It is rare that anyone feels much sympathy towards the behemoths of the internet, Facebook and Google. But spare a thought for these giants when it comes to implementing the upcoming General Data Protection Regulation (GDPR). The GDPR is due to become law for all organisations handling the data of EU citizens from 25th May 2018, and its reach extends much wider than Europe itself, meaning that although US data protection laws are significantly less onerous, global companies will be compelled to fall into line. With fines of up to £17m or 4 per cent of global turnover (whichever is higher) at stake, even Facebook and Google are having to sit up and take notice. Yet the two companies are currently handling the issue of data protection very differently.
One of the main principles of GDPR is the ‘right to be forgotten’. Under GDPR, people must give explicit consent for their personal information to be collected online, meaning that ‘opt out’ boxes will be replaced with ‘opt in’. Individuals will also be able to ask for any personal data held by companies to be deleted, and details of any information held must be made easily available at no cost.
Google has publicly stated that it will be ready. Two Google executives blogged in May that “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018… We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process”. Given the scope of Google’s business, this commitment will require detailed processes and significant investment, but it will no doubt have a beneficial impact on the organisation’s worldwide reputation.
Facebook has made no such promises. Having already dropped into hot water when the European Commission fined it £95m for providing misleading information when it purchased WhatsApp in 2014, it was also fined £129,000 by French authorities in May 2017. This was because of its questionable data sharing and user tracking. In Italy, its new acquisition WhatsApp was recently fined 3 million euros for making users agree to share personal data with Facebook. Facebook is also being investigated by authorities in Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of their data for advertising. This is all before GDPR becomes law.
Facebook’s seemingly cavalier attitude toward data protection is perhaps better understood in the context of the new American administration. On 3rd April 2017 President Trump signed a new law making more personal data legally available. With the previous legislation overturned, Internet Service Providers in the United States are now able to access and use all but the most sensitive personal information. Much of this personal data is likely to be harvested and sold to digital advertisers. Yet as long as its reach is global, Facebook is still bound by the legislation in Europe, just like the rest of us. Mark Zuckerberg would be wise to embrace the change rather than fight it, because the cost of non-compliance will be immense.