(Yui Mok, AP Images)
Today begins a revolution in how personal data is collected and managed online. The European Union implements its General Data Protection Regulation (GDPR), empowering web users to opt out of having their information gathered by websites, with high penalties for non-compliance.
Dominant companies have built business models on surveilling and profiling users from every corner of the internet. Nearly all revenue is derived from it, mostly from delivering valuable targeting information to advertisers. The platforms know how much money you make, what you spend it on, what you watch and listen to, whom you owe money to, and what you're feeling, on a moment-by-moment basis. GDPR could threaten that strategy.
“It will require such a rethinking of the way Facebook and Google work, I don't know what they will do,” says Jonathan Taplin, author of Move Fast and Break Things, a book that’s critical of the platform economy.
But last month, The Wall Street Journal and The New York Times suggested, suspiciously on the same day, that Facebook and Google would benefit from GDPR, because startup rivals won’t be able to handle the compliance burden. The Times even cited an academic paper buttressing this argument co-written by Catherine Tucker, who has received $155,000 in Google grants.
The idea that regulations necessarily stunt competition is dubious, especially in this case, where Facebook and Google lobbyists persistently argued against the proposal to European regulators.
“I've been told this is the most lobbied issue in the history of the EU,” said Jason Kint, CEO of Digital Content Next, a trade association for online publishers.
If Google and Facebook come out of GDPR on top, it's because they'll have successfully distorted its meaning and offloaded responsibility on partner publishers and websites. It will take determined regulators to avert this. But if they succeed, GDPR will become a global standard that will diminish the power and reach of the tech monopolies, their propaganda aside.
Let's go over what GDPR actually does. All companies that interact with European users will have to identify what personal information they collect, which outside entities can access it, and to what end it will be used. This disclosure must come in simple and unambiguous language, not in a ponderous user agreement written in legalese that is routinely ignored. Since tech companies are increasingly global, you've probably gotten a lot of email notices about changes to privacy policies, regardless of whether you live in Europe.
With few exceptions, users must affirmatively consent to have their data collected, stored, and processed. They can request that their data be erased completely (known as the “right to be forgotten”), or prohibited from sale to third parties. They can transfer all of their data to a different provider, making social media or search sites interoperable. Children under 16 would have to have a parent opt into data collection for them. Tech firms must inform users of a data breach within 72 hours, and cannot condition their products' usage on being able to acquire data.
This consent must be individualized—companies cannot have one page where users agree to all forms of data collection and use. That's crushing for ad tech companies, which must ask users specifically if they want to be targeted with personalized ads as they travel around the web. That’s likely to significantly diminish such products as users decline rampant surveillance. The regulation doesn’t ban targeted ads, but it certainly will reduce their ubiquity.
GDPR violations will cost a company either 20 million euros or 4 percent of annual global revenue, whichever is larger. So a fine against Facebook or Google could easily reach into the billions of dollars. There’s also a private right of action in the regulation, meaning companies out of compliance invite class-action lawsuits.
In short, GDPR puts data back under user control, and ends the pernicious reliance on self-regulation that has governed the tech industry since the internet's founding. Firms have thrived on concealing what the user truly gives up in exchange for searching for news or chatting with friends. GDPR unmasks that, and the result should be positive for users, as well as those websites with nothing to hide and something legitimate to offer. Some fear that users will be inundated with annoying interruptions accompanying each type of data collection. But that gives advantage to sites that figure out how to survive without mass surveillance, creating a more enjoyable experience.
GDPR is only the first step in Europe's war on the surveillance economy.
The imminent ePrivacy regulation would be even more stringent, disallowing automatic data collection even if there’s a “legitimate interest,” like collecting someone’s location so it can show the current weather forecast. According to Citibank, ePrivacy could reduce European ad revenue by a whopping 70 percent, and a 33 percent reduction in ad budgets. Other analyses find ePrivacy to be a far greater threat than GDPR. The idea that Google and Facebook would be financially secure in such a scenario is risible.
That's why the platforms have interpreted GDPR in a way that evades responsibility. Google has told media websites using its ad network that the burden of getting consent for data collection falls on them, shifting liability for non-compliance to the publisher. Under this standard, Google could, as a “data controller,” process information gleaned from users for their own purposes. “If you’re an ad tech company, that’s your way in, you tell a publisher, you get me consent,” said Jason Kint of Digital Content Next.
Publishers have gotten no clarity from Google on their concerns; the company is running out the clock and forcing partners to either accept their terms or lose access to the dominant ad network. It’s an audacious attempt to preserve the business model while perverting the intent of the law.
Similarly, Facebook's design for obtaining user consent is intended to induce users to rapidly agree, maximizing the allowable data collection. They’ve added large “accept and continue” buttons and tiny text where you can see the actual changes. Consenting to the new standards is far easier to accomplish than reviewing or altering them.
This bobbing and weaving from the big players makes the role of the regulators even more crucial. “Will the regulators step in and make sure the big platforms aren't able to re-rig the rules?” asked Jason Kint. “We don't know whether or not they'll have enough juice to mean business.”
Given that almost nobody will be compliant on launch day, and the whole of the regulation is fairly obtuse, establishing principles to guide enforcement is the key. GDPR intends for users to be placed firmly in control of their data, and being duped into consent, or having a third-party grab consent on someone else’s behalf, violates that spirit. The EU competition authorities will have to set an example early.
If they can manage it, they can really change the world. No multinational will want to have one set of rules for Europe and another for everywhere else. This can become a global standard that puts individual privacy ahead of surveillance-based profit.
The critics who point to the inevitable start-up glitches either are hostile to the whole idea, or miss the point. This is the first draft of a new policy regime. There will be revisions, embellishments, and course corrections. We ought to root for its success.