The European Union’s new rules on data protection and privacy took effect last week. While the General Data Protection Regulation (GDPR) is designed to protect EU residents, its impact is being felt globally. Netizens everywhere have been receiving email informing them of the new regulations as companies that engage those customers must now manage data in new ways. The GDPR is no panacea — much depends on its interpretation and implementation — but it is an important step in the protection of privacy and rebalancing the relationship between firms and customers.
Digital foot- and fingerprints are large and growing. Every time you visit a website or input information into a browser, a record is made and stored, often on your computer — the ubiquitous “cookie” — and more often on the server of the company you visited or the entity that hosted that website. Those records quickly accumulate and together they yield an extraordinarily detailed profile of each user. Traditionally, that data belongs to those companies and the user has no right to it, and often no knowledge that it even exists.
In theory, that profile helps improve the user’s experience in cyberspace. Search for an item and suddenly ads on web pages relate to that search. For many users that is convenient; for others, it is creepy. When that data is used to create personality profiles that enable “psychographic microtargeting” — identifying the best ads to “punch buttons” and manipulate readers, as Cambridge Analytica purported to do — then it gets sinister.
Most users do not understand that the creation of that data is a — if not the — key purpose of free web services. Data generation allows a website to be free: The data is monetized to subsidize the service. The use and abuse of such information is not new. Most governments have promulgated data protection rules and regulations. The EU’s Data Protection Directive was established in 1998, but digital technologies have changed so rapidly in recent years that all such efforts need to be updated. The GDPR requires companies to post clear notices and get users’ “unambiguous” consent to collect personal data; no longer can they bury customer approval in lengthy and incomprehensible “terms and conditions.” Customers now have access to all their personal data and can control how it is used by third parties. No data can be collected on children under the age of 16 without parental consent. Also, users have a “right to be forgotten”: Old or illegally gained data must be removed.
In addition, companies must inform EU regulators of a data breach within 72 hours. Failure to comply can result in fines up to 4 percent of annual worldwide revenue. While the GDPR is designed to protect EU citizens, any website that they access is subject to the new regulations. Thus, U.S. and Japanese firms are subject to its mandates.
Since the GDPR goes much further than existing regulations, consumers should be pleased, even as they wade through email asking for permission to store their personal information. In theory, customers should be able to monetize their data, profiting from deals that were once struck between firms that bought and sold their personal information. At a minimum, there is an acknowledgement of the right of privacy and the setting of minimum standards of security, which were lacking.
Companies are worried, however. Some fear that they will incur liability despite having no intent to market in the EU. Others note that compliance will not be cheap: Ensuring compliance with the regulations will take money and personnel. There is concern that the standards favor large companies with the bureaucracy and staff to accommodate the new regulations; small companies may not be able to compete. Some analysts say it is precisely the lighter U.S. regulatory touch that produced the innovation for which Silicon Valley is famous.
Japan’s leadership has been aware of the importance of this legislation and the need to ensure a convergence of the two regulatory frameworks. Japan’s reformed privacy law went into effect May 30, 2017, a year after promulgation of the GDPR and a year before it went into full effect. Prime Minister Shinzo Abe and European Commission President Jean-Claude Juncker agreed in July 2017 to work toward convergence of the two systems and have made progress, particularly regarding cross-border transfer of personal data between Japan and the EU. Still, significant differences remain, such as in definitions of sensitive data, scope of rights on data usage, data protection officer requirements, security breach notification, profiling, data portability, and other areas.
Still, with the continuing growth of databases and the almost weekly reports of breaches, new standards for corporate responsibility are welcome. Customers must step up, however, and demand accountability and compliance. They may even have to pay for services that they have assumed will be free. Privacy has a price.