Facebook and other internet companies are racing to prepare for a sweeping new European Union (EU) privacy law that aims to give consumers greater control over the use of their data.
The law comes at a critical time for the industry, which is already facing tough questions over its data practices.
The General Data Protection Regulation (GDPR), which goes into effect across the EU on May 25, will drastically change what internet companies can do with customers’ data.
Users will have greater control, including the ability to learn what information companies have on them. The GDPR will also codify what’s known as “the right to be forgotten,” meaning consumers will be able to order web services to delete their data or stop distributing it to third parties. The rules will also require companies to give users the ability to easily revoke consent for handing over personal information.
“I think it’s going to have a fundamental seismic shift in the whole industry because it grants people rights over their data that they don’t currently have,” said David Carroll, an associate professor at the Parsons School of Design who studies digital media and data practices.
“It really empowers consumers to get a better deal; we’ve never really had a say in the deal,” Carroll added.
Companies must also be upfront about what they are doing with users’ personal information. Regulators say that web services will no longer be able to cloak the terms of their data practices in legalese.
“One of the main tenets of GDPR is to make sure that there is trust and to make it clear what the data is being used for,” said Greg Sparrow, vice president and general manager of CompliancePoint.
The impending deadline has companies scrambling to bring themselves in line with the new law. Violations under the new rules would be met with hefty fines of $24.6 million or 4 percent of a company’s global revenue — whichever is larger.
Hovering over those efforts is the data scandal that saw a political consulting firm with ties to President Trump’s 2016 campaign improperly obtain the personal information of 50 million Facebook users.
Cambridge Analytica, which did work for the president’s campaign and several other Republican politicians, reportedly paid a researcher for data he obtained through a third-party app on Facebook. The researcher obtained the data even though users had not consented to handing over their information for political purposes.
Věra Jourová, the EU’s consumer protection chief, thinks the incident underscores why privacy regulations like the GDPR are crucial.
“In my view this is not only about data protection [from] breaches, this is about a threat to democracy and individual freedoms,” Jourová said in an interview with Bloomberg earlier this month.
“I can say that in Europe we are ready for these cases,” she added.
A Facebook spokesperson told The Hill in a statement that the company is making sure its services comply with the new laws and will announce new updates before the deadline.
The spokesperson also pointed to a January speech that Chief Operating Officer Sheryl Sandberg gave in Brussels in which she promised Facebook would look to go beyond the law’s requirements.
In January, Facebook released a set of privacy principles and established a global privacy center to better inform its users about how the company operates. And this week, in response to the outcry over Cambridge Analytica, it announced it will no longer allow the use of third-party data for targeted advertising.
At a minimum, GDPR means most companies will have to rethink how they interact with users.
Marshall Erwin, director of trust and security at Mozilla, said that his company rewrote its privacy policy and overhauled its privacy settings to prepare for the new European regulatory regime. But Mozilla designed its services, like its signature Firefox browser, to collect minimal amounts of user data, he said.
“It is going to be much more challenging for a lot of other companies that collect more data from their users, that have much more complex data collection mechanisms,” Erwin said.
“There’s a lot of potential for GDPR to give users a lot more control,” he added. “The real impact there is going to depend on how seriously companies take those requirements.”
The EU has not been kind to American tech giants. In 2016, regulators ordered Apple to pay Ireland more than $15 billion in back taxes after concluding the country had granted it illegal tax breaks. Internet companies are facing antitrust and privacy investigations from European authorities, and the EU is also considering slapping them with a new tax for online transactions.
Last year, Google was hit with a record $2.9 billion antitrust fine for favoring its own comparison shopping tool in its search results.
A Google spokesman declined to comment on its preparations for the new privacy law, but the company has promised to comply. Like Facebook, Google has faced mounting criticism for its collection of user data and its partnership with third-party services that target advertisements based on users’ activities and personal information.
Many of the tech giants’ biggest critics have been cheering the EU law and urging regulators in the U.S. to study it as a road map for crafting their own privacy rules.
But Carroll thinks internet companies won’t wait for the U.S. to impose its own regulations. He argues that it won’t make sense financially for the industry to operate two different internets on either side of the Atlantic.
“The market will adapt to GDPR regardless of what lawmakers on Capitol Hill do,” he said.
“There will be a more positive way of doing business,” Carroll predicted. “It will make the internet a safer, less disgusting place.”
Ali Breland contributed.