A Busy Week for Data Privacy
It has been quite a week for those keeping an eye on data privacy regulation. The Federal Trade Commission is pushing to renew the Privacy Shield, a data transfer pact between the US and the EU. European lawmakers, however, are skeptical about it, arguing that some US-based companies aren’t fulfilling their obligations. Facebook is facing yet another wave of Cambridge Analytica repercussions: the UK fined the company $644,000, while EU Parliament members urged the company to agree to a data protection audit. As a cherry on top, it’s worth noting that since the introduction of the GDPR, Google has gained even more coverage in the EU, while smaller companies have struggled. Here is a brief recap of the most notable cases.
The Privacy Shield
On October 24th, at a U.S. Chamber summit in Washington, Andrew Smith, Director of the Federal Trade Commission’s Bureau of Consumer Protection, said that the renewal of the Privacy Shield is the top priority for the FTC. The Privacy Shield is a pact that, since 2016, has entitled compliant companies to transfer data between the US and the EU. The EU is now deciding whether to renew the pact, as some Parliament members are concerned about the US’s ability to fulfill its obligations. In this case, the FTC is responsible for the certified companies’ compliance with the framework.
“It’s an extremely important arrangement that Commerce and the [European Commission] have agreed to, and it supports hundreds of billions of dollars in transatlantic data flows. We at the FTC have an important role to play because we are the ones who are responsible for enforcing that Privacy Shield framework against companies that fail to adhere to it,” Smith said.
Mr. Smith also mentioned the FTC’s enforcement efforts against the companies that lied about their commitment to the Privacy Shield requirements. He also brought up five particular enforcement cases that took place within the last year and noted that they support the US argument for the renewal.
By now, the EU has clearly shown that it takes data privacy seriously. US-based companies, on the other hand, sometimes appear to be much less concerned.
Facebook Gets Another Fine And It’s Somewhat Lucky
The UK’s Information Commissioner’s Office fined Facebook under the now obsolete 1998 Data Protection Act for its misconduct in the Cambridge Analytica case. As the scandal occurred before the newer GDPR framework came into effect, the ICO imposed the then-maximum possible fine of £500,000 ($644,000). The regulator notes that the fine would have been significantly higher had the misconduct occurred after May 2018.
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR,” said the UK Information Commissioner Elizabeth Denham.
Meanwhile, on October 25th, the EU’s lawmakers urged Facebook to “allow EU bodies to carry out a full audit to assess data protection and security of users’ personal data, following the scandal in which the data of 87 million Facebook users was improperly obtained, and misused.” The European Parliament members highlighted the urgency of preventing any possible manipulation of the EU elections and of creating a new legal framework corresponding to the “digital reality.”
“This is a global issue, which has already affected our referenda and our elections. This resolution sets out the measures that are needed, including an independent audit of Facebook, an update to our competition rules, and additional measures to protect our elections. Action must be taken now, not just to restore trust in online platforms, but to protect citizens’ privacy and restore trust and confidence in our democratic systems,” said Civil Liberties Chair Claude Moraes.
The EU urges Facebook to cooperate and allow the respective regulators to perform an exhaustive assessment of the company’s data protection measures and cybersecurity.
The GDPR Boosted Google’s Outreach in the EU
Research by a joint team from the anti-tracking browser Cliqz and the tracker-blocking tool Ghostery shows that the GDPR had a negative impact on adtech companies in the EU, leaving Google with less competition. Over the first months since the GDPR came into force, the search giant’s website reach gained about 1%, while smaller companies lost 18–31%. The study included the top 2,000 domains visited by US or EU residents.
“Google benefits indirectly from the effects of the GDPR, which led the online advertising market in Europe to become more concentrated, as the majority of advertisers lose market share. Google seems to have successfully taken advantage of the uncertainty around GDPR to further solidify its leading market position. On the other hand, many smaller competitors have been steadily losing market share since the GDPR came into effect,” reads the researchers’ blog post.
One wouldn’t be wrong to call this ironic. The legal framework, adopted and praised in part because of the systemic misconduct of big tech corporations such as Google and Facebook, is now weeding out their smaller competitors. Simply put, it is much easier for a large company to keep up with the costs of complying with all the requirements stated in the GDPR.
To sum up, the trend toward stricter data privacy regulation and enforcement is getting stronger. Lawmakers react with more zeal to each new piece of evidence of noncompliance, especially since the Cambridge Analytica scandal revealed what an impact it can have on quite important things, such as presidential elections and nationwide referendums. However, the urge to enforce laws and restrictions on tech companies may well lead to further market consolidation and give the “big and evil” corporations unprecedented access to bigger data and thus bigger power.