Did the Facebook saga prove the EU right on privacy?

In the wake of the Facebook data scandal, the European Union is looking prophetic. The EU’s long-planned tech privacy rules, known as the General Data Protection Regulation (GDPR) will come into force next month, amid a global furore over how personal information can be manipulated. It is a rare moment when regulators in Brussels are hailed for their foresight – not just by politicians across Europe, but also in US by lawmakers on Capitol Hill and tech giants in Silicon Valley.

So should European policymakers congratulate themselves for having produced the right policy at the right time?

Privacy is prized much more in Europe than across the Atlantic. Speaking in the European Parliament Plenary on April 18, French President Emmanuel Macron talked about “the European model…that is developing today in our approach to the digital revolution, where Europeans are just as committed to innovation as they are to fair rules and the protection of their private lives.”

He was speaking a week after Facebook boss Mark Zuckerberg appeared before the US Congress for two days of hearings to admit, “I think the GDPR in general is going to be a very positive step for the internet.”

The GDPR rules give individuals much greater control over how their data are used. Organisations can only collect data for specified purposes and can’t then use that data in other ways. People will have the right to know what personal information is stored about them and to ask for it to be deleted. It comes with jumbo fines of up to 4% of a company’s global turnover.

When the GDPR was proposed, it was widely criticized as anti-business and especially targeted at American tech companies. Others argued that it would hold back European data driven innovation.

The plaudits came after the public outcry about the personal information of 87 million Facebook users being harvested and used by controversial political consulting firm Cambridge Analytica, to profile and target voters during the Brexit referendum and the US elections in 2016.

The GDPR is far from being the only EU activity affecting the tech industry. The Commission has also levied big fines against Google and Apple. It plans to hit Google, Facebook and Apple with new digital taxes that would raise €5bn for EU governments. And it wants Facebook, Twitter and other to do more to tackle fake news or face being regulated ahead of next year’s European Parliament elections. Meanwhile, last month, Mr Macron warned that Google and Facebook are becoming too big to be governed and could be dismantled.

These proposals are still controversial, and inevitably the EU has been accused of protectionism in the face of a (mostly US) tech wave. This criticism is sometimes embellished with political reproaches about the EU being an unaccountable bureaucracy.

Those who guided the GDPR through its long gestation will be looking forward to celebrating its birth on May 25. The Commission and the MEPs involved say the new rules are needed now more than ever to protect people in an era of huge cyber-attacks and data leaks. EU Justice Commissioner Vera Jourova said last week that she had no doubt that tech firms other than Facebook are affected by data protection issues. “We want Europeans to be the masters of their privacy and it must be guaranteed by anyone who is collecting the data, who is monetizing and selling the data,” she said.

Many companies have already notified users about updated privacy policies. Apple, for example, says it will roll out new privacy management tools to make it simpler to get a copy of your data, request a correction to your data, deactivate your account and delete your account completely.

But before we get too smug, let’s remember that the birth is indeed just the beginning. The real job is to translate that good feeling into economic and societal value for Europeans and prove the critics wrong.

GDPR’s implementation will be at least as important as the regulation itself. The European Commission, the national data protection authorities (DPAs), and the Article 29 Working Party of DPA representatives are producing useful guidelines. Indeed, the regulation’s Article 40 positively encourages the Commission, member states, industry associations and others to produce sector specific codes of conduct “to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.”

Some countries are setting up public/private collaborations to guide innovators and help them make the most of GDPR. There are issues still to resolve around transparency in machine learning algorithms, for example, and the privacy professionals group IAPP has just issued a guide to machine learning.

There are also broader EU efforts to keep tabs on the tech sector. On April 25, the European Parliament is hosting a high-level conference entitled, ‘Shaping our digital future’, where MEPs will debate with representatives from tech giants like Google and Facebook on issues like bridging digital divide, promoting online business, boosting innovation, all while respecting privacy.

So European regulators should indeed be congratulated for producing regulation that chimes with the public mood. But it is not enough. More work has to be done to implement these rules in a way that boosts confidence in our increasingly digital society while ensuring we maximise its economic benefits. The EU has to keep the right balance as it navigates this next task.

Author: John Higgins

Leave a Reply