“We care about your data privacy and security. With this in mind, we’re updating our privacy policy by 25 May 2018 in compliance with the EU’s General Data Protection Regulation (GDPR). Click to learn more.”
You’ve probably seen messages like this filling your inbox and social media apps of late. What is it all about, and why should we be concerned?
Every time you post a photograph or a story on Facebook or Instagram, you leave a trail of personal information online, about you, your family and friends, what you like, where you travel, work, eat, and more. This intelligence is valuable to advertisers, who are the main source of income for companies like Facebook and Google. But as the data is about you, social media firms should seek your consent before sending it to someone else. This has become all the more sensitive since political advertisers have become involved, potentially affecting election and referendum outcomes.
To understand how serious all of this is, think back to the Facebook data-handling debacle that dominated the news in March and April of this year. The affair led to several questions about privacy in today’s rather open online world.
It exposed some of the unseen ways a person’s data can be mishandled and exchanged across the internet, without their knowledge or permission. Remarkably, it took as long as three years before some 87 million Facebook users discovered that their own data had been acquired by a consultancy firm, Cambridge Analytica, for use in political campaigns. Unlike in previous cases concerning Uber and Yahoo, in which hackers had reportedly stolen data, this was a normal commercial transaction involving data that had been compiled using an online quiz posted on Facebook, called “This is your digital life”.
But it was not a transaction those millions of Facebook users necessarily wanted. This not only rekindled a heated policy debate on personal data protection and privacy online, but touched a nerve that runs through the heart of today’s economy: How trustworthy is our digital world, and how regulated do we need, or want, the internet to be?
OECD roots
The timing of the Facebook issue could hardly have been more poignant, erupting just weeks before the EU’s new General Data Protection Regulation (GDPR) comes into force on 25 May.
The regulation, which replaces a 1995 directive, aims to harmonise data protection laws throughout the EU, and bring some coherence to the tangle of different national laws that have grown over the years. The GDPR’s spirit and much of its detail reflect the OECD privacy framework that was developed three decades ago and revised in 2013, notably upholding the importance of openness and promoting respect for privacy as a fundamental condition for the free flow of personal data across borders.
But the GDPR adds some new teeth too, like ensuring users have the right to transfer their data to other controllers without any hindrance — so-called portability — and making it mandatory that privacy breaches be notified to the local Data Protection Authority within 72 hours of their discovery, unless the breach is of no consequence to the data subjects.
Tough fines also feature €10 million ($12 million) or 2% of worldwide annual turnover, whichever is higher, for failing to notify a personal data breach; and as high as 4% of turnover or €20 million, depending on which is more, in those cases where the failure amounts to a breach of fundamental data protection principles. Compare it with the Federal Trade Commission (FTC) rules in the US, for instance, which can impose a fine of $40,000 per proven violation of its 2011 consent decree. Also, the risk of costly lawsuits in the US should normally act as a deterrent — except that in the case of Cambridge Analytica it didn’t.
The OECD framework also recommends adopting appropriate laws, data breach notification and adequate sanctions for failure to uphold privacy, and also emphasises organisational accountability and education, as well as national strategies and interoperability of systems.
Even if views in the US Congress appear divided on what to do next when examining the Facebook case, CEO and co-founder Mark Zuckerberg was less uncertain; for while he apologised for the incident, he also said his company would consider complying with the EU regulation on a worldwide basis. Facebook has since moved to tighten its data management, a point which Mr Zuckerberg emphasised again at a hearing in the European Parliament in late May.
But will other firms follow suit? Most people care about privacy, and many firms are coming to recognise that showing they care too is a business opportunity, but not all. In the absence of robust enforcement, it is all too easy for anyone to let their guard down, or behave in contradictory ways. This is one reason why policymakers around the world, and not just in the EU, need to take a hard look at their approaches to raising privacy awareness and enforcing privacy and data protection.
Open for (honest) business
A key question is how to assure both privacy and an open flow of data. Data, especially big data, has been called the capital of the digital age, and as with all capital, the freer the flow of data, the lower the costs. The internet’s openness has brought enormous benefits by overcoming barriers in the physical world. Breaches of trust jeopardise that progress.
But a completely open internet, however aspirational, does not exist in reality, with various controls imposed by different countries. Viewed in this light, the GDPR should, thanks to better data protection, improve trust among users and enable freer data flows throughout the EU’s own significant market. The rest of the world wishing to do business in that space will benefit fully as long as they comply with the GDPR. If they don’t, then a “border” will kick in for those suppliers.
But could this approach go too far and create unnecessary borders online? Some countries are concerned it might. It certainly means compliance costs for businesses, albeit for access to a lucrative market. However, some question whether all EU countries have the means and legal tools needed to police the new regulation.
The Facebook affair and the new EU data protection rules may have set markers for our digital futures. We must draw the right lessons, and through international co-operation which the OECD will continue to support, set the ground rules for a thriving, trustworthy digital world economy. In the meantime, the rest of us users must get to sorting out those consent notices in our in-trays.
References and further reading:
Originally published in ©OECD Observer May 2018
EU’s General Data Protection Regulation portal: https://www.eugdpr.org/
For more on the OECD Privacy Framework, including the Revised Guidelines on the Protection of Privacy and Transborder Flows of Personal Data2013, visit www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
https://iapp.org/news/a/ftc-investigating-whether-facebook-violated-2011-consent-decree/
Constine, Josh (2018) “Zuckerberg says Facebook will offer GDPR privacy controls everywhere”
IAPP (2018), “FTC investigating whether Facebook violated 2011 consent decree,” on https://iapp.org, website of International Association of Privacy Professionals, March
McKinsey Global Institute (2016), “Digital globalization: The new era of global flows”
Romm, Tony (2018) “Facebook’s Zuckerberg just survived 10 hours of questioning by Congress” in The Washington Post, April
