Europe’s new privacy law comes with teeth. Within hours of the General Data Protection Law (GDPR) coming into effect, an Austrian privacy campaigner used the new EU legislation to file a legal complaint against Facebook and Google. It’s too early to tell how the case will be resolved, but companies that violate the law can be fined up to 4% of annual revenue. That means the two companies could be fined a total of €7.6 billion (£6.6 billion).
Yet, even as most internet users were dealing with a deluge of GDPR-related emails from companies trying to follow the law, it occurred to me that what is possibly the most strident attempt by lawmakers to protect people’s privacy still won’t be enough. Not even nearly. The problem is that the law doesn’t protect the data that is most precious to tech firms, the inferred data produced by algorithms and used by advertisers.
The basic premise of GDPR is that consumers must give their consent before a company such as Facebook can start to collect personal data. The company must explain why data is collected and how it’s used. The firm also isn’t allowed to use the data for a different reason later on.
All these rules naturally translated into consent boxes that “popped up online or in applications, often combined with a threat, that the service can no longer be used if user(s) do not consent”, observed Max Schrems, the campaigner who has filed the complaint against this “take it or leave it” approach.
Still, any new cases against Facebook and Google could go the way of the current enquiries into the Cambridge Analytica scandal. Addressing EU representatives during a parliamentary hearing, a suited-up Mark Zuckerberg was recently seen rehashing a familiar narrative, that he’s sorry and hasn’t “done enough to prevent harm”. “Whether it’s fake news, foreign interference in elections or developers misusing people’s information, we didn’t take a broad enough view of our responsibilities,” he said.