European regulators were once dismissed as pesky, procedural, and preoccupied with privacy. But as their new data protection regulation, considered among the toughest in the world, goes into effect today, their perspective could become the de facto global standard.
The European Union’s General Data Protection Regulation (GDPR) establishes a range of new rules for how companies handle the personal data of customers in the EU. But, as the flurry of privacy updates filling up American email inboxes illustrates, it is already changing the way that companies outside the 28-nation bloc are doing business with customers, wherever they might be located.
Critics of the law have emphasized the burdens that it imposes on businesses outside the European Union. But some observers say that, just as state-level environmental standards were once considered unnecessarily costly but now figure among national, mainstream consumer demands, companies could adopt the privacy measures to market their trustworthiness to customers outside Europe. Trust is an increasingly valuable commodity in an era of data breaches, online stalking, and psychologically targeted hate speech and political propaganda.
“You can look at this as legal compliance,” says Paul Jordan, managing director of Europe for the International Association of Privacy Professionals (IAPP). “But I think smart companies will look at this as a business enablement exercise as well.”
“Online customers are increasingly more sophisticated than they were 20 years ago, and they do pay attention to how their data is used,” says Mr. Jordan, who is based in Brussels. “So there is an opportunity for companies to build a new trust paradigm with an online consumer base.”
Your data, your rights
The regulation, which replaces a 1995 EU directive, gives people in the EU the right to request, free of charge, a copy of any personal data a company holds about them, and to have that data corrected or deleted: the so-called “right to be forgotten.” Under the new law, businesses must explain in plain language what information they hold and how it is used. Consent to the use of personal data must be “an affirmative act”: pre-ticked boxes and other “opt-out” mechanisms are not permitted. Noncompliance invites hefty fines – up to 20 million euros ($23 million) or 4 percent of annual global revenue, whichever is larger.
David Erdos, an expert in privacy law at the University of Cambridge in Britain, says that the regulation’s ultimate effectiveness depends on how vigorously it is enforced.
“Data protection has had a lot of challenges to be effectively implemented, and simply creating a new law doesn’t solve those fundamental difficulties,” he says. “In some ways it makes them more extreme, because if the rules now are more rigorous, and there is already a very significant implementation gap, then the problem of the implementation gap grows even larger come Friday.”
Questions remain over whether regulators will have adequate resources. And the learning curve is steep, for companies and the public alike. Julian Jaursch, of Digitale Gesellschaft, or Digital Society, a small nonprofit in Berlin, is running a German-government funded campaign for users that went live earlier this month called “Your Data, Your Rights.” “There is a lot of education that is needed,” he says.
A ‘flexing of state power’
Once accused of being anti-technology – or at least anti-Silicon Valley – many European bureaucrats have insisted that they are creating a tool that speaks to the values of the 21st century, one that could raise standards everywhere.
“[GDPR] represents real flexing of state power in ways that are almost reminiscent of the 19th century, in the sense that the state is taking on the role of public risk guarantor,” says Trevor Butterworth, vice president of research for CynjaTech, an American company that specializes in data protection and privacy. “They see a risk in people’s data being abused, and they’re stepping in to say, ‘Look, we’ve got rights and we’re going to guarantee them protection.’ ”
Polls have long shown that Europeans – with histories of state police, dictatorships, and repression – tend to prioritize privacy more than Americans do: Pew Research found in 2014 that 85 percent of Germans favored the new standards, compared to just 29 percent of Americans.
But after Russian meddling in the 2016 US election and the Facebook and Cambridge Analytica data scandal, American minds have started to shift. “I think the two positions are converging as opposed to the opposite,” Jordan, of the IAPP, says.
That could make American companies more willing to use GDPR as a blueprint for privacy policies outside Europe. Microsoft and Facebook have already said as much.
It's not unheard of for governing bodies to enact laws that spill beyond their geographic borders. California, for example, has since the 1960s set vehicle emissions standards tighter than those mandated by the federal government. And because the Golden State presents such a large market for automobiles, many automakers have adopted California emissions standards for vehicles sold in all 50 US states.
But perhaps a better analogy for the GDPR is not environmental protection, says Mr. Butterworth, but the establishment of food safety standards at the turn of the 20th century.
“Why was the FDA created primarily? Well it was because nobody could trust the food they were eating,” he says. “People were clearly willing to poison their customers to make a profit. The FDA changed that. It could not have been easy to deal with these new rules. But ultimately the benefit was enormous. We can trust the food.”
A two-tiered system?
Calli Schroeder, an attorney with Lewis, Bess, Williams & Weese in Denver, who specializes in data privacy and security, says that the regulation carries a cost, either in updating standards or opting out of the EU market to avoid the regulation. But it also presents an opportunity: “You can make your company look really good by saying you’re going to give everyone the same rights,” she says.
Americans might become more demanding, especially if the privacy standards are bifurcated.
“The interesting question is, do American companies say we’re going to have a two-track system, we’re going to give all these rights to Europeans who use our products and we’re just going to strip mine Americans of their data?” Butterworth says. “Is that even economically rational? Is that feasible in terms of brand management? I don’t know. I don’t think so.”