French court slaps down Google’s appeal against $57M GDPR fine

France’s top court for administrative law has dismissed Google’s appeal against a $57M fine issued by the data watchdog last year for not making it clear enough to Android users how it processes their personal information.

The State Council issued the decision today, affirming the data watchdog CNIL’s earlier finding that Google did not provide “sufficiently clear” information to Android users — which in turn meant it had not legally obtained their consent to use their data for targeted ads.

“Google’s request has been rejected,” a spokesperson for the Conseil D’Etat confirmed to TechCrunch via email.

“The Council of State confirms the CNIL’s assessment that information relating to targeting advertising is not presented in a sufficiently clear and distinct manner for the consent of the user to be validly collected,” the court also writes in a press release [translated with Google Translate] on its website.

It found the size of the fine to be proportionate — given the severity and ongoing nature of the violations.

Importantly, the court also affirmed the jurisdiction of France’s national watchdog to regulate Google — at least on the date when this penalty was issued (January 2019).

The CNIL’s multimillion dollar fine against Google remains the largest to date against a tech giant under Europe’s flagship General Data Protection Regulation (GDPR) — lending the case a certain symbolic value, for those concerned about whether the regulation is functioning as intended vs platform power.

While the size of the fine is still relative peanuts vs Google’s parent entity Alphabet’s global revenue, changes the tech giant may have to make to how it harvests user data could be far more impactful to its ad-targeting bottom line. 

Under European law, for consent to be a valid legal basis for processing personal data it must be informed, specific and freely given. Or, to put it another way, consent cannot be strained.

In this case French judges concluded Google had not provided clear enough information for consent to be lawfully obtained — including objecting to a pre-ticked checkbox which the court affirmed does not meet the requirements of the GDPR.

So, tl;dr, the CNIL’s decision has been entirely vindicated.

Reached for comment on the court’s dismissal of its appeal, a Google spokeswoman sent us this statement:

People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both. This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.

GDPR came into force in 2018, updating long standing European data protection rules and opening up the possibility of supersized fines of up to 4% of global annual turnover.

However actions against big tech have largely stalled, with scores of complaints being funnelled through Ireland’s Data Protection Commission — on account of a one-stop-shop mechanism in the regulation — causing a major backlog of cases. The Irish DPC has yet to issue decisions on any cross border complaints, though it has said its first ones are imminent — on complaints involving Twitter and Facebook.

Ireland’s data watchdog is also continuing to investigate a number of complaints against Google, following a change Google announced to the legal jurisdiction of where it processes European users’ data — moving them to Google Ireland Limited, based in Dublin, which it said applied from January 22, 2019 — with ongoing investigations by the Irish DPC into a long running complaint related to how Google handles location data and another major probe of its adtech, to name two

On the GDPR one-stop shop mechanism — and, indirectly, the wider problematic issue of ‘forum shopping’ and European data protection regulation — the French State Council writes: “Google believed that the Irish data protection authority was solely competent to control its activities in the European Union, the control of data processing being the responsibility of the authority of the country where the main establishment of the data controller is located, according to a ‘one-stop-shop’ principle instituted by the GDPR. The Council of State notes however that at the date of the sanction, the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing, the company Google LLC located in the United States with this power alone.”

In its own statement responding to the court’s decision, the CNIL notes the court’s view that GDPR’s one-stop-shop mechanism was not applicable in this case — writing: “It did so by applying the new European framework as interpreted by all the European authorities in the guidelines of the European Data Protection Committee.”

Privacy NGO noyb — one of the privacy campaign groups which lodged the original ‘forced consent’ complaint against Google, all the way back in May 2018 — welcomed the court’s decision on all fronts, including the jurisdiction point.

Commenting in a statement, noyb’s honorary chairman, Max Schrems, said: “It is very important that companies like Google cannot simply declare themselves to be ‘Irish’ to escape the oversight by the privacy regulators.”

A key question is whether CNIL — or another (non-Irish) EU DPA — will be found to be competent to sanction Google in future, following its shift to naming its Google Ireland subsidiary as the regional data processor. (Other tech giants use the same or a similar playbook, seeking out the EU’s more ‘business-friendly’ regulators.)

On the wider ruling, Schrems also said: “This decision requires substantial improvements by Google. Their privacy policy now really needs to make it crystal clear what they do with users’ data. Users must also get an option to agree to only some parts of what Google does with their data and refuse other things.”

French digital rights group, La Quadrature du Net — which had filed a related complaint against Google, feeding the CNIL’s investigation — also declared victory today, noting it’s the first sanction in a number of GDPR complaints it has lodged against tech giants on behalf of 12,000 citizens.

“The rest of the complaints against Google, Facebook, Apple and Microsoft are still under investigation in Ireland. In any case, this is what this authority promises us,” it added in another tweet.

Daily Crunch: Twitter rolls out audio tweets

Twitter tries to make audio tweets a thing, the U.K. backtracks on its contact-tracing app and Apple’s App Store revenue share is at the center of a new controversy.

Here’s your Daily Crunch for June 18, 2020.

1. Twitter begins rolling out audio tweets on iOS

Twitter is rolling out audio tweets, which do exactly what you’d expect — allow users to share thoughts in audio form. The feature will only be available to some iOS users for now, though the company says all iOS users should have access “in the coming weeks.” (No word on an Android or web rollout yet.)

This feature potentially allows for much longer thoughts than a 280-character tweet. Individual audio clips will be limited to 140 seconds, but if you exceed the limit, a new tweet will be threaded beneath the original.

2. UK gives up on centralized coronavirus contacts-tracing app — switches to testing model backed by Apple and Google

The U.K.’s move to abandon the centralized approach and adopt a decentralized model is hardly surprising, but the time it’s taken the government to arrive at the obvious conclusion does raise some major questions over its competence at handling technology projects.

3. Apple doubles down on its right to profit from other businesses

Apple this week is getting publicly dragged for digging in its heels over its right to take a cut of subscription-based transactions that flow through its App Store. This is not a new complaint, but one that came to a head this week over Apple’s decision to reject app updates from Basecamp’s newly launched subscription-based email app called Hey.

4. Payfone raises $100M for its mobile phone-based digital verification and ID platform

Payfone has built a platform to identify and verify people using data (but not personal data) gleaned from your mobile phone. CEO Rodger Desai said the plan for the funding is to build more machine learning into the company’s algorithms, expand to 35 more geographies and to make strategic acquisitions to expand its technology stack.

5. Superhuman’s Rahul Vohra says recession is the ‘perfect time’ to be aggressive for well-capitalized startups

We had an extensive conversation with Vohra as part of Extra Crunch Live, also covering why the email app still has more than 275,000 people on its wait list. (Extra Crunch membership required.)

6. Stockwell, the AI-vending machine startup formerly known as Bodega, is shutting down July 1

Founded in 2017 by ex-Googlers, the AI vending machine startup formerly known as Bodega first raised blood pressures — people hated how it was referenced and poorly “disrupted” mom-and-pop shops in one fell swoop — and then raised a lot of money. But ultimately, it was no match for COVID-19 and how it reshaped our lifestyles.

7. Apply for the Startup Battlefield

With TechCrunch Disrupt going virtual, this is your chance to get featured in front of our largest audience ever. The post says you’ve only got 72 hours left, but the clock has been ticking since then — the deadline is 11:59pm Pacific tomorrow, June 19. So get on it!

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

Google is launching a way to buy Android app subscriptions outside of the app itself

Alongside the Android 11 beta news and updates to Android developer tools, Google has quietly rolled out a significant change in how Android app developers can market their subscriptions on the Google Play Store. The company confirmed a select set of developers are testing a new feature that allows consumers to purchase an app’s subscription outside of the app itself. That is, instead of having to click through in-app pop-ups and read the fine print inside an app, consumers can choose to buy an app’s subscription directly from its Play Store listing page — even if they don’t yet have the app installed.

Google vaguely announced the change in a blog post, but didn’t offer concrete details as to how this feature worked, instead describing it only as way for users “to discover and purchase items outside your app.”

The functionality is being made available through the Android Billing Library version 3, which Google recently introduced. The new library can power a subscription promo code redemption experience, where users can redeem free trials before the app is installed. And it allows consumers to resubscribe to subscriptions they used to pay for from the Google Play subscriptions center.

But the most notable part of the update is how it allows developers to sell subscriptions directly on their app’s details page. Now, next to the app’s “Install” button, consumers will be able to instead choose to click a separate button to purchase the app’s subscription and even its free trial.

In an example, the robocall-blocking app Truecaller shows a button next to “Install” which reads, instead, “Free trial & Install.” Beneath this, a window provides all the details about the app’s subscription, including the free trial length, the cost when the trial ends, and what the subscription offers, in terms of feature set.

This more transparent marketing option benefits consumers and developers alike.

Today, too many consumers are still being duped by tricky subscriptions that don’t play by app store guidelines. The problem isn’t unique to Android apps, unfortunately. A report from security firm Sophos found that more than 3.5 million iOS users have installed fleeceware apps from Apple’s App Store, for example.

Google, for its part, introduced a new set of Play Store policies in April with the goal of ensuring that users are able to understand the terms of the subscription offer, the free trial period, and how they can cancel the subscription, if desired. The updated policy bans things like hidden terms, unclear billing frequencies, and hidden pricing.

This new feature offering a separate button just for subscriptions could give users another way to learn about the app’s pricing and feature set before making a commitment to download the app.

This, in turn, could help reduce user churn — as fewer users would drop out of the app once they realize the features they needed were only offered as a paid option. It could also help developers attract more valuable paid subscribers by allowing potential users an easy way to compare their subscription pricing with competitors, while additionally reducing user requests for refunds.

For now, Android users can only purchase subscriptions outside the app from a limited set of developers who have been testing the feature, Google says.

The company tells us it will expand this feature to include other virtual goods in the future.

This latest change isn’t the only way Google is trying to increase transparency around subscriptions.

In a video shared with developers, the company noted it’s made improvements to its checkout cart on Google Play to add further distinctions between trial periods and regular pricing. Google also now sends out email reminders to alert users when free trials are ending and it now pops up a notification when an app is uninstalled to remind users they may also want to cancel the app’s subscription.

Google is also changing the option that lets a customer pause a subscription. Starting on November 1, 2020, this will default to “on,” and other features like Account Hold and Restore will be required for app subscription-based apps. Plus, developers will be able to pop-up a list of reasons to keep a subscription when a user hits the cancel button.

“We believe that in increasing user trust around subscriptions, you will benefit from an increase higher-quality subscribers and lower refund and chargeback rates,” says Google Play Commerce product manager, Mrinalini Loew, in the video.

 

Google brings Meet to Gmail on mobile

Google today announced a deeper integration between Gmail on mobile and its Meet video conferencing service. Now, if you use Gmail on Android or iOS and somebody sends you a link to a Meet event, you can join the meeting right from your inbox.

That obviously isn’t radically different from how things work today, where Gmail will take you right into the Meet app, but the major difference here is that you won’t have to install the dedicated Meet app anymore to join a call from Gmail.

The second and maybe bigger update — and this one won’t launch until a few weeks from now — is that the mobile Gmail app will also get a new Meet tab at the bottom of the screen. This new tab will show you all your upcoming Meet meetings in Google Calendar and will allow you to start a meeting, get a link to share or schedule a meeting in Calendar.

If you’re not a Meet power user, then you can turn this tab off, too, which I assume a lot of people will do, given that not everybody will want to give up screen estate in their email app for a dedicated Meet button.

It’s interesting to see that Google is trying to bring Gmail and Meet so closely together. The act of moving between two different apps for email and meetings never felt like a burden, but Google clearly wants more people to be aware of Meet (especially now that it offers a free tier) and remove any friction that could keep potential users from using it. The company already integrated Meet into the Gmail web app, where it felt pretty natural given that Gmail on the web long featured support for Hangouts (RIP, I guess?) and its predecessors. On mobile, though, it feels a bit forced. Hangouts, after all, was never a built-in part of Gmail on mobile either.

US Commerce Dept. amends Huawei ban to allow for development of 5G standards

The United States Department of Commerce today issued a change to its sweeping Huawei ban. Proponents of the move note that the change in policy ought not be regarded as a softening on the government’s stance toward the embattled hardware maker, but instead is an attempt to develop more streamlined standards for 5G, along with the company, which has been one of the primary forces in its development 

According to the Department:

This action is meant to ensure Huawei’s placement on the Entity List in May 2019 does not prevent American companies from contributing to important standards-developing activities despite Huawei’s pervasive participation in standards-development organizations.

The change is designed to allow Huawei and U.S. to both play a role in hashing out the parameters for the next-generation wireless technology. “The United States will not cede leadership in global innovation. This action recognizes the importance of harnessing American ingenuity to advance and protect our economic and national security,” Commerce Secretary Wilbur Ross said in a statement. “The Department is committed to protecting U.S. national security and foreign policy interests by encouraging U.S. industry to fully engage and advocate for U.S. technologies to become international standards.”

The new  Bureau of Industry and Security (BIS) rule essentially allows companies to share information about technologies in order to develop a joint standard without requiring an export license. Beyond that, however, the DOC has no stated plans to ease up after placing Huawei on its entities list last year.

The Chinese smartphone maker was included in the blacklist over a litany of ongoing complaints, including its ties to national government, concerns over spying and alleged sanction violations with Iran. The move has had a profound impact on the company, including a severing of its ties to Google, which formed the software backbone of its mobile line through Android and a suit of included apps. Subsequent handsets, including the recently released P40 Pro+, have been shipped without the software on board.