Europe’s mammoth new data-protection law tilts the playing field away from big technology groups and towards consumers. In the short term, giants like Facebook and Google may find it easier than smaller companies to get users’ consent to make money from personal information. But over time, they’ll face a hostile European Union whose regulators are equipped with powerful new weapons. Breakingviews explains what’s at stake.
My inbox is full of emails asking me to 'stay in touch'. Who should I blame?
Brussels, mostly. EU lawmakers spent four years cooking up the General Data Protection Regulation, or GDPR, which comes into force on Friday. The 56,000-word law — about the length of Shakespeare’s Hamlet and Othello combined — forces organisations to get explicit consent before processing European citizens’ personal data. That includes email addresses on a marketing database.
The law states that users should also be able to access, erase and move their information to another service. And companies must keep a record of data processing so that regulators can judge whether they’re GDPR-compliant.
Many of the provisions were already part of EU or national law. But the GDPR’s hefty new sanctions have spooked companies into redoubling their data-protection efforts. If a national regulator identifies a breach of the GDPR, the business could be fined the higher of 20 million euros or 4 per cent of its annual global turnover — and even be banned from processing data.
What does Europe mean by 'Data'?
The legal definition is “any information that relates to an identified or identifiable living individual”. In practice, that means names, home and email addresses, location data from smartphones and other devices, medical records, internet protocol (IP) addresses and so-called cookie identifiers used to target advertising on web browsers.
Generic email addresses don’t count. Nor does anonymised or encrypted data, unless the information could be used to identify an individual.
What will companies do differently?
It depends on the sector, but any business whose core activities involve handling personal information must appoint a data protection officer. All organisations must also report any data-security breaches to their national regulator within 72 hours.
A key part of the GDPR is that it sets a high bar for what counts as user consent. Publishers and social media companies like Facebook or Twitter could previously rely on implicit consent, or jargon-heavy terms and conditions, to gain access to users’ information.
From Friday, that won’t cut it. Companies which process or control personal data must get “affirmative … freely given, specific, informed and unambiguous” permission. That shifts the burden from consumers — who previously had to opt out of any data gathering they disagreed with — to the company, which must now obtain a clear opt-in.
Facebook, for example, last month asked its users to opt into facial recognition in photos and the use of data gathered on third-party sites. Similarly, companies using email marketing databases must show that all the names on the list actively consented to having their details stored. Hence the flood of emails.
Will Europeans give consent?
Surveys suggest not. Of more than 3,000 people polled by HubSpot Research, about 60 per cent said they would choose not to receive phone calls or emails from companies. The same proportion would demand that businesses delete all their records, using their GDPR-enforced “right to be forgotten”. Around half, meanwhile, would opt out of targeted advertising or receiving tracking cookies on their browser.
Yet there’s a difference between intention and action. Take the widespread campaign to #DeleteFacebook after the social media giant admitted in March that Cambridge Analytica had harvested millions of its users’ profiles. Facebook’s results for the first three months of the year showed daily active users were up 2 per cent in Europe and 1 per cent in the United States and Canada.
The implication is that behemoths like Facebook, Google and Amazon are so entrenched that the cost to users of opting out — or switching to another provider — outweighs unease about data-harvesting. Wells Fargo analysts reckon the hit to revenue at Facebook and Google this year will be a low single-digit percentage of revenue.
Smaller and medium-sized businesses with less essential services, on the other hand, could struggle. They may also find that the burden of compliance pushes up costs, arguably pushing up economies of scale in sectors that rely heavily on data.
Regulation is good for Big Tech?
Not necessarily. A key aim of the GDPR is to give consumers more power over technology companies, especially large ones. This gives European regulators a powerful new set of weapons for their ongoing battle against the perceived dominance of these companies.
Take Germany. The country’s competition regulator in December explicitly linked the principles of the GDPR to its preliminary finding that Facebook’s use of third-party data constituted an abuse of the US group’s dominant market power. The company has since changed its terms so that users must opt in.
The regulators’ general concern, however, was that some web services are so dominant that they can effectively dictate terms of use to consumers. If not opting in means being cut off from a ubiquitous product like Google Maps or WhatsApp, is consent “freely given”?
In a worst-case scenario, regulators could use their new GDPR powers to prosecute an antitrust fight. That ought to make Facebook founder Mark Zuckerberg and his fellow tech CEOs sit up and take notice.