Note: This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
In the year since GDPR took effect, regulators have given millions of reasons to take it seriously: $57 million to be exact, the amount Google was fined back in January. And though the world’s largest internet company was the first to be fined, small businesses have faced the most difficulties.
GDPR’s biggest impact, however, has been its role in fundamentally altering the conversation about data privacy.
Public perception and political maneuvering regarding the regulation of big tech’s data privacy practices have changed significantly over the last year, and several key tech leaders are now echoing GDPR’s principles and calling for a federal privacy law in the United States.
To recap, the General Data Protection Rules, commonly known as GDPR, became effective May 25, 2018. It was enacted to govern the use of EU citizens’ internet data, regulate data breach reporting, and establish new rights for data subjects.
GDPR’s success has also emboldened activists and regulators seeking to curb the power of the biggest tech companies with a host of new regulations spawned in GDPR’s wake.
GDPR is challenging for small businesses
GDPR is complicated, which makes compliance easier for large corporations with armies of risk management, legal, and IT staff. Big companies are also able to absorb fines more easily than small businesses.
On March 20, EU regulators slapped Google with a massive $1.7 billion fine for antitrust practices. But interestingly, parent company Alphabet’s stock actually rose 2% on the day. This might be because the search giant has more than $100 billion in cash reserves.
A few weeks later, reports emerged that Facebook is preparing to be fined between 3 and 5 billion dollars by the Federal Trade Commission. Facebook shares shot up on the news, presumably because investors were relieved the fine wouldn’t be more.
Conversely, small companies have more difficulty keeping up with data privacy regulations, and any fines they do receive could put them right out of business. In fact, according to Kaspersky, data breach incidents cost small businesses a potentially crippling $120,000 on average.
There’s also evidence that GDPR is having a negative impact on small businesses before they can even get off the ground. Venture and angel investment in European technology startups is down significantly compared to U.S. equivalents since the regulation went into effect.
Small businesses must find ways to keep up with larger players. Compliance software can make the most of limited resources by easing adherence to not only GDPR but also to other regulations such as PCI, FERPA, or HIPAA.
Proliferation of new data privacy laws
GDPR’s impact has been monumental, and its sweeping embrace signals a hunger for reining in big tech’s questionable data privacy practices.
In the time since GDPR took effect, its influence has led to newly proposed and enacted regulations in the United States. The most prominent, and potentially most consequential, new internet regulation is the California Consumer Protection Act (CCPA).
The CCPA is scheduled to go into effect Jan. 1, 2020 and provides California residents with protections similar to those established by GDPR. And because most major tech companies are based in California’s Silicon Valley, the measure is particularly relevant to their interests.
Several other states are also getting in on the action with 24 states now enforcing some sort of data privacy statute with respect to the private sector. That’s double the number from 2016, which happens to be the year GDPR was created and approved by the European Parliament.
For example, in Vermont, a law regulating data brokers—companies that collect data about consumers, process it to add value, and then sell it to other companies—has recently been enacted. Data brokers must now register with the state, employ data security programs, avoid fraudulent collection practices, and offer free credit freezes.
New internet laws are also springing up in other parts of the world. In Brazil, the Lei Geral de Proteção de Dados (LGPD), which translates to the General Law of Data Protection, emulates GDPR protections. The law is scheduled to take effect Aug. 14, 2020, and will regulate the processing of all data related to Brazilian residents.
We are also awaiting the European Union’s formal adoption of the ePrivacy regulation, which is intended to complement GDPR. ePrivacy is also known as the “cookie law” because it will change how browser cookies may be deployed, potentially disrupting many ad-revenue-dependent internet companies.
Facebook’s no good, very bad year
The rise of GDPR and related regulations is relevant to all online businesses, but no company has more to lose to increased scrutiny of data privacy practices than does Facebook. Since the Cambridge Analytica scandal broke in March 2018, the world’s biggest social media company has been embroiled in one controversy after another.
To illustrate the impact of GDPR on data privacy, we’ll take a look at Facebook’s evolution on the subject from March 2018 to March 2019.
Timeline of Facebook’s tumultuous year
March 17, 2018
The Cambridge Analytica scandal erupts with several major media outlets publishing stories about the wide misuse of Facebook user data for mass manipulation campaigns during the 2016 presidential election.
April 10-11, 2018
Mark Zuckerberg testifies before Congress, answering questions about the Cambridge Analytica scandal and defending Facebook’s data privacy practices.
May 25, 2018
GDPR goes into effect.
June 7, 2018
Facebook admits that a software bug has changed the privacy settings for up to 14 million users, making private posts viewable by the general public.
July 2, 2018
Facebook reveals yet another bug, this time affecting 800,000 users by removing privacy blocks meant to prevent access by specific users.
July 26, 2018
After reporting lower than expected earnings, Facebook’s market value experiences the greatest single-day drop in market history, losing $120 billion in a matter of hours.
[Figure: Facebook’s Nasdaq chart from summer of 2018]
Sept. 28, 2018
Facebook reports that 50 million accounts had been vulnerable to takeover after hackers exploited a security flaw in the site’s View As feature.
Nov. 4, 2018
The BBC breaks the news that at least 81,000 Facebook accounts have been hacked with the private messages of affected users published on the internet.
Dec. 4, 2018
Facebook reveals that a software bug had allowed developers and third-party apps to access the private photos of 6.8 million users.
Dec. 18, 2018
The New York Times publishes an exposé detailing the ways in which Facebook has quietly shared user data with numerous other tech companies.
Jan. 24, 2019
Three days after Google is hit with the first ever GDPR fine, Mark Zuckerberg publishes a defense of his company’s data privacy practices in The Wall Street Journal.
Jan. 29, 2019
TechCrunch reports that the Facebook Research app has been collecting data in violation of Apple’s terms and conditions. In response, Apple suspends Facebook’s iOS-based corporate applications for two days.
Feb. 14, 2019
The Washington Post reports that the Federal Trade Commission (FTC) is negotiating a multibillion dollar fine against Facebook related to data privacy violations.
March 6, 2019
Mark Zuckerberg posts an essay on his personal Facebook page titled “A Privacy-Focused Vision for Social Networking,” in which he admits, “Frankly we don’t currently have a strong reputation for building privacy protective services.”
March 21, 2019
Krebs on Security reports that, since 2012, Facebook has been storing millions of user passwords in plaintext (i.e., neither hashed nor encrypted) in a database available to thousands of employees.
March 30, 2019
Mark Zuckerberg posts another op-ed, this time in the New York Times. Rather than defending his company against piles of scandal, Zuckerberg voices support for increased regulation of the internet in four key areas: data portability, harmful content, election integrity, and privacy.
Specifically, Zuckerberg emphasizes the need for a global framework for internet privacy and declares that “new privacy regulation in the United States and around the world should build on the protections GDPR provides.”
So why does Facebook suddenly support GDPR?
It could be that Zuckerberg sees a comprehensive U.S. privacy law as inevitable and wants to have a say in how it’s shaped. Perhaps it’s because adherence to various data privacy regulations at the state level is more difficult than compliance with a single federal standard, not to mention that federal laws are often watered down relative to the state laws they replace.
It may also be that Facebook realizes it can more easily comply with a GDPR-like regulation—or at least more easily soak up fines for non-compliance—than smaller companies, thus making the social media company even more powerful.
Or maybe Zuckerberg’s just had an epiphany and supports GDPR for altruistic reasons, despite the fact that it upends his company’s entire business model. Recent revelations that the FTC is considering holding him personally responsible for Facebook’s privacy failings might also be having an effect.
Whatever the case may be, one year after GDPR, the discussion around data privacy has changed considerably.
The case for data privacy regulation a year after GDPR
Too often, the argument against privacy regulation is “I don’t have anything to hide,” a common sentiment that unfortunately misses the point. Privacy is a fundamental element of dynamic societies, rich cultures, and functioning democracies.
It is privacy that allows us to use the context of our varied experiences to express ourselves and make meaningful individual contributions to society. When our data privacy is commoditized as if it were corn or aluminum, we become little more than our algorithms.
At some point, after receiving similar suggestions and being exposed to related ads, consumers fall into feedback loops that continually reinforce preconceptions and into echo chambers that subtly manipulate future behaviors.
The most alarming aspect of this process is that many of us never ask for any of this to happen; it just happens by virtue of using websites and devices. In fact, there’s reason to believe that people—not to mention senators—have little understanding of how companies such as Facebook and Google make money or how online behavior is tracked for ad targeting.
One recent study found that 57% of users didn’t realize that Google tracks their activity across the internet. Two out of three people (66%) didn’t know that Google can track their location data even when they’re not using a Google app, and a similar number weren’t aware that Google buys and combines data from other sources to target ads more effectively.
Similarly, a recent Pew survey found that 74% of respondents did not know that Facebook tracks their interests for advertisers; 51% were not comfortable with these practices, 31% were just somewhat comfortable, and only 5% felt very comfortable.
While these technologies provide convenience and enhance our lives in many ways, the cost to privacy and individual liberty often outweighs the benefits we get in return, especially when there is little clarity or consent as to how our information is being leveraged and by whom.
For these reasons, internet privacy regulations such as GDPR are critical protections that ensure that we are active participants in how—and perhaps more importantly if—our data is used.
But GDPR is only the first step. The broader effects that social media and online marketing are having on our society must also be considered. The internet at large has changed the way we share information, for good and for bad. It’s finally time to do something about the bad.
Resistance to data privacy regulation is futile
Apple’s Tim Cook has already voiced strong support and, now that Facebook has too, a GDPR-inspired comprehensive U.S. data privacy law seems all but inevitable.
All businesses, especially small and midsize, must endeavor to adopt GDPR’s principles and build upon them to stay ahead of similar legislation, as well as the competition.
This article is part of an ongoing series about the business value of IT
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context, and are not intended as endorsements or recommendations.