Will the Facebook scandal lead to a ‘hard’ GDPR?


The revelation that personal data from millions of Facebook profiles was harvested to target users with politically motivated ads is continuing to feature in the news headlines. 

The scandal involving Global Scientific Research and Cambridge Analytica couldn’t have brought the collection and use of personal data to the attention of the wider public at a more pertinent moment. On May 25th, the General Data Protection Regulation (GDPR) comes into force, giving consumers more control over their information and introducing strict penalties for those who don’t comply. 

When a major player such as Facebook comes under scrutiny in this way, it inevitably has wider implications for the digital ecosystem. So will the recent revelations lead to stricter enforcement – a ‘hard’ GDPR instead of the much hoped for ‘soft’ version – and how can companies learn from the Facebook situation to ensure they don’t fall foul of the law? 

A changing privacy climate ahead of the GDPR 

Consumers are demanding greater control of personal data and ownership of their digital identity. And while the recent Facebook situation might not be a data breach in legal terms, it was certainly a breach of trust for its users. 

Consumers aren’t stupid. They know data is gathered, stored, and even shared when they use the internet, but they’re not willing to accept data being collected for one purpose and then used for another without their permission, and definitely not without their knowledge. In the Facebook situation, profile data was shared with Global Scientific Research for the purpose of a personality test but was then used to profile users’ political views and inform targeted advertising. Such repurposing will not be allowed under the terms of the GDPR, which requires businesses to have a legal basis for data collection and processing and to be transparent about its purpose. The fallout from the on-going Facebook story provides a sneak peek into a potential post-GDPR environment, indicating how authorities and consumers are likely to react. 

Major players in the industry have been revealing how they will deal with the arrival of the GDPR, and whether they will be taking a ‘hard’ or ‘soft’ approach. The IAB, for example, has set out its GDPR Transparency and Consent Framework, introducing consent management platforms (CMPs) with a ‘layered’ consent process. While publishing giants Axel Springer and Schibsted Media have adopted this framework, Digital Content Next (DCN) – which represents digital content companies – has criticised the approach as one that benefits only ad tech companies rather than the publishers they work with, and has called for it to be considered as a ‘non-starter’ by its members.   

Google has taken a tougher approach by launching its own consent tool, limiting the number of supply chain partners that can request consent. Any publisher that uses its default consent technology will only be allowed to share data with a maximum of 12 ad tech vendors. This approach is not surprising when you consider that the GDPR requires any tech provider to be named during the opt-in process. It also supports the view that publishers will drop ad tech vendors who can’t guarantee compliance, in a bid to simplify and secure their own data processes. 

Regulators will be disappointed that, in many cases, the driving force behind GDPR solutions is maintaining the established industry structure or existing competitive positions. The radical and transformative nature of the GDPR – the accountability principle and consumer centricity – is not going away, and will unleash new technology and innovation, and consumer empowerment. After all, it is these forces which have driven and shaped the internet up till now. 

Spotlight falls on enforcement 

The penalties for breaching the GDPR are severe – up to €20 million or 4% of annual global turnover, whichever is higher. Some parts of the digital industry are counting on an informal extension of the two-year transition period for GDPR enforcement, but the active involvement of regulatory authorities in the Facebook saga makes this far less likely. 

The Irish Data Protection Commissioner, the lead regulatory authority for Facebook in Europe, was reported to be “following up” about third-party data users on the platform and said it would issue guidance about ads received via social media. The UK Information Commissioner’s Office (ICO) also waded into the Facebook enquiry, obtaining a court order to raid the London offices of Cambridge Analytica. Add to this equation increased pressure applied by privacy advocacy groups, and data regulators are unlikely to take a soft stance on post-May GDPR breaches. Whether this actually results in a harder enforcement of the regulation in an effort to set an example remains to be seen. 

While the GDPR itself is already set in stone, the accompanying ePrivacy Regulation – which extends the GDPR to cover the unique characteristics of the electronic communications market – is still in the critical final drafting stage. The Facebook scandal gives policy makers licence to ratchet up the provisions of the ePrivacy Regulation meaning this is likely to clamp down harder than expected on the practices of the digital industry. 

Another area of GDPR enforcement impacted by the Facebook scandal is the new right of data controllers to perform on-premise inspections and audits of data processors. Widespread scepticism over whether these inspections would realistically take place is being replaced with an expectation they will become the norm, following Facebook’s move to deploy a team of forensic data auditors to check whether Cambridge Analytica fulfilled its promise to delete data.

In addition to being under close scrutiny from regulators, governed by stricter provisions under the ePrivacy directive, and subject to inspections and audits, the digital industry may also be in for a tougher ride from consumers. The GDPR brings in specific provision for the use of class action suits by consumers against data controllers or processors who they believe have broken the law. A flurry of cases across Europe is to be expected as consumers test their new rights, particularly in light of the multiple class action suits against Facebook in the US.

Lessons from Facebook in a post-GDPR world   

One of the key messages to arise from the Facebook row is that aspects of the digital ecosystem and its culture are out of step with consumer and regulatory trends. One common argument against data regulation is that openness and the flow of data across the ecosystem, as the drivers of progress, are in conflict with privacy. This doesn’t have to be the case. The challenge for digital businesses is to understand the next wave of innovation will come from companies who can deliver technology that maintains the flow of data while providing privacy. 

Secondly, detractors of the GDPR focus on the legal and technical aspects of the situation without understanding that data privacy is an emotional issue for consumers. In the post-GDPR world digital businesses must be prepared to engage with consumers at this emotional level about the handling of their data. They need to offer greater transparency and finer granularity of controls, moving from simple tick-box exercises to a true understanding of how consumers feel about the use of their data for specific purposes. By sticking to clean, first-party, transparently acquired and consent-based sources of data, digital business can build trusting relationships with consumers.

The Facebook case also illuminates the need for comprehensive data supply-chain management within the digital sector. Data controllers must have visibility of what is happening with user data at every point in the process. The GDPR’s focus on end-to-end accountability will drive market demand for better data logistics, and digital businesses should consider adopting technology that will provide this visibility. 

A final lesson for digital businesses is to act immediately and without hesitation when a problem is identified. The GDPR demands immediate action: for instance, businesses must report a personal data breach within 72 hours, and they are expected to have robust detection, investigation, and reporting procedures in place. The longer data protection problems are left unsolved, the more culpable businesses become. 

The Facebook case should act as a wake-up call for any business dealing with personal data, especially in light of the impending GDPR. By putting digital businesses under scrutiny, raising the alarm with regulators, and increasing consumer awareness of data privacy, the scandal may not result in a harder GDPR, but it will certainly preclude the soft enforcement many are hoping for. Digital businesses must learn from the situation to ensure they are in a better place to gain consumer trust in a post-GDPR world.

Chad Wollen, Chief Marketing Officer at Smartpipe 
