In May the European Union’s General Data Protection Regulation goes into effect, two years after passage by the European Parliament. This radical new privacy law, which covers any business that processes information about EU residents, will dramatically affect the way data is collected, stored, and used, including for U.S. companies doing business abroad.
In the U.S., lawmakers are now circling waters bloodied by revelations regarding potential abuse of Facebook’s social media data, with CEO Mark Zuckerberg scheduled to testify on Capitol Hill this week about the “use and protection of user data.” Facebook’s woes, following continued reports of major data breaches at other leading companies, have amplified calls for GDPR-like legislation in the U.S.
A Refresher on GDPR
For now, GDPR, which replaces previous EU mandates on data collection and use, differs significantly from U.S. law, pushing the two regions further apart in their approaches to regulating the digital economy.
What Is GDPR?
Data collection for European users, for example will require frequent and explicit consent (“opt-in”), which can be withdrawn at any time “without detriment.” Consumers have been granted a new right to take with them data deemed personal, with the costs borne by the entity that collected it. Security breaches, broadly defined, must be immediately disclosed, even if the entity is unaware the breach has occurred.
The new rules also include an extended version of the so-called right to be forgotten (or “right to erasure,” as it’s now being called). The person to whom any information refers can demand removal of that data under a variety of conditions, including that the subject “objects” to further processing. It’s possible this could lead to even more search results and news stories reporting true facts being effectively unwritten.
Europe’s expanded privacy regime has already been the subject of a great deal of criticism, including from privacy advocates. GDPR’s definitions are broad and vague (personal data means “any information relating to an individual, whether it relates to his or her private, professional or public life”); its penalties are astronomic (€20 million or 4% of annual revenue, whichever is greater, for violations of most provisions). Data collectors can be held responsible for violations by third-party users.
Though the new law was intended to unify and simplify European data practices, moreover, the minimum cost of compliance for anyone doing business with any EU resident is estimated by one survey at $1 million just for changes to IT systems, not to mention the costs of a newly designated data protection officer.
GDPR also bears more than a hint of the kind of protectionism that has featured prominently in EU technology policy since the 2015 release of the plan for a “Digital Single Market,” including recent announcements of new taxes for U.S.-based internet companies and continued antitrust complaints by EU regulators. While European data may still be legally stored outside of the EU, for example, it’s much easier to comply with GDPR if data remains within the borders — a boon to a fledgling European cloud services industry.
The End of Industry Self-Regulation
A worsening information cold war aside, the U.S-based content industry largely has itself to blame for the EU’s draconian new rules, as well as those now being reconsidered at home.
Internet companies have had over a decade to integrate basic data collection and use safeguards into their operations, including limiting the data they collect and adopting international information security standards. These efforts have mostly failed. Today nearly 40% of all cybersecurity incidents involve insiders, not hackers.
Until now, a fast-spreading epidemic of data misuse incidents has been largely overlooked by lawmakers, including breaches and data misuse at Yahoo, Facebook, Target, Equifax, and Under Armour. Though each incident generates its own round of hearings and regulatory fines, basic privacy law has remained unchanged.
But at least in Europe, and perhaps soon in the U.S., industry self-regulation appears to be ending. That’s bad news, and not just for companies increasingly reliant for revenue on data collection, analysis and intelligence. While GDPR is certain to improve choice, control, and transparency for EU consumers, these new powers come with new responsibilities and new costs for users, not least of which are ballooning budgets for data management and enforcement bureaucracies worldwide.
And governments are hardly the experts on data security. There have been even bigger breaches of sensitive data controlled by U.S. and EU governments themselves. Yet many government violations of GDPR are notably exempted from the regulation.
More directly, users will be barraged with interruptions to the flow of their online lives, forced to review, decide, and reconsider each element of information they enter. In economic terms, every new mandatory disclosure, user control, and privacy “dashboard” introduces transaction costs into interactions that previously didn’t have them.
Transaction costs are already abundant in our digital lives. The increasingly granular and configurable privacy controls offered by large internet platforms including Google and Facebook, for example, are already impenetrable for most consumers.
At some point, perhaps very quickly, disclosed information becomes TMI — too much information. As anyone who has ever bought a home can appreciate, the transparency that comes with hundreds of pages of mandatory disclosures from lenders, sellers, and government agencies often means that the important information — the questions that actually matter — get lost.
With even more transparency and mandatory choices, online users may just accept, or reject, everything — the opposite result of what advocates claim to be promoting.
Whither the Internet’s Grand Bargain?
Whether these new user burdens are offset by personal benefits will, of course, depend entirely on the particular consumer, the product or service involved, shifting and often paradoxical attitudes toward use of information, or perhaps just the time of day. After all, users will be faced with what may be hundreds or even thousands of such choices that must be made with as many smartphone apps, interactions, and websites.
For companies that collect and use customer data, however, the cost of new systems and the infrastructure necessary to support, enforce, and audit them will directly translate to added expense. Those costs, coupled with an unmanageable risk of company-ending fines, imposed by bureaucrats who may be motivated more by politics than pragmatics, could transform the nature of digital interaction.
How? GDPR, and calls for similar regulation in the U.S., may lead to the end of what has long been the internet’s grand bargain: the exchange of free or subsidized content for personalized advertising.
The grand bargain has been the fuel of digital growth for over two decades. But search engines, social media providers, and e-commerce platforms, along with user forums, news sites, and emerging internet-of-things service providers large and small, may rationally conclude that the new costs and potential penalties associated with collecting, analyzing, and marketing user-provided information have become unsustainable, requiring a new business model altogether.
That may also mean the end of customized recommendations from Amazon, streamlined searches from Google, tailored music from Pandora, and other services that use “private” information to give each user a personalized online experience. Again, the risks of collecting such information may be too great for services providers to stomach, despite the obvious value to users.
The age of the free and open internet may come to an end, and quickly. That may have been the true goal of many calling for “regulation” of tech companies in the first place. If so, the unintended impact on average consumers will be severe and, perhaps for many, decidedly worse than today’s admittedly messy and often leaky online experience.
New Business Models, Old Strategies
If the grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services. The easiest solutions, which have evolved in parallel with the free internet, include subscription-based access behind paywalls, supplemented by generic advertising. That’s been part of the longstanding business model of print newspapers, of course, and it’s increasingly favored by their online equivalents.
We may also see more tiered pricing, with teaser or particular kinds of content available for free or for a limited period, or, as with most cloud-based software, free access to a basic product with premium features available only to paying customers — the approach of companies as varied as Dropbox, Spotify, and Harvard Business Review.
With improved efficiency in payment technology, especially mobile payments, microtransactions may play a bigger role. One could speculate that users may be asked to pay each time they search for something or play music, the way they pay for each latte at Starbucks.
Speaking earlier this week about Facebook’s woes, Apple CEO Tim Cook seemed to embrace a shift to a paid internet. He noted that Apple, which does little in the way of customer data analysis, could always “make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”
That, of course, was a choice of business strategy. Rather than subsidizing hardware and software through advertising and other indirect sources, Apple built its digital business by cultivating a premium brand that offers products with equivalent functionality at significantly higher prices. Apple’s success has proven that, at least for market segments of more-affluent consumers, the model can succeed fantastically, even in the age of the free internet.
As information collection and use become more expensive through GDPR and its progeny, however, it may be a strategy that nearly every digital enterprise finds itself forced to embrace.
If so, inevitably consumers will pay the price, directly and otherwise. The transition will be chaotic and even traumatic for users weaned on free stuff, many of whom will be unable to pay for services that are no longer ad-supported and are less personalized. Our great global conversation may become both quieter and more insular.
For those who can afford it, the EU’s new deal for data will make interactions feel more private and less, well, creepy. The question EU regulators and their supporters abroad never seem to ask, however, is this: What about the rest of us?
from HBR.org https://ift.tt/2IFiCA8
