Do you want to continue receiving emails from us? Please click here to remain subscribed.
You have no doubt received many emails like that recently. That is because the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May, gives Europeans new rights – and businesses and organisations around the world new obligations – on how our personal data is collected, stored and used.
For sure, it is a hassle to confirm that you want to remain on mailing lists. But on the plus side, if you don’t reply, you’ll free up your overloaded inbox. Without your explicit consent, it is no longer legal to send you special offers from that awful hotel you had the misfortune to stay at in 2013, daily promotions from online retailers for washing machines because you recently bought one and emails from the many lists to which you have been added. In effect, the GDPR acts like a mass unsubscribe button.
For the EU institutions all this commotion has an upside too. While the European Commission and Parliament lament that Europeans are often oblivious to the legislation they craft and enact in Brussels, the GDPR is certainly making a mark. The big question is: will it end up leaving a good impression or a bad one?
Big and bold
The EU already had data-protection rules, but they dated back to 1995, when email was still a novelty and a social network was a group of friends you had a beer with on Saturday night.
But the GDPR is much more than an update. It harmonises data-protection rules across EU countries. It strengthens the single market by stopping EU governments from requiring companies to store data within a particular EU country (except in a few circumstances). Above all, it is the most ambitious legislative response in the world to a burning issue: how do we reap the many benefits of the digital world, while preserving some control over our personal data?
For years, most Europeans had given little thought to this. They had been too busy chatting on Facebook Messenger, uploading holiday photos to impress their “friends”, doing online quizzes about which country (or animal) they would be, and downloading Candy Crush Saga and all sorts of other games and apps, without a second thought about how all their data might be used.
It was easy for companies to take advantage of this, not least with terms and conditions that were so long and complicated that nobody read or understood them. In one experiment, several Londoners unwittingly agreed to “assign their first born child to us for the duration of eternity” as a condition of accessing a free Wi-Fi hotspot.
But Europeans are now increasingly aware of how much information about them is collected, analysed and stored when they interact online – for both good and ill. So even though the GDPR was first drafted back in 2012, its entry into force suddenly looks very timely.
Data-privacy issues are forever in the news these days. Scarcely a day goes by without an apology that personal data such as credit-card details – or, worse, medical ones – have been stolen by hackers from organisations that hadn’t protected them properly.
The personal data of 87 million Facebook users was harvested by a seemingly innocuous quiz app and then sold to Cambridge Analytica, a company whose clients used the database to target political ads that may have helped swing the Brexit referendum and the election of President Trump.
And there is increasing concern about the huge amount of information that a company such as Google collects and stores about us – everywhere you’ve been with your smartphone in your pocket, every web search you’ve done, and much more – to give us better map directions, provide more appropriate search results and, of course, sell better-targeted ads.
Only a few years ago America’s tech titans proclaimed that privacy was dead. But now Facebook founder Mark Zuckerberg feels compelled to reassure the European Parliament that the social network will do more to safeguard users’ privacy.
The GDPR addresses all these issues and more. It requires organisations to inform regulators of a privacy breach within 72 hours. It threatens huge fines on those who harvest people’s data and sell it without their consent. And Google has introduced enhanced privacy controls that explain what data about you it is saving and why, and enable you to easily opt out, while still using Google services without the benefits of personalisation. The implicit bargain – use our services without paying in exchange for providing us with your data – is now explicit.
The GDPR also gives you the right, for free, to obtain access within a month to the data stored about you by an organisation and to have inaccurate or incomplete data corrected. In some cases, you have the right to have correct data deleted – to “be forgotten”.
Costly and cumbersome
But while the GDPR provides big benefits for Europeans, it also has three potential downsides, not just for businesses and organisations, but also for those who use their services.
One issue is compliance. The costs of complying with the GDPR are large and the penalties for not doing so potentially severe – fines of up to €20 million or 4% of global turnover, whichever is higher.
Tech giants are big and profitable enough to employ lots of lawyers to dot all the i’s and cross all the t’s. But for smaller companies and organisations – including your local store or the teachers at your children’s school – compliance costs can be a huge burden.
The GDPR doesn’t just require organisations to be more open and accountable in managing personal data, it stipulates how they need to do so. For instance, they need to employ a data protection officer and draw up detailed data-protection impact assessments. Those are big expenses that small businesses could do without – and that may deter a Silicon Valley start-up from offering its services to Europeans.
Worse, because the GDPR is so complex, small companies may never be sure they are fully compliant, and that uncertainty will weigh on them.
While the costs of trying to comply with the GDPR are large, it remains to be seen how effectively compliance will be enforced in practice. How pro-active will Europeans be in complaining about breaches of the GDPR, and will overstretched regulators have the capacity to respond? It’s conceivable that companies that try to comply will lose out to unscrupulous rivals that don’t.
A second big worry is that the GDPR will hamper the development of artificial intelligence (AI) in Europe. AI typically involves computer algorithms learning from huge datasets to spot patterns that allow them, for instance, to better respond to customer queries, identify potentially bogus insurance claims or enable traffic lights in smart cities to better regulate traffic flows.
Europe has long been in the digital slow lane and can certainly not afford to fall further behind in AI. While the GDPR allows the use of anonymised datasets for scientific research, that exemption doesn’t cover commercial research. That could, for instance, prevent the development of a cool app that would record and analyse Europeans’ vital statistics to warn when someone might have a stroke. In contrast, companies in the US or Asia face no such restrictions.
A third issue is that the GDPR could act as a barrier to trade. It bans transfers of personal data to countries that do not “adequately” protect such data, by which it means in the same way that the EU does. So it is fine to share data with countries that have similar rules (but may enforce them poorly) but not with countries that enforce high standards in a different way. At the time of writing, Argentina is deemed “safe” while Japan, an extremely privacy-conscious country, is not. Moreover, US-based firms are allowed to self-certify compliance thanks to the Privacy Shield, while companies in other countries are not. The danger, then, is that the internet ends up Balkanised, with silos of national data.
One way to avoid that would be for the GDPR to be applied globally. Many big companies are doing just that, because it is costly to comply with different privacy standards and to separate EU citizens’ data from others’. But many countries, including the US, have chosen a different legislative model whereby consumers can conclude any contract they choose.
Which brings us to the heart of the matter. When asked, Europeans say they care immensely about protecting their data. Some genuinely do – and everyone is incensed when abuses come to light. But judging by their actions, most people seem content with the basic trade-off that tech companies typically offer: lots of useful services for free in exchange for collecting data about you to sell you better targeted ads.
If most Europeans chose to opt out from tracking by the likes of Facebook, Google and local media giants that operate the most popular news websites, their profitability would be impaired and they might need to rethink their business model. But how many actually will? Facebook use has actually gone up this year since the Cambridge Analytica scandal.
Many entrepreneurs are betting that people do want alternatives for which users are the customers, not the product. The search engine and browser Duck Duck Go, for instance, doesn’t store your searches. WhatsApp, the encrypted smartphone messaging service, grew explosively by promising never to sell ads. Vero and Idka are among the subscription-based alternatives to Facebook that eventually plan to start charging a monthly fee. Silicon Valley investor Jason Calacanis has even launched a competition to build a billion-user social network that could replace Facebook while protecting people’s privacy.
Let Europeans choose. Competition is healthy – all the more so when people are well-informed.
By Philippe Legrain