GDPR’s First Birthday

Last Updated: August 18, 2019

As Brexit talks engulf European and UK politics, another smoldering issue threatens far-worse damage to the EU/UK relationship, and indeed the global economy.

Last May, the EU implemented sweeping new data privacy and protection laws meant to protect the Personal Data (PD) of those in the EU (importantly, be they citizens, temporary residents or visitors) from unauthorized use and, extra-territorially, wherever in the world their personal data is stored or used.

The issues stem from the EU’s broad definition of PD and the long history in Europe of privacy being viewed as a fundamental human right, against too much history of dictatorships and fascist control. The EU’s General Data Protection Regulation (GDPR) took effect, provoking a new era of tech-company corporate accountability.

The GDPR didn’t just standardize data privacy and protection across all (current) 28 member states of Europe, but refined both how to seek permission to use personal data and refreshed the personal rights of each person in the EU to view and take control of their own personal data.

As 2018 came to a close, it was revealed that some major tech companies use personal data in ways that violate personal privacy.

Large data handlers like Facebook, Google, and Amazon have come under close examination by EU regulators, forcing CEOs in the “personal surveillance data business” to defend, and even rethink, their business models (e.g., Google now cites privacy regulation as a major threat to their business model in corporate documents). The regulators involved have included both privacy regulators enforcing GDPR (e.g., UK ICO, Ireland DPC, etc.) and EU competition regulators. Under the new GDPR, these companies, without exception, must follow EU privacy law. The issues rest primarily with the advertising data insights these companies have created using proprietary algorithms. The invasiveness is secretive and at times unsettling, as these companies seem to know when someone will buy a pair of socks!

At first glance, it might seem as if the first year of GDPR compliance has been largely uneventful, at least in terms of other leading global news stories. It’s really a journey, as the EU regulators and analysts have shared. With almost 95,000 privacy complaints filed, they have only just started to process those investigations, findings, and enforcements. So many of the “privacy fines” we’ve seen since GDPR went live were really cases that occurred pre-GDPR and thus much smaller in scope and penalties under the prior EU privacy regulation. What has been happening quietly, almost behind the scenes, is a tacit acceptance that data privacy from the person-centered perspective must begin with forcing larger companies such as Facebook, Google, and Amazon to comply. This hangs over companies in the consumer tech sector like thick fog. American businesses and culture do not like anyone telling them how to run things. Apparently, this is also true for GDPR compliance, adding to a persistent lack of full compliance.

A December 2018 Forrester survey commissioned by Microsoft found that more than half of businesses failed to meet GDPR compliance checkpoints.[9] Other highlights included:

  • 57 % instituted “privacy by design”
  • 59 % “collected evidence of having addressed GDPR compliance risks”
  • 57 % “trained business personnel on GDPR requirements”
  • 62 % “vetted third-party vendors”

This last item is perhaps the most troubling: 38% have yet to vet their third-party software vendors. This means that a significant portion of the global economy is not meeting GDPR compliance. The Forrester survey’s primary findings were that only 11 % of global companies are prepared to undergo the type of digital transformation needed to fully comply with GDPR-based privacy needs of citizens. In its entirety, GDPR has yet to make a significant impact, at least one beyond large tech company compliance.

A key implied issue that ultimately influences GDPR compliance checkpoints is the balance between intrusion into a company’s business practices and its ability to make a profit. Industry leaders such as Kon Leong, CEO of ZL Technologies, note that “built into the challenge is the paradox that achieving complete data privacy required by GDPR entails an unprecedented level of intrusion. In order to truly protect personal data, you [must] know exactly where and whose it is. This necessarily requires intrusion, which many don’t understand.” Leong’s point is apt because the global economy depends on the flow of information. What is the balance? As conveyed by Richard Hogg, Global GDPR Evangelist, IBM, “Identity is a key challenge and duty around GDPR privacy compliance.”

ENFORCEMENT AND PRECEDENT SETTING

With the new GDPR mandate in place, EU member countries have a valuable tool for ensuring compliance even as these companies undertake actions to protect their business models. Ireland, for example, has “opened 10 statutory inquiries into Facebook and other Facebook-owned platforms in the first seven months since” GDPR adoption last May.[10]

The Irish Data Protection Commission (DPC) commissioner Helen Dixon notes the inquiries match the public’s interest in “understanding and controlling” their own personal data. The Irish DPC fully intends that these be precedent-setting. Given the widespread global use of Facebook and its plethora of connected apps, such inquiries from other EU member countries cannot be far behind.

In perhaps the most egregious case yet, a whistleblower forced Facebook to reveal that “as many as 600 million users’ passwords were stored in plain text and accessible to 20,000 employees, of which 2,000 made more than 9 million searches that accessed the passwords going back to 2012.”[11] Added to this blatant breach of basic cybersecurity practices is the fact that Facebook knew about the issue back in January and spent several months trying to keep it from the public.[12] These would surely have been embarrassing questions to answer during the recent U.S. Congressional hearings.

As Forbes points out, cybersecurity at Facebook just might be obsolete. In the wake of the sensational stories regarding recent Russian interference in American elections, “Facebook did not conduct a top-down security audit of its authentication systems.” This is a profound, if not provocative, revelation, particularly given Zuckerberg’s promise to reform Facebook’s business practices.

That promise, made to Congress just prior to GDPR’s May 2018 roll-out, seems now to be empty. While Zuckerberg testified, his company continued its intrusive practices, even as he tried to simplify for legislators Facebook’s business practices. What Zuckerberg did not tell Congress was that “GDPR has highlighted not only the privacy impact of a data-driven society,” notes Kon Leong, “but also the issues that come with enterprises’ siloed IT architecture.” Facebook’s IT architecture was (and probably still is) compromised.

In the business world, laws and regulations are street signs for setting precedent. During this initial phase of GDPR compliance, it is crucial that leading EU countries, such as Germany, take positions of authority. Germany’s Federal Cartel Office, the federal agency that regulates Germany’s competition laws, set a new precedent in a February 2019 court ruling. In an anti-competition class-action case, the German court severely limited Facebook’s ability to collect user data inside Germany. This essentially walls off Germany’s Facebook users from the rest of Facebook’s user base. The precedent set by German regulators was substantial. Facebook (at least in Germany) can no longer use tactics such as using user data to make fictitious profiles. Moreover, it can no longer use Facebook Pixel, a single character embedded in a page that transmits data back to the company’s servers. With the German precedent, Facebook can no longer claim what it does with user data on its platform is proprietary.

In some ways, the first year of “GDPR-live” was marked by both confusion and denial that such regulation was really needed. Today, the establishment of a nation-specific precedent is the exception, not the rule. However, enough cannot be said about the fact that Germany is one of the main economic powers of the globe. Without German leadership, GDPR might die an unceremonious death. The same must happen in other countries involved in setting global economic policy.

In short, GDPR-style privacy must come to the United States. Thankfully, California is leading the way with its California Consumer Privacy Act (CCPA), which is going live January 2020.

About the Author: Mark Driskill

Mark Driskill currently works as a freelance writer/editor. He earned a Master’s in Archives and Records Administration (MARA) degree from San Jose State University’s School of Information, and holds a BA in History from San Jose State. Mr. Driskill’s work includes entries in the recently published International Directory of National Archives and a chapter in Teaching and Learning in Virtual Environments: Archives, Museums, and Libraries (2016). He was also one of many professional contributors to the Encyclopedia of Archival Science (2015). Additionally, Mr. Driskill co-authored the Conference Paper, “Building Trust in Government through Social Media: An InterPARES Trust Research Project.” (July 2014).