The effects of the European Union’s sweeping new data privacy laws, set for implementation in May, won’t be limited to Europe, argues Albert Gidari, director of privacy at the Center for Internet & Society at Stanford Law School.
Known as the General Data Protection Regulation, these laws will restrict how tech companies collect, store, and use personal data from people across the EU—as well as require companies to clearly explain how they plan to use personal information.
Here, Gidari explains the new regulations and how they might affect American users:
What will these new laws actually do for personal privacy? Do you expect the EU regulations to improve privacy for everyone, not just Europeans?
The GDPR applies to the personal data of EU residents, so, theoretically, the changes in EU law would not provide greater protections for residents of the rest of the world. But the GDPR applies extraterritorially to those companies that process the personal data of any EU resident, so the practical effect of the law is to force platforms and Internet companies around the globe to comply with GDPR requirements everywhere.
The alternative would be for companies to create two separate systems and infrastructure to separate EU data, which simply isn’t practical in an interconnected world. That means people everywhere will see increased transparency about what data is collected, how it is used, to whom it is disclosed, and have the ability to limit all of the above.
Even though the compliance date is around the corner, we are still waiting to see how the GDPR will be implemented in each country, so people should look at this as a process that will take time. But because the fines are so great under the GDPR (up to 4 percent of global revenue), companies have had to anticipate compliance in many areas to be ready.
Facebook rolled out a new consent form for targeted advertising and more. It was introduced globally, rather than just in Europe.
Do these new laws go too far, or not far enough, in regulating the personal privacy of users?
Whether the GDPR goes too far or not far enough in protecting privacy depends a lot on who is answering the question.
Certainly, companies have had to invest a small fortune in changing systems to meet requirements. For example, Google has hired hundreds of people to review requests for erasure, known as the right to be forgotten. Perhaps large companies can afford the compliance costs, but startups complain that these changes are bad for innovation.
Individuals largely have welcomed the changes, particularly the increased transparency and the right to see what data has been collected and to whom it has been disclosed, and to withhold consent yet still receive the service. There is no doubt that GDPR increases the protections for individual privacy, but at what cost remains to be seen.
Lastly, the GDPR creates momentum throughout the rest of the world for increased privacy regulation because cross-border data flows will be affected if the receiving country lacks adequate privacy protections. So we will see a global increase in privacy regulation as a result.
Will GDPR laws hit Google and Facebook targeted digital marketing revenues?
I don’t think revenue impact is the right way to look at the GDPR changes because the GDPR certainly doesn’t outlaw advertising, nor would we have a largely free internet if it did.
All of the advertising-based business models for online companies will be affected by the GDPR, however. How and when a user profile can be created and shared is perhaps the greatest change in the law. Interest-based advertising will continue, but targeted advertising based on profiles aggregated by collecting data from multiple sources will be prohibited absent consent.
So changes in advertising definitely will affect how companies do business, but it isn’t going to eliminate advertising.
Will GDPR make it less likely to have a Cambridge Analytica situation?
If by a CA situation we mean a third-party app that wrongly uses data it was otherwise authorized to access, then GDPR will not change the result. Users consented to the app accessing their data. The fact that user data included data on their friends as well, and that that data was accessed by CA, already has been changed by FB.
GDPR does create an environment, however, where platforms will be more responsible for the acts of their third-party partners and vendors. So, to the extent that greater auditing of apps, for example, might have identified the CA situation, we can expect platforms to be much more careful with third-party access to data, and users to have more control through consent mechanisms in the future.
Is there any legislation pending in Congress to address digital privacy in the US?
Unfortunately, we are unlikely to see any comprehensive federal privacy legislation in the near future.
The states are more proactive—for example, California has a ballot initiative called the California Consumer Privacy Act of 2018, which would install GDPR-like requirements as to consent, disclosure, and transparency for California residents. But it seems very unlikely that there will be an omnibus privacy law at the federal level—our history and experience are just different from the EU’s, which has long treated privacy as a human right applicable horizontally across all industry sectors, whereas in the US privacy is treated on an industry-by-industry basis, or vertically. Privacy laws here are tailored to the risks associated with each industry.
Source: Sharon Driscoll for Stanford University