For more than a decade, Cisco has used its substantial financial resources to keep disruption at bay. While its bread and butter business has always been, and remains networking equipment, for much of the last 15 years, it has tried to morph into a software and services company by buying up smaller tech firms regularly.

As I wrote last year, the company has bought 30 startups over the past several years, and it has a long history of building its business on top of acquired entities. If you go back to its origins in the ’90s, Cisco has been involved in more than 200 acquisitions.

The approach has helped the company report decent revenue growth over the years, but the disruption dogs might have finally caught up. Its latest quarterly results, while not downright ugly, did appear to show a company treading water.

The bad news goes beyond the numbers

For starters, Cisco said revenue was flat from a year earlier at $12.8 billion, while analysts were expecting $13.3 billion — a substantial gap. Unfortunately, the bad news didn’t end there.

The company also expects current-quarter revenue to fall 1% to 5.5%. That’s quite a broad range, but any way you slice it, we’re looking at a decrease while analysts were anticipating growth of around 6%.

The next year looks blah as well, with growth pegged at a mere 2% to 3%. To be clear, that’s better than declining revenue, but it looks like the company’s acquisition strategy might not be doing enough to compensate for the lack of revenue from its networking hardware business.

Why does it matter if the revenue growth is slow? Well, slowing revenue growth can turn negative, and because it implies that the company’s profitability in the future will be constrained by its current size.

Given that its rivals’ revenues are rising, and therefore they have more potential upside, declining revenues could make it harder for Cisco to hire and buy — who wants to work for a company when your equity compensation has limited potential for growth, and it’s harder to buy other companies with a stock that is in the doldrums.

We’ve seen public tech companies that fell, or flirted with, single-digit growth wind up under external pressure to sell, sack leadership or break into smaller pieces. Given that Cisco likely doesn’t want any of those things to happen, the rate of revenue growth is critical.

Revenue type matters as well

Lately, Wall Street hasn’t been kind even to companies that have posted substantial increases in revenue. So perhaps it wasn’t surprising when Cisco’s stock dropped 13% the day after it reported.

Hikvision shares fell by 10% after a Financial Times report that the Biden administration is planning to impose more sanctions on the surveillance camera company, accusing it of enabling human right abuses.

The Financial Times reports that the sanctions would have “far-reaching consequences because companies and governments that deal with Hikvision… would risk violating U.S. sanctions.” According to the Financial Times, this would be the first time that the White House has imposed these kinds of sanctions on such a large company. The company is the world’s largest manufacturer of surveillance equipment.

In 2019, Hikvision and Dahua, another surveillance tech company, were placed on the U.S. government entity list for its role in enabling human rights violations among Muslim minority groups in China, including the Uyghurs. And under another sanction imposed in June by the Biden administration, U.S. persons are barred from investing in Hikvision. But many municipalities in the U.S. still use Hikvision cameras. According to contract data reviewed by TechCrunch in May, at least a hundred U.S. counties, towns and cities have bought surveillance equipment made by Hikvision and Dahua. They are able to do so because federal actions do not apply at the state and city level.

In a statement emailed to TechCrunch, a Hikvision spokesperson said, “The potential action by the US Government, as reported, remains to be verified. We believe any such sanction should be based on credible evidence and due process. We look forward to being treated fairly and without bias.”

Hikvision is among a slew of Chinese tech companies that the U.S. government has targeted with individual actions rather than having a coordinated plan to contain their rise.

TikTok was one notable example under the Trump administration. More recently, under the Biden administration, Weibo was added to a delisting watchlist by the Securities and Exchange Commission. DJI, along with seven other companies, was placed on an investment blacklist in December 2021, for alleged involvement in the surveillance of Uyghur Muslims. The drone maker was already on the Department of Commerce’s Entity list, meaning American companies can’t sell it components unless they have a license.

Would you like an NFT with your Starbucks latte? The coffee giant this week announced its plans to enter the Web3 space with the launch of its own NFT collection later this year where the individual digital collectibles also provide their owners with access to exclusive content experiences and other benefits, it said.

The company touted its plans to investors on its fiscal Q2 2022 earnings call by explaining how NFTs can help Starbucks extend its brand’s concept of the “third place” — meaning a place between home and work where people can feel a sense of belonging over coffee.

“Emerging technologies associated with Web3, and specifically NFTs, now enable this aspiration and allow us to extend who Starbucks has always been at our core,” Starbucks Chief Marketing Officer, Brady Brewer told investors on the call. “We are creating the digital third place. To achieve this, we will broaden our framework of what it means for people to be a member of the Starbucks community, adding new concepts such as ownership and community-based membership models that we see developing in the Web3 space,” he added.

The company noted it would build out its NFT community on an “environmentally sustainable” Web3 platform — a decision it said would be more in line with its existing sustainability commitments. The company didn’t indicate what sort of blockchain technology would be involved with its NFT collections, however, but said it was likely to be “multi-chain” or “chain agnostic.”

While Starbucks was light on the details as to what its debut set of NFTs would look like, who would design them, or what sort of membership features they’d provide, it did explain in a subsequent blog post it sees the potential to create an accretive business adjacent to its stores where digital collectibles aren’t just bought and sold in a speculative way, but actually double as an access pass providing customers with special experiences and perks.

“We plan to start with our first NFT collection, membership, and community later this year, based on coffee art and storytelling. It will come with a host of unique experiences and benefits, worthy of a genesis NFT collection from Starbucks,” the post read. This collection would then serve as the backbone to build out future collections and collaborations in the Web3 community, the company said.

While some businesses launch into NFTs without much thought as to how the technology fits into their larger business plans, Starbucks appears to be taking a different approach. It’s brought in Adam Brotman, the architect of its Mobile Order & Pay system and the Starbucks app, to help serve as a special advisor on the project.

Notably, the company is also looking for a new CEO who understands the potential of these new technologies, said current interim CEO Howard Schultz. The longtime exec had returned to head the coffee chain — now undergoing a unionization push — following the departure of Kevin Johnson, who had served as CEO since 2017.

In addition to having a solid understanding of the Starbucks brand and global experience, he said the new CEO should have an understanding of Web3 technologies, as they could help Starbucks better connect with younger people. The NFTs could also provide a way to create incremental traffic and revenue, not only in terms of retail, but also incremental revenue as a result of its own business, the exec added.

“I think the next CEO is going to be a creative person who’s going to understand that the equity of the Starbucks brand has real legitimacy and relevance outside of our stores. And the world we’re living in today, our customer base is getting younger, they’re digital natives, and they expect Starbucks to be as relevant outside of our stores as we are inside,” Schultz explained. “….the new CEO, obviously, needs to have an understanding and a grasp and a conviction on the fact that we can play in multiple theaters that could be accretive on their own merit and complementary to our retail business,” he said.

Investors didn’t ask many questions related to Starbucks’ new NFT venture, instead focusing on learning more about the labor movement’s impact on Strarbucks’ business, the suspension of share buybacks, and the situation in China, among other things.

It’s not surprising that Starbucks would be willing to experiment in the NFT space, though, given the company has made a name for itself as being ahead of the curve when it comes to the embrace new technologies. Its mobile payments system, for example, helped pioneer the idea of using a phone to pay for orders well before Apple Pay and other NFC-based tap-to-pay checkout experiences were broadly available. Today, Mobile Order & Pay is an over $4 billion business, Starbucks said, up 400% in five years and up 20% over last year. Starbucks said it’s now working to roll out enhanced digital tipping so customers could tip even when they weren’t paying with their Starbucks card.

The coffee giant topped its Q2 revenue expectations, with $7.64 billion vs. $7.6 billion expected and earnings per share of 59 cents adjusted, in line with expectations — despite losses in China due to new Covid lockdowns. Q2 net income came in at $674.5 million, or 58 cents per share, up from $659.4 million, or 56 cents per share, in the year-ago quarter. The company didn’t offer a forecast for the quarters ahead, citing several factors including China, inflation, and investments in stores and employees.

Welcome to The TechCrunch Exchange, a weekly startups-and-markets newsletter. It’s inspired by the daily TechCrunch+ column where it gets its name. Want it in your inbox every Saturday? Sign up here. 

Good news! We’re not talking about crypto, Elon Musk or SaaS multiples today. We’re also not talking IPOs, global venture capital trends or the like. Instead, we’re going to talk about putting toothpaste back in the tube. Sound fun? Let’s go.

China’s technology industry

Since the Ant IPO was pulled and the Chinese Communist Party executed off a flat-wild period of regulatory action in 2021, you have probably heard less about China’s technology. That’s because the companies that tended to make the biggest splash in foreign media were concerns like Alibaba, ByteDance and the like — tech companies that touched lots of individuals, including folks outside the country’s national borders.

China’s government decided that such companies had too much influence, and thus needed to be cut down to size. This meant, variously, the decapitation of the for-profit edtech sector, social media regulation, the effective curtailment of foreign listings, punitive data reviews, video game limits along with a long pause in new titles, new rules regarding algorithms and more.

After a period of comparative freedom to innovate, compete and, yes, at times act anticompetitively, China’s domestic tech industry entered 2022 in a very different state than it kicked off 2020. (This isn’t to discount the impacts of COVID-19 on Chinese tech companies; but the move toward remote work and the like was global, and for our purposes today we care more about the regulatory environments shifts in particular.)

The result of the fusillade of regulatory action, a full nelson of top-down control, was probably about what you expected. Some recent headlines for flavor:

• December 2021: A year into China’s tech crackdown, the sky is no longer the limit for China’s Big Tech
• February 2022: No reversal on China’s tech crackdown in sight as Xi calls for more work on laws
• April 2022: Chinese Tech Giants Lose Shine as Growth Stalls

Those should paint a fair enough picture of market sentiment regarding the crackdown. In more monetary terms, the value of many Chinese tech companies fell sharply. After peaking at more than $300 per share in late 2020, Alibaba is worth less than $100 per share today. Didi, which got caught between the Chinese government and the American markets after its IPO, saw its shares peak at a penny over $18 per share. Today it’s worth less than $2 per share.

Stories began to crop up about layoffs and other misery from Chinese tech companies. A few more headlines for context:

• January 2022: As Beijing Takes Control, Chinese Tech Companies Lose Jobs and Hope
• March 2022: China is forcing Alibaba and Tencent to cut over 50,000 jobs
• March 2022: China’s tech layoffs could become a self-inflicted headache for Xi

Given that this was pretty much what anyone with a pulse might have expected from the Chinese government throwing its absolute control around like gravity in a rollercoaster, pushing to remake one of its key economic engines by autocratic fiat in a short period of time, you are probably not surprised. And yet it appears that the Chinese government is, at least to some degree!

How do we know that? Well, observe:

• April 2022: China to end regulatory storm over Big Tech and give sector bigger role in boosting slowing economy, sources say
• April 2022: China Plans Reprieve for Tech Giants, Including Delaying New Rules, as Economy Slows
• April 2022: Beijing moves to mollify tech bosses as COVID threatens economy-source

The context here is that while the rest of the world is largely figuring out a path out of COVID, China’s government is locking down hundreds of millions of its citizens as it chases an impossible goal of zero COVID-19 cases. (The government previously touted its success at keeping the pandemic at bay as evidence of its superiority; such a stance makes any retreat from the goal difficult.) The result of lockdowns and a sharply diminished local tech industry is, surprise, economic malaise.

Not that the Chinese government intends to accept that. After indicating that besting American economic growth is a priority, debt-fueled infrastructure spending is back on the table, along with more real estate speculation, and, it appears, some softening of the rules deluge that its domestic tech market has been forced to endure without complaint.

Good luck?

Can the Chinese government put the tech toothpaste back in the tube? We’ll find out, but if I was an investor or founder I would not build inside the country. Sure, it’s a big market, but not one that you can count on. More when we get Q2 2022 Chinese venture capital data.

We talk about bulls in china shops, but what about bulls running through the streets of entire shopping districts, or other neighborhoods? This morning, Amazon unveiled a new feature that will test just how much of a bull it can be online — beyond its own china shop, so to speak.

Prime — its membership-based scheme that provides free and fast shipping options on a number of products sold on Amazon, alongside a number of other perks like Amazon’s streamed video and music services, used by more than 200 million consumers — is now officially stepping outside of the walls of Amazon itself. Buy with Prime, as the service is officially called, will see Prime members get to extend those Prime benefits — specifically fast and free delivery, free returns, and a seamless checkout experience — to participating third-party merchants on their own sites and apps.

There is no guarantee that this will be a big hit for Amazon. Alexa was huge for the company, and Prime on Amazon itself has been, too. But don’t forget the Fire Phone, or Amazon’s foray into restaurant delivery, or other projects that have been killed over the years.

Be that as it may, there is a giant amount of potential here for the company, so it’s worth spelling out what is going on, some of the context behind this launch (and what that means), and what it’s giving Amazon that it hasn’t had before, and why that matters.

First, the basics

Buy with Prime is starting with merchants that are already using Fulfillment By Amazon (FBA) — which, like Amazon Pay, is an Amazon feature that had already been available outside of Amazon.com and merchants use to outsource shipping and logistics.

Amazon said it will be rolling out to these retailers throughout the rest of this year, and as 2022 progresses it will also be extended to those no already using FBA or selling with Amazon on an invitation basis.

Users look for the Prime logo on these other online stores to find and use the service. Merchants meanwhile integrate by signing up, linking in their Amazon Seller Central accounts, Multi-Channel Fulfillment, and Amazon Pay; and then installing a JavaScript widget. Merchants get access to order data — but Amazon does, too (more on that below).

The whole service is run on a similar idea to AWS, based on SaaS pricing covering a service fee, a payment processing fee, a fulfillment fee and a storage fee — all calculated per unit. “Merchants pay only for what they use,” Amazon writes. “Merchants can expand selection or cancel at any time.”

Amazon is playing this as more convenience and another perquisite for Prime subscribers.

“We always aim to exceed Prime members’ expectations by offering more selection, exclusive deals, quality content, and convenient features,” said Jamil Ghani, VP of Amazon Prime, in a canned statement in Amazon’s official announcement. “With the introduction of Buy with Prime, we’re expanding where members can enjoy trusted and convenient Prime shopping benefits beyond Amazon, adding even more value to their membership. Members will have the flexibility to shop from merchants directly, all while enjoying the fast, free delivery, seamless checkout, and easy returns they’ve come to know and love from Amazon.”

It’s also touting it as part of its strategy to build B2B tools, aimed at merchants selling online.

“For over 20 years, we’ve been empowering small and medium-sized businesses with opportunities to grow,” said Peter Larsen, Amazon’s VP of Buy with Prime, in the same announcement. “Allowing merchants to offer Prime shopping benefits on their own direct-to-consumer online stores is an exciting next step in our mission to help merchants of all sizes grow their business—whether on Amazon or beyond. With shoppers purchasing directly from merchants’ online stores, Buy with Prime will allow merchants to build customer relationships and brand loyalty while offering conversion-driving benefits like fast, free shipping.”

Move slow, break things

As with other very slow rollouts we’ve seen at Amazon, the expansion of Prime beyond Amazon’s walled garden has been in the works for years — more than three, in fact.

Back in March 2019 — when the company unveiled a partnership with WorldPay that enabled merchants outside of Amazon to start to accept Amazon Pay as a payment option alongside others like credit cards, PayPal, Apple Pay and Google Pay — its VP of Amazon Pay at the time, Patrick Gauthier, got very coy when I asked him about its ambitions to extend Prime in a similar way.

Instead, he pointed me to a small trial it was running with fashion retailer All Saints, which was providing Prime shipping benefits to customers if they were already Prime subscribers.

“It has been very successful in terms of customer conversion and lift, and to capture new customers,” he said. He also noted that it ran a different test during Prime Day in 2018, embedding Prime links with third-party merchants (but linking shoppers back to those merchants’ Amazon-based products) to understand the potential opportunity it might have here. “Yes, we have had interest from merchants if and when we decide to go further with Prime,” he added. (Gauthier has since left Amazon to run Convera, Western Union’s Business Solutions spin-out.)

Prime is Amazon’s Prime agent of change

Amazon is famously vague when it comes to user numbers and revenues for specific products. Its last official numbers are from April 2021, when founder (now) executive chairman CEO Jeff Bezos said it had 200 million members. (It now says it has “over 200 million.”)

Amazon Prime arguably has been the primary agent of change in the Amazon universe: first and foremost, it’s been the company’s chief (prime, even) way of building loyalty among customers, who have found the free and quick shipping options to be a huge lever to lowering the barriers to shopping online. The allure of quick and “free” shipping has been strong enough that Prime members turn first to Prime before considering (let along buying) other products when it comes to browsing and purchasing, a route made easier by Amazon’s search feature to search just for Prime-eligible products.

That’s been shown to be powerful enough that people are even willing to opt for a Prime-based product over one that is less expensive, but might take longer to receive, or have the shipping price spelled out more explicitly in the overall price — usually a combination of the two.

Amazon’s also used Prime to introduce completely different product categories, too, from groceries through to streamed media services. Overall Amazon says that Prime covers thousands of films and shows on Prime Video; 2 million songs, thousands of stations and playlists, and thousands of podcasts on Amazon Music; free games with Prime Gaming; over 3,000 books and magazines on Prime Reading; unlimited photo storage with Amazon Photos; grocery delivery and pickup from Amazon Fresh and Whole Foods Market; same-day and other fast deliver options for 15 million items in the U.S. alone; Amazon Pharmacy and prescription access; and more.

Considering how transformative Prime has been to Amazon itself, it’s fair to wonder if Amazon might try to exercise some of that strategy further afield, too. That is to say, if it starts with the bread and butter of its business now — the Marketplace, and the kinds of products third-party sellers already offer on Amazon itself — does it expand next to offering Prime for subscriptions to magazines and newspapers, or to other kinds of media, or to grocery shopping online?

One of the key issues with Amazon for so many has been that third-party brands haven’t been so keen to fit into the Amazon template when it comes to presenting its products. Amazon has tried to make efforts over the years to address this — for example this partnership with Adobe to help D2C brands using Amazon fulfillment to customize their storefronts — but generally even when a merchant has a storefront that looks “different” to the rest of Amazon on Amazon itself, going any deeper than the front page yields the same cookie-cutter river approach that Amazon has standardized across the whole of Amazon.com.

That attitude has driven a lot of business to the likes of Shopify, Commercetools and many others offering “headless” commerce solutions to merchants to build and run storefronts with as little or as much input, and integrating as many third-party solutions including those for logistics and fulfillment, as they are willing to make — a large army of third-party e-commerce technology providers amassing in the name of giving retailers a way to bypass Amazon.

Now, Amazon is playing nice with platforms like BigCommerce. Powering sites on their own terms does away with all of that, and could be a powerful option for a wide swathe of businesses beyond e-commerce, which have a very specific focus on content management.

Move slow, break things

There are many examples of how Amazon has not been the fastest draw when it comes to launching new things. It took Amazon years to add more countries to the Kindle beyond its home market of the U.S. (or really to add much of anything: do a search on TC or Google for the words “kindle” and “finally” to see what I mean). It’s worth wondering whether that drawn-out processes has helped or hindered the growth of e-books, or if it was both and they simply cancelled each other out.

The Kindle is worth looking at when considering how Amazon has done in building products that extend it to new frontiers, as Prime would do. The success of the its home-grown e-reader is undisputed: although Amazon is famously vague when it comes to talking about actual sales numbers, others estimate that its share of e-readers is around 68%.

On the other hand, e-books themselves are still a smaller market compared to the reading market overall, with Pew Research (admittedly using 2019 data) noting that only 7% of respondents said they only read e-books, compared to 37% saying they only read print books (28% read a combination). In other words, changing overall habits may or may not happen, and it will be a slow-burn issue one way or the other. But in the meantime, Amazon itself makes a killing in the market that it has created. That could well be a pattern that gets repeated with Buy with Prime.

Data is Amazon’s oil

Last but not least, there is a fascinating data play here for Amazon, which goes to the heart of how the e-commerce giant is fueling its growth.

Amazon is giving merchants control over aspects of the e-commerce process that would have been out of their hands if they sold through Amazon itself. They can control personalization for shoppers, the algorithms behind what different people are offered and how items get priced, and the wider user interface and experience. But if keep get full control of their data, Amazon now will see it, too.

It’s processing information about its Prime subscribers, key details about their shopping habits, behavior and interests across other kinds of sites that are not designed or run by Amazon — all information that it can in turn use to improve and shape what it sells on Amazon.com.

It goes beyond that, though. Amazon has become a major player in online advertising, an area that will also potentially benefit from richer datasets on browsing and shopping habits, which because this concerns Prime subscribers and processing Prime orders, will be first-party data for the company.

It’s also giving Amazon an interesting crack at an even bigger role in the online universe, that of identity management.

Companies like Facebook (Meta), Apple and Google have all made interesting plays at controlling the “log in” across apps and sites, creating social graphs and user graphs across different walled gardens (benefitting those controlling the log-in services), while also providing a way to manage users and profiles across specific apps and sites (benefitting those app and site publishers).

This gives that concept a new twist, and points to just how Amazon really could control it all. If Facebook focused on the social graph, and companies like Apple or Google have made a play to build the identity graph, Amazon has the potential to build the consumer graph, a bigger overall picture of how the internet moves based on purchasing activity.

PayU, the fintech business controlled by Prosus with operations in 50+ countries — it’s been described as the PayPal of emerging markets — announced a double-deal today to expand its presence in Latin America. The company has acquired Ding, a platform that lets people top up mobile phone credits for others remotely; and it has led a $46 million investment in to Treinta, a financial “superapp” aimed at small businesses. Ding has 300,000 monthly active users transferring about $10 million per month; and Y Combinator alum Treinta, which launched only 18 months ago, has 4 million customers.

Notably, both are based in Colombia but provide services across the Latin America region (and in the case of Ding, globally). For PayU and Prosus, the deals are significant for two main reasons:

First, they are helping Prosus tap into what continues to be a fast-growing market. The company quotes figures from the U.S. Department of Commerce that estimate Colombia alone to have the fifth largest e-commerce market in Latin America, which as a region is projected to reach 260.2 million digital shoppers by the end of 2022, overtaking the U.S., with $167.81 billion in purchases.

Second, the move speaks to how PayU and Prosus are looking to add more diversification to its investment base. It’s a development that’s interesting considering its proximity to Prosus rethinking investments in other regions, specifically the currently-pariah state of Russia, including a $770 million write-down in March of its investment in social network VK.

“Our recent activity in Colombia reflects PayU‘s desire to provide seamless online and cross-border transactions for merchants and consumers,” said Mario Shiliashki, Global CEO of PayU‘s payments division, in a statement. “These are just two examples of how we are providing useful products and services to millions of people in their daily lives. PayU has helped to facilitate the evolution of online payments in Colombia since 2011 and we are proud to be extending our services to promote financial inclusion for SMEs in both Colombia and globally.”

Digging into the individual deals, Ding is the operating name of Tecnipagos, which itself was a spinoff from CredibanCo, a payment services provider in the country that has been around for 50 years. It looks like Ding had never had any outside funding prior to getting spun out and scooped up.

The financial terms of the Ding acquisition — was first reported earlier this month, before it closed — are not being made public, but they may be in future financial statements from Prosus. Prosus itself was listed in 2019 by South African multimedia conglomerate Naspers as a separate, public company that contained all of the company’s tech businesses, which includes PayU and other e-commerce and fintech investments, as well as a significant holding in China’s Tencent. Prosus has a current market cap of $152 billion — a figure largely boosted by that Tencent stake.

For some context on the size of what PayU is acquiring, Ding claims to have some 300,000 monthly active users and makes 30,000 transfers daily totaling some $10 million processed each month.

PayU describes Ding as a payments app, but its focus has squarely up to now been transfers for a single purpose: topping up credit for mobile phones. This in itself is a significant business, and often one that goes hand-in-hand with more general remittance services. Mobile phone credits are used for more than just making calls in emerging markets (the phones become a proxy for bank accounts in many developing markets where traditional banking services are expensive or underdeveloped). Oftentimes money that is sent from friends or family comes in the form of mobile credits. This paves the way for PayU to develop more remittance services around Ding, and potentially extend its existing remittance operations to Ding’s customer base.

The Treinta investment, meanwhile, is a $46 million round along with participation also from LionTree Partners, Ethos VC, TEN13, and other undisclosed investors. Treinta had previously participated in a Y Combinator batch, and backers of the company in its $14.3 million in seed round in 2021 included YC, Levels Up Ventures, Outbound Ventures, Luxor Capital, Mango.vc, Goodwater Capital, Soma Capital, First Check Venture, Houston Angel Network, FJ Labs, Commerce Ventures, Rhombuz Ventures, Acacia Venture Partners and Evening Fund.

Treinta — which means “thirty” in Spanish — is not disclosing its valuation, and PayU also declined to comment on the figure.

The startup has only been around for 18 months and it says that it already has some 4 million SMB customers in 18 countries.

Treinta itself is tapping two trends that are big in fintech at the moment. The first involves a wave of fintech businesses building “all in one” platforms, where customers might come for one specific service — financing, or invoicing, or current account services, for example — and are being upsold to related offerings, which themselves are build around a wider dataset that the fintech is building about that particular customer. These services often bring in technology behind the scenes from third parties, using APIs to embed those white-label products and brand them as their own.

The second is Treinta’s focus on small businesses — a cornerstone of the global economy, yet one that has been traditionally underserved by technology. Treinta estimates that there are some 50 million small businesses (it describes them as “microenterprises”) in Latin America, with some 90% of them yet to adopt any kind of tech at all to manage their finances, so it’s a large potential market.

PayU, as a provider and builder of fintech solutions, will be able to leverage Treinta as a channel for getting its own customer-facing tech deeper into the market in Colombia and the rest of Latin America, but Treinta will also become another retail channel for PayU’s under-the-hood technology.

“By acquiring and investing in businesses like Ding and Treinta, both global and local SMEs are able to expand their business within LatAm, providing the best payments service with the consumer experience first in mind,” said Francisco León, PayU‘s CEO for Latin America, in a statement. “We are very excited to expand the reach of Treinta and Ding’s innovative solutions, particularly as these services are fully aligned with our strategic goal of creating a world without financial borders.”

While a lot of PayU’s activity has been in Asia and emerging markets in Europe, Latin America will be a big focus in coming months it seems. A spokesperson tells us that PayU plans to make further investments in the region this year.

When the European Commission presented its Digital Services Act (DSA) proposal in December 2020, it listed beefed up consumer protections as a headline goal for the flagship update to the bloc’s rules for digital services. But now, as negotiations over the draft law are in the final stretch, where EU co-legislators hash out the detail and seek to reach a compromise between differing positions, consumer protection organizations are warning that key provisions risk being fatally weakened or even dropped entirely.

In a letter sent by the European consumer organization BEUC to the French presidency of the European Council, which is leading the DSA trigloue negotiations with the European Parliament and the Commission, the umbrella group for 46 consumer organizations across 32 countries has urged the EU’s co-legislators not to water down key measures to tackle trader traceability, prohibit so-called ‘dark patterns’ (aka, deceptive design), and ban the use of children’s data and sensitive data for ad targeting.

The bloc is often critized over the opacity of its lawmaking. And these closed door, three-way trilogue negotiations — where a compromise is hammered out between previously stated public positions of the Council and the Parliament on a Commission proposal, with the process led by a Council presidency that rotates between Member State every six months — are certainly one of the least transparent components of EU lawmaking, with the risk that lobbyists can exert unaccountable, last minute influence over the shape of pan-EU law. So fears of late stage stitch-ups to dilute or gut policy proposals are not unwarranted.

The current holder of the rotating Council presidency is France — hence that’s where BEUC’s concerns are being addressed.

“It is with concern that we have seen important consumer relevant provisions watered down in recent compromise proposals put forward by the French Presidency, notably in relation to the obligations of online marketplaces, online advertising, and dark patterns,” it writes in the letter addressed to Fabrice Dubreuil, the deputy permanent representative of France to the European Union. “The co-legislators must be ambitious in their approach on these three key issues, or the DSA will not meet its stated objective of better protecting consumers and their fundamental rights online.”

Traceability of traders

On online marketplaces, BEUC’s concerns focus on traceability of traders — where it is worried that the final DSA text won’t include robust obligations to verify traders’ information and conduct sporadic ‘mystery shopping’ style exercises to carry out checks that goods are as claimed.

BEUC had wanted a much broader liability regime to be brought in for marketplaces. However that did not make it into the Commission proposal. But now it’s worried that even what it describes as “a bare minimum” of checks will be flushed out of the regulation through the trilogue process.

“In the absence of a strengthened liability regime, the due diligence obligations introduced by the DSA regarding the traceability of traders (Article 22) should also include a clear obligation for online marketplaces to conduct periodical, random checks on the services and products they offer,” BEUC argues in the letter.

“Online marketplaces should be required to conduct periodical mystery shopping exercises, in addition to requesting and verifying all necessary trader information as appropriate, to ensure that only legitimate traders are present on their platforms. These periodical random checks would greatly help consumer protection and should be a relatively easy and affordable measure for online marketplaces to enact.”

BEUC’s legal officer, Cláudio Teixeira, who has been leading its work on the regulation, also told us: “We wanted a regime for a clear liability mechanism for marketplaces where the products they offer on their platforms. We didn’t get that. The least we could have had is at least they have the obligation to check very clearly who their traders are and at least randomly keep a peek on the product that they’re selling and just have an idea to test the waters and see they’re not selling anything too dangerous. For us that’s the bare minimum and if there is no ambition for that then what is the DSA for?”

“The DSA is a unique opportunity to stop the problem uphill,” he adds. “Downhill — after the things have already happened, after the damage has been done — sure we could have more redress but we really hope that this opportunity it taken to stop these issues at the source. And the source is rogue traders that come in these platforms, especially from third countries… Most of these products come from China, and a lot of traders are selling from China and most of the time they do not comply with EU regulations and there is absolutely no control. And in these cases, in third countries, there isn’t even the possibility of redress.”

It’s not entirely clear why EU Member States might be less than enthusiastic about placing consumer-centric requirements on marketplaces to check traders and good.

Lobbying from European marketplaces may be one factor — and an EU source we spoke to flagged up the influence of EU retailers on Member States, suggesting homegrown ecommerce giants such as Zalando are afraid of this provision.

Another source suggested there could be wider concern about infringing on the legal principle that prohibits putting a general monitoring obligation on digital services — although it’s hard to see how random checks could be construed as general monitoring.

Teixeira argues that slimmed down trader information requirements would undermine the ability of the DSA to deliver on a core consumer protection promise. “Council I know is also proposing to get rid of some of the information that is to be required,” he says, suggesting that if a less extensive list of information is required it’ll be easier for rogue traders to dodge any ban and just respawn under a new account where they can keep selling the same dodgy products and ripping off consumers.

“Hopefully with the final deal that may not be the case — so we’ll have to see — but Council is definitely pushing for a less stringent amount of information to be requested,” he adds, also warning that any move to downgrade random checks of products to asking traders to submit product documentation and conducting random checks of those documents would amount to little more than consumer protection theatre.

“At the end of the day, for us it still doesn’t solve the issue. Because if you want to do random checks of compliance with EU law by checking documentation not the products itself well you’ll have the same situation [as there can be mismatch between documents and products],” he tells TechCrunch.

“One of the problems we have in the market is that we have products that are sold that are advertised and then the product that the consumer gets is something really different. Or it doesn’t match expectations. Or it’s too big. Or it’s too small. Or it’s a different model. Or the safety requirements do not match. Or it’s not certified. So if you provide that same information that you’ve already provided online, just with added documentation, that’s very fine and nice but at the end of the day if you don’t get the product that was actually advertised or in the same conditions then you have the same problem.”

Dark pattern ban

On dark patterns — aka, widely despised UX designs which deploy a range of tricks to try to deceive and manipulate consumers into making choices likely to be counter to their interests, whether by getting them to give up more data than they would like or to spend more money than they intended — the European Parliament was very clear in its backing for a fulsome prohibition, voting overwhelmingly in January for a ban on such techniques when MEPs set their negotiating position ahead of the trilogues.

BEUC’s concern here is that the French presidency itself is blocking a broader prohibition across digital services by seeking to limit the ban to only “online platforms” or even a smaller subset of very large online platforms (aka VLOPs) — as its letter suggests a “significant number” of Member States are actually open to extending the ‘dark patterns’ prohibition to all providers of intermediation services and would also support stricter measures to protect minors.

Despite BEUC’s belief that there is scope for a majority in Council for more meaningful action to prohibit dark patterns, compromise texts put forward by the French presidency — which TechCrunch has reviewed — have fallen short of that so far.

“Digital services should not use interface design to distort users’ ability to make informed choices, regardless of the nature of the service,” BEUC writes in the letter. “The prohibition on the use of ‘dark patterns’ should not be limited to online platforms or very large online platforms. It should apply to all intermediaries falling under the scope of the DSA. We would also like to echo the concerns of children’s rights organisations regarding the weakening of the provisions regarding the protection of minors, which would be unacceptable.”

“Right now when it comes to dark patterns the scope is still pretty much out in the open,” Teixeira tells us, discussing BEUC’s understanding of the state of negotiations on this issue. “Council initially only wanted it for VLOPs. Now it appears that maybe they are trying for a compromise with online platforms but still when it comes to this we have an issue which is that dark patterns isn’t something that only concerns online platforms. And when it comes to the definition of online platforms there’s another issue there — but the essential point is that dark patterns are a constant across the Internet and… the studies we’ve conducted show that dark patterns predominantly exist even more so outside of the platforms. So when we actually want to tackle the issue of dark patterns and institute a ban just tackling online platforms will not do.”

“We have a very strong position which is backed by a substantial number of other Member States and when we have this it’s very, very, very disconcerting to see Council setting a red line,” he adds. “Because now we see it’s not a red line for Council. In fact a big number of Member States — if not the outright majority — would actually support a wider scope. And we’re very fearful that we’re not going to get this — not because Council doesn’t want this but because the presidency doesn’t want it.“

TechCrunch reached out to the French mission to the EU for a response to BEUC’s concerns but at the time of writing it had not responded.

Teixeira also voiced concern that even the current mooted compromise of banning dark patterns on ‘online platforms’ could be further squeezed through trilogue to just ‘online marketplaces’. And — based on the current definition in the text — his assessment is it wouldn’t be clear if that would cover myriad popular services such as TikTok, or Booking.com, or Yelp, or even marketplaces run on Facebook or Instagram. (Plus he warns that a French presidency compromise could further push to limit the ban to only VLOPs — “which would be even more disastrous”.)

If it’s true there is more widespread support for meaningful restrictions on dark patterns in the Council it’s baffling why that’s not making it into compromises proposed by the French.

There is also growing awareness of and momentum to reform dark patterns so if EU lawmakers end up dropping the ball on a proper ban it will be a huge missed opportunity — and one that would leave European consumers at the mercy of exploitative design choices for years to come.

Ad targeting limits

BEUC’s letter also presses the French presidency to live up to an earlier stated obligation to include a prohibition in the DSA on the use of children’s data and sensitive data for targeted online advertising.

That had looked like a done deal after a political agreement was reached last month in a sister regulation to the DSA — the Digital Markets Act (DMA), which will only apply to the biggest and most powerful Internet gatekeepers.

Under the DMA agreement reached through trilogue talks, tech giants must gain explicit consent from users to combine their personal data for advertising. But at a press conference on March 24 announcing a political agreement that France’s digital minister Cédric O dubbed a “historic step”, he went on to highlight the fact that the co-legislators had taken a further step and agreed complementary provisions to limit tracking ads would also be included in the text of the DSA — telling journalists “with the trust of the negotiators there were certain points connected with advertising where we reached agreement and the agreement that they would appear in the DSA and DMA”.

“The DMA will let us strengthen the requirement for consent — we know that’s very important for the parliament — and then the targeted adversing for the minors and the use of sensitive information for using targeting [advertising] — we find agreement on those points and that they will be included in the DSA so you can show how much trust there was between us to be able to move forward and to take the most logical approach,” O also stipulated at the time.

Yet TechCrunch understands that a compromise text of the DSA initially proposed by the French presidency during the DSA trilogues suggested removing restrictions on the use of minors data and sensitive data for targeted advertising from the text — in favor of inserting a less robustly worded version into the recitals. So, er, so much for trust!

Despite that, EU sources we spoke to for this report suggested that negotiations on this issue are moving in the previously agreed direction — and one source suggested the French ‘switcheroo’ may just have been a “hardball” bargaining tactic rather than a genuine U-turn on what O had promised in public.

We also understand that last week a new (“strong”) article text was proposed by the parliament’s negotiating team — which the Council was set to discuss this week.

Still, as EU lawmakers often like to observe of their own sphinx-like processes, nothing is agreed until everything is agreed — so the two (agreed) restrictions on ad targeting will only be (actually) confirmed at the end of the process.

Evidently, BEUC doesn’t want to take any chances: Its letter also puts pressure on the French presidency not to row back on the previously negotiated bans on processing minors’ data and sensitive data for ad targeting. Again, this is a bare minimum provision in the consumer protection group’s view — BEUC continues to advocate for a complete ban on tracking-based ad targeting. But, in the meanwhile, its point is that the least EU lawmakers can do is adopt the restrictions they already agreed.

“Commercial surveillance is one of the main problems that consumers and our society face in the digital world. Online targeted advertising based on the pervasive tracking and profiling of consumers, also referred to as ‘surveillance advertising’, lies at the heart of commercial surveillance business models. This type of advertising thrives on the exploitation of consumers’ privacy and personal data. It facilitates systemic manipulation and discrimination and fosters disinformation,” it writes in the letter.

“It is imperative to adopt strong measures to create a fairer and safer online environment. As a minimum, the DSA must include the prohibition on the processing of personal data of minors and data of sensitive nature for the purposes of behavioural targeted advertising. Such prohibitions should apply to all intermediary services. This would be an essential step forward
to address some of the most harmful elements of the on-line environment for consumers.”

There’s one more DSA trilogue discussion planned — due to take place at the end of this month — so there’s not much time left to hash out agreement on any remaining disputed elements. Assuming agreement can be reached (a long planned update to the EU’s ePrivacy rules is still pending that, for example).

As well as these core consumer protection issues which BEUC is most concerned with, the regulation covers wide-ranging content moderation and transparency provisions too, and will pile even more enforcement duties on the Commission (i.e. to oversee VLOPs’ compliance), so there is no shortage of complex topics for negotiators to clash over.

But as they do that they would do well to remember the consumer-centric purpose claimed for the original proposal — which the Commission summarized at the end of 2020 by saying: “It will give better protection to consumers and to fundamental rights online, establish a powerful transparency and accountability framework for online platforms and lead to fairer and more open digital markets.”

Consolidation is moving ahead in the world of autonomous driving, with the latest development coming out of Europe. Today, Bosch announced that it would be acquiring Five.ai, the autonomous driving startup that started with big ambitions to build and operate its own fleet of robotaxis but ultimately pivoted to focusing on technology development as a B2B play.

Financial terms of the deal are not being disclosed, the companies said, but Five had been looking for a buyer and Bosch said that it secured the deal by beating out “other takeover bidders.” It will be picking up not just IP from Five, but also some 140 employees in the U.K. Bosch noted that the acquisition is still pending approval by regulators, specifically antitrust authorities.

Five had raised around $78 million in funding, and according to PitchBook data was last valued at $216 million in its last round, a $41 million investment in March 2020 that coincided with the company’s B2B pivot.

Five’s investors were a mix of strategic and financial backers that included the insurance giant Direct Line, the UK government and VCs like Notion and Lakestar… but also Sistema, the Russian investment giant that is listed in London and has been feeling the effects of the sanctions on its home country: most recently it said it might have to de-list from the LSE because of a law that Russia looks prepared to pass requiring Russian companies to terminate their foreign depository programs.

“Bosch intends to acquire all of the shares in Five and we are of course complying and will continue to comply with all legal and statutory requirements, including sanctions,” a spokesperson said when asked about Sistema’s minority stake in Five. From what we understand, if required due to sanctions, Bosch would put funds into a holding account if needed.

Bosch itself has been long on self-driving car technology, although like many, its stated ambitions — it is a major OEM and supplier to the automotive industry and forged a partnership with Daimler in 2017 where it promised fully autonomous vehicles in five years (which would be… 2022) — have been outstripped by self-driving reality. That was a hard truth for Five, too.

“A year and a bit ago we thought we would probably build the entire thing and take it to market as a whole system,” co-founder and CEO Stan Boland told me back in 2020. “But we gradually realized just how deep and complex that would be. It was probably through 2019 that we realized that the right thing to do is to focus in on the key pieces.”

All told, Five had been very quiet in recent times: it last updated its news feed with a partnership with another autonomous tech startup, Cognata, in January 2021, over a year ago; and its last blog post on Medium, on agile working, was in June 2021.

Just as Five had been focused on a pivot to software, Bosch has already been a very active player in that market and how it relates to autonomous systems and other next-generation software and hardware, but it has also been investing in autonomous vehicle companies, too: it’s part of the list of strategic backers of Momenta in China.

“Automated driving is set to make road traffic safer. We want Five to give an extra boost to our work in software development for safe automated driving, and offer our customers European-made technology,” says Dr. Markus Heyn, member of the Bosch board of management and chairman of the Mobility Solutions business sector. Headquartered in Cambridge, U.K., Five is to be part of the Bosch Cross-Domain Computing Solutions division.

“Scale matters in building automated driving technology. Bosch is a global leader in driving assistance technologies, with core technologies and vast data lakes that will be essential in bringing safe self-driving systems to market. We’re excited for Five to become part of Europe’s most powerful SAE Level 4 player and to be a part of Bosch’s future success,” added Stan Boland in a statement in today’s announcement.

The deal comes amid a number of other M&A plays in the world autononous vehicles, including Magna acquiring the assets of Optimus Ride; GM buying out SoftBank’s stake in Cruise; VW reportedly looking to buy out Huawei’s autonomous driving unit; Lidar specialist Luminar buying Freedom Photonics; and more.

Updated with comment from Bosch regarding Sistema’s shareholding in Five.

Privacy watchdogs in Europe are considering a complaint against Apple made by a former employee, Ashley Gjøvik, who alleges the company fired her after she raised a number of concerns, internally and publicly, including over the safety of the workplace.

Gjøvik, a former senior engineering program manager at Apple, was fired from the company last September after she had also raised concerns about her employer’s approach towards staff privacy, some of which were covered by the Verge in a report in August 2021.

At the time, Gjøvik had been placed on administrative leave by Apple after raising concerns about sexism in the workplace, and a hostile and unsafe working environment which it had said it was investigating. She subsequently filed complaints against Apple with the US National Labor Relations Board.

Those earlier complaints link to the privacy complaint she’s sent to international oversight bodies now because Gjøvik says she wants scrutiny of Apple’s privacy practices after it formally told the US government its reasons for firing her — and “felt comfortable admitting they’d fire employees for protesting invasions of privacy”, as she puts it — accusing Apple of using her concerns over its approach to staff privacy as a pretext to terminate her for reporting wider safety concerns and organizing with other employees about labor concerns.

The UK’s Information Commissioner’s Offie (ICO) and France’s CNIL both confirmed receipt of Gjøvik’s privacy complaint against Apple.

A spokesperson for the ICO told TechCrunch: “We are aware of this matter and we will assess the information provided.”

France’s CNIL also sent confirmation that it’s looking at Gjøvik’s complaint.

“We have received this complaint which it is currently being investigated,” a CNIL spokesperson told us, adding: “I cannot communicate any further details at this time.”

The development was first covered by the Telegraph — which reported yesterday that it’s thought to be the first time Gjøvik has sought to press her privacy complaint against Apple in the UK. 

Ireland’s Data Protection Commission (DPC), which is Apple’s main data protection regulator in the European Union for the pan-EU General Data Protection Regulation (GDPR) — and which would, under the regulation’s one-stop-shop mechanism, likely take a lead role on any inquiry related to a GDPR complaint that’s also been lodged with other EU privacy regulators (such as France’s CNIL) — declined to comment. Nor would the DPC confirm or deny receiving Gjøvik’s complaint.

A spokesperson for the DPC said: “The DPC cannot comment on individual cases. All queries that come before the DPC are assessed and progressed in line with the DPC’s complaint-handling functions, where it is appropriate to do so.”

Ireland has a number of GDPR probes ongoing into Apple data processing practices — including into the company’s privacy policies — but the DPC has not yet issued any decisions in relation to those multi-year long investigations.

Were the DPC to decide this complaint merits opening a fresh investigation into Apple, it would likely take years to reach a public outcome given the Irish regulator’s extensive GDPR case file backlog.

In a conclusion to the complaint, Gjøvik urges the regulators to “investigate the matters I raised and open a larger investigation into these topics within Apple’s corporate offices globally”, further alleging: “Apple claims that human rights do not differ based on geographic location, yet Apple also admits that French and German governments would never allow it to do what it is doing in Cupertino, California and elsewhere.”

Face ID Gobbler app

The 54-page “privacy invasion complaint”, which Gjøvik says was submitted to European regulators earlier this month, takes issues with the company’s approach to employee privacy — raising concerns about a number of practices including an internal program by Apple to gather biometrics data from staff using an app called “Gobbler” (later “Glimmer”), apparently as part of the product development process for Face ID.

More broadly, the complaint centers on the breadth of Apple’s secrecy and “anti-employee privacy” policies, as well as what Gjøvik alleges to be “unlawfully restrictive” NDAs.

Apple was contacted for comment on the complaint but at the time of writing the company had not responded.

The tech giant’s approach to inviting employees to engage in product testing which involved capturing biometrics at times left Gjøvik feeling that her participation was mandatory, per the complaint, and — in one instance that she details — she describes responding to what she thought was a “mandatory social event” which turned out to involve manually testing Face ID using the Gobbler app while being penned into a secure outdoor compound in full sunshine.

According to the complaint, information Apple provided internally to staff about Gobbler urged employees to upload data from the app captured in their homes.

“Apple was pressuring employees to upload their ‘faceprint data’ to Apple internal servers, capturing secret photographs and videos of employees, and told employees that face-related logs were automatically uploaded from their iPhones daily,” Gjøvik alleges. 

“It was extraordinarily unclear what data was being automatically uploaded, how and when,” she also claims. “My open questions included whether my personal data was being backed up on employee iCloud backups, synced via iCloud, and/or accessed/copied by Apple’s corporate MDM profiles – or other Global Security surveillance of employee phones. It also disturbed me that the app was taking photos/videos without any notification (sound, signal, etc), which made me think that Apple, if it wanted to, could activate my device cameras and watch me without me knowing at any time as well. I talked to other employees, including managers, with similar concerns.”

Gjøvik cites a public statement by Apple that more than one billion images were used in the development of its Face ID algorithm — claiming the company never answered questions raised by Senator Al Franken who had asked it where those images came from following the launch of Face ID. “What [Apple VP Craig] Federighi did not say is that those images came from employees just like me, whether I wanted to share them or not,” she suggests. 

Per the complaint, Apple informed staff of restrictions on employees uploading data to Gobbler in countries outside the US — although the complaint also cites an email from a Apple manager which states that one such study was being conducted in “the USA, Brazil, Tel Aviv,” and the EU “but not France or Germany”.

“I also saw in notes that the app was forbidden to be used in Japan and China, but then at some point, Apple decided to gather some logs there anyways,” Gjøvik further suggests.

Apple does have offices in Europe — including in the UK, France, Ireland and elsewhere in the region — so it’s at least possible that employees at those locations used the Gobbler app to upload their biometric data. If that happened, it could engage data protection considerations, such as over the legal ground Apple would be able to rely on for processing this data. But whether or not the European regulators who have received her complaint decide there’s something here for them to investigate remains to be seen.

Under the GDPR, consent is one of several possible legal grounds for processing personal data. However for consent to be a valid legal basis, it must be informed, specific and freely given — and, even setting aside questions over whether staff were provided with adequate information on what would be done with their biometric data, an employer-employee power dynamic might undermine their ability to freely consent (i.e. vs feeling they must participate in such testing because it’s their employer asking). So there could be reasons for closer scrutiny.

Gjøvik’s complaint has also been addressed to the European Data Protection Supervisor (EDPS), although a spokesman for the body confirmed the EDPS would not investigate such a matter as its oversight function is focused on the EU’s own institutions, bodies or agencies.

The complaint also lists the Canada’s Office of the Privacy Commissioner as another body to which it has been submitted, along with digital rights groups EFF and Big Brother Watch.

Beyond the Gobbler/Glimmer app, Gjøvik raises concerns about the potential for Apple’s software development ticket/bug reporting system to harvest personal data without staff being properly aware — claiming that the system defaults to sharing reports to all of the company’s software engineering function (potentially tens of thousands of people). It also says these tickets could ask employees to include diagnostic files — which Gjøvik suggests could result in additional personal data from an employee’s personal device, such as their iMessages for example, being passed to Apple without the employee fully realizing it.

In the Verge’s article last year, which quoted Gjøvik and a number of other Apple employees, it was reported that staffers at the company were routinely told to link their personal Apple ID to their work account.

“The blurring of personal and work accounts has resulted in some unusual situations, including Gjøvik allegedly being forced to hand compromising photos of herself to Apple lawyers when her team became involved in an unrelated legal dispute,” the Verge reported, before referencing what it described as a “stringent employment agreement that gives Apple the right to conduct extensive employee surveillance, including ‘physical, video, or electronic surveillance’ as well as the ability to ‘search your workspace such as file cabinets, desks, and offices (even if locked), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises'”.

Another Apple policy the Verge’s report highlighted was a ban on staff wiping any devices before returning them to the company, including if/when they leave Apple — suggesting employees who have linked their personal Apple ID to their work accounts are potentially exposing privacy data to the company when they hand back corporate devices.

Hello and welcome back to Equity, a podcast about the business of startups, where we unpack the numbers and nuance behind the headlines. Every Monday, Grace and Alex scour the news and record notes on what’s going on to kick off the week.

This week was big-tech heavy, as the startup market had a slow start to the week. Sign of the times or one day fluke? We’ll see in time, I suppose.

Here’s what we got into on the show today:

• Stocks are down today, and cryptos are doing even worse in recent days.
• Elon Musk’s flirtation with becoming a Twitter board member is over, the company said. Precisely why Musk backed out is not entirely clear, though the social media company’s statement might hold some clues.
• Shopify is splitting its stock, and changing up its corporate governance structure; crypto volumes are tanking in India following a legal change — and Coinbase is struggling in the country; SailPoint is selling to private equity for $6.9 billion.
• Turning the clock back, the Ellevest round is very cool.
• And to close things out, NIO’s production is on hold in China due to COVID issues. Such much for supply chain recovery.

This week is TechCrunch: Early Stage, which is going to be good fun. See you there!

TikTok has once again delayed the timeline for opening its first data center in the European Union, in Dublin, Ireland — saying the facility is now not expected to be fully operational until next year.

The video sharing social network has been trailing plans to store the data of EU, EEA and UK users in the region since 2020.

This Ireland data center was initially slated to be up and running in early 2022. That timeline was subsequently pushed back to late 2022. Now it’s been punted into 2023.

Currently, TikTok user data is held outside the region, in either Singapore or the US.

Asked about this lengthy delay, a TikTok spokeswoman said: “We initially announced our intention to establish a data centre in August 2020. The challenges resulting from the ongoing global pandemic have significantly impacted our original timeline.”

A European “transparency and accountability center” — which was announced by TikTok in April 2021 as a hub where outside experts could get info on its platform practices in areas like content moderation, security and privacy — has been operating virtually since last year, also on account of the coronavirus pandemic, with the company saying a physical center would also be opened in Ireland in 2022.

TikTok has faced concerns over the security of user data for several years on account of its parent company, Beijing-based ByteDance, being subject to China’s Internet Security Law — which, since 2017, has given the Chinese Chinese Communist Party sweeping powers to obtain data from digital companies.

Ireland’s Data Protection Commission (DPC), which is TikTok’s lead EU privacy regulator, announced two inquiries into the company’s data processing activities in September 2021 — one of which was focused on international data transfers, the other on its handling of children’s data. Although there’s been no update on the progress of its investigations since. (We’ve asked about the data transfers probe and will update if we get a response from the DPC.)

The issue of exports of personal data out of the EU has been mired in legal uncertainty for years, following revelations in 2013 by the NSA whistleblower Edward Snowden of how government mass surveillance programs were extracting data from consumer services like social networks. (Facebook continues to face uncertainty over the legality of its EU-US data transfers in relation to a very long running data transfer complaint, for example, with a revised draft decision sent to it in February.)

While the Snowden revelations centered on US government bulk data intercepts, the Chinese state’s digital surveillance of the Internet is equally (and for some likely even more) problematic from a privacy point of view. Which puts TikTok, as a Chinese-owned social network, in a tricky spot on data security and data governance.

Data localization has been proposed as one way for Internet businesses to shrink these sorts of data transfer-based legal risks and — on as regards the EU — seek to comply with regional data protection rules which require Europeans’ personal data to enjoy the same level of legal safeguards if it’s exported outside the bloc as it has inside.

However a global social network like TikTok which does not firewall usage regionally is never going to be able to entirely silo storage of data based on the user’s region of origin. An EU-based TikTok user might comment on the video of a US-based TikTok user, for example, or indeed vice versa. Where will that data be stored?

That said, there may be a case that certain types of international data flows taking place on these platforms could justifiably claim a legal basis as so-called ‘necessary transfers’ under EU law — such as messages sent intentionally between users.

And if the bulk of TikTok’s EU users’ data is stored inside the bloc, local privacy regulators may also take a kinder view on those remaining data exports.

TikTok describes its plan to localize EU users’ data in the region as a “European data governance strategy” — emphasizing other measures it claims to be taking, such as “strictly limiting” employee access to personal data and minimizing data exports — so that appears to be its hope.

Simultaneously, the company is leaning into the concern which has followed recent data transfer enforcements by EU regulators — such as decisions finding data breaches in relation to use of products like Google Analytics and Stripe — by pointing out that global products need some data to flow in order to be able to, well, function.

“Such a regional approach to data governance enables us to stay aligned with European data sovereignty goals,” argues TikTok’s head of privacy in Europe, Elaine Fox, in a blog post today. “At the same time, we are minimising data flows outside of the region in a way that allows us to maintain the global interoperability needed to ensure that our users here remain connected to our 1 billion strong community — and enjoy the benefits of a global product experience.”

Exports of personal data out of the EU are not illegal, period. The bloc’s top court left the door open for data transfers to so-called third countries in its July 2020 ruling which invalidated a major EU-US data transfer deal — saying it was still possible for data to be exported using mechanisms such as Standard Contractual Clauses (which TikTok’s Fox says the company uses) — provided that the overarching condition of adequate protection for people’s information in the destination country is met.

The EU’s European Data Protection Board followed that ruling with guidance on so called supplementary measures that data controllers may be able to apply to raise the level of protection to the required legal standard.

And while TikTok claims it is applying a mix of such measures to secure transfers it does not go into specific detail of what it’s doing. (That, presumably, is what the DPC will be assessing in its data transfer inquiry.)

“Where data transfers outside of the region are required, we rely on approved methods for data being transferred from Europe, such as standard contractual clauses,” writes Fox. “We also employ a range of complementary technical, contractual and organisational measures so that these transfers are afforded an equivalent level of data protection to that in the UK and EEA. This means in practice that any personal data is protected through a robust set of physical and logical security controls, along with various policies and data access controls for employees.”

TikTok arguably has more cause for concern on the data transfers issue than US-based Internet services because China is simply not going to be granted a transfer deal by the EU (no matter having passed its own data protection regime; geopolitically speaking it’s not workable) — whereas last month the US and the EU announced with the highest level of fanfare that they’d reached a political agreement over a replacement transatlantic data transfer deal. (Adoption will likely take months, however.)

That means US tech platforms like Facebook can look forward to the prospect of — at the least — another extended grace period while they keep passing data and before any fresh legal challenge to EU-US data flows could unpick the regime again.

As a Chinese-owned entity, TikTok won’t be able to rely on such a backstop.

So it’s unsurprising that elsewhere in its blog post the video sharing service seeks to play up the economic value of its regional operations, writing: “We have thousands of employees across the region, working on areas including brand and creator engagement, e-commerce, monetisation, music, privacy, product, public policy, R&D and trust and safety. We’ve announced permanent offices in two of our most important global hubs, Dublin and London. We’re further bolstering our local leadership teams in France, Italy and Spain and are scaling our business in new markets such as Belgium and the Netherlands.”

Data transfers are not TikTok’s only woes in Europe, though.

The social network is facing additional regional scrutiny on the consumer protection front too — with the European Commission initiating a formal dialogue over its ToS last year following a series of complaints.

In the UK the company is also subject to a privacy class action-style lawsuit over its processing of children’s data.

Rick Schostek, EVP of American Honda said it best in a released statement: “Announcing a new battery electric vehicle isn’t exactly headline making news these days.” He’s right. There’s seemingly a new EV everyday (including an electric DeLorean, announced yesterday).

But this announcement is different.

General Motors and Honda today announced a partnership to co-develop affordable electric vehicles. These vehicles should hit North America in 2027. The partnership centers around using the General Motors Ultium EV platform (pictured above) and both automakers’ robust manufacturing capabilities.

“We plan to leverage these strengths to achieve a dramatic expansion in the sales of affordable, compact electric vehicles,” Schostek said. “The foundation of this collaboration is the strength of the relationship between GM and Honda, and the comfort level we have in joint development projects based on successful collaboration in other advanced technology projects focused on electric and autonomous vehicles.”

The exact terms of this partnership are not available at this time. However, Schostek notes that Honda is not, at this time, specifying which vehicles will use GM’s Ultium’s EV platform or Honda’s e:Architecture platform.

“GM and Honda will share our best technology, design and manufacturing strategies to deliver affordable and desirable EVs on a global scale, including our key markets in North America, South America and China,” said Mary Barra, GM chair and CEO, in a released statement. “This is a key step to deliver on our commitment to achieve carbon neutrality in our global products and operations by 2040 and eliminate tailpipe emissions from light duty vehicles in the U.S. by 2035. By working together, we’ll put people all over the world into EVs faster than either company could achieve on its own.”

This partnership is about scale. Together, Honda and GM, have among the most robust manufacturing and distribution processes available and depending on the exact terms, should be able to leverage these strengths to quickly and efficiently flood the market with EVs.

The two automakers have a history of working together, including a previous deal to co-develop the Honda Prologue and Acura’s first EV. The two automakers are also working together with Cruise, and are jointly developing the self-driving Cruise Origin.