Happy GDPR Day

You’re reading the Benton Foundation’s Weekly Round-up, a recap of the biggest (or most overlooked) telecommunications stories of the week. The round-up is delivered via e-mail each Friday.

Round-Up for the Week of May 21-25, 2018

Robbie McBeath

On May 25, the European Union’s new data and privacy law takes effect. The E.U.’s General Data Protection Regulation (GDPR) changes the rules for companies that collect, store or process large amounts of information on residents of the E.U., requiring more openness about what data the companies have and with whom they share it. The GDPR will have a large impact on U.S. companies and establishes Europe as the global leader on data protection. 

What is the GDPR?

The European Parliament adopted the GDPR in April 2016, replacing the E.U.’s 1995 law governing data protection. GDPR is a sweeping law that is anything but simple. “The law is staggeringly complex,” wrote University of Colorado Professor Alison Cool in the New York Times. She continues:

[T]he regulation is intentionally ambiguous, representing a series of compromises. It promises to ease restrictions on data flows while allowing citizens to control their personal data, and to spur European economic growth while protecting the right to privacy. It skirts over possible differences between current and future technologies by using broad principles. But those broad principles don’t always accord with current data practices.

Generally speaking, the law requires more openness about what data companies have and with whom they share it, and gives E.U. ‘data subjects’ rights over their data. [A ‘data subject,’ if you're scoring at home, is any person whose personal data is being collected, held or processed.] The GDPR clarifies individual rights to the personal data collected by companies around the world for targeted advertising and other purposes.

Professor Cool noted that many of the law’s broad principles, though they avoid references to specific technologies, are nevertheless based on already-outdated assumptions about technology. For example, some of the rules on data portability are premised on the notion that some company has your data physically stored somewhere, and that users have the right to take it out. But, in the era of big data and cloud services, data rarely exists in only one place.

What the rules really mean is likely to be decided in European courts, “which is sure to be a drawn-out and confusing process,” said Professor Cool.

Importantly, the GDPR unifies the variety of data rules and regulations in play in different European countries. Anick Jesdanun of the Associated Press wrote, “Instead of separate rules in separate nations across Europe, there’s now a single set for the entire E.U. The new rules apply to all users in the 28-nation E.U., regardless of where the companies collecting, analyzing and using their data are located.” Any U.S. company -- large or small, with millions of European users or just one -- will have to comply with the GDPR.

Broadly, the new rules mean that:

  • Companies will have to use plain language to explain how they collect and use data. Companies will keep on collecting and analyzing personal data from your phone, the apps you use, and the sites you visit. The big difference is that now the companies will have to justify why they are collecting and using that information. As a result, companies are flooding users—including users here in the U.S.—with notices that aim to better explain their practices and the privacy choices they offer.

  • Companies are required to give E.U. users the ability to access and delete data and to object to how their data is being used. Firms have to clarify how long they retain data.

  • Companies must disclose, within 72 hours, when they suffer data breaches. (By contrast, Yahoo did not reveal a breach that involved three billion users for over two years.)

  • GDPR violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue — whichever is greater.

Are Companies Ready?

The GDPR takes effect today, May 25 -- but that doesn’t mean companies are ready.

“Very few companies are going to be 100 percent compliant on May 25th,” said Jason Straight, an attorney and chief privacy officer at United Lex, a company that sets up GDPR-compliance programs for businesses. “Companies, especially U.S. companies, are definitely scrambling here in the last month to get themselves ready.” In a survey of over 1,000 companies conducted by the Ponemon Institute in April, half of the companies said they won’t be compliant by the deadline. When broken down by industry, 60 percent of tech companies said they weren’t ready.

“There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place.’ I’m kind of like, ‘Yeah, that’s sort of the point.’” -- Attorney Jason Straight

Facebook intends to be ready for GDPR, although we’re not sure whether the company will apply the strong data protections to U.S. users. In early April, Facebook CEO Mark Zuckerberg said the company intends to make available to all of its users the same privacy protections that it has to implement in Europe. “We intend to make all the controls and settings available everywhere, not just in Europe,” Zuckerberg said. “Overall, regulations like the GDPR are very positive.” But in his testimony during a joint hearing of the Senate's Judiciary and Commerce Committees a few days later on April 10, Zuckerberg stated his support "in principle" for a GDPR-like opt-in standard for users before they give up their data — but he didn't commit, adding "details matter."

More than two dozen privacy groups wrote to large U.S. companies to use the GDPR as a baseline for their own U.S. data protection policies. The GDPR "places limits on the gathering and use of personal data and establishes clear responsibilities for companies that collect it, as well as clear rights for people whose data is gathered," the groups pointed out in their letter. “Since you will be providing these protections for hundreds of millions of people in Europe, there is no question that you are capable of applying the same protections worldwide. We insist that you do."

Additionally, Senators Ed Markey (D-MA), Dick Durbin (D-IL), Richard Blumenthal (D-CT), and Bernie Sanders (I-VT) joined to co-sponsor a congressional resolution calling on those companies to "provide Americans with privacy protections included in the European law." The resolution is not a mandate, but rather a "sense of the Senate" encouragement to apply the E.U. standards to U.S. users and an explanation of the importance of privacy rules. “When the European privacy law takes effect, the American people are going to wonder why they are getting second-class privacy protections,” said Senator Markey. “If companies can afford to protect Europeans’ privacy, they can also afford to do so for their American customers and users. Under the European rules, privacy is not an afterthought, and consumers, not corporations, are in charge of personal information. The American people want and deserve a comprehensive privacy bill of rights, and it is time Congress acts to protect this important 21st century right.”

Data Privacy in the E.U. vs the U.S.: Will the GDPR Inform U.S. Policy?

The E.U. has set a high bar for personal data protection, but will the GDPR inform data protection policy conversations in the U.S.? 

As former Federal Communications Commission Chairman Tom Wheeler wrote this week:

The GDPR debate about privacy has been going on for almost six years, during which American policymakers have ignored corporate subversion of personal privacy. While their European counterparts wrestled with the issues and resisted a massive lobbying campaign, the U.S. Congress has looked the other way.

Worse than looking the other way, the Trump Administration and [Republican-led] Congress repealed the only existing regulations to protect the privacy of American consumers. The Obama-era Federal Communications Commission (FCC) imposed privacy protection obligations on the networks that take consumers to and from the internet, seeing everywhere a person goes and everything they do. The networks and the internet platform companies teamed up to lobby the new Republican government to repeal those protections. Worse yet, they not only repealed the privacy protections, but also told the FCC they could never again require similar protections.

Unless the U.S. and other countries adopt privacy rules similar to those in the E.U. — something that is not likely any time soon — many companies are likely to maintain double privacy standards for users. E.U. residents and “data subjects who are in the Union” will receive one set of privacy protections, while U.S. users may see another.

Some in the Administration even see the E.U.’s actions as a crackdown on Silicon Valley done out of jealousy. Silicon Valley venture capitalist Peter Thiel said that E.U. regulators envy the U.S. tech industry’s success. “[T]here are no successful tech companies in Europe and they are jealous of the U.S. so they are punishing us,” he said back in March.

Others see E.U. protectionism in the wake of privacy breaches and U.S. surveillance concerns. A Heritage Foundation report, The U.S. Must Draw a Line on the E.U.’s Data-Protection Imperialism, stated, “[T]he E.U.’s campaign has not been about data protection: It has been a form of regulation protectionism that uses E.U. rule-making to discriminate against U.S. businesses and to increase the power of the European Union by appealing to the anti-Americanism of those who regard U.S. intelligence agencies, and the U.S.’s Section 702 authorities, as their enemy.”

Tom Wheeler thinks the U.S. should incorporate the best of the GDPR into our own consumer protections. “Two over-arching principles should frame the debate about the privacy of Americans,” he wrote. “First, personal data is the consumer’s property, parting with that property must be an opt-in decision. Second, privacy should be a forethought rather than an afterthought in the design of digital services.” Wheeler continued:

The GDPR makes a good start at ... privacy by design by defining “privacy by default” and “data protection by design.” Rather than a business plan based on how much data can be collected, GDPR asks how much data is needed to provide the specified service. Similarly, GDPR requires the default assumption to be the protection of information rather than today’s default to exploitation of the information.

Such privacy by design is not a revolutionary concept. In 2012, the U.S. Federal Trade Commission (FTC) recommended companies practice the principle, but it was only a suggestion because the FTC lacks the ability to make rules. The GDPR, however, is not a suggestion. Therein lies the heart of the E.U.’s leadership: while the American government prevaricated with suggestions from the FTC and revocation of FCC regulations, the European Union moved forward to get in front of the tsunami of data collection that is on the horizon.

Be sure to follow the ongoing data privacy debates in the U.S. by subscribing to Headlines.

By Robbie McBeath.