The European Union’s new rules on data protection and privacy — called the General Data Protection Regulation or GDPR — that take effect on May 25 promise to bring EU residents stronger protection of their personal information. U.S. residents would also get those protections from companies that have EU operations and extend their compliance with the new rules globally. But gray areas persist on how regulators may define such things as data breaches or confidentiality as well as determine how the new rules are to be implemented, according to experts.
GDPR rules impose strong restrictions on how businesses and governments could store, process, use, and monetize their personal information, and for how long they could retain such data. People would also have access to their personal data stored by other entities, and opt in or opt out of those databases. Another requirement is “privacy by design,” which means protections have to be integrated into the technology design of products and services.
“[GDPR] hinges on a robust notion of explaining what exactly goes on with [people’s] information,” said Andrea Matwyshyn, a professor of law and computer science at Northeastern University, as well as an affiliate scholar at the Center for Internet and Society at Stanford Law School. The GDPR replaces the EU’s Data Protection Directive that was implemented in 1998, and it “will nudge companies” to reconsider the way they have been presenting their processing of data to consumers in the last 20 years, she added.
For U.S. residents, the GDPR is a welcome development because it offers more protections than they currently have under U.S. laws, according to Sinan Aral, management professor at MIT who co-leads the university’s Initiative on the Digital Economy. But for U.S. companies that do business in Europe and therefore are covered by GDPR, the penalties for violations are stiff: up to 20 million euros or 4% of their global annual revenue, whichever is higher, plus other punishments ranging from limits to a total ban on their data collection, and audits of their data processes.
“To say that this law has teeth is an understatement,” Aral said. In the case of Amazon, for example, a fine equivalent to 4% of its global revenues would be about $7 billion, or about two years’ worth of profits, he added.
“To say that this law has teeth is an understatement.”–Sinan Aral
Matwyshyn and Aral delved into the implications of the GDPR regime for individuals and businesses on the Knowledge at Wharton show on SiriusXM channel 111. (Listen to the full podcast using the player at the top of this page.)
A New Era for Data Protections
Over the years, people have shared their personal details with retailers, social media platforms and government agencies, among others, in exchange for so-called “free” services such as a Facebook or Twitter account. They have also unwittingly allowed businesses to create detailed profiles of them often without their express permission. And they risk identity theft when there are data breaches.
All of these will be overhauled to adhere to the GDPR mission statement that “the processing of personal data should be designed to serve mankind.” The new rules would cover all manner of entities, including companies that collect data with business models that offer “free” services, said Matwyshyn. It would bring greater clarity to the specifics of consent that people may give for use of their data, so that they more clearly understand its implications.
Other benefits would also accrue. The U.S. government and its agencies would benefit indirectly from the overall approach that GDPR takes with respect to data security enforcement, Matwyshyn said. ”In fact, by imposing explicitly a requirement to consider the state of the art in the level of security of user information, the GDPR creates a floor of security,” she added.
As a consequence, companies that do not provide that minimum level of security for data will be adversely affected in their respective markets, Matwyshyn noted. She also highlighted that the GDPR extends its protections to people’s health and safety, as well as their human dignity.
The bar also has been set higher when it comes to companies reporting data breaches to regulators where the personal data of individuals has been compromised. They have to alert EU regulators within 72 hours of a breach. In the U.S., sometimes months go by before regulators are made aware of breaches, Aral noted.
Pressures of Compliance
Companies with global operations such as Facebook and Google have to find the most cost-effective and efficient way to meet the GDPR requirements in order to be able to conduct business in Europe. “What I’m hearing from inside these companies is that it is not efficient and in fact potentially not even possible to segregate consumers that are in Europe or sometimes in Europe, and then consumers that are outside of Europe,” said Aral.
“A large fraction of the changes that are going to be required of these companies to become compliant will need to apply to everyone,” Aral said. That would include a company’s back-end processes, IT and related infrastructure in terms of what type of access different levels of employees or others have to the data, how that data is stored and so forth, he said.
“If they robustly comply with GDPR, their U.S. privacy problems will substantially go away.”–Andrea Matwyshyn
It isn’t clear at this stage how smoothly the new data protection rules will be implemented, Aral said. He noted that for example, people may bring cases over “algorithmic transparency” — how their data is processed — or request portability of their data from one social network to another. Courts will get involved in settling those issues, he noted.
Matwyshyn saw a “silver lining of sorts” for U.S. companies that embrace the GDPR order. “If they robustly comply with GDPR, their U.S. privacy problems will substantially go away, in large part because this is a higher standard than the general approach that the U.S. takes,” she said. “The spillover effects of the EU compliance will [not only] benefit their operations, but also their U.S. customers will be pleased with this increased level of transparency.”
Some U.S. companies have resisted the EU’s earlier laws that gave people “the right to be forgotten,” or not have their data stored beyond a certain point. The GDPR incorporates that provision, but U.S. companies should appreciate that it is similar to other contracts they enter into, according to Matwyshyn. For instance, a customer who stops using a company’s product or service typically also stops paying for it.
“If you view data as a form of payment during the time that your customer is in a relationship with you, you get to use that information and process that information,” Matwyshyn said. “But at the point at which a customer is no longer your customer and they have severed, clearly, the relationship with you, it shouldn’t be too shocking to take that next step conceptually and say, ‘Well, maybe I don’t get to extract new forms of revenue from that data that the customer gave me a while back when they were really my customer.’”
Adjusting to GDPR
Matwyshyn added that companies must take algorithmic transparency and security to higher levels than conventional approaches. “If you are viewing security through obscurity processes, meaning hiding your code away and thinking you can prevent third party attackers from reverse engineering it, and if you’re viewing that as your prime security mechanism for your proprietary R&D or most sensitive corporate information, that’s not a good strategy,” she said.
“Consumers are more likely to say ‘yes’ to companies like Facebook and Google.”–Sinan Aral
Matwyshyn also stressed the need for companies to fully understand what their algorithms could potentially do. “If you don’t understand what your algorithms do and how they get there you should take a step back and ask yourself if you should be building that algorithm,” she said. “Bad things will happen with algorithms going awry and the consequences or the harms that can result from algorithms that we don’t understand being unleashed on society will bring liability, too. GDPR will be the least of your problems if your algorithm goes rogue and takes out an electrical grid or a nuclear power plant.”
Even as GDPR allows individuals the right to opt out of databases, it may be hard for them to do so because of so-called “network effects,” said Aral. In social media, for instance, “the greater number of users you have on your platform, the more difficult it is for those users to leave the platform because the value to them is so high,” he added.
As GDPR is implemented and companies go about requesting permission to access the data of their users or customers, “consumers are more likely to say ‘yes’ to companies like Facebook and Google because they have all of their data,” Aral said. However, those same customers are unlikely to grant those permissions to newer platforms “because their network effects are not as great,” he added.
The GDPR regime is not without its share of potential hurdles. Aral said that, for example, there could be disagreements over what constitutes a data breach. He referred to Facebook CEO Mark Zuckerberg’s recent Congressional testimony where he maintained that the Cambridge Analytica episode was not an instance of a data breach because a third party abused data protections.
Secondly, it isn’t clear what actions regulators would take after being notified of a data breach. “That’s where the rubber meets the road,” Aral said. “With this whole GDPR implementation, we all have to pay very close attention to unintended consequences.” Another potential problem is the requirement for algorithmic transparency, which may “increase the ability of hackers to get around or game their algorithm,” he added.
“The spirit of GDPR is a needed nudge … because we will all benefit as a society.”–Andrea Matwyshyn
Matwyshyn said the implementation of GDPR will depend on how regulators define what constitutes a data breach, and confidentiality and availability of information, among others. “The definitional implementation will really matter,” she said. “Regulators in not just in the EU, but also in the U.S., have not always specified with adequate precision the distinction between privacy and security. And it sometimes falls by the wayside.”
U.S. regulators would also need a lot of guidance and expert advice as they adjust to a post-GDPR world, Aral said. After watching Zuckerberg’s testimony, he realized that he “was not made very confident that our regulators are really prepared to enact legislation that they fully understand at this point.”
Matwyshyn encouraged U.S. regulators to goad American companies to embrace GDPR in order to have “reasonable” data care processes in place. “The spirit of GDPR is a needed nudge, and it’s one that our legislators, members of Congress and regulators will hopefully encourage serious compliance with, because we will all benefit as a society as well as the companies themselves.”
Matwyshyn saw it as a win-win to implement strong security methods and have robust processes in place. “Shareholder values increase and the rights of consumers are a side benefit when you are robustly defending your intellectual property assets,” she added.