Last month, TACD hosted a half-day workshop in Washington, DC, "Ensuring Privacy Rights for All," that brought together industry, privacy and consumer advocates, and relevant government authorities to examine how US-based companies can best follow the new rules for accessing the European market under the General Data Protection Regulation (GDPR). Participants from the US and Europe also discussed how US companies can extend the GDPR privacy rights to US citizens rather than discriminating against US consumers in terms of privacy protections.
The well-attended event kicked off with a discussion of what is really new for consumers and citizens in the General Data Protection Regulation, compared to the existing data-protection regime. Our colleagues from the EU Commission suggested that we are dealing with an "evolution" of individual rights under the regulation, in which the existing individual rights are strengthened and enhanced. For example, the requirements for meaningful consent are stronger. The territorial scope of the regulation is also broader and better for individuals: if a company offers products or services to individuals who reside in Europe, or targets them with advertising, that company is subject to the GDPR regardless of where it is located. The GDPR also emphasizes transparency of data practices and strengthens the remedies and redress rights of consumers. In addition to these enhancements, the GDPR features a new right to data portability, which allows individuals to receive their personal data and transfer it from one controller to another, alongside the right to have personal data erased. Furthermore, civil society organizations can now take action on behalf of citizens, who are often unaware of violations and lack the means to act, yet are frequently the most vulnerable and most affected.
Company representatives at the workshop characterized the regulation differently. They contended that it is a "law like no other" and, rather than being an evolution, represents a revolution. The impact of the regulation will be felt around the world, they claimed, and not just in Europe, but critically in Silicon Valley as well. As such, the regulation represents a cultural shift that poses many challenges for companies. For example, the additional right of data portability raises the question of which data (such as transaction data) belongs to the customer, and which belongs to the company. Similarly, rights of data deletion and correction may pose challenges both to data controllers and processors, especially for companies with old legacy data systems. Individual rights with regard to automated profiling are also challenging, and differ from related US laws such as those regulating the use of credit information and credit reports. In fact, the new obligations placed directly on data processors, such as cloud providers, are "revolutionary," as are fines of up to 4 percent of global annual turnover. Perhaps the deepest cultural shift is necessitated by the privacy-by-design requirement, a concept that requires companies to think about privacy risks at the beginning of the design-and-development process, in an effort to prevent privacy violations at the outset rather than after they have occurred. Privacy impact assessments (data protection impact assessments, in the GDPR's own terms) similarly challenge companies to consider the necessity and proportionality of the processing of personal data.
Some of the companies also pointed to the breach-notification requirements as a significant challenge, especially the requirement to notify Data Protection Authorities (DPAs) of a personal data breach within 72 hours of becoming aware of it; they questioned the wisdom of this requirement, wondering whether it will lead to over-reporting. They also suggested that European companies, compared to US companies, will be less prepared to address all the security requirements of the GDPR.
Several corporate representatives did agree, however, that complying with the GDPR is an opportunity for some companies to position themselves in the market as pro-privacy and pro-consumer. One of the unforeseen consequences, in fact, might be that the GDPR further empowers large companies, which are in a better position to distinguish themselves than medium and smaller companies are. Thus the GDPR might unwittingly contribute to their continued dominance in the marketplace. Furthermore, one panelist pointed out, the GDPR might already be outdated in terms of addressing some of the more complex social issues that derive from data extraction generally, such as discrimination and increased social inequities, which go beyond a focus on personal data regulation.
One basic question remained unanswered by the companies participating in the workshop: how will US companies reconcile their current business models, centered around ever more data collection, tracking, and processing and on extracting the highest value from that data, with the more stringent requirements of the GDPR? The representative of the EU Commission reminded all present of the intent of the legislation: companies need to justify their data practices, their data collection, and the uses to which they put that data. It is now imperative for companies to consider the principles of necessity and proportionality. This privacy-as-a-fundamental-right perspective must be a guiding principle for all companies involved in data collection and processing after May 2018.
As the workshop transitioned into the second panel, an audience member asked what would happen to US law once large US companies are in compliance with the GDPR. Consumer groups present called on US companies to "do the right thing" by extending the GDPR privacy rights to US citizens as well. First, however, they made it clear that US consumers presently have very few, if any, privacy rights. US companies should not continue to treat privacy as a commodity up for negotiation, and consumers, in turn, should ask themselves: do businesses serve us, or are we subservient to business interests? As technology becomes more and more intrusive, this question becomes increasingly urgent, and also a moral imperative.
Other advocates pointed out that only if the European Data Protection Authorities consistently enforce the GDPR will there be an incentive for US companies to comply. In the absence of such enforcement, advocates will not have a lot of leverage in seeking US companies’ compliance. Thus advocates must harness the GDPR to bring more awareness to European and US consumers, using the GDPR to expose unfair practices and to raise standards across the Atlantic.
Company representatives, perhaps predictably, argued that the US approach of sectoral laws is a good way to regulate privacy, and that it is too soon to tell whether the GDPR will be a better alternative. Many questions remain unanswered before the European approach could be extended to the US, they said. A representative of the FTC agreed, warning that it is premature to look to the GDPR as a model. In the short term, that regulator believed, we should stay focused on enforcement of existing US laws and regulations, and only then begin to assess the GDPR's comparative effects on privacy and to evaluate its overall costs and benefits.
In response, advocates admonished the FTC that it does not currently have the authority, the resources, or the political will to protect the privacy of US consumers. It is precisely this lack of commitment that has produced the flourishing of the dominant business model, which is entirely dependent on secondary uses of data and intense data extraction. In that sense, it is the FTC and the US Congress that are responsible for current problems around the world.
A company representative suggested that EU and US consumers have different sensitivities and interests in privacy, with European consumers being more concerned than their American counterparts; perhaps, then, US policy should differ. Advocates argued that this impression is premature, the result of a decades-long lopsided policy debate. In the US, the public discourse has been dominated by an approach that sees individual privacy self-management as the solution, with corporate interests succeeding in their suggestion that no harm results from consumers trading their personal data for "free products" or other enticements. NGOs must help to frame the debate in broader terms of benefits and risks to individuals, groups, and society at large; we need to talk about who is winning and who is losing in these various data transactions. The most recent debate about Russia's ability to manipulate the electorate via personalized digital marketing and the unrestricted use of consumer information for political targeting might help raise awareness of these issues. Other workshop participants agreed, pointing out that it is important to develop new standards that let consumers evaluate products and services on a routine basis. Currently they cannot make such evaluations, and have no way to distinguish good data practices from bad. There is a clear need to change our privacy norms and expectations.
The participants raised other GDPR provisions that US companies should implement. There appeared to be some consensus among companies and advocates that a privacy-by-design approach, as a process, although difficult to implement, would be an important step forward. The companies seemed to embrace the concept as a method to deploy, but seemed less eager to implement the specific GDPR rights through that method, as indicated above. Advocates agreed that it is important to have a privacy-by-design process in place and to develop privacy impact assessments. The right culture and infrastructure have to exist to implement strong rights. Still, advocates cautioned, firm rules and strong privacy rights, as a foundation to be implemented through a privacy-by-design process, are necessary to make this meaningful.
It is clear that US companies play a critical role around the world and at home in the struggle to develop a fair, equitable, and just 21st-century data society. It is not enough, advocates warned, for companies to adhere to the GDPR in Europe and merely attempt to limit harm to consumers in the US. These companies have a responsibility to shape values proactively in the public interest. At this time, it is not clear what the endgame for the US will look like: will there be an additional sectoral law, for example, focused on the "Internet of Things"? Will an abundance of confusion and overlap among these approaches ultimately lead to a call for comprehensive privacy legislation in the US as well?
Perhaps one cautionary insight from the history behind the GDPR is that consumers must be able to trust their business counterparts. An economy without that vital ingredient may collapse. Consumer advocates in the US will continue to play their part to guard against that, as they have successfully done in Europe.
So, with these weighty thoughts, the first in a series of TACD dialogues concluded. Judging from the lively discussions during the break and after the event, this important conversation will continue.
TACD has also produced a companion fact-sheet designed to compare the incoming EU GDPR to Privacy Shield.
This event operated under the Chatham House Rule to promote an open and frank dialogue.