The EU Sets Off an Online Privacy Revolution
Different branches of European Union have agreed on the shape of the EU's new data privacy law, which means it is likely to be passed early in 2016 and fully enacted within two years. This is not one of those arcane legal documents that have little effect on people's everyday lives. The new rules will drastically change how companies use people's data and perhaps reshape data-based businesses such as advertising and online retail.
The idea of the new regulation is to establish the same data privacy rules across the EU -- something the European Commission says will result in savings of 2.3 billion euros ($2.5 billion) a year for businesses -- but also to hand to users full control of their personal data, which the EU defines broadly as "any information relating to a data subject," or natural person. This means companies will have to explain exactly what information they are collecting, for what purposes and how long it will be retained.
They will be forced to disclose all collected information to the user -- something Austrian law student Max Schrems expended a lot of effort extracting from Facebook, which led to the overruling by the European Court of Justice, of the "safe harbor" data transfer deal between Europe and the U.S. in October. Companies will also have to erase data at the users' request if they have no legitimate reason for keeping it -- an extension of the difficult-to-enforce "right to be forgotten."
Perhaps more importantly, companies will have to comply with the principles of "privacy by design" and "privacy by default," meaning the default settings of any service must ensure that as few data as possible are collected and retained. How this will work exactly are left to the European Commission to spell out, but the very principles involved mean that tech firms will have to rethink their interaction with customers and perhaps their entire business models. Otherwise, they will face fines of up to 4 percent of their global sales.
U.S. internet giants will need to make adjustments if they want to keep operating in Europe. A 2013 paper by Ira Rubinstein and Nathaniel Good provides some examples of the kind of changes that may be required.
Gmail, Google's free email service, automatically scans users' messages for keywords provided by advertisers, which helps target ads to these specific users. To comply with "Privacy by Design," Rubinstein and Good wrote, it might have told users clearly (and not in some obscure passage of its rules) what information it would be collected, but that wouldn't have been enough: "Google might have considered a simultaneous release of both an ad-supported free web mail service and an ad-free paid version" to give users a choice. I know I would rather pay for Gmail than have Google scan my messages for any purpose, but I don't have that opportunity now. The new European regulation may force the company to provide it.
Similarly, Google and Facebook might be forced to give their users the right to opt out of data collection for advertising purposes. That goes beyond all the changes the companies made to their privacy policies in recent years, mostly bowing to regulatory pressures and trying to minimize legal costs. It also alters the premise on which these businesses are based: that if they provide a free service, they're entitled to whatever users say about themselves, and whatever their internet behavior says about them.
Some U.S. internet giants -- Amazon is an important example -- pride themselves on their ability to sell products based on a user's known preferences. But do users want to give companies this edge? According to a Eurobarometer survey taken in July, 2015, 53 percent of European internet users are uncomfortable with collection of their data to tailor advertisements. Once the new European rules transfer control of their information to users, these people are likely to limit their data disclosure. Google and Facebook, among other companies for which targeted advertising is the source of nearly all revenues, will have to make do with whatever they collect from the 42 percent of users who don't mind providing their data for the purpose.
This might actually be good for these tech firms and for their advertisers. Now, people trying to protect their privacy often lie on registration questionnaires, providing false names and addresses or creating special accounts for different purposes. I do that, too: Being honest with everyone who asks for personal data often means being pestered by annoying emails and ads "targeted" on the basis of products and brands mentioned in personal messages -- hardly an indication of a desire to buy something. The "big data" collected from unwilling users is thus often bad data. Clear, effective privacy rules could make the $16.6 billion spent on big data infrastructure, software and services last year more efficient.
The reduced targeting opportunities, however, might mean lower advertising prices for customers. If Internet companies were entirely honest with their paying clients, they would charge less even now.
Treating data about a person as that person's property is likely to complicate the work of journalists who are after data, say, on corrupt officials' offshore companies and property. Under the current draft of the EU regulation, it will be possible to withhold the data at least temporarily, while the company evaluates the "owner's" request to have it erased. With the threat of big fines hanging over them for withholding the "right to be forgotten" internet firms will be tempted to err on the side of caution.
Otherwise, the new rules push internet companies in the direction of greater honesty with their users and clients and ultimately with themselves. It's time the industry realized the limitations of the advertising model, which sustains some of its most visible players: It's often based on sleight of hand rather than honest data collection.
Besides, it makes perfect sense to curb official agencies' interest in the personal data people make available online. The U.S. Department of Homeland Security recently announced its intention to scan social network posts to aid visa decisions. While the motive is to keep out people who support terrorist causes, who knows what might trigger officials' suspicions or set off alarms in the software they may use. Social network users should have the right to ban such use of their data.
Once the new regulations are approved, tech companies will probably use their significant lobbying power to make specific rules, to be set by the European Commission, more lenient and less disruptive to their business. The less success they have the better, not just for Europeans but for all internet users.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor responsible for this story:
Therese Raphael at email@example.com