Will the General Data Protection Regulation rules that go into effect on Friday impact the privacy of U.S. citizens? It depends who you ask, but the odds-on favorite answer is “not by much.”
The Facebook Cambridge Analytica scandal in March led to a firehose of rebuke against social media platforms, advertisers and data brokers over how they use consumer information they collect and how they sell it. U.S. consumers are hungry for change.
Privacy experts say that, despite the outrage, not much has changed or will immediately change in how companies that profit from trading in consumer data do business. Existing U.S. privacy laws, experts say, haven’t been effective enough to protect privacy, and the current gridlock in Washington, D.C. makes tougher proposed federal privacy laws unlikely to pass anytime soon.
The glimmer of hope for many is a spillover effect of the European Union’s GDPR law, which is aimed at protecting people in the EU. It’s true that U.S. citizens don’t directly benefit from the rules, but in the weeks leading up to the introduction of GDPR there have been some promising signs that U.S. companies’ adoption of some GDPR requirements will also have an impact on U.S. consumer privacy.
“Strangely what may end up benefiting Americans concerned about their privacy is regulation being implemented in Europe,” said Alexander Abdo, senior staff attorney at the Knight First Amendment Institute. “The GDPR is going into effect very soon and… it may have spillover for us on this side of the pond.”
Under the GDPR law, EU citizens will have a right to know what’s being done with their data, and a right to access it. GDPR requires any company doing business in the EU that interacts with and processes data of people in the EU to get explicit consent from users for every possible use of their data. Users will have a right to be “forgotten,” meaning they can request that a company delete their data, stop sharing it and prevent third-party firms from using it as well.
There are also data portability rules allowing users to take their data from one service and give it to another. A breach notification rule requires firms to notify customers within 72 hours of an incident. Lastly, firms will need to have “data protection officers” who can demonstrate compliance with GDPR and transparency.
Companies that don’t comply face fines of up to 4 percent of their global profits.
Some Positive Impacts
Abdo said there are no parallel privacy rules that share the same goals as GDPR here in the U.S. But, he said, the fallout of the Facebook Cambridge Analytica scandal, coupled with the introduction of GDPR in Europe, is pushing into place some new privacy safeguards for U.S. citizens. It makes sense to implement new privacy rules globally, rather than to adopt a patchwork of privacy rules for each country, experts point out.
GDPR is credited for several changes to data-collecting practices by Microsoft, Google, Facebook and other firms. Google said it plans to commit to the Interactive Advertising Bureau’s GDPR approach. Earlier this week, Microsoft said it would extend GDPR protections to all its customers, not just those in EU countries. Facebook CEO Mark Zuckerberg said his firm would apply the “spirit” of the legislation globally.
In January, Facebook said it would revamp its privacy dashboard to be more user-friendly. In the weeks following the Cambridge Analytica fallout, it also announced a new privacy control called “Clear History” that lets users flush their history so that it is no longer stored with their account.
Twitter has joined Facebook and others in emailing users, urging them to review how their data is used to target them with ads and how public their shared profile information is, in order to comply with GDPR disclosure requirements.
Even as big tech companies have been quickly adopting GDPR rules, they have also been devising ways to reduce its impact on their business.
In April, The Guardian pointed out that Facebook shifted the responsibility of managing 1.5 billion user accounts located outside the U.S., Canada and the EU from its international headquarters in Ireland to its U.S. offices. The move is seen as an attempt to avoid the GDPR rules that apply in Ireland, placing that user data out of reach of EU law.
Earlier this week, Apple rolled out data and privacy tools for European customers that allowed them to download the data that Apple has collected about them and the devices they own. But here in the U.S., Apple has only promised to broaden the availability of the tools.
Google has also come under fire recently after Oracle alleged that Google receives information about people’s internet searches and locations from phones running Android. The web giant is currently under investigation by the Australian government.
Google did not respond to a request for comment from Threatpost on its commitment to handling and securing private data.
If GDPR Can’t Save Us, What Can?
The U.S. government can play a big role in holding platforms like Facebook, LinkedIn, and Twitter accountable for how they protect data privacy – but overarching challenges remain in the political landscape.
“There has been a change in the way that government – and in particular Congress – has looked at tech companies and their role in society and the democratic system,” Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology, told Threatpost.
She said the Cambridge Analytica scandal has caused regulators to look at core issues around data transparency and protection in the U.S. The incident has also forced politicians to acknowledge just how far the U.S. is behind the rest of the world when it comes to regulations around data – namely GDPR.
“For a long time these companies weren’t regulated, and they’ve avoided a fair amount of scrutiny… but Cambridge Analytica has been the apex of what’s occurred,” said De Mooy. “I’ve seen a more intense and greater call for regulation.”
In the U.S., there is no single, comprehensive federal law that regulates the collection and use of personal data. “The regulatory environment in the U.S. is fairly weak… we’ve had laws that follow data in a different kind of context, like health, but nothing as a baseline of protection for personal data,” said De Mooy. “When there is any accountability for companies related to data privacy, it’s handled through the FTC, but that’s an agency with limited authority and resources.”
Currently, a Federal Trade Commission consent decree from 2011 requires Facebook to obtain explicit permission from users before sharing their data with third parties.
Making the prospect of regulation more challenging, the U.S. technology industry thus far has been widely self-regulated – and the current U.S. government administration favors self-generated regulatory actions.
That political divide was highlighted during Zuckerberg’s congressional hearing in April. Some senators, like Sen. Susan Collins (R-ME), argued that Facebook didn’t need regulations at all, while others, like Sen. Dan Sullivan (R-AK), worried that “regulations can also cement the dominant power.”
“You look at what happened with [The Dodd–Frank Wall Street Reform and Consumer Protection Act],” he said. “That was supposed to be aimed at the big banks. The regulations ended up empowering the big banks in keeping the small banks down.”
Regardless, privacy advocates like the Electronic Frontier Foundation think that data privacy regulations should be high up on the national agenda.
“As the details continue to emerge regarding Facebook’s failure to protect its users’ data from third-party misuse, a growing chorus is calling for new regulations… it’s crucial that we ensure that privacy protections for social media users reinforce, rather than undermine, equally important values like free speech and innovation,” said Corynne McSherry with EFF in a post.
Pinning Hopes on Future Crackdown
Even beyond the complex political landscape, new data regulations provoke difficult questions about the role of social media platforms and who inherently owns and can have control over data online.
A multitude of bills surrounding data have been introduced in the past year, including the Honest Ads Act, which aims to provide more transparency for online political advertisements, and the Browser Act of 2017, which authorizes the FTC to enforce information privacy protections allowing users to opt out of the use of their user information depending on the sensitivity of the information.
After Zuckerberg’s hearing, meanwhile, senators also rolled out the CONSENT (Customer Online Notification for Stopping Edge-Provider Network Transgressions) Act, which would place restrictions on data collection by “edge providers” like Facebook and Google.
While the CONSENT Act comes closest to instilling GDPR-like policies, De Mooy said U.S. regulators need to take laws like GDPR one step further by looking at how they can “complement GDPR” – in particular by better outlining the risks and benefits of data sharing for end users.
An array of consent management tools that let online companies monitor their compliance gaps and manage their policies do exist, including PrivacyCheq and NGData.
But many, including John Callahan, CTO of security firm Veridium, have lost trust that Facebook and other online platforms would use these tools: “Time and time again we will continue to see private and sensitive information misused, improperly stored and stolen,” he told Threatpost.
States Fight For Their Own Privacy
Whether we’ll see regulation addressing data policies depends on several factors, said De Mooy – but one big factor is the Nov. 6, 2018 midterm elections, when privacy initiatives are expected to appear on ballots across the country.
That could include decisions about the Honest Ads Act, as well as the CONSENT Act. California is also touting its California Consumer Privacy Act, another data regulation that could apply to Facebook and social media privacy. If approved, the act would enforce more transparency around data that is being stored by companies, as well as enable consumers to opt out of companies selling their data.
“For the time being we’ve gotten calls from both sides of the aisle in Congress, and there’s clear concern around data policies from both Republicans and Democrats,” De Mooy said. “No one wants to be heavy handed and knock these companies to the ground when it comes to regulations. But we want something that respects our ability to go online and have an expectation of privacy.”
For the time being, however, social media platform users need to be aware of the lack of data privacy.
“It is important that users understand there is no free service,” said Ilia Kolochenko, CEO of High Tech Bridge. “If you’re using a platform for free, it will monitor your data and preferences. When you’re sending something online you need to assume it will be shared. We hope eventually there will be a positive shift toward customers’ data protection.”