Chris Middleton reports for H&C News on how the EU’s stance on data privacy may become a global force.
When the General Data Protection Regulation (GDPR) was first discussed in Europe, it was as a hedge against American technology dominance, and some in the US criticised European policymakers for trying to stifle innovation and success with red tape.
Fast forward to 2018, and many now see GDPR, which came into force on 25 May (in the UK under the Data Protection Act) as timely, prescient, and capturing the popular mood.
For many, Facebook CEO Mark Zuckerberg’s appearance before US Congress in April was the tipping point, an event that took a story about technology and data security into every American family’s home and made it relevant to them personally. The effects of the Cambridge Analytica scandal and other examples of compromised data privacy have been far-reaching indeed.
Zuckerberg’s apparent dismissal of UK requests to appear before MPs and his stage-managed appearance at the European Parliament, during which he was able to evade 90 percent of MEPs’ questions, underlined the point that this was an American CEO answering to Americans first, and not the poster boy for a global collaboration platform.
However, the challenge for many US technology companies is that worries over data privacy are now mainstream news – alongside fears of killer robots seizing jobs and the rise of malignant AI.
Amazon is one company that finds itself increasingly in the spotlight. Last week, it was revealed that an Alexa-powered Echo speaker had covertly recorded a family’s private conversation, and then emailed the audio file to a contact of theirs. The Seattle-based family only found out about it when the recipient contacted them and urged them to disconnect the device.
The story reinforced the point that, far from being speakers, the prime – or perhaps Prime – function of the Echo and Dot is to listen.
Amazon is adding Alexa to more and more hardware, including smart TV sticks and, rumours suggest, a domestic robot that may be due for release in 2019. Soon, people’s houses may be full of listening devices: to date, over 30 million Echo speakers have found their way into people’s homes and offices.
Amazon recently began rolling out Alexa updates in the US, which will allow the digital assistant to sustain conversations without users having to use the ‘Alexa’ trigger word, suggesting that incidents of privacy invasion are likely to snowball.
And Alexa isn’t the only product in the frame. Earlier this month, the American Civil Liberties Union (ACLU) challenged Amazon about two police forces’ use of its Rekognition real-time facial recognition system in officers’ body cameras. The ACLU is demanding that Amazon stop the sale of a technology that enables live citizen surveillance and data gathering.
There is certainly a sense of battle lines being drawn over citizens’ data privacy. As GDPR went live last week, reports emerged of some US websites ‘going dark’ to European readers, suggesting that rather than risk falling foul of the regulations and incurring hefty fines, some companies had decided to block Europe entirely.
But not every US company is adopting such a cavalier or self-serving attitude to privacy. Indeed, several US technology providers now believe that Europe’s stance is the right one. Some are rolling out GDPR compliance to customers globally, not just within the EU, while others believe that voluntary adoption and self-policing are not enough. GDPR-style legislation may be drawn up in the US, too, they say.
The first leader to put his head above the parapet was perhaps the least well known. Speaking earlier this year, SugarCRM CEO Larry Augustin told this journalist that he believed it was “inevitable” that the US would follow Europe’s lead with privacy legislation of its own.
He explained, “When you have the CEO of Facebook testifying on these issues in Congress, which makes all of the television and news, I’m not sure that self-regulation is going to be something that Congress will accept.
“Companies will certainly go down the self-regulation path, but I don’t think there’s a lot of trust for that right now. There have been too many incidents.”
In GDPR week, Microsoft and Apple added their much louder voices to the debate.
On 22 May, Microsoft corporate VP and deputy general counsel Julie Brill wrote a blog post saying, “As an EU regulation, GDPR creates important new rights specifically for individuals in the European Union. But we believe GDPR establishes important principles that are relevant globally.
“That’s why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it, and even to take it somewhere else.”
“We believe privacy is a fundamental human right,” she added. “Privacy is also the foundation for trust. We know that people will only use technology that they trust. Ultimately, trust is created when people are confident that their personal data is safe and they have a clear understanding of how and why it is used.”
That too, was a timely message. An April survey by IBM of 10,000 consumers found that only 20 percent of respondents have faith that the businesses they interact with maintain the privacy of their data.
Meanwhile, a Capgemini survey found that customers will punish organisations that fail to protect their data, but will actively support ones that put their privacy first.
On GDPR enforcement day, Apple unveiled a new privacy portal allowing its customers to manage all of the data that they share with the company.
At present, the service is limited to users in the EU, Switzerland, Norway, Iceland, and Liechtenstein, but – like Microsoft – Apple says that it will be available worldwide in the coming months.
In this, the first week of GDPR enforcement, other leading US technology companies appear to have come onboard too. In an earnings call to analysts, Salesforce.com CEO Marc Benioff said, “We need a national privacy law here in the United States that probably looks a lot like GDPR.”
He added, “I think from the European perspective the way they look at data is data belongs to you, it’s your data. Now for us at Salesforce, we understand that. We’ve had that position from the beginning.
“I think the Europeans with GDPR have really flipped the coin, especially in advertising, but in another areas, saying, ‘Hey, this data belongs to the consumer or to the customers, you guys have to pivot back to the consumer, you have to pivot back to the customer’.”
Also this week, Aaron Levie, CEO of cloud collaboration provider Box, said, “It’s actually really important that the EU acted and the GDPR decision I think was quite timely.
“I do think we need to be thinking about this on a global basis, for two reasons. One is to ensure that we don’t get lots of conflicting data privacy laws that make it really, really hard for a global internet to be able to persist.
“And the second thing is to be able to revoke data, to know exactly how it’s being used, to ensure it’s not going to parties that you haven’t given express permission for.”
However, one man believes that GDPR doesn’t go nearly far enough, and thinks that some responses to it by US corporations have been inadequate.
Austrian privacy campaigner Max Schrems has launched multibillion-dollar lawsuits against Google ($4.3 billion) and Facebook ($4.6 billion) for non compliance – two companies that, alongside Amazon, see their customers as being their real products.
His action that has led some to suggest that, instead of hackers taking down servers, citizens will now use GDPR to launch multibillion-dollar governance campaigns against companies that fail to put their interests first.
“GDPR is the new DDoS attack,” said Adrian Bisaz, VP EMEA of Cyberproof. “Companies can become the target of millions of customers that want to make sure their new rights for privacy are met, and Facebook and Google as the most well-known tech giants are inevitably going to be in the crossfire when the lawsuits start rolling in.”
The analogy may not be wide of the mark. A report in The Times this week has suggested that GDPR will allow hackers to extort money out of firms by threatening to reveal the ways in which they have failed to protect consumer data.
If nothing else, the realisation that it may be cheaper to pay a blackmailer than an EU fine should persuade companies to take action – and soon.