Written by Saisree Subramanian
The past couple of months have seen a flurry of activity at internet companies. Users have been presented with updated terms of service and privacy policies. It is no coincidence that multiple companies are moving in this direction simultaneously; they are preparing for the EU General Data Protection Regulation (GDPR), which goes into effect on May 25th this year.
GDPR in a nutshell
GDPR is a regulation that is designed to protect the personal data of EU citizens. It is articulated via 99 articles that are sub-divided into 11 sections and is a very comprehensive approach to personal data protection.
Article 1 of GDPR
It gives better control to the end user, or “data subject”, and holds companies (or any internet presence) heavily accountable for any use of personal data. The impact on both parties is listed below:
The most hyped aspect of GDPR is the possibility of large fines/penalties for non-compliance. Non-compliance can warrant a potential maximum fine of EUR 20 million or 4% of the global turnover of the organization, whichever is larger.
Impact on “Surveillance Capitalism”
Surveillance Capitalism, a term coined by celebrated Harvard professor Shoshana Zuboff, simply refers to the mechanism of watching/logging every individual’s actions on the internet and eventually monetizing them. Like many other forms of capitalism, surveillance capitalism also extends to influencing individuals, thereby tailoring societal behaviour to extract monetary gains.
The internet economy companies have perfected the art of accumulating our search queries, keywords from our social network inputs, emails and website visits to understand consumption patterns and strategically target products towards us. The internet era of advertising is focused on providing the most relevant advertisements; when we click on an advertisement to make a purchase, there are several players who collect and analyze our data, all the while predicting our interests. These players get a share of the money we spend, albeit in minuscule percentages. Anyone who has heard of or used Google AdWords is familiar with some aspects of this phenomenon.
Perhaps the most far-reaching effect of GDPR is to bring all of the players in this value chain out of the shadows and demonstrate how many agents are actually utilizing an individual’s personal data.
To help vendors comply with GDPR, IAB Europe created a “Transparency and Consent Framework”. This allows users to pick and choose the vendors who are allowed access to their personal data. Additionally, it gives rise to a new term called Consent Management Provider (CMP), which refers to a vendor who manages user consent on behalf of others. Google, ostensibly the biggest player in online advertising, will be a CMP and has recently rolled out updates to their advertising policies.
We have seen reports of internet vendors updating their terms of service, with Facebook and LinkedIn as recent examples. Some of these updates concern the consent framework, informing users how they can export their personal data, etc. Others alter the contracting entity for non-EU users, moving their personal-data processing outside the EU and thereby taking them out of reach of the GDPR. By definition, the GDPR was never applicable to non-EU citizens. However, if the processing entity is in the European Union, it is liable to follow the GDPR. The GDPR allows for data export outside the EU for processing under the appropriate international treaties; in this case, the processor is also liable under the GDPR.
An EU citizen filing complaints under the GDPR has the right to seek redressal within his/her own country, even if the terms of service state otherwise. The EU courts have been long inclined towards this, as was seen in the case against Facebook back in 2014. The GDPR has also given EU privacy enthusiasts a platform to move forward with their concerns. Organizations like Noyb are preparing to file complaints once the GDPR goes live and have been preparing for their next activities by crowdfunding.
The Internet Awaits
At one end, we have the EU supervisory authorities coming into play with more rights than ever before and privacy advocates ready to challenge current ways of using customer data. At the other end, there are various business organizations and companies updating their tools and processes, and raising further challenges as they do so.
May 25th, 2018 does not mark a single event, but rather an important milestone in the history of the internet. There will be periods of continuous change, as vendors realize that some of their changes are incomplete or unacceptable, while EU policymakers tweak and update their regulations. It also remains to be seen whether regulators in other countries demand parity with these European Union regulations, and how this will bring further change to the internet economy.