What Is GDPR and What Can America Learn From it?
After four years of debate, the General Data Protection Regulation is finally going into effect later this month. Personal privacy is of particular concern, but GDPR effect on consumers and Silicon Valley is still shaking out.
As the recent Cambridge Analytica and Facebook scandal highlighted, America is much like the wild west when it comes to protecting consumers’ private data.
Broadband providers in particular have a nasty habit of selling every shred of browsing, call, and location data not nailed down, and large ISPs and Silicon Valley giants alike have routinely made it a top priority to scuttle both state and federal attempts at meaningful rules governing that behavior.
After all, an informed and empowered consumer means it’s far more likely that people will opt out of data monetization schemes, reducing overall revenues. That’s why no matter how dedicated to “privacy solutions” large U.S. companies claim to be, they routinely attempt to scuttle said solutions at every and any opportunity.
While empty lip service has been the preferred solution to routine privacy abuses here in the States, the European Union has taken a harder tack.
Back in early 2016, the European Parliament voted to approve major reforms to data protection across the entire EU, replacing privacy guidelines that hadn’t been updated since 1995.
Those reforms came in two parts: General Data Protection Regulation (GDPR) designed to give EU citizens better control of their personal data, and the Data Protection Directive, which covers how personal data is used by police in the EU. GDPR goes into effect Friday.
What Is GDPR?
The GDPR portion, which takes effect Friday in the UK, not only attempts to ensure that data collection and sales are more transparent to the end user, but that users have greater control over their own data. Many of the requirements are similar to proposed U.S. FCC privacy rules the Trump administration scuttled at the behest of industry lobbyists last year.
The GDPR rules require that companies:
- Provide working opt-out tools
- Clearly disclose data breaches to end users (within 72 hours of learning about it)
- Allow users the ability to download and retain a complete copy of their own private data
Under the rules, users also have the authority to withdraw their consent at any time, in stark contrast to policies of the past.
The GDPR also empowers regulators to fine any company that does business in the EU if it misuses, exploits, or otherwise mishandles private consumer data. It also expands the definition of “personal data” to include location data, online identifiers (such as IP addresses) and other metadata.
"The new rules will give users back the right to decide on their own private data,” said Green Party GDPR advocate Jan Philipp Albrecht at the time. “Businesses that have accessed users' data for a specific purpose would generally not be allowed to transfer the data without the user being asked. Users will have to give clear consent for their data to be used."
The rules effectively make privacy protection and fundamental security practices the de facto standard instead of just a “nice idea.” It’s effectively the exact opposite of what we’re doing here in the States, where giant corporations like Verizon have successfully convinced regulators that “public shame” is all that’s necessary to keep companies on their best behavior.
Criticism of GDPR
That said, the EU measure is also facing some legitimate criticism.
As we’ve noted previously, some provisions in the GDPR may clash with existing rules governing WHOIS, a protocol for looking up the names and contact information for people who have registered a website domain.
Critics (including the companies opposing the measure) have also expressed concerns about the unintended consequences of the proposal, exemplified by Facebook’s decision to suspend plans to launch an AI-based system designed to keep an eye out for potentially suicidal users for fear that it might run afoul of the GDPR.
Others have expressed worries about the GDPR’s potentially negative impact on free speech. More specifically, some privacy experts worry that the GDPR’s “right to be forgotten” requirements (which demand that companies pull illegal or inaccurate data offline) is likely to result in non-transparent over-reach by companies attempting to comply.
“The GDPR does not provide meaningful procedural barriers to over-removal,” Daphne Keller at Stanford Law School's Center for Internet and Society recently warned. “In many cases, it appears to strongly tilt the playing field in favor of honoring even dubious RTBF requests—like ones Google received from priests trying to hide sexual abuse scandals, or financial professionals who wanted their fraud convictions forgotten.”
Despite several years of criticism on this front, EU lawmakers have not addressed the need for “adequate safeguards for those whose speech may wind up being trampled,” according to Keller.
And while many companies are scrambling to comply with the GDPR, some companies outside of the EU have simply decided that compliance isn’t worth the cost or hassle. As a result, they’ve decided to simply block EU users from accessing their services altogether.
What it means for the US
It’s also worth noting that the GDPR may have the opposite impact. It’s entirely possible that companies forced to comply with GDPR may simply adopt the privacy framework as the gold standard across multiple territories for simplicity’s sake. In that way, the EU’s new privacy proposal could wind up benefitting internet users regardless of where they live.
If the proposal works well, it could provide the framework for other apathetic countries to follow. Especially here in the States, where policy catatonia has so far been the preferred “solution” to a decade of routine consumer privacy abuses and major hacking scandals.
That said, any problems caused by the GDPR will assuredly be used as nightmare fodder by companies trying to dodge similar privacy protections elsewhere. Again, informed and empowered consumers are more likely to avoid data monetization schemes, which is why apathy remains many industry giants’ preferred “solution” to the internet’s privacy crisis.