SBF’s anticipated not guilty plea was a ‘smart play’

Sam Bankman-Fried’s not guilty plea to several federal fraud charges was largely anticipated, and something a few legal experts suggested was a tactical response.

The former CEO of crypto exchange FTX, whose company collapsed in November, made the plea in Federal District Court in New York.

It’s very common in the federal criminal justice system for defendants to plead not guilty at their initial appearance, Mary Beth Buchanan, a former U.S. attorney now advising blockchain companies, said to TechCrunch.

The expedited timeline of FTX’s collapse and the legal actions against those involved was unexpected and unprecedented.

“Personally, and judging only from what is publicly known, I think the chances of a plea bargain at the outset of the case are very slim.”AnChain.AI’s Michael Fasanello

In less than two months, Bankman-Fried faced eight federal criminal charges, while others close to him — including FTX co-founder and former CTO Gary Wang and Alameda Research CEO Caroline Ellison — pleaded guilty to multiple charges and accepted plea agreements.

But Bankman-Fried pleaded not guilty “because he had the absolute right to do so,” Anthony Sabino, a professor of law at The Peter J. Tobin College of Business at St. John’s University, said to TechCrunch. “And it was the smart play. Keep your options open. Do not give the government an edge. Wait it out. A deal can always be made later.”

Michael Fasanello, crypto compliance officer at AnChain.AI, agreed. “The initial plea of ‘not guilty’ is really just a formality of process and recognition of the charges by the defendant.”

By pleading not guilty, it gives Bankman-Fried more room to try and strike a deal with prosecutors, if that’s something he and his lawyers want, Sabino noted.

Lewis Kaplan, the senior judge of the U.S. District Court for the Southern District of New York, set Bankman-Fried’s next trial date for October 2. But not everyone expects that date to be set in stone or is confident that Bankman-Fried will hold his plea until then.

“This is not a case where you want to either plead ‘not guilty’ and wage all-out war or plead ‘guilty’ and throw yourself on the mercy of the court,” Fasanello said. “The middle ground is the sweet spot, here.”

Bankman-Fried’s defense team will need more time to prepare, given the expected mountain of evidence to sift through, Sabino said. “Far more important, it is more likely than not the prosecutors and SBF will talk a deal. So time will be needed to negotiate a plea bargain.”

SBF’s anticipated not guilty plea was a ‘smart play’ by Jacquelyn Melinek originally published on TechCrunch

Vimeo enters 2023 with a round of layoffs, impacting 11% of employees

Vimeo rings in the new year with another round of layoffs, affecting 11% of its workforce. In an email to staff today, CEO Anjali Sud cited an “uncertain economic environment” as the reason for the reduction.

“This was a very hard decision that impacts each of us deeply. It is also the right thing to do to enable Vimeo to be a more focused and successful company… It positions us to both invest in our growth priorities and be sustainably profitable while continuing to innovate to bring the power of video to every business in the world,” Sud wrote. She added that impacted employees were told via individual emails and were sent an invitation to meet with their team leader and a member of human resources.

Employees in the Sales and Research & Development departments made up the majority of the layoffs.

This isn’t the first round of layoffs for the video hosting platform, which cut 6% of its staff in July 2022. Since the July layoffs, Vimeo has seen a “further deterioration in economic conditions, in the form of prolonged geopolitical conflict, rising interest rates, and global recession fears,” Sud said. In November, the company reported its third-quarter earnings, showing a loss of about 100,000 subscribers from the previous quarter and an operating loss of $22.9 million.

However, Sud is confident that Vimeo can make a comeback. “We are entering 2023 with a more focused strategy to simplify Vimeo, and ultimately, our team size and composition needs to reflect that focus,” she wrote. “This reduction enables us to achieve our growth and profitability goals in a way that is far less dependent on the broader market, putting us in full control of our destiny.”

In May of last year, Vimeo went public on the New York Stock Exchange. Launched in 2004, Vimeo now claims over 260 million users, including big corporations, small businesses, organizations and content creators.

As of December 2021, Vimeo employed 1,219 full-time workers, per its annual regulatory filing.

Vimeo joins the growing list of tech companies that have downsized in the past few months, from Salesforce and Twitter to Meta, Amazon and more.

Vimeo enters 2023 with a round of layoffs, impacting 11% of employees by Lauren Forristal originally published on TechCrunch

Pee is the magic number, as Withings puts a urine analysis lab in your toilet

Withings, best known for its smart scales, watches, and other health-focused consumer tech, released a new gadget at CES in Las Vegas today. Making a splash in an underserved market, U-Scan aims to help customers track what’s going on in their urine, without having to worry about catching their wastewater in a cup or messing about with test strips. The device syncs to the company’s ever-expanding Health Mate app and promises to give actionable insights.

The U-scan is designed to be installed in the toilet bowl, which gives users hands-free access to urine analysis. While routine in medical settings, Urine is a rarely-tapped opportunity for at-home health monitoring. That may change quite a bit over the next few years if Withings has its way. The company points out that urine has more than 3,000 metabolites, giving an immediate snapshot of the body’s balance and health.

“The ability of U-Scan to perform daily urine analysis from home will allow Withings to take its mission to help consumers fully utilize urine data to an entirely new level,” said Mathieu Letombe, Withings CEO at a press conference. “It’s one of the most exciting and complex products we have ever announced. We begin this journey with U-Scan Cycle Sync and Nutri Balance and look forward to announcing more cartridges on an ongoing basis as well as medical applications of the technology.”

The rechargeable U-Scan reader knows the difference between flush water and urine and ensures it collects only the samples it needs. When in use, urine flows efficiently to a collection inlet, activating a pump when a thermal sensor detects the presence of urine. The sample is guided through a microfluidic circuit and injected into a test pod. Here, the reaction is read by an optical sensor and reported back to the app. Every subsequent flush of the toilet cleans the system, resetting it for the next sample collection.

In Europe, the U-Scan Nutri Balance app shows an analysis of specific gravity, pH, vitamin C and ketone levels. The combination of these measurements helps people monitor their metabolic intake to optimize their daily hydration and nutrients. The ‘actionable’ part of that is that the system can recommend workouts, offer dietary suggestions, and recipes, all to help health-conscious users achieve their goals. The company points out that US functionality of Nutri Balance may vary, depending on what the FDA has to say about the matter.

The product will make its debut in Europe with dwo different health cartridges aimed at consumers. Medically focused cartridges will follow in the not-too-distant future. The price tag is €499.95, and includes one U-Scan reader and a cartridge providing 3 months of testing. The first two cartridges that are becoming available are Cycle Sync, which will help people who have monthly cycles track them, and a Nutri Balance cartridge, which will gives a detailed metabolic guide for nutrition and hydration. The company isn’t sure when the device will be made available in the US, as its launch will be depending on FDA clearance.

Incredibly, U-Scan can tell the difference between various users (and therefore assigning the results to the correct person using the device), through it’s amazingly named Stream ID feature. Low-energy radar sensors embedded within the reader measure multiple variables to identify an individual’s “urine stream signature”, by detecting the movement and distance of the stream. Stream ID information can be affirmed in the app.

In addition to the consumer-focused product, Withings Health Solutions, the company’s business-to-business division serving the healthcare provider market, is making the technology available to partners for research purposes.

The company told TechCrunch it is planning to make the cartridges available on a subscription basis, or on an individual basis.

Pee is the magic number, as Withings puts a urine analysis lab in your toilet by Haje Jan Kamps originally published on TechCrunch

Trade Republic, a popular stock trading app, adds 2% interest on cash

While German startup Trade Republic is better known as a mobile app that helps you buy and sell stock, the company is adding interest on uninvested cash. Users who hold cash in their Trade Republic account will receive 2% in annual interest.

This feature reminds me of Robinhood’s brokerage cash sweep program. In the U.S., Robinhood users currently get 1.5% interest on cash sitting in their accounts.

With this new feature, Trade Republic will likely attract new customers who are looking for higher interest rates as inflation impacts the savings of European consumers. Of course, the company probably hopes that users will also start trading stock with its app. Trade Republic makes money from payment-for-order flow and some small fees.

More precisely, Trade Republic says that interests will be calculated on a daily basis and the startup credits user accounts once per month. Users only generate interest on cash balances up to €50,000. For now, the company promises 2% APY so it’s going to be interesting to see if it can maintain a high interest rate over time.

“With 2% effective annual interest per year, we are passing on the benefits of the new interest rate environment directly to our customers. Every investor can now benefit directly and easily from interest”, co-founder Christian Hecker said in a statement.

Trade Republic currently operates in 17 European countries and was one of the fintech startups that raised a mega funding round in 2021. It reached a $5 billion valuation following its $900 million round.

2022 was a bit different. The company announced a $264 million (€250 million) Series C extension but also laid some people off. In addition to shares, Trade Republic also offers exchange-traded funds (ETFs), derivatives and cryptocurrencies.

Trade Republic, a popular stock trading app, adds 2% interest on cash by Romain Dillet originally published on TechCrunch

Coinbase reaches $100M settlement over background check failures

New York financial regulators have found that the popular cryptocurrency exchange Coinbase violated anti-money laundering laws by failing to conduct adequate background checks. Coinbase will pay a $50 million fine to the New York State Department of Financial Services, and is also required to spend $50 million on improving its compliance program.

Coinbase disclosed that this investigation was in progress in its annual 10k filing in 2021.

State regulators first noticed problems at Coinbase in May 2020 during routine supervisory examinations. The Department of Financial Services found what it called “significant deficiencies” in various compliance programs, including customer due diligence procedures, transaction monitoring systems, Office of Foreign Assets Control (OFAC) programs and anti-money laundering risk assessments. Upon closer examination into potential legal violations, regulators also found issues with Coinbase’s “retention of books and records” and reporting to the state department.

“During the course of the Department’s investigation, the compliance situation inside Coinbase reached a critical stage,” the filing reads. The regulators found that by the end of 2021, Coinbase had a backlog of over 100,000 unreviewed transaction monitoring alerts, plus a backlog 14,000 users requiring enhanced due diligence.

These backlogs were due in part to Coinbase’s dramatic growth in 2021 — the filing says that Coinbase signups in May 2021 were fifteen times higher than January 2020, and by November 2021, there were twenty-five times more monthly transactions than in January 2020.

Regulators say that Coinbase did not have enough staff to keep up with growing compliance needs. Yet when Coinbase laid off 18% of its workforce (or 1,100 people) in June 2022, CEO Brian Armstrong said that the cuts were a result of over-hiring after the company’s 2021 boom.

According to the filing, it was instead the responsibility of over 1,000 third-party contractors to catch up with the backlog, not full-time employees. Regulators found that Coinbase didn’t properly oversee or train these contractors, so “a substantial portion of the alerts reviewed by third parties was rife with errors,” the filing says.

“The training Coinbase provided was not scalable for the size of the contractor force, and attendance at the training sessions was not adequately tracked,” regulators wrote. “The quality control process was not always performed by the contractor organizations to the standards that Coinbase provided, and initially, Coinbase did not have a system in place to audit the quality control that was done.”

As a result of these inaccuracies, regulators wrote that Coinbase failed to report potential instances of money laundering, narcotics trafficking and CSAM-related activity to authorities.

The filing also states that since 2018, Coinbase has been aware of its failures to meet state standards for money laundering and financial terrorism compliance.

“Although Coinbase has worked to correct these issues, its progress has been slow: progress in certain areas did not occur until recently, and work remains outstanding to the present,” the filing states.

The risks of this non-compliance are haven’t been merely hypothetical, regulators wrote.

The department found that one former Coinbase customer had faced criminal charges in the 1990s related to child sexual abuse material (CSAM). After engaging in “suspicious transactions potentially associated with illicit activity” for more than two years, Coinbase detected the activity, shut down the account and cooperated with law enforcement.

Another customer claimed to be an employee of a corporation and managed to gain unauthorized access to that corporation’s bank — by setting up a fraudulent Coinbase account in the name of the corporation, the customer transferred $150 million to their new account. Coinbase didn’t detect this fraud until six days later when contacted by the corporation in question; the money was later recovered after an investigation by law enforcement.

These charges come at a time when consumers are losing trust in popular cryptocurrency exchanges. After filing for bankruptcy, FTX founder and former CEO Sam Bankman-Fried is facing criminal charges including wire fraud and conspiracy to misuse customer funds; Bankman-Fried has plead not guilty to all charges.

“Coinbase has taken substantial measures to address these historical shortcomings and remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance,” said Coinbase chief legal officer Paul Grewal. “We believe our investment in compliance outpaces every other crypto exchange anywhere in the world, and that our customers can feel safe and protected while using our platforms.”

Coinbase reaches $100M settlement over background check failures by Amanda Silberling originally published on TechCrunch

Stellantis to mass produce Archer’s electric aircraft in expanded deal

Global automaker Stellantis will mass produce an electric vehicle take-off and landing aircraft for Archer Aviation as part of an expanded partnership that includes giving the startup-turned-publicly traded company access to up to $150 million in additional capital over the next two years.

The agreement, announced Wednesday during CES 2023 in Las Vegas, will make Stellantis the exclusive contract manufacturer for Archer’s Midnight eVTOL aircraft.

Stellantis kicked off its partnership with Archer Aviation in 2020, offering it access to its global supply chain and other expertise. In February 2021, Stellantis expanded its relationship with the aviation startup through a collaboration agreement. That same month Archer announced plans to go public via a merger with special purpose acquisition company Atlas Crest Investment Corp,

The announcement Wednesday goes far beyond a collaboration. Stellantis is not only providing capital and its manufacturing expertise to Archer; the automaker said it will also help build out Archer’s recently announced manufacturing facility in Covington, Georgia. The companies plan to start producing the Midnight aircraft at the factory in 2024.

The Midnight aircraft, which has a 100-mile range, is designed for urban environments where the average trip will be around 20 miles. The aircraft has an expected payload of more than 1,000 pounds and can carry four passengers in addition to the pilot.

In December, the proposed Airworthiness Criteria for the Midnight aircraft was been published in the Federal Register by the FAA, a step towards commercializing urban air mobility. Archer has said it is working to certify Midnight with the FAA in late 2024 and will then use it as part of its Urban Air Mobility network, which it plans to launch in 2025.

Stellantis said it also plans to increase its strategic shareholding in Archer through future purchases of stock in the open market.

Stellantis to mass produce Archer’s electric aircraft in expanded deal by Kirsten Korosec originally published on TechCrunch

Last chance — Apply to present at TechCrunch Early Stage

Time’s running out if you want a chance to show what you know at TechCrunch Early Stage on April 20 in Boston, Massachusetts. What’s that mean, exactly? It’s a shot at presenting your expert content to hundreds of bootstrapping entrepreneurs and fledgling founders at the beginning or very early stages of the startup journey.

The search continues for game-changing, later-stage startup founders and ecosystem experts to help guide their path. Do you have what it takes to be a thought-leader? Apply here now — the application window slams shut this Friday, January 6.

TechCrunch will evaluate all applications and then select the top contenders to participate in Audience Choice voting. Our readers will vote for the sessions they most want to see at TC Early Stage. We’re not talking politics, so vote early, vote often!

Here are the important dates to keep in mind — don’t miss this opportunity to apply!

Application deadline: January 6
Notify Audience Choice participants: January 23
Voting period: January 30 through February 17
Notify winners: By February 22

Previous Early Stage events have covered topics that every startup founder needs to know, including:

How to get your first yes
How to get earned media
Finding product market fit
Scaling from $1 to $10M of ARR

We’re looking for knowledgeable, talented people who can share essential information to help new and early founders build a strong foundation, take their next steps and discover a supportive, inspiring community. Especially folks who can elicit feedback like this:

“Early Stage provided a rich, bootcamp experience with premier founders, VCs and startup community experts. If you’re beginning to build a startup, it’s an efficient way to advance your knowledge across key startup topics.” — Katia Paramonova, founder and CEO of Centrly.

If you want to show what you know, apply now — before the January 6 deadline — and you just might find yourself presenting at TechCrunch Early Stage on April 20 in Boston, Massachusetts.

Is your company interested in sponsoring or exhibiting at TC Early Stage 2023? Contact our sponsorship sales team byfilling out this form.

Last chance — Apply to present at TechCrunch Early Stage by Lauren Simonds originally published on TechCrunch

Dear Sophie: How can I transfer my H-1B to my new startup in 2023?

Here’s another edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

“Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,” says Sophie Alcorn, a Silicon Valley immigration attorney. “Whether you’re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.”

TechCrunch+ members receive access to weekly “Dear Sophie” columns; use promo code ALCORN to purchase a one- or two-year subscription for 50% off.

Dear Sophie,

I am RESOLVED: this is the year I finally live my dream and create my startup! I currently have an H-1B for my full-time engineering role at another company.

How can I transfer my visa to my startup? How do we structure the startup for immigration success?

—Restless & Resolved

Dear Restless & Resolved,

Congrats on embarking on this exciting new adventure and taking the first step toward living your dreams!

H-1B transfer is tricky, but it’s possible!

The short answer to your first question is: yes, you can transfer your H-1B visa to your new startup. However, it’s a tricky process, and it’s important to establish the correct, compliant foundation before proceeding.

This set-up process can take time (several months), but the peace of mind you’ll have from knowing that everything is correct will be priceless. You should talk to both a corporate attorney and an immigration attorney. A corporate attorney can help you set up your company, including drafting bylaws, and an immigration attorney can help you determine the best strategy for you and any co-founders based on your personal and business goals.

You will need to take steps to qualify your company to petition you for the H-1B transfer, such as taking on a co-founder and getting funding for your startup.

Structuring your startup

To transfer your H-1B to your startup, you may need to give up control of your startup, (sometimes but not always) give up a major stake in it, and ensure it is structured to meet all immigration visa requirements.

Image Credits: Joanna Buniak / Sophie Alcorn (opens in a new window)

To meet the sponsorship qualifications, you must demonstrate to U.S. Citizenship and Immigration Services (USCIS) that:

Your startup and you have an employer-employee relationship. This often means you must not own more than 50% of your company, and someone else must formally hire you, supervise you and your work, and have the ability to fire you.
Your startup has the ability to pay you the prevailing wage based on your position and geographical location as well as cover operations for the term of the visa petition (usually up to 3 years for an H-1B transfer).

Start planning now and map out your role at your startup, how many co-founders you will have, how much equity everybody else would receive, the roles of your co-founders, and prospective investors. This will enable your attorney to see if your plan is viable and offer any alternatives.

Dear Sophie: How can I transfer my H-1B to my new startup in 2023? by Ram Iyer originally published on TechCrunch

When will IPOs return? The past may hold some clues

I am not sure about you, but lately I’ve been hearing the same chatter from friends and colleagues at startups. It’s usually a version of: “Will my equity ever be worth something?”

Let me start with the harsh truth: Nobody has a crystal ball to anticipate what the market will do or how it will impact private company stock. That may not be the most comforting thing to hear, but I also don’t believe it’s all doom and gloom. Another truth is that this is not the first market reversal, and it won’t be the last either.

For me, the comforting thing to do is look at the data. To better understand where we could end up, I like looking at the past and let history inform where we are now.

So, I looked at five market downturns over the past 20 years and analyzed how they affected private stock, and, most importantly, how long it took the IPO market to reopen. After all, at the end of the day, we’re all searching for the same answer: When will my paper wealth become liquid?

The crisis of 2002: The dot-com bubble

What happened?

Starting in the late ’90s, tech stocks started skyrocketing and were trading at all-time highs. Sound familiar?

Capital was extremely cheap to borrow as interest rates dipped as low as 1.67% (compared to rates in the last few years bottoming out at 0.25%). That spurred investments in riskier assets.

When the market started to collapse, prices were dragged down even further by accounting scandals, such as Enron in 2001, Arthur Andersen in 2002 and WorldCom in 2002.

While there aren’t as many financial scandals today, the environment back then was somewhat similar to what we’re seeing now.

What was different?

The similarities between today’s market and the dot-com bubble end there.

The dot-com bubble was not an economic crisis per se, and it was only contained to the financial markets. Plus, inflation wasn’t part of the molotov cocktail that is a major driver of what’s happening today.

What was the impact on startups?

Startups certainly took a hit. Private markets aren’t as transparent as the public ones, so to get better insight into what was happening, I like to look at the iShares Expanded Tech-Software Sector ETF (ticker IGV). This is an ETF that tracks technology companies — IGV is a basket of 119 software and interactive home entertainment and media stocks (Microsoft, Adobe, Salesforce, Oracle, etc.).

All of these downturns have one thing in common: The IPO window eventually reopened when the economy stabilized.

Even though it is not a 1:1 representation of private markets, since it is an ETF based on public companies, we can infer how multiples evolved during this time because there is a correlation between public and private markets.

Here’s what happened:

The stock market dropped by 55% before the first IPO happened following the crisis.
The EV/revenue multiple of IGV — a measurement that shows how much every $1 of revenue translated into valuation — dropped by 57%.
The IPO market stayed shut for about 15 months.
The first company to go public was Callidus in October, 2003, though it wasn’t the most successful exit.
In June 2004, eight months later, Salesforce went public.
One month after that, Google made its public debut on July 29.

We’re all pretty familiar with the stories of the latter two.

The crisis of 2008: The housing bubble pops

What happened?

Now let’s look at 2008, when we had our most recent major recession. Loan originators, propelled by cheap credit and lax mortgage policies, enabled the fast growth of subprime loans. That caused demand and valuations to skyrocket, creating a feedback loop of further investor demand and origination incentives.

But as interest rates began to rise and liquidity dried up, over-leveraged banks and funds began to rapidly unwind their portfolios. Valuations began to spiral and leverage levels started exploding.

When will IPOs return? The past may hold some clues by Ram Iyer originally published on TechCrunch

Meta’s New Year kicks off with over $410M in fresh EU privacy fines

Meta is kicking off the New Year with more privacy fines and corrective orders hitting its business in Europe. The latest swathe of enforcement relates to EU’s General Data Protection Regulation (GDPR) complaints over the legal basis it claims to run behavioral ads.

The Facebook owner’s lead data protection watchdog in the region, the Irish Data Protection Commission (DPC), announced today that it’s adopted final decisions on two of these long-running enquiries — against Meta owned social networking site, Facebook, and social photo sharing service, Instagram.

The DPC’s press release today announces financial penalties of €210 million (~$223M) for Facebook and €180M (~$191M) for Instagram — and confirms the European Data Protection Board (EDPB)’s binding decision last month on these complaints that contractual necessity is not an appropriate basis for processing personal data for behavioral ads.

These new sanctions add to a pile of privacy fines for Meta in Europe last year — including a €265M penalty for a Facebook data-scraping breach; €405M for an Instagram violation of children’s privacy; €17M for several historical Facebook data breaches; and a €60M penalty over Facebook cookie consent violations — making for a total of €747M in (publicly disclosed) EU data protection and privacy fines handed down to the adtech giant in 2022.

But now, in the first few days of 2023, Meta has landed financial penalties worth more than half last year’s regional total — and more sanctions could be coming shortly.

Corrective measures are also being applied, per the PR — with Meta being ordered to bring its processing into compliance with the GDPR within three months.

This means it can no longer rely on a claim of contractual necessity to run behavioral ads — and will instead have to ask users for their consent. (And cannot profile and target users who do refuse its surveillance ads.)

Commenting in a statement, Max Schrems, the founder of the European privacy rights group (noyb) that filed the original GDPR complaints, said: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”

Given how central Meta’s tracking and targeting ad model remains to its business, the tech giant is extremely likely to appeal the decisions — and if it does that it could open up fresh delays while legal arguments against the now ordered enforcement play out in the courts. So there could still be years of wrangling ahead before Meta submits to correction via EU privacy law.

The DPC’s final decisions on these inquiries also still have not been published, so full details on differences of views between data protection authorities — and other interesting tidbits, such as on how the size of the fines have been determined — remain tbc.

But in a press release announcing the two final decisions, the DPC offers its own spin on the regulatory disagreements — writing:

On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs [concerned supervisory authorities] agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased.

Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Instagram service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.

The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.

The DPC’s PR also confirms the EDPB found an additional breach by Meta of the GDPR fairness principle (i.e. in addition to the transparency breach the DPC found which the Board upheld) — hence it being directed to (further) increase the level of fines imposed.

A third decision against Meta-owned messaging platform WhatsApp (also over this legal basis issue) remains on the DPCs desk — but is slated to arrive in a week or so. (We’re told by the regulator this is owing to a short delay in the DPC receiving the binding decision on that complaint from the EDPB.)

noyb says it’s expecting a fine for WhatsApp in that parallel procedure to be announced in mid January.

Enforcement on forced consent

This clutch of Meta-focused complaints date back to May 2018, when the GDPR came into application across the European Union — after the European privacy rights campaign group targeted the tech giant’s use of so-called “forced consent” (aka, pushing sign-up terms on users that mean they either ‘agree’ to their data being processed for behavioral ads or they can’t use the service).

The Irish regulator’s draft decision on the complaints leaked back in October 2021 — and, in contrast to the EDPB’s binding decision, the DPC did not object to Meta’s reliance on contractual necessity for running behavioral ads. Although it did find violations of the GDPR’s transparency requirements, saying users were unlikely to have understood they were signing up to a Facebook ad contract when they clicked agree on its terms of service.

Hence the DPC originally proposed a smaller penalty (of just $36M) vs the more than 10x larger financial sting in final decisions emerging now (still with the WhatsApp final decision pending).

This far tougher enforcement has been arrived at through the GDPR’s cooperation mechanism — which loops in other EU data protection authorities (who can, and in this case several did, object to a lead supervisor’s draft decision); and casts the EDPB as final arbiter when regulators can’t agree among themselves. So, in this case (and not for the first time), the DPC has been instructed to reach a different outcome than if it had been left to decide alone.

And — as has happened several times before — the standard of enforcement flowing from a collective regulatory process baked into GDPR is higher (and tougher) than it would have been with Ireland acting on its own.

The DPC’s press release frames the outcome rather differently — as a difference of legal interpretations — with the regulator writing that the EDPB “took a different view on the ‘legal basis’ question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising”; and adding: “The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR.”

It will be interesting to see whether Meta’s lawyers seek to make hay with the DPC’s (now publicly) stated view that Facebook and Instagram are “premised on, the provision of a personalised service that includes personalised or behavioural advertising” — and its (convenient-for-Meta) conflation of personalised services and personalised advertising via an expressed stance that such a conjoined pairing is “central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service”, as it puts it — as the tech giant seeks to overturn this GDPR decision against the legal basis it’s relied upon to run behavioral ads in the EU since 2018.

Curiously, the DPC’s view on this ignores the existence of other forms of (non-privacy) violating ads which Meta could use to monetize its service — such as contextual ads.

Its PR is also silent on the question of whether Meta will be ordered to delete all the data it’s been illegally processing since 2018. But litigation funders are unlikely to ignore the opportunity to scale privacy class actions.

There’s further drama unfolding around the DPC’s announcement today, too: Schrems has tweeted to complain that the DPC told it it will not be sent the final decision until after Meta has had a chance to redact the document… “Never seen something like that in 10 years of litigation,” he added. “F*cking crazy.”

..this really means is that the DPC and Meta control the media narrative of what the decision says or does not say as we can’t read or publish it.

We all know that the EDPB f*cked the DPC another time in this case and @NOYBeu won it, but by withholding the details of the case..

— Max Schrems (@maxschrems) January 4, 2023

(Reminder: noyb filed a complaint of criminal corruption against the DPC back in 2021 — accusing the regulator of corruption and “procedural blackmail” in relation to attempts to shut down the public release of documents related to GDPR complaints so this issue was already more than fraught.)

In a press release of its own, noyb’s Schrems further hits out at what he described as the DPC’s “very diabolic public relations game” — writing: “Getting overturned by the EDPB is a major blow for the DPC, no[w] they seem to at least try to gain the public perception of this case. In ten years of litigation I have never seen a decision only being served to one party but not the other. The DPC plays a very diabolic public relations game. By not allowing noyb or the public to read the decision, it tries to shape the narrative of the decision jointly with Meta. It seems the cooperation between Meta and the Irish regulator is well and alive — despite being overruled by the EDPB.”

In a further unusual move by the Irish regulator — which only looks set to crank up criticism of its friction-generating approach to GDPR enforcement — the DPC has announced it’s launching an annulment action against certain “jurisdictional” elements of the EDPB decision.

It told TechCrunch it’s not seeking to annul the Board’s decision on the consent vs contractual necessity issue. Rather it claims it’s unhappy about other elements of the direction the Board issued, via the GDPR Article 65 dispute resolution process, and is accusing the steering body of overreaching its jurisdiction.

This action appears to have been instigated because the Board’s binding decision also directs the DPC to conduct what the Irish regulator couches as “a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations”.

Such an investigation — were it to actually take place — could really drive a stake through the heart of Meta’s privacy-sucking business model in the EU, where legal experts have been warning for yearsthe tech giant’s consent-less tracking and profiling of citizens is in breach of the bloc’s legal framework on data protection.

So it’s certainly interesting that the DPC is keen to avoid having to open a wide-ranging investigation of Meta’s data handling on the EDPB’s instruction.

Its PR states that the decisions it’s announced today “naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions” — with the regulator explaining its objection thusly:

The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.

It remains to be seen what the EU’s General Court will make of the DPC’s complaint.

However a legal challenge by WhatsApp to an earlier EDPB binding decision on a separate GDPR inquiry — which also substantially dialled up the level of enforcement it would have faced from an earlier DPC draft decision — was ruled inadmissible by the court last month.

Meta’s New Year kicks off with over $410M in fresh EU privacy fines by Natasha Lomas originally published on TechCrunch

Pin It on Pinterest