A new era for data protection?

The EU’s General Data Protection Regulation will come into effect on May 25th this year. The regulation will ensure greater data security for EU citizens and will hold firms accountable for the protection of personal data. Facebook, in an attempt to limit potential liability, has ensured that less than 25% of its users will be covered by this legislation. However, analysts have noted that GDPR may soon affect firms across the globe.

Background

Data privacy is an issue of increasing concern.  Governments across the world have begun to notice that data is being weaponised. The Russian misinformation and influence campaigns during the 2016 US Presidential elections are an example of the fact that data may be used maliciously to undermine democratic processes and institutions.

Facebook’s Cambridge Analytica scandal brought the issue of data privacy into the spotlight once more. It drew global attention to the degree of control corporations such as Facebook have over personal information, sparking debates on privacy and data use. Facebook is one of the largest social media corporations in the world today with an average of 2 billion monthly users. It collects and stores several kinds of personal information from its users, education, employment, religion and political views, location history, and mobile phone numbers. Cambridge Analytica, a data mining organisation and political consultancy, received the personal information of approximately 87 million Facebook users through a third-party app. Cambridge Analytica has reportedly been involved in influence campaigns and hundreds of political campaigns across the world.

Facebook CEO Mark Zuckerberg recently admitted that Facebook collects information even on those who are not registered users. Facebook has faced litigation in European courts due to this issue and is currently under investigation by the FTC.

 

EU and data protection.

The European Union has shown initiative in updating its policies to tackle cyber issues. This year alone, a German court ruled that Facebook’s use of personal data was “illegal.” Belgium banned the company from tracking non-users on third-party websites. Britain and France have begun to hold tech companies accountable for not countering inflammatory content propagated on their sites.  Facebook has been fined by Spain for collecting, storing and using data without informed user consent. EU has slapped Alphabet with a record $2.7 billion fine for using its dominance in the industry for pushing its own advertising business.

In 1995, the Data Protection Directive (DPD) (Directive 95/46/EC) came into force in the EU. This directive interpreted human rights law to protect personal information. According to the DPD, “Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes”.

Analysis

The General Data Protection Regulation will replace the DPD in the European Union in May 2018. The GDPR is intended to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”. As GDPR is a regulation rather than a directive, it will be applicable across all member nations once implemented. 

The GDPR will provide EU citizens with new rights to access, erase, transfer, or correct any personal data held by information companies. It will also make these organisations obliged to manage data better, and implement personal data risk management, policies and procedures. Corporations will be compelled to notify users of data breaches and obtain informed consent from all subjects before collecting any data on them. Customers will have to be informed what their data is being used for. Subjects will have easier methods to object to data processing as well.

GDPR will also provide regulatory bodies with greater powers and impose new fines. Under the GDPR, if privacy laws are breached, a company can be fined up to 4% of its global annual turnover or €20 million. “It’s changing the balance of power from the giant digital marketing companies to focus on the needs of individuals and democratic society,” said Jeffrey Chester, founder of the Center for Digital Democracy.

Facebook has now announced measures that will minimise the number of Facebook users that fall under the new EU rules. Only European users, administered by the organisation’s European headquarters in Ireland, will be protected by GDPR. Facebook has approximately 370 million users in Europe, 239 million in North America, and 1.5 billion users elsewhere. The 1.5 billion users, which were previously protected by EU rules, will now have the same privacy guidelines as North American users. LinkedIn has taken similar measures to relocate its non-European users to offices based outside of Europe.

Facebook CEO Mark Zuckerberg has said that Facebook would comply with the new regulation globally “in spirit.” "The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live," said Stephen Deadman, deputy chief global privacy officer at Facebook.

Counterpoint

The GDPR has been criticised for not going far enough. It does not make any direct references such as “data mining”, or “data harvesting”. It has been noted that its hefty fines could affect small businesses disproportionately. Additionally, at nearly 100 articles long, it is highly complex and weighty.

Assessment

Our assessment is that the European Union has made steps to adapt to a world where data privacy is under threat. The GDPR is a strong move to give consumers agency over their own data. We believe that the GDPR is likely to have a global impact. Companies across the world may have to adjust their business practices to comply with the GDPR. Additionally, the GDPR is a recognition of the fact that self-regulation may no longer be a viable option for technology firms. There has been a breach of trust between these firms and their users. It remains to be seen whether other nations will follow the EU in implementing regulation.