Protecting privacy in a data-driven world

On October 6, 2015 the European Court of Justice struck down the US-EU Safe Harbor framework that set the privacy rules for the transfer of personal data between the European Union and the United States. The EU-US Privacy Shield was negotiated to take its place. American companies hosting European data have to comply with the new agreement, which follows the rules established in the data protection regulation for European individuals known as the General Data Protection Regulation (GDPR).

The GDPR, created by the European Parliament, the Council of the European Union, and the European Commission, comes with new rules and financial penalties for running afoul of the EU’s directives; it takes effect on May 25, 2018. The new liability can escalate to up to 4% of the total worldwide annual revenue of any entity that transfers, stores, or processes data incorrectly on a European individual regardless of where the parent company or its subsidiary may reside.

The GDPR may be a wake-up call for the digital advertising ecosystem that uses massive amounts of data as the fundamental base for their business model. Take for example, Oath, Verizon’s recently created subsidiary that houses the combined properties of AOL and Yahoo. Oath is designed to be a media and advertising arm of the communications company and expects to integrate their product offerings so both their customers and advertisers will benefit from the combined relationship.

This is a perfect example of a large organization that will want to update its terms of service to ensure its customers and the parent company are protected from any European citizens who may have legacy AOL or Yahoo accounts as these relationships migrate to Verizon. The point of the merger is to combine the businesses to allow advertisers to target ads across sites with information including customers’ usage of apps, location data, demographic details, and search results. To allow them to do this, their customers must individually agree to a much wider use of their data than the Europeans find palatable.

However, Verizon is just one example. Google and Facebook have flourished in recent years thanks to this type of crossover data analytics capability.

The need to comply with the EU’s new data protection regulation is a wake-up call for any company that creates, stores, manages, and transfers data on its clients. Gathering data should be through consent, and processing personal information should be transparent under the GDPR guidelines.

It’s imperative for corporations to take a serious look at the data they capture and how they request and manage a consumer’s consent. We will most likely see a rise in new anonymization technologies that will help give advertisers and marketers the ability to take individual identities out of their information flow while still allowing highly specific, targeted advertising based on demographics. We will also see a rise in legal language in the “I agree” click through contracts that allow consumers access to apps and website information. We may also see more instances of apps not functioning in geographic areas where data protection laws are restrictive of data sharing. Certain apps may become unprofitable as companies whose business model is to collect and distribute consumer data to third party marketing and advertising firms will seek to avoid liability for major fines.

As The Economist stated recently, “the world’s most valuable resource is no longer oil, but data.” Moving forward, there will have to be a major overhaul of the laws and regulations that govern online privacy if we want to keep the information and services flowing that enable the digital economy to continue delivering innovative advances and producing record profits. Extracting data with a purpose is the foundation to cutting-edge technologies like artificial intelligence and virtual experiences that we expect to drive the next chapter of the technology economy. Keeping data flowing is key, and collecting data in a cost-effective and legal manner will be a challenge of 2018 and beyond. Policymakers and lawyers will have to find the right balance to protect consumers while keeping valuable data sailing free and unfettered around legally troubled waters.

 
Shane Tews is a visiting fellow at the American Enterprise Institute (AEI), where she works primarily on cybersecurity and internet governance issues. She is also president of Logan Circle Strategies, where she focuses on information and communication technology and cybersecurity policy issues.