Will Europe's new web privacy rules also bring global standards of trust?

Yves Herman/Reuters
Andrea Jelinek, the head of the European Data Protection Board, a new European body created to enforce the General Data Protection Regulation, gives a news conference in Brussels on May 25.


As you may have noticed from the flood of privacy updates inundating your email inbox, the European Union’s General Data Protection Regulation goes into effect today. The law, which imposes new rules on how companies may handle customers’ personal data, applies only to information belonging to customers in the EU, but its effects are already being felt globally. It shifts much of the onus of data protection onto businesses, but, amid the new burdens, some observers see an opportunity for tech companies to regain their customers’ trust, an increasingly valuable commodity in an era of data breaches, online stalking, and psychologically targeted hate speech and political propaganda. “Online customers are increasingly more sophisticated than they were 20 years ago, and they do pay attention to how their data is used,” says Paul Jordan, managing director of Europe for the International Association of Privacy Professionals. “So there is an opportunity for companies to build a new trust paradigm with an online consumer base.”

Why We Wrote This

The European Union’s General Data Protection Regulation, which goes into effect today, presents an opportunity for technology companies around the globe to reestablish trust with their customers.

European regulators were once dismissed as pesky, procedural, and preoccupied with privacy. But as their new data protection regulation, considered among the toughest in the world, goes into effect today, their perspective could become the de facto global standard.

The European Union’s General Data Protection Regulation (GDPR) establishes a range of new rules for how companies handle the personal data of customers in the EU. But, as the flurry of privacy updates filling up American email inboxes illustrates, it is already changing the way that companies outside the 28-nation bloc are doing business with customers, wherever they might be located.

Critics of the law have emphasized the burdens that it imposes on businesses outside the European Union. But some observers say that, just as state-level environmental standards were once considered unnecessarily costly but now figure among national, mainstream consumer demands, companies could adopt the privacy measures to market their trustworthiness to customers outside Europe. Trust is an increasingly valuable commodity in an era of data breaches, online stalking, and psychologically targeted hate speech and political propaganda.

“You can look at this as legal compliance,” says Paul Jordan, managing director of Europe for the International Association of Privacy Professionals (IAPP). “But I think smart companies will look at this as a business enablement exercise as well.”

“Online customers are increasingly more sophisticated than they were 20 years ago, and they do pay attention to how their data is used,” says Mr. Jordan, who is based in Brussels. “So there is an opportunity for companies to build a new trust paradigm with an online consumer base.”

Your data, your rights

The regulation, which replaces a 1995 EU directive, enables those in the EU to request, free of charge, any personal data that companies hold about them, and then to have it corrected or deleted: the so-called “right to be forgotten.” Under the new law, businesses will need to explain in plain language what information they hold and how it’s used. Giving consent to use personal data must be “an affirmative act”: pre-ticked boxes or other “opt-out” mechanisms are not permitted. Noncompliance invites hefty fines – up to 20 million euros ($23 million) or 4 percent of annual global revenue, whichever is larger.

David Erdos, an expert in privacy law at the University of Cambridge in Britain, says that the regulation’s ultimate effectiveness depends on how vigorously it is enforced.

“Data protection has had a lot of challenges to be effectively implemented, and simply creating a new law doesn’t solve those fundamental difficulties,” he says. “In some ways it makes them more extreme, because if the rules now are more rigorous, and there is already a very significant implementation gap, then the problem of the implementation gap grows even larger come Friday.”

Questions remain over whether regulators will have adequate resources. And the learning curve is steep, for companies and the public alike. Julian Jaursch, of Digitale Gesellschaft, or Digital Society, a small nonprofit in Berlin, is running a German-government funded campaign for users that went live earlier this month called “Your Data, Your Rights.” “There is a lot of education that is needed,” he says.

A ‘flexing of state power’

Once facing the claim they are anti-technology – or at least anti-Silicon Valley – many European bureaucrats have insisted that they are creating a tool that speaks to the values of the 21st century, one that could raise standards everywhere.

“[GDPR] represents real flexing of state power in ways that are almost reminiscent of the 19th century, in the sense that the state is taking on the role of public risk guarantors,” says Trevor Butterworth, vice president of research for CynjaTech, an American company that specializes in data protection and privacy. “They see a risk in people's data being abused, and they’re stepping in to say ‘look we’ve got rights and we're going to guarantee them protection.’ ”

Polls have long shown that Europeans – with histories of state police, dictatorships, and repression – tend to prioritize privacy more than Americans do: Pew research found in 2014 that 85 percent of Germans favored the new standards, compared to just 29 percent of Americans.

But with Russian meddling in the US election or the data breach with Facebook and Cambridge Analytica, American minds have started to shift. “I think the two positions are converging as opposed to the opposite,” Jordan, of the IAPP, says.

That could make American companies more willing to use GDPR as a blueprint for privacy policies outside Europe. Microsoft and Facebook have already said as much.

It's not unheard of for governing bodies to enact laws that spill beyond their geographic borders. California, for example, has since the 1960s set vehicle emissions standards tighter than those mandated by the federal government. And because the Golden State presents such a large market for automobiles, many automakers have adopted California emissions standards for vehicles sold in all 50 US states.

But perhaps a better analogy for the GDPR is not environmental protection, says Mr. Butterworth, but the establishment of food safety standards at the turn of the 20th century.

“Why was the FDA created primarily? Well it was because nobody could trust the food they were eating,” he says. “People were clearly willing to poison their customers to make a profit. The FDA changed that. It could not have been easy to deal with these new rules. But ultimately the benefit was enormous. We can trust the food.”

A two-tiered system?

Calli Schroeder, an attorney with Lewis, Bess, Williams & Weese in Denver, who specializes in data privacy and security, says that the regulation carries a cost, either in updating standards or opting out of the EU market to avoid the regulation. But it also presents an opportunity: “You can make your company look really good by saying you’re going to give everyone the same rights,” she says.

Americans might become more demanding, especially if the privacy standards are bifurcated.

“The interesting question is, do American companies say we’re going to have a two-track system, we’re going to give all these rights to Europeans who use our products and we’re just going to strip mine Americans of their data?” Butterworth says. “Is that even economically rational? Is that feasible in terms of brand management? I don’t know. I don’t think so.”
