Europe and USA Face Off on Data Protection Rules

(CN) — Europe has become ground zero in a major legal and regulatory tug-of-war over control of the personal data of internet users — the everyday clicks, finger swipes, browsing habits, “likes” and communications of people on the web, the very DNA of a future built around technology.

The Old Continent is witnessing a very modern conflict between those seeking to make the internet a regulated public space — some even talk about nationalizing parts of the internet, such as social media and e-commerce platforms — and others who argue that taming the use of personal data is undesirable and that doing so will stifle innovation and hurt consumers.

In this conflict, European regulators and privacy activists are pitted against the United States’ biggest tech titans — Google, Facebook, Apple and Amazon — and the business of striking it rich by selling and exploiting digital data, often called the “new oil.”

Concern about data protection is growing in an age of data exploitation — as companies gather vast amounts of information about people, and make fortunes off that data. Among a dizzying array of uses, data is being used to track people’s behavior; it’s used in advertising and in politics; it’s used to predict consumer trends, and even to determine someone’s income and creditworthiness.

At the same time, massive data breaches, the theft of personal data and questionable use of data are growing threats. Concerns have been reinforced by a string of scandals such as a breach at Marriott hotels (hackers got information on 500 million guests) and the ongoing Cambridge Analytica revelations of data-mining for political purposes, including on behalf of Donald Trump in 2016.

“I think there is a global wake-up call that we need to better regulate our data,” said Estelle Massé, a senior policy analyst at Access Now, a digital rights group, in a telephone interview. “This needs to be done to protect the internet.”

Europe escalated the conflict in May when it began enforcing a new set of regulations designed to give internet users more protections and rights over how their data is stored, used and sold.

The rules, known as the General Data Protection Regulation, are vast. Supporters say they help to make the internet an open, free and secure place.

But critics contend the rules do little to change the way data is collected and used, force companies to waste billions of dollars to comply with the rules, are largely silent about remedies for people whose privacy has been compromised, hurt small startup companies unable to meet the rules’ demands, and restrict innovation, at a time when artificial intelligence is becoming the next frontier in technology.

“GDPR pushes companies away from using data to be more productive, just as many businesses are beginning to leverage technologies like data analytics and machine learning to increase productivity,” said Daniel Castro, director of the Washington, D.C.-based Center for Data Innovation, in an email.

Machine learning is a term used to describe a form of artificial intelligence in which computers improve themselves by processing data.

Castro dismissed claims that the regulations make the internet safer.

“In fact, the opposite may be true,” he said. He said the rules force “businesses to focus on check-the-box compliance rather than actually protecting user data.”

Here is some of what the rules call for:

● They allow people more say over how their personal data can be used and by whom.

● People can seek to have information about them removed from the internet.

● They can seek to have information about them corrected.

● They can ask companies to show what data they have about them.

● Internet companies are required to report data breaches within 72 hours and face hefty fines for failing to protect data. Fines can reach $22.5 million or 4 percent of global revenue, whichever is greater. Previously, there was no requirement to report breaches and fines were much smaller.

● A person can request to have data moved from one place to another, say from Facebook to another social media platform.

● Companies must demonstrate compliance with the data protection rules.

Europe already had some of the world’s strongest rules protecting privacy, an outgrowth of deep-seated distrust of government intrusion after the experience of Nazi-era surveillance.

The German state of Hessen passed the world’s first data protection law in 1970. By 1981, the Council of Europe, Europe’s chief human rights organization, approved Convention 108, the world’s first legally binding international data protection measure. EU regulations were updated in the 1990s.

“It is not a revolution,” Massé said about the new rules. “It’s a strengthening of those rules that there were already. But those previous rules were done before there was the internet.”

Privacy advocates see the rules as a gold standard for data protection.

“What it does is strengthen the rights of the individual,” said Diego Naranjo, a senior policy adviser with European Digital Rights, a Brussels-based advocacy group. “We have become a kind of role model. It’s a role model for other countries.”

Chris Pounder, a data protection expert and cofounder of Amberhawk, a British company that trains people in information law, said the regulation “evens up the playing field” between the internet user and online firms.

He said the rules are forcing “data protection by design default” by making firms take the rules seriously.

Companies are spending a lot of money to get into compliance, for instance, by hiring data protection specialists and attorneys. The 500 largest firms in the world have spent an estimated $7.8 billion to comply with the rules.

The rules have also led to legal challenges — often by privacy advocates seeking to get the courts to clarify key aspects.

In November, London-based Privacy International filed complaints against some of the world’s biggest data brokers, online advertising technology companies and two global credit reference firms, charging that they were violating the new privacy regulations by not obtaining lawful consent to use people’s data.

Another privacy group called None of Your Business-European Center for Digital Rights is challenging Google, Instagram, WhatsApp and Facebook over whether their methods for obtaining consent are lawful.

“They seem to have a concept of consent that we don’t believe the GDPR allows,” Naranjo said.

What it means to give a company consent to use personal data is becoming a crucial question. Since the rules went into effect, websites in Europe have been accompanied by consent pop-up windows: Some are vague, others crammed with legalese, others rather simple but offering no choice but to consent, while others allow people to not share their personal data.

In what may be a key first test case, in late October a French data protection authority issued a ruling forcing an online advertising firm to ensure it was obtaining “informed consent.” The agency said the company’s use of a common consent framework was flawed.

Mindaugas Kiškis, an attorney, privacy expert and professor at the Mykolas Romeris University in Lithuania, doubted that legal challenges by privacy advocates would have much effect.

“I don’t think these cases will be much more than PR stunts by some of the activists and groups,” he said in a telephone interview.

He said the legal challenges are legally flawed because they are contesting practices that have become obsolete as companies modify their behavior as the regulation is put into practice.

He said it will take a couple more years of implementation until there’s enough clarity about what the rules really prescribe for serious legal challenges to be mounted.

As a whole, Kiškis was critical of the rules, which he said were vague and change little compared to the old rules.

“To be honest, I haven’t seen any empirical research supporting this idea that we can regulate for better protection,” he said.

He added that the rules do not help the average internet user because they do not make it easier for Europeans to win damage awards for privacy breaches. By comparison, Americans are able to sue for large civil damages, and that serves as a good deterrent for companies, he said.

“The little guy doesn’t have any remedies to defend himself,” he said. “They don’t have anything to bite with. … Europe is well behind the United States in terms of personal remedies.”

He also faulted the rules for not protecting data against government agencies. Under the rules, government agencies are exempt when they are gathering data for policing and security reasons.

“This is part of the problem with GDPR, because it applies to nongovernment processing,” he said. “The government is hypocritical: They want everything about you.”

Nonetheless, the rules are a big deal and challenge for American firms.

Today, it is common, for instance, to find some U.S. news sites blocked for internet users browsing in Europe. “Unfortunately, our website is currently unavailable in most European countries,” pops up on pages such as that of the Hartford Courant newspaper.

“The American companies don’t like it obviously,” said Pounder, the data protection expert. “American companies right now say (personal data) is ours.”

Pounder said data protection rules have been around for a long time, but tech firms ignored them when they expanded globally.

“So what they are doing is bolting on data protection after the event,” he said.

There are no federal rules akin to Europe’s governing data protection in the United States. This year, though, California passed its own European-like data protection rules, to take effect in 2020. Congress is mulling nationwide data protection rules.

In Europe, it appears people are taking advantage of the rules.

The European Data Protection Board estimated that 59,900 complaints had been filed as of November and about 27,800 reports of data breaches were made.

“There has been a sharp increase in complaints,” Massé said. “People are more empowered.”

Giovanni Buttarelli, the EU’s data protection supervisor, has said in recent interviews that enforcement actions are imminent.

So far, authorities in Austria and Portugal have imposed fines for data violations. In Austria, a sports betting cafe faces a $6,000 fine for allegedly running an outdoor security camera system and not deleting stored images quickly enough. And a Portuguese hospital faces a $454,000 fine for allegedly allowing patient information to be too widely available for hospital staff.

The data protection rules are just one aspect of a larger conflict between European regulators and global U.S. tech companies.

“It is clear that the GDPR set fines so high as a way to target some of the most successful tech companies,” Castro said.

European regulators are pressing antitrust and unfair business practices cases against Amazon, Apple, Google and Facebook. They are also considering new taxation on internet revenue and internet copyright laws. Regulators also are looking at measures to regulate the online tracking of users with an “e-privacy regulation.”

Those big American companies did not return messages from Courthouse News seeking comment.

Kiškis said the data protection rules are an outgrowth of this conflict between Europe and U.S. companies. Europeans, he said, were very concerned about big American corporations taking the personal data of Europeans, doing what they want with it and being beyond the scope of European laws.

He said the rules also were meant to help European tech companies compete against American firms. Europe, once a major player in computer technology, has few tech giants today.

“From the outset, these new privacy rules were designed to do things that have nothing to do with privacy,” he said, “but to solve the competition problems.”

(Courthouse News reporter Cain Burdeau is based in the European Union.)
