’s statement also highlights what he dubs “welcome clarifications” regarding the responsibilities of data controllers and European DPAs — to “take into account the risks linked to the access to personal data by the public authorities of third countries”.

“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.

Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.

Now, with a CJEU ruling that calls for regulators to assess third countries themselves — to determine whether the use of SCCs is valid in a particular use-case and country — there’s a risk of further fragmentation should different DPAs jump to different conclusions.

Yesterday, in its response to the CJEU decision, Hamburg’s DPA criticized the judges for not also striking down SCCs, saying it was “inconsistent” for them to invalidate Privacy Shield yet allow this other mechanism for international transfers. Supervisory authorities in Germany and Europe must now quickly agree how to deal with companies that continue to rely illegally on the Privacy Shield, the DPA warned.

In the statement Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”

He also shot off a blunt warning that: “Data transmission to countries without an adequate level of data protection will… no longer be permitted in the future.”

Compare and contrast that with the Irish DPC talking about use of SCCs being “questionable”, case by case. (Or the UK’s ICO offering this bare minimum.)

Caspar also emphasized the challenge facing the bloc’s patchwork of DPAs to develop and implement a “common strategy” towards dealing with SCCs in the wake of the CJEU ruling.

In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.

In the case of the US — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.

“The CJEU has made it clear that the export of data is not just about the economy but people’s fundamental rights must be paramount,” Berlin data commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].

“The times when personal data could be transferred to the US for convenience or cost savings are over after this judgment,” she added.

Both DPAs warned the ruling has implications for the use of cloud services where data is processed in other third countries where the protection of EU citizens’ data also cannot be guaranteed too, i.e. not just the US.

On this front, Smoltczyk name-checked China, Russia and India as countries EU DPAs will have to assess for similar problems.

“Now is the time for Europe’s digital independence,” she added.

Some commentators (including Schrems himself) have also suggested the ruling could see companies switching to local processing of EU users data. Though it’s also interesting to note the judges chose not to invalidate SCCs — thereby offering a path to legal international data transfers, but only provided the necessary protections are in place in that given third country.

Also issuing a response to the CJEU ruling today was the European Data Protection Board (EDPB). Aka the body made up of representatives from DPAs across the bloc. Chair Andrea Jelinek put out an emollient statement, writing that: “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”

Short of radical changes to US surveillance law it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny ‘new and improved’ replacement didn’t even last five.

In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.

“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.

“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”

Again, it’s not clear what “additional measures” a platform could plausibly deploy to ‘fix’ the gaping lack of redress afforded to foreigners by US surveillance law. Major legal surgery does seem to be required to square this circle.

Jelinek said the EDPB would be studying the judgement with the aim of putting out more granular guidance in future. But her statement warns data exporters they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not or cannot be complied with, or else to notify a relevant supervisory authority if it intends to continue transferring data.

In her roundabout way, she also warns that DPAs now have a clear obligation to terminate SCCs where the safety of data cannot be guaranteed in a third country.

“The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer,” Jelinek writes.

One thing is crystal clear: Any sense of legal certainty US cloud services were deriving from the existence of the EU-US Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.

In its place, a sense of déjà vu and a lot more work for lawyers.

Clouds gather over US cloud services, after CJEU ruling

In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the US in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.

Countries like the U.S.

The original complaint that led to the the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the US for processing.

Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of US government mass surveillance programs. Instead the regulator went to court to raise wider concerns about the legality of the transfer mechanism.

That in turn led Europe’s top judges to nuke the Commission’s adequacy decision which underpinned the EU-US Privacy Shield — meaning the US no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the US. Much has changed but the data hasn’t stopped flowing — yet.

Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance”. It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.

Ireland’s DPA, meanwhile, which is Facebook’s lead data regulator in the region, sidestepped questions over what action it would be taking in the wake of yesterday’s ruling — saying it (also) needed (more) time to study the legal nuances.

The DPC’s statement also only went so far as to say the use of SCCs for taking data to the US for processing is “questionable” — adding that case by case analysis would be key.

The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever growing backlog of open investigations into the data processing activities of platform giants.

In May, the DPC finally submitted its first draft decision on a cross-border case (an investigation into a Twitter security breach) to other DPAs for review, saying it hoped the decision would be finalized in July. At the time of writing we’re still waiting for the bloc’s regulators to reach consensus on that.

The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.

The European Data Protection Supervisor (EDPS) made a similar call today, in the wake of the Schrems II ruling — which only looks set to further complicate the process of regulating data flows by piling yet more work on the desks of underfunded DPAs.

“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS, Wojciech Wiewiórowski, in a statement which warns against further dithering or can-kicking on the intervention front.

“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data,” he goes on, calling for more joint working by the bloc’s DPAs.

Wiewiórowski’s statement also highlights what he dubs “welcome clarifications” regarding the responsibilities of data controllers and European DPAs — to “take into account the risks linked to the access to personal data by the public authorities of third countries”.

“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.

Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.

Now, with a CJEU ruling that calls for regulators to assess third countries themselves — to determine whether the use of SCCs is valid in a particular use-case and country — there’s a risk of further fragmentation should different DPAs jump to different conclusions.

Yesterday, in its response to the CJEU decision, Hamburg’s DPA criticized the judges for not also striking down SCCs, saying it was “inconsistent” for them to invalidate Privacy Shield yet allow this other mechanism for international transfers. Supervisory authorities in Germany and Europe must now quickly agree how to deal with companies that continue to rely illegally on the Privacy Shield, the DPA warned.

In the statement Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”

He also shot off a blunt warning that: “Data transmission to countries without an adequate level of data protection will… no longer be permitted in the future.”

Compare and contrast that with the Irish DPC talking about use of SCCs being “questionable”, case by case. (Or the UK’s ICO offering this bare minimum.)

Caspar also emphasized the challenge facing the bloc’s patchwork of DPAs to develop and implement a “common strategy” towards dealing with SCCs in the wake of the CJEU ruling.

In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.

In the case of the US — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.

“The CJEU has made it clear that the export of data is not just about the economy but people’s fundamental rights must be paramount,” Berlin data commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].

“The times when personal data could be transferred to the US for convenience or cost savings are over after this judgment,” she added.

Both DPAs warned the ruling has implications for the use of cloud services where data is processed in other third countries where the protection of EU citizens’ data also cannot be guaranteed too, i.e. not just the US.

On this front, Smoltczyk name-checked China, Russia and India as countries EU DPAs will have to assess for similar problems.

“Now is the time for Europe’s digital independence,” she added.

Some commentators (including Schrems himself) have also suggested the ruling could see companies switching to local processing of EU users data. Though it’s also interesting to note the judges chose not to invalidate SCCs — thereby offering a path to legal international data transfers, but only provided the necessary protections are in place in that given third country.

Also issuing a response to the CJEU ruling today was the European Data Protection Board (EDPB). Aka the body made up of representatives from DPAs across the bloc. Chair Andrea Jelinek put out an emollient statement, writing that: “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”

Short of radical changes to US surveillance law it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny ‘new and improved’ replacement didn’t even last five.

In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.

“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.

“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”

Again, it’s not clear what “additional measures” a platform could plausibly deploy to ‘fix’ the gaping lack of redress afforded to foreigners by US surveillance law. Major legal surgery does seem to be required to square this circle.

Jelinek said the EDPB would be studying the judgement with the aim of putting out more granular guidance in future. But her statement warns data exporters they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not or cannot be complied with, or else to notify a relevant supervisory authority if it intends to continue transferring data.

In her roundabout way, she also warns that DPAs now have a clear obligation to terminate SCCs where the safety of data cannot be guaranteed in a third country.

“The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer,” Jelinek writes.

One thing is crystal clear: Any sense of legal certainty US cloud services were deriving from the existence of the EU-US Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.

In its place, a sense of déjà vu and a lot more work for lawyers.

Meditation app Meditopia secures $15M Series A co-led by Creandum and Highland

The coronavirus continues to hit people hard mentally, and this has meant a boom for mental death and meditation apps. According to a recent report from app store intelligence firm Sensor Tower, the world’s 10 largest English-language mental wellness apps in April saw a combined 2 million more downloads during the month of April 2020 compared with January, reaching close to 10 million total downloads for the month. The charts were dominated by market leaders such as Calm, Headspace and others such as “Relax: Master Your Destiny”.

However, a slightly lesser know app called Meditopia featured, and that’s because it’s become a big leader non-English speaking markets.

Today it’s announced a Series A investment of $15M co-led by Creandum, and Highland Europe . Carl Fritjofsson of Creandum and Fergal Mullen of Highland Europe will join Meditopia’s Board of Directors. Total funding prior to this round was $3.2m. This new round takes the total to $18.2m.

Based between Istanbul and Berlin, Meditopia has majored on localization for 75 global markets, in 10 languages, with a focus on long-term mental wellbeing programs. Since launching in 2017 Meditopia has grown to 14M users across 75 countries.

Until recently, most meditation and mental health apps were built to suit the needs of English-speaking, Western culture, especially in the way these apps dealt with topics such as gender.

The startup was founded by Fatih Celebi, Berk Yilmaz and Ali Murat Ceylan.

In a statement, Murat said: “Mental wellness is something everyone should be able to achieve, regardless of their country of origin, native language, socio-economic status, ethnicity, or religion. We first focused our efforts on our home country Turkey before expanding worldwide so whether you are Latino, Japanese, Russian, North American, or Arab, you can find support and coaching in our global community.”

Carl Fritjofsson, Partner at Creandum commented: “We’ve followed Meditopia for the past two years and have been incredibly impressed by how they’ve been able to capture this opportunity across the world, all while being one of the most capital-efficient run companies around.”

Fergal Mullen, Founding Partner at Highland Europe said: “For too long, the technology available was created for English-speaking groups alone. Meditopia provides the alternative; a solution that helps its members get to the heart of what they need in a way that suits them. We’re thrilled to be a part of getting this vital service to those people.”