A landmark European privacy law is making waves worldwide a year after it came into force, fundamentally changing the way data are handled as Facebook, Apple and Google face increasingly frequent complaints.
Adopted on May 25 last year, the General Data Protection Regulation (GDPR) aims to protect all EU citizens from privacy and data breaches, regardless of which part of the world the data handler is in.
The new regulation has forced global companies to reconsider their own rules, inspiring territories from Brazil to China and India to California to develop their own privacy and security regulations based on a de facto GDPR benchmark.
“GDPR has fundamentally changed Facebook as a company,” the world’s biggest social network said in an emailed statement, citing a range of improvements to users’ privacy controls it had implemented, along with additions to its compliance team.
In the wake of heightened awareness of data privacy, fueled by Facebook’s Cambridge Analytica scandal in which personal data were harvested from millions of users without their consent, financial penalties and legal tests will now follow.
“It’s going to be a year where we see and test how the rules get interpreted,” said Cristina Cabella, IBM’s chief privacy officer, who oversees a team of dozens of lawyers worldwide for the technology multinational.
The Cambridge Analytica scandal, which erupted just before GDPR came into force, resulted in a paltry 500,000 pound ($632,000) fine in Britain – the maximum amount possible at the time.
But GDPR grants new powers to privacy enforcers to impose fines of up to 4 percent of global revenue or 20 million euros ($22 million), whichever is higher.
The biggest penalty so far, 50 million euros, has gone to Google for failing to properly secure users’ consent for personalized ads in France.
More may be on the way, with more than 95,000 complaints filed to national data enforcers, triggering 225 investigations.
Facebook, the target of seven investigations by the Irish data protection watchdog, could face its first sanction this summer. Its WhatsApp and Instagram subsidiaries are the focus of separate probes by Dublin.
Ireland, the lead regulator for the tech giants because their European headquarters are located there, is also investigating Twitter, Microsoft’s LinkedIn and Apple, with decisions in all the cases expected this year.
GDPR has succeeded in raising awareness of personal data among individuals and companies and how to protect it, said Benoit Van Asbroeck, a partner at law firm Bird & Bird.
“Everywhere people realize that data is a key asset,” he said.
The new rules can force companies to clean house, meaning they will be more effective in data retrieval and analytics as well as building consumer confidence, said IBM’s Cabella.
“Individuals can have more trust in the companies that process their data transparently, and that is a competitive advantage,” she told Reuters.
Impeding Artificial Intelligence
There is a risk however that the rules could hamper Europe’s bid to lead in artificial intelligence, putting it at a disadvantage compared with the United States and Asia where the legal threshold is lower, Van Asbroeck said.
“Protection for people is too high. It will backfire for the development of artificial intelligence in the EU. To develop AI, you need to train algorithms with data. Some of this is personal data which needs to be compliant with GDPR, making it difficult for some companies,” he said.
Google, Facebook and Apple with their massive troves of user data and contractual consent to use it would not face any problem but the same cannot be said of other companies without the same access to volumes of information, he said.
U.S. think tank Information Technology and Innovation Foundation said there was a case for modifying GDPR.
“If the EU wants to thrive in the algorithmic economy, it needs to reform the GDPR, such as by expanding authorized uses of AI in the public interest, allowing re-purposing of data that poses only minimal risk, not penalizing automated decision-making,” it said.
VZBV, the federal umbrella for Germany’s consumer protection movement, said the right to data portability – which allows individuals to obtain and reuse their personal data for their own purposes across different services – should be clarified.
“We need industry-specific codes of conduct for data portability. Here companies have to agree on standards with data protection authorities and civil society,” said VZBV chief Klaus Mueller.