Six months after its proclamation, the European Union’s General Data Protection Regulation (GDPR) is laying the groundwork for its intent to reclaim personal privacy as a human right. Under the GDPR, every consumer owns their own digital data, regardless of which medium they use. This directly challenges the business models of global digital giants like Facebook and Amazon, companies that secretly collect and sell personal information about users to advertisers.
“To protect consumers’ privacy and give them greater control over how their data is collected and used,” the Harvard Business Review reported in May, “GDPR requires marketers to secure explicit permission for data-use activities within the EU. With new and substantial constraints on what had been largely unregulated data-collection practices, marketers will have to find ways to target digital ads, depending less (or not at all) on hoovering up quantities of behavioral data.”
The GDPR requires that each consumer actively and explicitly give permission to collect personal behavioural data. “Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up,” says the article.
The authors pose the question: “But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.”
“The era of data stealing and data scraping is over,” Larry Harris wrote in a June social marketing magazine. “GDPR will prompt data-driven advertising to be more opt-in and permission-based, and will render widespread tactics like retargeting and remarketing less invasive and obtrusive. These changes will usher in the next era of digital advertising: people-based marketing, or that which utilizes first-party data instead of third-party data/ad-serving.”
In Canada, “PIPEDA and the Privacy Act may be adequate for Canadian companies under the EU’s current directive, but things will change with the forthcoming legislation,” Danny Bradbury wrote in an April issue of Canadian Lawyer. GDPR will introduce large disparities between our privacy laws. “While PIPEDA gives Canadians the right to know what information companies hold about them, a data portability clause in the GDPR enables them to obtain that information and take it elsewhere.”
Consent is another huge issue. “Canada’s consent laws have traditionally been flexible, says David B. Elder, chairman of the communications group at Stikeman Elliott LLP. ‘An awful lot of the personal information collected by businesses is done by an implied consent standard,’ he says.” In contrast, “The GDPR is stricter in its consent mandate. ‘It’s more granular. Different consents are required for different uses and can’t be buttoned together as a single ‘take it or leave it’ package,’ he says.”
“As a tech company, if you’re found noncompliant, you may also risk having entire databases deleted,” warned an article by Jordan Prokopy, Director & Privacy Practice Leader at PwC Canada. If the risks of non-compliance are daunting, he says, a big competitive advantage goes to the tech companies that figure out the GDPR provisions and implement them.
“Privacy protection, now more than ever, can be used as a strategic differentiator to gain market share both locally and internationally,” he writes. “Taking data privacy seriously today could give you the added edge to secure the funding opportunities, buyout, or high valuations you are looking for.”
Recently, I looked at Sir Tim Berners-Lee’s project to reclaim individuals’ privacy on the web. Berners-Lee created the first http:// page in 1989 (and thus, the Internet), and then persuaded his thinktank employer to make the technology available to the public, free of charge.
Annoyed by how advertising trackers slow down the Web and profit from personal information, he has now created a Solid platform that provides each customer of an Internet Service Provider (ISP) with an impregnable personal POD that protects their personal information. He founded Inrupt to sell the Solid platform to ISPs.
Some ISPs and some virus-protection software packages already offer Virtual Private Networks, or VPNs, supposedly walled off from the greater Internet. Similarly, the Brave browser offers to protect personal privacy and to reward creators when their work appears online. The problem with these market solutions is that they don’t reach everyone. At best, privacy becomes another premium for the rich (or digitally adept) to enjoy.
The EU, however, seems to have sliced through the Gordian Knot with a bold stroke. Never mind arguing about where the onus lies, or whether everyone who goes online should buy privacy insurance in the form of new software.
Under the EU directive, Internet data harvesters have no more right to help themselves to our data — much less sell it — than they have to traipse onto somebody else’s property and cut down their pine tree for decoration.
More, ISPs will have to provide something like a POD. “…service providers like Facebook and Google [must] make the data they hold on individuals portable,” says the Harvard Business Review. “This will immediately further dis-incentivize personal data collection and implicate ad-targeting based on behavioral data,” because consumers can take their PODs to the competition at any time.
Regulation from the top has worked before. Back in 1993, in the early days of PINE and LYNX technology, when a PINE email was a thrilling message in white Courier font against a black background, anybody who had an email account probably had a problem with spam. Spam messages outnumbered personal messages at least ten to one.
People tried to protect themselves individually. The early Eudora email software offered filters that sifted out some spam. Some software programs were available.
In local computer repair shops, software specialists ran programs like Spyware Search & Destroy to root out malware, spyware, and digit-counters, and explained that this was just a temporary fix. The only permanent solution to spam was for the ISPs to tighten up their own filters. And that’s exactly what happened. Internet Service Providers accepted the responsibility to protect their customers from commercial harassment, and the spam rate plummeted.
Obtrusive and invasive as commercial messages can be, the annoyance is a mere inconvenience compared to the threat to our democracies. Intelligence agencies around the world point to Russian propaganda as having disrupted and confused important decisions such as Brexit and the U.S. election. Mark Zuckerberg was recently before the U.S. Congress to account for Facebook’s failure to disclose such activity as soon as in-house investigators found it.
Senator Elizabeth Warren of Massachusetts and others in the new House of Representatives have charged “that Amazon, Facebook and Google are unaccountable monopolies, digital analogues to the railroad trusts of the Gilded Age,” reports the New York Times.
On October 25, the UK data watchdog fined Facebook £500,000 for the breach that allowed Cambridge Analytica access to information about 87 million Facebook users. “The fine is just £500,000 (U.S. $644,000),” reports The Verge, “a small fee for a company that posted $13.2 billion in revenue in the last quarter alone…. Under GDPR, the maximum fine would have been £17 million ($22 million) or four percent of Facebook’s global turnover.”
That is to say, the new law has teeth. “The penalties for violating GDPR are significant,” reports Time Magazine. “The maximum fine can be up to $23.5 million or 4 percent of the firm’s revenue, whichever is larger. Even if you’re Amazon, a $7 billion fine is going to smart.”
The Time Magazine article notes that the GDPR is bound to have effects on the U.S. Internet — already permission forms are going out — but there’s a possibility that Europe could end up with a different Internet from other parts of the world.
“Firms like Facebook have already vowed to operate in accordance with GDPR across their global user base — both because it’s easier for Facebook and because it generates good press on the privacy front….” says the Time Magazine article.
Contrasting the EU’s preventive approach to the U.S. remedial approach, the article notes that, “Some say this freedom afforded to [U.S.] tech companies is the triumph of the free market; others argue it’s the failure of that same free market.”
But Europe is going in a very different direction: “…the basic idea behind the law is to orient companies toward ‘privacy by default’ and put people in charge of their personal data. In the eyes of Brussels, data privacy is an intrinsic human right, and therefore should be under the control of the individual user. GDPR is a critical step in that direction.”
Image: Dennis van der Heijden/Flickr