When Europes tough privacy rules came into force on May 25, 2018, policymakers and industry executives expected a series of dominoes would soon start to fall.
Global technology giants like Facebook would feel the heat of fines of up to 4 percent of their total yearly revenue. Companies like Google would think twice before pushing ahead with aggressive new ways of collecting peoples data. Smaller rivals would be given greater space to compete.
But a year later, none of those dominoes have yet fallen, according to interviews with senior policymakers, tech executives and privacy campaigners.
Big fines and sweeping enforcement actions have been largely absent, as under-resourced European regulators struggle to define their mission — and take time to build investigations that will likely end up in court.
New forms of data collection, including Facebooks reintroduction of its facial recognition technology in Europe and Googles efforts to harvest information on third-party websites, have been given new leases on life under Europes General Data Protection Regulation, or GDPR.
Smaller firms — whose fortunes were of special concern to the framers of the regions privacy revamp — also have suffered from the relatively high compliance costs and the perception, at least among some investors, that they cant compete with Silicon Valleys biggest names.
“Big companies like Facebook are 10 steps ahead of everyone else, and 100 steps ahead of regulators,” declared Paul-Olivier Dehaye, a privacy expert who helped uncover Facebooks Cambridge Analytica scandal. “There are very big questions about what theyre doing.”
The patchy record of Europes data protection overhaul — on the one-year anniversary of its implementation — has given industry an opportunity to blunt similar efforts outside the European Union to emulate the regions new privacy rules.
Campaigners and some lawmakers from Colombia to South Africa and even the United States clamor to import similar protections, claiming that only strict restrictions will grant citizens sufficient control over their data.
But aggressive industry lobbying in capitals worldwide has worked hard to frame Europes laws as overly cumbersome, particularly for small companies, with technology groups warning other politicians not to merely copy Europe in the rejiggering of their own local privacy standards.
“A lot of small and medium-sized businesses are still struggling,” said John Miller, vice president of policy at the Information Technology Industry Council, a trade group in Washington, D.C. that represents many of Silicon Valleys biggest names. “How do we protect the rights of consumers here without making the law quite so onerous?”
GDPR, one year on
It was not supposed to be this way.
When Europe unveiled its privacy revamp, European officials hailed it as a major victory for consumers — a message that piggybacked on the publics growing awareness of their data rights after Facebooks Cambridge Analytica scandal, in which roughly 87 million of its users worldwide had their data misused during political campaigns.
Policymakers like Andrea Jelinek, an Austrian official in charge of a pan-regional group of EU data protection regulators, gave evidence to the U.S. Congress on how Europe has implemented its new laws. Mark Zuckerberg, Facebooks chief executive, promised to offer European-style protections to all of his companys 2.2 billion global users.
But since the regions standards came into force a year ago, few companies have yet to have their wings clipped by the new regulation — and some of the worlds largest tech companies have used their significant in-house regulatory and financial muscle to turn Europes privacy push to their advantage.
“There has been a dramatic change both in the attitudes toward the tech firms and, I would say, in the views of European privacy law” — Marc Rotenberg, executive director of the Electronic Privacy Information Center
So far, almost 100,000 privacy complaints have been filed with national privacy regulators, though only a few have led to meaningful penalties, according to the International Association of Privacy Professionals, an industry trade body. Total fines have now reached roughly €56 million, although almost all of that came from a one-off €50 million levy against Google by French officials (the search giant is appealing that decision).
National agencies — often small, obscure regulatory offshoots that lack the manpower or legal resources to keep large multinationals at bay — have struggled to give Europes privacy rules real bite, despite widespread government efforts to increase their yearly budgets. Officials urge restraint, saying that it will take time for the full force of Europes privacy rules to take effect and that companies are already changing how they collect peoples data because of potential blockbuster fines.
“Even after 12 months, the reality is that there is no consensus or clear harmonization for how data should be processed,” said Ahmed Baladi, co-chair of the privacy, cybersecurity and consumer protection unit at Gibson Dunn, a law firm in Paris. “We still need more guidance from national authorities.”
Facebook and Google
Into this void has stepped Big Tech.
Ahead of Europes privacy overhaul, Facebook spent months preparing to restart its facial recognition service in the region — technology that the company believes now meets the regions beefed-up standards. Irelands data protection agency, which oversees the social media giants activities in the EU, has yet to take a position on the matter.
Despite the previous ban, Facebooks facial recognition technology is now permitted in Europe because users are actively given the choice to opt into the service. The social networking giant also restarted the sharing of some data between WhatsApp, its popular messaging service, and Facebook – a practice that had similarly been outlawed in some states in the 28-country bloc.
A Facebook logo on a stand during the VivaTech startups and innovation fair, in Paris, France, May 16, 2019. | Julien de Rosa/EPA-EFE
Even now, some privacy regulators arent convinced that people understand how their data may be used and that others could still have their digital information collected without consent. Facebook denies it stores data on individuals who have not chosen to use its facial recognition technology.
“Processing of biometric data such as in automatic facial recognition comes with substantial risks,” Johannes Caspar, head of the Hamburg privacy regulator, said in an email. “Facial recognition must be strictly limited to those users who have opted in to that technology.”
Google also moved quickly to cement its position in the data economy.
Weeks before Europes new rules became law, the search giant contacted all websites, both inside the EU and elsewhere, that relied on the companys dominant advertising services, informing these publishers that they would now have to solicit peoples consent to collect data on Googles behalf.
Under Europes new privacy standards, the tech giant must get peoples permission to target them with digital advertising. But by forcing publishers to do this work for Google — the search giant said if websites did not comply, they would not be able to use the companys advertising services — it added an additional line to the companys revamped privacy settings, which allowed Google to take ownership of peoples data from publishers that it then could use for its own undefined purposes.
In response, the tech giant said these changes were necessary under Europes new data protection rules, and that it had not taken greater control over data collected by publishers worldwide.
Yet in a sign of potential future privacy woes for Google, an investigation into the legality of such practices is expected to be announced in the coming weeks, according to an industry executive with knowledge of the matter.
For Jason Kint, chief executive of Digital Content Next, a trade body for publishers including the New York Times and the Guardian (Axel Springer, which co-owns the European edition of POLITICO, is also a member), Googles request represents a land grab for lucrativeRead More – Source