Initially Facebook were simply preparing to roll out GDPR compliance for their European territories, but then the Cambridge Analytica revelations were injected into the jugular of public discourse. Facebook were at first reluctant to view GDPR as a solution to their data woes, but one gets the impression this response was a knee-jerk reaction to the thought of regulation. A couple of days later, perhaps once someone at Facebook had read the GDPR, Mark Zuckerberg announced that the company would offer GDPR protections as a customer option across the globe. Zuckerberg stipulated that implementing the regulation globally might clash in certain places with local laws, so it wouldn't be perfect everywhere. Off the back of his comment, consumer groups have requested that the social media giant implement the rules as the global default.
GDPR focuses on a few key areas:
- The legislation applies to anyone processing the personal data of people in the EU, wherever the processor is based, so companies cannot consider themselves exempt on the basis of the location of their HQ.
- Failure to comply can result in a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
- Consent must be clear, easily accessible, distinguishable from other matters and as easy to withdraw as it was to give.
- A data breach must be reported to the supervisory authority within 72 hours of the company first becoming aware of it, and affected users must be told without undue delay where the breach is likely to put them at high risk.
- All users have the right to demand a free electronic copy of all data held on them, together with where it is being held and for what purpose.
- All users have the right to be forgotten. On a simple request, companies holding data on someone will have to delete it, subject to limited exceptions such as data that must be retained to meet a legal obligation.
- All users have the right to a portable version of their data, so that they can switch services without losing anything previously stored, in order to promote competition.
- All companies must design their systems to be secure and in keeping with GDPR from the ground up, rather than bolt on security measures later. Part of this means adhering to data minimisation principles, so the only data captured and processed is that which is strictly necessary to the task at hand.
- Organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data must appoint a data protection officer, and companies based outside the EU that are caught by the regulation must appoint a representative within the EU.
This regulation is broad and nothing like it exists anywhere else in the world. It was initially something interesting the Europeans were doing, with their different take on business regulation from that of the US, for example. But since GDPR has become a core part of the discussion in the Zuckermath of the Cambridge Analytica stories, it has taken on new height and significance. Given the gridlock US Congress is so famous for, it's unlikely that such broad and sweeping regulation could be passed through the US political system. As it stands the Europeans are leading the charge on how to regulate tech, and how to navigate the treacherous waters of personal data and privacy.
It would be entirely unsurprising if Google and Twitter were also to take up the regulation at some point over the next year or so. In 2010 then Google CEO Eric Schmidt said Google's goal was to "get right up to the creepy line and not cross it", but, leaving aside how creepy that sentence is in and of itself, as we've seen of late knowing where that line is turns out to be very difficult. Rather than getting bogged down in the difficulties of regulating privacy and data, the EU have now provided the world with the first example of how to tackle something everyone else thought was too tricky.
Part of the reason Facebook are devoid of excuses or reasonable explanations is specifically because an understanding of how to deal with people's personal data already existed. The Russian election interference and Cambridge Analytica incidents were probably too esoteric to have been predicted outright, but a simple and ethical approach to how people's data should be used would have granted Facebook access to thinking already being thunk in Europe. And the kind of thinking already perfectly obvious to the late Steve Jobs…