The EU’s New Privacy Rules Are Only a First Step
By Vera Franz
The European Union’s new General Data Protection Regulation (GDPR) should be celebrated. I’ve helped build the European privacy movement over these past 15 years, and it’s taken many years of hard campaigning to enshrine strong controls over our data—and huge fines for violating those controls—in the law.
But the tech companies have been fighting hard, too.
In Brussels, they are holding up a key law designed to complement GDPR, the ePrivacy Regulation. Across the EU, the big data monopolies seem to be set at undermining core GDPR principles. Facebook and other tech companies, for example, are forcing users to consent to all data processing in return for the use of its service. Should that fail, they will likely use loopholes that allow data to be collected without consent. In the Global South, Facebook has already announced that its 1.5 billion users will not be protected by the same regulations as in Europe.
All of this makes clear that the tech giants aren’t planning to change their business model. They’re committed to the surveillance economy. That means it’s up to governments, advocates, and innovators around the world to offer citizens protection.
Before GDPR, most people weren’t aware that every time they visited a website, their digital profile—their browsing history, the apps they used, and all kinds of behaviors and characteristics which were measured digitally and used to predict their age, race, income, and so on—was, within milliseconds, being auctioned to between 20 and 50 automated bidders.
The highest bidder would get access to the user’s data and their attention, usually in the form of an ad for a product, a service, or a political message. A user’s data profile would be recorded by the website with the help of cookies for next time. And the bidder would often keep it, too. The bidders would then get to work gathering and storing millions of users’ data profiles, using specialist software to match a user profile to characteristics selected by the next advertiser.
The social media giants play a powerful role in this market, but they are just the tip of the iceberg. Thousands of companies are trading data while monitoring, analyzing, and trying to affect the behavior of billions of people—that is the service they offer to their prospective clients.
The most famous example of how this market can be abused is likely Facebook’s Cambridge Analytica scandal—but there have been plenty of others. For example, real-time data on the locations and movements of millions of people is being shared between countless companies. Last month, the prosecution of a Missouri sheriff accused of using a mobile phone tracking service without a warrant revealed how telecoms companies sell user data to marketing firms (who then sell the data to security intelligence firms that sell the data to law enforcement officials).
Since GDPR took effect on May 25, there have been changes in the way you can be tracked online. This is primarily for two reasons: because companies outside the EU that monitor behavior of individuals online are now subject to GDPR, and because GDPR strengthens the definition of consent in current ePrivacy laws.
It is now clear that silence, preticked boxes, or inactivity do not constitute consent. This means tracking must be limited by default, but in practice visitors are often presented by a stark choice: they can either give consent to use their data, or they can be denied access to the service altogether.
Without the ePrivacy Regulation, the protections of digital communications and terminal equipment (such as tracking with cookies) are not strong or effective enough. This is why it’s so important that the EU adopt a strong ePrivacy Regulation, one that aligns with and strengthens the protections in GDPR.
Personal information is used for consequential decisions in finance, insurance, health care, and employment. Financial service institutions often provide offers to consumers based on data-driven calculations of what rates will contribute most to their bottom line. Service providers calculate the lifetime value of every customer to determine how to treat them. Political websites can tailor their offerings to the users visiting them, altering the message a visitor sees to render it as agreeable to their viewpoint as possible.
This surveillance economy is damaging our democracies and facilitating secret discrimination across the internet. It must be confronted. The GDPR is a critical starting point that other countries should emulate. But Brussels needs to act and adopt a strong ePrivacy Regulation. Data protection authorities need to prevent the use of loopholes by the tech and the digital ad industry relying on pervasive tracking and data sharing. Competition authorities need to start challenging data monopolies.
Finally, small websites and blogs often depend on data gathering industry services embedded on their sites, from embedded videos and social media widgets to commenting and newsletter services. The EU should support those small data controllers with better information, but also dedicate financial resources for the development of privacy-friendly services. It’s government inertia over the past 15 years that has allowed surveillance capitalism to dominate the web. Now it’s time to give the alternatives a chance.
Vera Franz is division director of Expression for Global Programs at the Open Society Foundations.