How the EU's New Privacy Law Will Impact Big Tech in 2018

The digital age has created the possibility of doing the same old things in new ways. But every time we do any of these things, we put a piece of ourselves on the information grid where big companies fight to access it, all for the noble purpose of “serving us better.” Of course, they also try to capture the information for leverage against each other, because that’s what brings in profits, thus kind of defeating the purpose.

Whatever the current situation, the information age is evolving, so the rules designed to protect our interests also need to evolve. The European General Data Protection Regulation (GDPR), which was accepted on May 25, 2016 to go into effect on May 25, 2018, was framed for this purpose. GDPR essentially defines and strengthens the rights that data subjects residing in the European Union have regarding personal data relating to them, and attempts to unify data protection laws across Europe, regardless of where that data is processed.

On the face of it, the regulation makes tech companies’ worst fears a reality:

Personal data: The definition of personal data has been expanded to any information relating to an identified or identifiable natural person. So IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID) and International Mobile Equipment IDs (IMEI) among other things are now included in the definition.

Sensitive personal data: The current law from 1995 treats health records, religious affiliations, racial/ethnic origin, political opinion, trade union membership, physical/mental health, sexual preferences and offenses/convictions as sensitive personal data. GDPR adds genetic and biometric data to the list. Organizations can only request this kind of data in the framework of legal procedures and only if they safeguard the individual’s vital interests.

Explicit consent: No information can be collected from any individual for whatever purpose without their explicit consent regarding the nature of data being collected and the purpose for which it will be used. The data is also required to be removed on request if it was collected to facilitate the provision of services that are no longer required. Individuals and organizations also have the right to be forgotten, so people can have their information scrubbed from the public domain if they so choose.

Access to data: The earlier rules required companies to furnish the information they held on consumers after payment of fees. Requesting data has now become free. Companies will have to tell their patrons/users what personal data is held on them, also where, for what purpose and how it is being processed.

Privacy by design: Systems should be designed so that companies only hold and process data when absolutely necessary. They shouldn’t store data incidental to the services they offer for processing later on, so privacy must exist by default. Moreover, their systems should have controls and mechanisms for the protection of data held and/or processed.

Breach notification: Hackers are getting smarter by the day, leading to data breaches at retailers, media and technology companies. Since these businesses have huge data pools, each breach could affect millions of people. At times, companies (like Yahoo) haven’t informed users when their data was compromised, thus increasing the risk of identity theft and making users wary. GDPR mandates that a person has to be informed within 72 hours when his/her data has been breached.

Data protection officers: Data processing companies with over 250 employees are required to appoint a data protection officer (DPO), who will be responsible for the management and protection of data within the company and the systems processing it. The DPO will be somebody conversant with data protection law, will be the point of contact for regulatory enquiry or data requests and will report to the highest level of management. So both data controllers (entities that decide the purpose and manner in which personal data is used, or will be used) and processors (persons or groups that process data on behalf of the controller, including the functions of obtaining, recording, adapting or holding of personal data) may need to employ a DPO.     

Data portability: Companies are required to move personal data pertaining to any individual to another company/controller/online platform if so directed by the individual concerned. For this purpose, they may receive a copy of their personal data in a commonly used machine-readable format for transfer from one controller to another or have the data transferred directly to another controller.

Huge fines: With the GDPR implementation, companies will be liable to pay huge fines for noncompliance with any of the above. For smaller offenses, a company may be fined up to €10 million or 2% of its global turnover, whichever is greater. More serious or continuing noncompliance can lead to fines of up to €20 million or 4% of global turnover, again whichever is greater.

Effect on Technology Companies

The GDPR might seem like a bad deal for big technology companies, but in fact, having well-defined rules that are up to speed with new technological trends like cloud-based delivery of services, IoT, machine learning and social networks actually helps them to frame company policies and build adequate systems around them. Since they don’t have the monetary constraints that smaller companies do, they are better equipped to be in compliance when the GDPR becomes enforceable. Alphabet’s (GOOGL) Google, Microsoft (MSFT) and Amazon (AMZN) have already said that their Cloud, Azure and AWS services, respectively, are on track to be in compliance when the rules go into effect.

But the GDPR gets trickier when individuals are involved, with advertising technology companies impacted the most. Not all of them are directly connected with the user, so obtaining permissions can be difficult. Also, targeted advertising involves several processes: collecting user data, then holding, matching and analyzing it, and on the basis of these operations, offering some products and services to users. So profiling is important for targeted advertising in a way that data mining for machine learning purposes may not be.

Advertisers generally use unique mobile device identifiers (much like cookies) to determine if they have already served an ad to a specific user, to retarget them and also to determine the frequency at which they should be targeted. The identifier tracks the user’s behavior across apps and the web, becoming central to the profiling process. The problem arises when an app obtains permission to use data that is linked to the device ID because it may also be linked to a database that contains other information on the same device ID. Thus a simple online purchase can result in sensitive information becoming identifiable with a person’s name, address or phone number.

Companies like Google and Facebook, which collect user data for targeted advertising, are required to obtain explicit permissions. Since they have direct connections with users, they are in a position to ask for them. If the permissions can be linked to benefits, users may be more willing to share.

The GDPR says, “A purpose that is vague or general, such as for instance ‘improving users’ experience,’ ‘marketing purposes’ or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific.’” So the companies can no longer ask for broad and sweeping permissions covering all their services. They have to offer either an opt-in for the tracking, or give users the details related to their data along with a chance to opt out. This is a blessing because at least some users, some of the time, don’t read through permissions or may not be inclined to act to opt out of something.

Technology companies building apps that are widely in use, or those operating an app ecosystem like Apple (AAPL), Amazon or Google, may be required to check data flows to ensure that no permission passes inadvertently, particularly because apps generally don’t have any restrictions on sharing information between each other, a flaw that can be exploited by malicious apps to steal information or break into a device.

Conclusion

There are two aspects to privacy that the GDPR attempts to address. The first is with respect to ownership of personal data that remains with data subjects (whether individuals or organizations), so anybody wishing to use this data is required to obtain necessary permissions. The second is with respect to responsible use of the data by implementing adequate security measures to prevent data or identity theft after explicit permission has been obtained.

While adhering to the new rules will be both difficult and expensive, it appears that the larger technology companies will play an even greater role in the data flow process, necessarily remaining as gatekeepers to the web. That’s because they possess the kind of resources that will be required for the most sophisticated security systems and are also in direct contact with the end customer.
