GDPR – much ado about nothing, or the end of the world as we know it?

Ten days after the EU General Data Protection Regulation came into effect, the SmallDataForum convened to provide initial assessments and perspectives. Are we witnessing comedy or drama? Much ado about nothing or the end of the world as we know it?

Clearly it is much too early to tell, and yet (of course) we found a lot to discuss, from varying levels of preparedness (not just on businesses’ side, but also among governments, regulators etc.), to impacts on the data-driven digital advertising business, to the next level of EU rule regarding electronic communication, the so-called ePrivacy Regulation.

Among the early legal cases, the most prominent so far is Austrian privacy activist Max Schrems’s challenge of Facebook, WhatsApp and Instagram (reported by the Irish Times). Sam points out that Schrems, the man behind the None of Your Business website, may be politically motivated, but if his claim has merit, then it will be interesting to see whether the Irish regulator will be willing to see the case through. As bookies are offering odds on which company (or companies) might be hit with a fine first, we reserve judgment (although Sam sticks with an earlier prediction that Uber might be one of the first ones in trouble).

My own early experience is with the DSGVO, the hefty German acronym for the even heftier compound noun ‘Datenschutzgrundverordnung’. Working with an SME in the information business in Germany, I experienced the HR team and the nominated data protection officer grappling with the fine print of the regulation, both with regard to employee data, and with client data and websites. As an abstract political regulation is being filled with meaning through the interactions of the involved stakeholders, it appears that smaller businesses are more burdened by compliance than the larger firms that the regulation is targeted at.

What is becoming clear is that everybody is underprepared: businesses, customers, regulators, enforcers. The interpretation and application of rules are co-evolving; data protection officers in companies and in government are learning the ropes, just as legal counsel and IT consultants are. And every stakeholder and representative has their organisation’s interests in mind first and foremost…

We might experience legal chain reactions where brands (advertisers) get sued, only to sue their agencies in turn. The only obvious beneficiary would be the legal profession. Already communication agencies are complaining that they are being forced by their clients to sign new MSAs (master service agreements) which require them to accept responsibility for GDPR violations, for example where a brand’s website violates GDPR (this Digiday story has some detail).

Both Sam and Neville share their experiences with delving deeper into the privacy settings of their devices and the social platforms they’re using. After years and years of most of us almost sleepwalking into ever more generous, unwitting data sharing, finally we are getting more cognisant and cautious. Tech websites and users are sharing ways to improve security settings, such as this list of checks on iOS Gadget Hacks, and advice by The Verge on how to improve your online privacy. For Neville, the case is clear: he doesn’t trust Facebook, and regards Google as ‘less evil’.

We all noticed immediate improvements in the reduction of pointless marketing emails, and the flurry of desperate activities by digital marketers prior to the GDPR deadline (“please don’t leave us…”) was cause for much hilarity. Check out the GDPR Hall of Shame for some highlights.

Meanwhile, The Internet Society (where Neville works) offered a differentiated take on GDPR. It is focused on how Europe is putting itself in a position to achieve two things: first, to provide some much-needed substance to the global debate on Internet privacy (which has long been a philosophical debate with few tangible results), and second, to position itself as a de facto global regulator for privacy. It will be interesting to see whether and how Europe will be able to enforce the GDPR, not least in the light of pending international trade wobbles following the new trade tariffs imposed by the Trump administration. This Bloomberg opinion piece by the economist Tyler Cowen discusses the two topics in relation to each other.

GDPR might only be the first step, however. The next piece of EU rule is almost ready to launch: referring to a New York Times feature, Neville outlines how the planned ePrivacy Regulation regarding electronic communication might have a much more profound impact on the industry. Already there is a lot of hype and fear-mongering from tech firms, their supporters and representatives, about how data privacy legislation will chill and ultimately kill innovations.

Yet for all the lobbying and doom-saying, businesses are making sure they play by the (evolving) rules. Even Google is doing so, although its central role in digital advertising came under intense scrutiny as programmatic ad buying plummeted in Europe around GDPR day. According to Digiday, this was largely due to Google leaving it to the last minute to inform its ad platform partners that there would be “short-term disruption” until integration into the Interactive Advertising Bureau Europe and IAB Tech Lab’s GDPR Transparency & Consent Framework has been completed. According to a Google spokesperson, the company has “worked with our third-party exchange partners to develop an interim solution to minimize disruption while we finalize integration with the IAB framework.” GDPR didn’t exactly happen overnight. In fact it came into existence in 2016. For Google to put interim solutions in place only now has, for some observers, a whiff of arrogance to it.

It’s early days, and we will continue to monitor and analyse what’s happening in this space. In about a month’s time, we will get together again and share our latest findings and thoughts. As always, watch this space.

Listen to episode 19:
