Last month, the European Union’s sweeping new data privacy law came into force. The General Data Protection Regulation is a watershed moment in the fight for privacy and security online. Under threat of eight-digit fines, companies will finally think twice about the way they use and store people’s personal information.
Amid the fanfare, privacy advocates have called for a similar law in the United States. The U.S. has no federal data privacy law, just a patchwork of state-level and sector-specific regulations. Their argument is that, because the U.S. is the world’s largest economy and the global engine of technological innovation, a U.S. version of the GDPR would cement the new data protection paradigm worldwide.
But this gives the GDPR far too much credit and underestimates the lengths companies will go to protect their cash crop: your private information. The truth is, the GDPR does not stop Internet companies from harvesting your personal data. Nor does it absolutely require them to use the strongest forms of data security available, like end-to-end encryption. Of course it doesn’t: That would mean giving users total control of their own information.
Consider an analogy. Right now, most Internet companies have a copy of your house key. Even though the GDPR asks them to knock before letting themselves in, the arrangement is still based on trust. Encryption removes trust from the equation by giving the user the only set of keys. It remains to be seen how regulators will enforce the GDPR, but the letter of the law leaves encryption as a suggestion, not the rule.
Another EU data privacy law is now in the works, but the so-called ePrivacy Regulation, in its current draft, is even weaker on encryption than the GDPR. And big data companies (mainly Google and Facebook) have already mobilized their lobbyists against it, claiming the law would gut profits and stifle innovation.
It’s easy to see why they’re so scared. For them, online ads are a booming trade. Revenues have increased every year except 2008, according to the Interactive Advertising Bureau. Between 2015 and 2016, revenue jumped 22 percent. (Google and Facebook alone were responsible for 99 percent of that growth.)
Big data companies already control an unimaginable amount of information about all of us. One database marketing firm, Acxiom, stores an average of 1,500 data points on 96 percent of the U.S. population. Facebook even creates psychological profiles of users, categorizing them as, for example, “overwhelmed” or “anxious” based on their behavior. The GDPR does not stop this activity. Users can avoid this kind of surveillance and exploitation only by leaving Facebook.
As it turns out, that’s just what they’re doing. In 2017, even before the #DeleteFacebook movement, 2.8 million Americans under 25 left the platform, according to the research firm eMarketer. And Facebook itself said in its fourth quarter report that people spent 50 million fewer hours per day on the site.
It’s not just Facebook. Only 3 percent of Europeans trust email and cloud storage providers to protect their personal information, according to the European Commission’s Eurobarometer survey. In the U.S., 92 percent of people “worry about privacy online,” according to a survey by TrustE. The GDPR may offer partial assurances, but trust in the old ad-based Internet model, which converts private information into profit, is already at rock bottom.
And consumer behavior is changing as a result. Analysts expect the encryption software market to grow at a staggering 35 percent annually over the next four years, faster than the entire Software as a Service market over the same period. Virtually every cloud service, from Gmail to Dropbox, suddenly has a competitor offering end-to-end encryption. It is now possible to use cloud-based email, file storage and sharing, messaging, notes, calendar, and more without ever giving the company access to the data on their servers. Secure alternatives will continue to proliferate.
If governments are serious about privacy, they have a role to play in helping people discover these privacy-focused services. Instead of — or in addition to — passing regulations, they can encourage entrepreneurship in the privacy sector. Innovation grants and tax incentives could go to companies that put users’ privacy first. These awards could even be funded with the fines collected from GDPR violators.
Data exploitation will cease to be a viable business model when consumers understand the value of services that put them in control of their data. Google and Facebook will lose, unless they can adapt to the new reality. Hackers will lose when they can only steal encrypted data.
And who will be the winners? Innovators and entrepreneurs will soon see a technology sector invigorated by new competition from startups offering security and privacy.
But the biggest winners will be all of us when we bury the ad-based model for good.
Andy Yen is a particle physicist and founder of ProtonMail, the world’s largest encrypted email service.