LONDON — There’s just over a month before Europe’s new privacy standards come into force, and the back-slapping has already begun.
Under the EU’s General Data Protection Regulation, or GDPR, the recent Facebook data scandal would not have happened, according to Vĕra Jourová, the bloc’s justice commissioner. U.S. lawmakers — until recently not the biggest fans of Europe’s tough stance on data protection — now speak publicly about mimicking the Continent’s new privacy rules.
Even Mark Zuckerberg, Facebook’s chief executive, says his company will apply some of the upcoming standards across its digital empire of 2.2 billion users worldwide.
But for those hoping this privacy upgrade will end all the public’s fears about the misuse of data by companies and governments — sorry, that’s not going to happen.
We shouldn’t expect too much from these privacy laws, even if they are fast becoming a global standard. For one, the rules rely on relatively unknown national privacy regulators to enforce them as much as on reluctant businesses to comply with them.
Many existing data collection practices, including the widespread harvesting of people’s online information, will still continue when these new standards kick in on May 25.
And the regulatory burden, particularly for companies outside of Europe selling their wares in the region, will likely ratchet up.
Higher standards will make it harder for anyone other than the most deep-pocketed multinationals to compete for business in a world where failure to adhere to Europe’s privacy rules could carry a hefty cost — up to €20 million or 4 percent of companies’ global revenue, whichever is higher.
“Data protection may be a luxury of the few,” said Katherine Getao, ICT secretary in Kenya’s Ministry of Information, Communications and Technology. “We’re just at the stage of getting data into digital formats. All of the investments spent on preparing for Europe’s standard means there won’t be money left for anything else.”
Great power, great responsibility
For Europe’s new privacy rules truly to have teeth, privacy regulators will have to be willing to bite. And most of their track records show little willingness to do so.
Officials from several of these agencies, who spoke on condition of anonymity because they were not authorized to speak publicly, said the recent Facebook data scandal has helped raise awareness about their beefed-up roles.
But, they admitted, EU national watchdogs still face an uphill struggle to come to grips with their expanded regulatory role at a time when most of their budgets are still relatively small and they remain, on average, understaffed.
Previously, such limitations wouldn’t mean much because national data protection agencies were far from the public eye. Fines for wrongdoing — and some of these watchdogs didn’t even have that power — represented a mere slap on the wrist for companies’ misuse of personal data.
But now that financial penalties could reach billions of euros for the most egregious violations, corporate lawyers are prepared to go to battle to protect their clients.
The higher stakes will expose almost all EU privacy regulators to a greater level of legal scrutiny than they are accustomed to, as well as lengthy cases and legal appeals that could make Google’s decade-long standoff with the European Commission’s antitrust authority look like a walk in the park.
“They’ll have to prepare for a lot more pushback from the organizations that they’re investigating,” said Ot van Daalen, a professor at the University of Amsterdam. “The stakes will be a lot higher.”
New rules, same data collection
Europe’s expanded privacy standards also will do little to stop companies from harvesting personal data.
Data-hungry industries are now worth hundreds of billions of euros each year, and mass-collection of information has become central to the financial future of firms ranging from Facebook and Google to Siemens and Volkswagen.
Under the new rules, people will have greater control over how their information is collected and used, allowing them to pull consent from companies that collect their data for one purpose, but which then want to use it for something else.
But that doesn’t mean individuals will be given carte blanche over “free” digital services that rely on selling advertising based on people’s online habits.
They will still have to hand over their web histories, contact details and other identifiable information — digital data, it should go without saying, that lies at the heart of the recent Facebook scandal.
Even the social networking giant, which faces global regulatory demands to clamp down on how much data it collects on its users, won’t be turning off the tap.
Stephen Deadman, the company’s global deputy chief privacy officer, said that while people in Europe will soon be asked more frequently to give consent for how their data will be used, Facebook is based on — and funded by — using that information to offer users a tailored online experience, including online advertising that people will not be able to opt out of.
“Serving people targeted ads helps to fund the service,” he said. “That’s critical.”
GDPR: Reinforcing the status quo?
In the build-up to May 25, Europe has eagerly trumpeted its new privacy standards as good for both consumers and companies, ensuring everyone who wants to do business on the Continent must play by the same rules.
But most of the general public know next to nothing about the upcoming data protection revamp. And the extra regulatory burden may cement the dominance of a few deep-pocketed companies with the financial resources to comply with the regulation, which even its biggest cheerleaders admit will put a significant burden on companies, big and small.
The likes of Google, Facebook and the world’s largest financial institutions, for instance, spent years investing in new compliance structures and hiring hundreds of new lawyers, coders and designers to make sure they would follow the letter of the upcoming law.
Many startups and small non-tech businesses have been unable to make similar investments, and are hoping that they will fly under authorities’ radar as they struggle to bring their data practices up to snuff.
It’s true that Europe, and the wider world, needs new privacy laws designed for the online age. But it will be best to save the congratulations around the region’s revamped data protection standards until we see how such rules can be enforced, and whether they alter the behavior of people and companies alike.
If history has taught us anything, it’s that any new legislation — even the most well-meaning — leads to unintended consequences. There’s no reason to think that Europe’s privacy overhaul will be any different.
Mark Scott is chief technology correspondent at POLITICO.