While China continues to pursue radical data policies reflecting its managed capitalistic economy and lack of democracy, the EU and US could pursue radically different approaches as well.
The EU’s General Data Protection Regulation has set a very high standard for particularly around individual privacy rights. At one year old – and subject to many national interpretations, it is still bedding in. Its scope is also being tested by consumer and privacy campaigners with several national data regulators.
The big tech companies in the US certainly know that they don’t like the GDPR and have begun a well-resourced lobbying campaign to create something radically different albeit with one striking similarity – that it would create a single piece of legislation to scoop up existing US state regulation.
Regulation in Big Tech’s back yard
Other legislative moves in Big Tech’s locale are also concentrating minds in Silicon Valley.
A new law will come into force in 2020 in California granting consumers the right to know what information companies are collecting about them, why they are collecting that data and who they are sharing it with.
It also gives consumers the right to tell companies to delete their information as well as allowing consumers to instruct tech platforms not sell or share their data.
Businesses must still give consumers who opt out the same quality of service. The law also makes it more difficult to share or sell data about children younger than 16.
Intriguingly Californian legislators, who are often understandably very tech friendly, rushed a bill into law last year to stave off the risk of the Californian public obligating the State government to get even tougher. Campaigners were promoting a proposition calling for a tough new law to be put to the public in a state-wide ballot.
Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to the Committee to Protect Californian Jobs opposing the proposed ballot measure, while the New York Times reported that lobbyists had estimated that businesses would spend $100 million to campaign against it before last November’s election.
The new law has seen the withdrawal of the proposition, but this has sent a warning to tech firms that some members of the public are getting rather exercised about the use of their data – with some dubbing it the techlash!
However, that small but crucial victory has not satisfied Big Tech which is now advocating for all-encompassing Federal legislation.
Personal date and sensitive personal data
The Information Technology Industry Council, backed by most tech firms is campaigning for the ‘Framework to Advance Interoperable Rules (FAIR) on Privacy’. Although the ITIC says the US should draw inspiration from the GDPR, the distinction it makes about types of privacy illustrate that it may want a different emphasis.
In this framework, “personal data” is any data that is reasonably linkable to or associated with, either directly or indirectly, a specific natural individual. “Sensitive personal data” is personal data consisting of ethnic origin, political affiliation, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, sexual orientation, certain data of known minors, and precise geolocation data. Data that is anonymized, pseudonymized and protected, or otherwise publicly available is not personal data. Publicly available data means information that is lawfully made available in federal, state, or local government records, or that is lawfully made available to the general public.”
GDPR’s steep price
Another tech thinktank has been rather more bullish styling a set of demands as a grand bargain with Federal legislators. The Internet Technology and Innovation Foundation supported by Google, Amazon and Facebook, made it clear it does not like the European legislation directly.
It says: “If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation.
“It is relatively easy to pass legislation to maximize consumer privacy. Indeed, the Europe Union did just that when it created the General Data Protection Regulation (GDPR)—a set of strict data protection rules for EU member states—which went into effect in May 2018. But this regulation came at a steep price: high compliance costs that were passed on to consumers; reduced choice in the digital economy as some firms choose not to provide services; and limited innovation as it becomes much more difficult for organizations, including non-profits, to use data to innovate and improve services.”
It also argues that legislation must not damage US digital competitiveness.
“Crafting privacy legislation that balances key goals is more difficult, both conceptually and politically, but it is essential if policymakers do not want to derail the continued success of the U.S. digital economy. Crafting such legislation requires a thorough understanding of the direct and indirect implications of various data protection policies. Policymakers who ignore the complexity of complying with privacy laws or the hidden costs of these regulations risk creating rules that undermine the digital economy by restricting the overall digital ecosystem and the benefits it provides consumers.
“The goal of data privacy legislation should therefore not be to myopically maximize consumer privacy, but to maximize consumer welfare. In other words, consumer welfare involves privacy. It also involves lower prices (or free products and services) and the development of new products and services. This approach requires finding the optimal level of regulation for the digital economy, with rules that are neither too weak nor too strong.”
Tech consultant Ian McKenna, from the London-based Finance and Technology Research Centre says: “The reality is that there is no such things as a European-based global technology business. They just don’t make them. The ten largest technology enterprises are either US or Chinese.
“You will have spheres or islands of regulation. I do think the EU is going to too far.”
Of course, the tech lobby is certainly not without its opponents in Congress, and arguably more so since Democrat advances in the mid-terms.
Connecticut Senator Richard Blumenthal has said recently: “If Big Tech thinks this is a reasonable framework for privacy legislation, they should be embarrassed. This proposal would protect no one – it is only a grand bargain for the companies who regularly exploit consumer data for private gain and seek to evade transparency and accountability.”
“Big tech cannot be trusted to write its own rules – a reality this proposal only underscores. I look forward to rolling out bipartisan privacy legislation that does in fact ‘maximize consumer privacy and puts consumers first.”
Much has been made of the scandals which have dogged platforms and driven the techlash. Politics particularly populism may have been the driver but it may have exposed more about the platforms’ models too.
Shocked by the bad guys
San Francisco-based Allianz technology trust fund manager Walter Price says: “It’s been a big problem for Facebook over the last year. I think they were shocked that some of the extremist parties and indeed the Russians were taking advantage of their platform. I think Twitter was shocked by the same thing – concerned at how good these groups were at manipulating their platform. Their response was to take them off and to self-govern that process. But it also exposed how much data they have on people and how powerful they really are. Advertisers have known that for a long time and that is why they really love Facebook and Google also the bad guys figured it out too.”
Yet while Congress mulls legislation, events in Europe may also be causing Big Tech some alarm.
Facebook was fined £500,000 by the UK’s Information Commissioner’s Office for data breaches relating to the UK’s referendum on leaving the European Union but the ICO’s chief executive Elizabeth Denham made clear it could have been up to 4% of turnover or in other words £1.2bn had the GDPR rules already come into effect.
Transparency and privacy campaigners are also testing the efficacy of the GDPR coordinating complaints to regulators in Ireland, Poland and the UK alleging that platforms are holding ad auctions which unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
The ICO is also asking questions about programmatic advertising cutting to the heart of many platform advertising models.
In a recent blog, Simon McDougall, executive director for technology policy and innovation wrote: “Programmatic advertising depends on the rapid sharing of website or app users’ personal data, with varying levels of detail in the information being associated with the space for sale. This data may be shared very widely and quickly amongst hundreds of organisations. We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure.
“Our focus is on the challenges where personal data may be processed, and where we have regulatory oversight, that they comply GDPR and the Data Protection Act.”
Of course, the emollient language often used in Europe is rather different to that of China. The Chinese approach raises all manner of challenges – China will screen out sensitive political information which can prove controversial for western businesses if they adapt their systems to allow censorship with search engine Bing most recently in the firing line. In addition, there are strong suspicions that the Great Firewall can also be used in a standard protectionist way to favour Chinese internet businesses.
It does open up the prospect of spheres of interest though perhaps China with its massive home market provides a model for other states, rather than an alternative eco-system as the EU and the US may.
Price adds: “I think there will be privacy legislation in the US following the pattern of GDPR, which includes things like the right to be forgotten and the right to control your data, but I don’t think it is going to go as far as the European standards because fundamentally the Europeans are not as excited about Google, Facebook and Amazon being as successful as the US governing groups. They will try to be a little more ‘friendly’ to those companies. China is the least friendly, the US is in the middle.”
Use my data but don’t sell it on
However, Price also suggests that long-term, the GDPR has actually helped Facebook and Google to get more powerful on the basis that people still by and large trust them. “People seem to be okay with allowing those groups to use that data to present effective advertising to them. I think it is a trade-off most people will make. That would apply to Amazon too. I think the big problem for most people is where the data is shared outside the platform with the Government or other platforms. If it benefits them when they are on a particular platform, they are okay with that.”
McKenna believes that there may need to be more significant cooperation.
“The US and EU can’t do it on their own. We are going to need to a world trade organisation for everything. It is difficult to control a digital economy. You can choose where you do it easiest. At the same time, tech companies do need to come forward and say we are going to start paying some tax. If you want to contribute and influence a discussion about what is the best way to regulate you, you are going to have to start making a contribution to society.”