Think about your interaction with Facebook as a relationship. Now, imagine being at dinner with someone new and they say they are recording the conversation, taking your fingerprints, tracking your movements and they are going to share all of that data with everyone—without your knowledge or consent.
According to Matt Erickson, executive director at the Digital Privacy Alliance, that unpleasant scenario is what his colleagues are working against and what Europe’s sweeping new privacy regulations taking effect on May 25 are meant to help prevent.
During his recent Capitol Hill testimony, Facebook CEO Mark Zuckerberg said his company already has controls in place to comply with Europe’s General Data Protection Regulation (GDPR) and told lawmakers they’d likely extend some of those protections to its 2.2 billion users globally. As with anything, the hard part is in the details.
Despite the coming crackdown—the GDPR includes the right to be forgotten, the ability to easily change privacy settings without sifting through legalese and the provision that users must give affirmative consent to share their data—the new regulations may not be enough to prevent another Cambridge Analytica data scandal, or something even more pernicious, in the future.
The GDPR is backed up by potential penalties of up to 4 percent of annual revenue for tech companies that don't comply with the rules.
“The real soul of GDPR is that people should be able to have a say over the use of their private data and they should have an understanding of where that data goes and what it’s being used for,” Erickson, who is also director of client services and technology at SpiderOak, said.
Zuckerberg’s company recently announced a series of revisions to its privacy settings to help it comply with the GDPR. However, the updated settings still require users to click through cumbersome screens and specifically click small links to opt out of giving their data to Facebook.
“You should not have to dig into apps and preferences in order to opt out of these features. With GDPR, it should be privacy by default,” Diego Naranjo, senior policy adviser at European Digital Rights (EDRi), told Fox News. The EDRi is an association of civil and human rights organizations focused on digital privacy and rights.
Erickson said the GDPR is a “reaction toward the tech industry not taking responsibility to be upstanding partners in a relationship with their users.”
Privacy experts are divided over whether the new regulations will do enough to protect the massive amount of data that tech firms continue to collect and monetize.
“A lot of Americans just don’t like to be tracked. Whether it’s left or right, you have people who can voice exactly why they don’t want to be tracked by major corporations,” said Erickson. “We’re going to start seeing increased popular support for first world-grade privacy protections.”
Some of those stringent privacy protections are already in place, depending on where you live.
Residents of Illinois have been protected under the Biometric Information Privacy Act, which is one of the strictest laws of any state regarding consent, notice and disclosure procedures that private entities must follow when they collect, store or use residents’ biometric data, such as fingerprints, facial images or iris scans. Violators face fines of $1,000 to $5,000 per violation depending on intent.
“In an elevator, you don’t opt out of security. The elevator is safe by default and it should be the same for hardware and software,” Naranjo said.
Others have argued that Facebook, Google and other tech firms are missing out on a chance to make privacy the center of what they do.
“Data protection could be at the forefront of their business to say ‘we are using GDPR to protect you,’” said Naranjo. “The law is quite strong. It’s a bad strategy, going against your customers, when you can use [the privacy regulations] to your benefit.”
Erickson told Fox News that the backlash over online surveillance is starting to hurt online businesses—as consumers increasingly say they don’t trust big tech with their data—and industry innovation is being stifled.
“Right now, the whole startup market is, ‘I create something cool so that Google will purchase me,’ which is weird,” said Erickson. “We’re saying [the GDPR] can actually encourage new, more innovative companies to move into spaces that Facebook and Google have been ignoring.”
"Data should be machine readable and it should allow you to move to a different service," Naranjo said.
Nevertheless, even after the GDPR takes effect, the courts may have the final word.
Facebook was ordered in February to stop collecting data on users, under a ruling that it had broken privacy laws by tracking people on third-party sites, or face daily fines of up to 100 million euros. The long-running battle between the Belgian Commission for the Protection of Privacy and Zuckerberg's company started back in 2015.