Inboxes around the world are clogging up with requests from businesses that you may barely remember ever using to store your personal data. Much of the time the response is: Lose my number.
This deluge of spam has been triggered by the European Union’s biggest change to data privacy law in 20 years.
The General Data Protection Regulation 2016 (GDPR) came into force on May 25 and bolstered EU residents’ rights to control their own data. At the same time it imposes a significant compliance burden on businesses as well as threatens to strip them of customers who do not hit the consent button in those pesky emails.
To be sure, GDPR primarily affects organisations operating within the EU, but it expands the territorial scope of the EU data protection laws around the world and serves as a model for other regulators to study and use as a blueprint.
“Asia Pacific-based companies with no presence in the EU will be caught by the GDPR if they either target offers of goods or services to, or monitor the behaviour of, individuals in the EU,” according to a briefing document by law firm Clifford Chance.
A breach could result in a fine of up to 4% of the company’s global annual turnover, or €20 million ($23.2 million) whichever is greater: potentially a company-ending event.
“GDPR will have significant impact on China’s enterprises that target the European market,” said Heffels Spiegeler attorneys in a briefing document.
Information collection and use post-GDPR and its legal progeny, look set to become more expensive.
“In practice, a non-EU business that trades online, has a website in English which allows EU customers to place orders, and ships products to any customers in the EU, risks falling within the GDPR’s scope, unless the business can still somehow show that it did not intend to offer goods or services to EU data subjects,” law firm Deacons said in a note to clients.
GDPR makes clear that “monitoring” the behaviour of EU residents means tracking people on the internet and includes using their data to profile people, to analyse or predict their preferences, behaviours and attitudes.
This should apply to the use of cookies, location tracking apps, or other types of web analytics tools, where the information collected renders an individual identifiable.
“Alibaba collects a huge amount of electronic data in the EU market through AliExpress, and transfers this data to other Alibaba Group related businesses in Alibaba’s e-commerce ecosystem in order to complete transactions or to conduct marketing research,” note the Heffels Spiegeler attorneys.
This is also true of course of Alibaba’s arch-rival Tencent.
A non-EU social network provider that allows users from within the EU to join, or a non-EU app developer that gathers location data of EU citizens from their smartphones, may also be required to comply with GDPR.
Tencent’s QQ messaging app is available for use in Europe.
China’s biggest internet platforms may be feeling complacent as GDPR comes into effect.
Controls on data increase barriers to entry, so that established players will still have the best search engines or targeted advertising.
Internet operators with everyday use case services have a higher likelihood of being able to secure the consumer's consent to use their data, whereas advertisers will struggle to win an opt-in and become more reliant on the platforms.
Big Tech may cry 'we aren’t causing any harm and we offer consumers the convenience of price discovery and rapid shipping on the e-commerce side'.
However, they may be missing the big picture.
Larry Downes wrote in the Harvard Bussiness Review that GDPR could herald the end of the internet’s grand bargain: the exchange of free or subsidised content for personalised advertising.
DATA SOVEREIGNTY
Yes Brussels is taking the lead, partly due to greater European scepticism about market mechanics and a lower threshold for proving dominance, but signs are data sovereignty looks set to spread, compounding the impact on Big Tech.
“We see GDPR as an evolution of the existing regulatory environment which likely becomes increasingly stringent in regards to breach prevention and the protection of personally identifiable information,” said equity analysts at RBC Capital Markets in a report.
In China, a Cybersecurity Law came into effect June 1, 2017. On February 22, Australia’s Privacy Amendment Act of 2017 became effective and applies to international companies who collect or hold the personal information of Australians.
Slightly ahead of the curve, Japan introduced amended privacy rules to the Japan Information Protection Act, which went into effect on May 30, 2017.
The US Congress appears divided on the best way to regulate Big Tech as it mulls news that the data of 87 million Facebook users was improperly shared with Cambridge Analytica, a firm associated with President Donald Trump's 2016 election campaign.
But even in big capital’s heartland, data protection is gaining ground. In December 2017, the Data Security and Breach Notification Act was introduced in the United State Senate, which would have created a federal law requiring companies to report a breach within thirty days.
For now, heavier data protection could speed up tech companies’ push into Southeast Asia where privacy laws are limited in comparison.
The road to regulating Big Tech
¬ Haymarket Media Limited. All rights reserved.
