Behind the recent flurry of e-mails asking customers to opt into new privacy rules is a European law that many are calling the most significant change to digital privacy since the internet was invented.
Data-privacy advocates have hailed the European Union’s General Data Protection Regulation (GDPR), which comes into effect on Friday, as a watershed for the digital economy. They say a complex set of laws that are designed to give users more control over their personal information will curb the power of Big Tech to track users across the web.
But others warn that the rules, whose effects will extend far beyond the 28 EU member states, instead risk helping social-media giants Facebook and Google consolidate their digital power even further.
The GDPR makes it harder for companies to collect a broad array of personal data, from names and e-mail addresses, to browser cookies, IP addresses and location information. The rules also give Europeans the right to demand that firms delete their information. Companies must also notify authorities of a data breach within 72 hours.
The most important aspect for many privacy critics is the GDPR’s requirement that companies get consent from users to harvest their data and explain in plain language what they plan to do with that information.
The new law comes with new powers for national regulators, who can fine companies up to 4 per cent of global revenues, or €20-million ($30-million), for the most serious privacy breaches.
“There is no doubt for us that the GDPR is a game-changer, and that it will require companies to change their mindset and put the privacy of their users first,” said David Martin Ruiz, senior legal officer for the European Consumer Organisation, an umbrella group of consumer watchdogs.
While the GDPR only applies in the 28 EU member states, the laws have implications for any company that collects data on European residents, even if it is headquartered abroad. Foreign companies that offer services to users in the EU or collect data on them, and that don’t comply with the new laws, could potentially face the same steep financial penalties as businesses based in Europe.
In the past month, Kirsten Thompson, a lawyer with McCarthy Tétrault who specializes in data issues, has been inundated with calls from Canadian clients scrambling to understand what the rules mean for them.
Much of the public attention has focused on tech companies, but the law applies to a wide array of firms that operate in Europe. “I have everything from regulated professional colleges, right through to construction companies,” Ms. Thompson said. Some Canadian firms that assumed they were outside the reach of the European laws may be in for a surprise, she warned.
Although Canada’s existing federal privacy laws are already in line with some aspects of the GDPR, the federal government may eventually have to look at overhauling its legislation or risk seeing Canadian firms blocked from accessing customers in Europe. “One of the criticisms of GDPR is it imposes another state’s laws outside its own borders,” Ms. Thompson said. “I expect there will be litigation around that.”
Meanwhile, investors are closely watching what the rules will mean for digital advertising powerhouses Google and Facebook. Both companies have unveiled changes aimed at complying with the new law and have promised to offer many of them, such as privacy features, to users outside of Europe as well.
Last month, Facebook chief financial officer Dave Wehner said he expected Facebook’s European user base to flatline or even decline after the GDPR comes into effect. Financial analysts estimate both firms could risk losing billions in advertising income if enough users deny permission to access their data.
But the biggest risk may come from regulators and activists who are keen to make big tech companies a test case for the new rules. Google and Facebook, which last year captured more than 80 per cent of the growth in digital advertising, “are surely going to be on everyone’s list,” Mr. Martin said.
U.S. privacy activists are planning to work with their European counterparts to focus attention on U.S. companies operating across the EU, said Jeff Chester, executive director of the Center for Digital Democracy, a Washington-based non-profit.
Tech companies “think they can get away with their business model without changing their practices,” he said. “This is going to be a serious war that will soon ensue.”
Others worry that rather than cripple the power of Big Tech, GDPR will allow social-media giants to extend their dominance over the digital-advertising market by favouring their own data-gathering capabilities. “Facebook has just become the biggest data broker in the history of humanity,” John Battelle, a digital advertising executive and co-founder of Wired Magazine, wrote on his blog. “It just doesn’t want you to know that.”
Google rolled out new restrictions on the ability of advertisers to export some user data needed to measure the effectiveness of ad campaigns across multiple platforms – while still allowing marketers to use that same data in Google’s own in-house ad measurement tools.
Analysts with Credit Suisse predicted the new law would make advertisers “more reliant on the larger internet services operators.”
A separate battle is brewing between tech companies and media companies. Google told publishers it was changing its policies around user consent for Google’s advertising services. The company will now require publishers to get consent on Google’s behalf, but reserves the right to use that data for other purposes.
Several groups representing major media brands complained the changes seemed designed to shift legal liability onto publishers while handing too much control to Google. Yet publishers have little choice but to try to work with Google, since the company controls so much of the online-advertising business.
“They literally have dominance over the entire supply chain in a way that you don’t see in other unregulated markets,” said Jason Kint, CEO of one of the trade organizations, Digital Content Next.