Europe is about to stake a claim to protect the privacy of individual data on the internet that far outstrips the norm in the United States. What’s more, against a background of fresh uproar over misuse of data centered on Facebook, it sets the stage for a confrontation with Washington and the giant American corporations that dominate the internet.
The General Data Protection Regulation (GDPR) – to be implemented on May 25 – is a far-reaching set of rules focused on the shielding of individual privacy and exchange of data across borders. All companies operating across the European Union, and doing business with its 500 million people, must abide by it.
The scandal over alleged misuse of Facebook data from 50 million people by London-based political data firm Cambridge Analytica comes just ahead of the introduction of the GDPR, and can be expected to provide ammunition to European Union officials who argue that the big U.S. internet companies cannot be trusted to regulate themselves (Financial Times, may be paywalled).
While there’s activism in the United States around the exchange of data and level of personal consent, official concern over data privacy is far weaker than in Europe. The Privacy Shield program administered by the U.S. Department of Commerce, which applies to business data between the EU and United States, isn’t a comprehensive solution.
Some see protectionist tendencies in Europe against the dominance of American technology companies; but the roots of European concerns over individual privacy go deeper, and include firsthand experience of totalitarian governments (Bertelsmann Foundation).
While the big U.S. internet companies – known in the European Commission as GAFA (Google, Apple, Facebook, Amazon) – move fast and with a high degree of freedom, regulation is catching up.
GDPR is Europe’s response to the exponential growth of data, and aims to protect people – and their privacy – as a priority.
“Data protection must be embedded in daily life. Data protection [is] serious and it should not be delegated to IT or lawyers, or just in case,” European Data Protection Supervisor Giovanni Buttarelli told WikiTribune.
Among key elements in the new legislation are:
- The so-called “extra-territorial applicability” of GDPR means data must be held in or accessible from the European Union.
- The “privacy-by-design” concept must be built into services from the start, with explicit consent and greater clarity on use of data.
- Greater fines for non-compliance: those in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million (whichever is greater).
(See WikiTribune’s community explainer on the GDPR).
Changing attitudes across Atlantic
The United States has always differed on privacy with the EU, as shown by both sides’ legal frameworks. Though the “right to privacy” is upheld in both the Universal Declaration of Human Rights and the European Convention on Human Rights (Article 8), it’s not explicitly mentioned in the U.S. Constitution.
“In the wake of thousands of breaches and security lapses, and some pretty egregious misuses of data, the consensus, largely, is that consumers need more protection when it comes to data. And the GDPR is going to effectuate that, to the surprise of a lot of people in the U.S.,” he told WikiTribune.
In 2017 alone, massive data breaches occurred from major companies including Yahoo, Deloitte, Equifax, and Verizon (Wired).
A recent study from the Pew Research Center found that nearly two-thirds of respondents, 64 percent, reported data theft. The study also said half of all Americans believe their information is less secure now than five years ago. Many don’t trust institutions to protect their data, whether it’s the government or private sector.
“GDPR is a game changer in the U.S. for many companies,” said Gidari. “The big companies, at least, have made huge strides in achieving compliance with the requirements, contrary to some perception that there’s a lot of resistance to it.
“Companies have really accepted it and, as a result, ironically, it isn’t [just] the European community and residents who will see the big benefit from it, it’s actually U.S. consumers.”
A 21st-century approach
GDPR represents an evolution in Europe’s history of data protection. It replaces the Data Protection Directive (DPD), implemented in 1995 when the internet was still in its infancy. Other countries, including Sweden and the UK, later followed suit with their own sets of comprehensive data rules. One of the new regulation’s aims is to harmonize differing approaches.
The change from the DPD to GDPR is an acknowledgement of how much the internet has changed – from “open” to a so-called state of “surveillance capitalism” – and that the old regulation system is no longer fit for the digital age. About 40 percent of the world – 3.9 billion people (Internet Live Stats) – now has access to the internet, opening up a growing market and creating a vast trove of information.
The change also reflects increasing concern over unauthorized monitoring or use of data, which came into focus when whistleblower Edward Snowden exposed the extent of U.S. National Security Agency spying in 2013.
“I am an economist, so I know that there is no such thing as a free lunch,” she said. “You pay with one currency or another – either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value.
“What we see in Europe is that a huge proportion of citizens find that they are not in control.”
GDPR strengthens the rights of individuals by giving them more control over how businesses use their personal data. These include the right to be informed, to access and to rectify personal data records if they are inaccurate or incomplete. The right to erasure, also known as the “right to be forgotten,” means consumers can request companies delete their data – this could be done simply because someone is no longer a customer of a company.
Google revealed in its latest transparency report that more than 2.4 million people have filed “right to be forgotten” requests since the EU passed the law in 2014. The vast majority of requests (89 percent) came from individuals, and politicians and celebrities were represented disproportionately.
New era, new rules
Since internet use became common about 25 years ago, the amount of data exchanged has escalated exponentially.
According to a 2017 report by IBM, 90 percent of the world’s data were generated in the previous two years alone. Every day, users create 2.5 EB (exabytes) of data, unintentionally allowing interested parties to collect information about political or religious views, or locations and movements. Much of this data drives innovative industries, such as artificial intelligence and the burgeoning sector of digitally controlled devices, the Internet-of-Things (IoT).
Peter Trainor, co-founder of artificial intelligence company UsAi, said that though he believes GDPR is good, it represents a “nightmare scenario” for his industry.
“AI needs a massive amount of data … [but now] people must be provided with an explanation of a decision made about them – that’s the killer blow for AI and machine-learning,” he said. “The machines are often making decisions out of our direct control … inferring a decision that [we] would otherwise expect a person to make.”
Even so, Trainor added that overall, GDPR is positive because it informs people on the importance of their data.
“It at least gives the public an overview of the fact that they have data, and it’s valuable, and brands own or use it,” he said. “The majority of people don’t understand data. [GDPR] lifts the lid off it and ensures all brands and providers of AI are transparent.”
‘GAFA’ set an example
The four most powerful American tech giants – Google, Apple, Facebook, Amazon, or GAFA as they’re known in European Commission parlance – rely on large amounts of data to conduct their businesses. Google and Facebook combined are set to bring in 84 percent of global advertising revenue, excluding China, according to a 2017 forecast from GroupM, a media agency owned by advertising and communications conglomerate WPP.
But the relationship between GAFA companies and the EU has always been tense. For example, in 2017, the EU slapped a €2.14bn antitrust fine on Google for what it said was manipulation of its search engine results in favor of its shopping services. Google is still appealing the fine.
Nonetheless, GAFA companies have appeared ready to comply with GDPR, deploying hundreds of Data Protection Officers (DPOs) to prepare for the May deadline.
Facebook announced in January it will roll out a global privacy settings hub that will “make it much easier for people to manage their data,” said its COO Sheryl Sandberg. The New York Times reported that Facebook also decided not to roll out some of its new products, since they would violate privacy laws.
However, according to a recent Reuters exclusive, Facebook is trying to reduce its legal liabilities under GDPR. This means that non-EU citizens won’t be protected even if their data is processed in the EU.
The New York Times also reported Google has started letting people all over the world choose which data they want to share via its various products, including Gmail and Google Docs. Amazon has also been improving data encryption on its cloud storage.
These extra steps are taken because the penalties are much greater under GDPR. The maximum fine for the most serious offenses is 4 percent of an organization’s global turnover, or €20 million ($24.6m), whichever is greater.
Data is power
Data might be the new oil, but who owns it? This report by The Economist maintains that it’s internet giants such as Google or Facebook. But GDPR dictates, in the case of personal data, that it’s private citizens, effectively changing the public’s power relationship with companies.
Recent revelations in data breaches mean that people all over the world are realizing how their personal information could be jeopardized and exploited. Uber is a notorious example of a company accused of mishandling the data of its customers, and now has to go through 20 years of auditing (TechCrunch). A 2017 ICO survey showed most UK adults don’t trust businesses with their data.
“If GDPR represents anything, it’s that you have to access and plan for and foresee the negative consequences of your product or service – not just the benefits,” said Stanford’s Gidari.
“We’ve lived in a world for 20 years where we only focused on the good stuff and ignored the bad stuff that was or could happen,” he said.
“I think the heart of GDPR in the end is that companies better think about the positives and the negatives together and mitigate the negative to the extent possible or at least give users some choice in it.”
A future web
In his book, The Attention Merchants, legal scholar Tim Wu – who coined the phrase “net neutrality” – explored how companies turned the web into an attention-machine to monetize the public’s data, offering “free services” while earning billions along the way.
Wu’s vision (The Guardian) of the internet is one that’s unlikely to break away from the historic cycle of communication technologies, which started out as chaotic and open and eventually came to be controlled by industries.
But will GDPR change who controls the internet?
Experts agree GDPR will shift the balance of power between citizens and companies – certainly within the European Union. At the least, it will reduce corporate control of the web by creating friction over how data is harvested.
“If you eliminate the ability to profit [from advertisement], then you eliminate the ability for ‘free’ services [e.g. Google] to survive, and really see a dramatically different internet,” said Gidari.
Perhaps most importantly, GDPR is about changing “how we think about data protection,” said Elizabeth Denham, Information Commissioner of the ICO, in a 2017 speech.
“[GDPR] brings a more 21st-century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection,” she said. “Make no mistake, this one’s a game changer for everyone.”