Facebook and other social networks face lawsuits under a new EU privacy law. If they lose, the consequences may be global, says an observer at NTU’s Wee Kim Wee School of Communication and Information.
SINGAPORE: In the last few weeks, online services sent emails or pop-up messages notifying us of updates to their privacy policies.
Why so many notifications at once? The European Union’s General Data Protection Regulation took effect on May 25. Any organisation doing business in the EU — like Facebook, Instagram, WhatsApp, and Google — must comply or face staggering fines of up to 4 per cent of global revenue.
Appearing to follow the law, online services tweaked policies and sent those notices to users everywhere. Most of us probably did what people around the world do to privacy notices: Ignore them, or check whatever box makes them disappear.
What do they have to do with Singapore users, after all?
Depending on what happens next, this EU law could end up changing the social networks’ business models, and their users’ experience, here in Singapore and around the world.
Three scenarios could bring greater data protection, if users demand it.
SCENARIO 1: EU REQUIRES NETWORKS TO ASK US TO CONSENT TO TARGETED ADS
Singapore is ahead of many nations in privacy protection. In 2012, Parliament presciently passed the comprehensive Personal Data Protection Act.
GDPR has some of the same requirements as PDPA. But GDPR is even tougher and covers more people.
GDPR requires an online service to ask users who are in the EU to take some action, like checking a box that is not already checked, to consent to each way that the service uses data. Consent must be “freely given, specific, informed and unambiguous”.
Because companies like Facebook and Google must operate in Europe to maintain their global market leadership, they must comply with the GDPR.
In the two years between adoption of the GDPR and its implementation in May, many tech companies chose a consistent, global approach to privacy, at least for now, rather than conduct business differently in Europe and elsewhere.
So, to follow EU law, online services sent those annoying messages asking users around the world, even in Singapore, for consent to their terms and conditions. In many cases, if you didn’t click yes, you couldn’t use the service.
But here’s the catch.
A privacy group that calls itself NOYB (for “none of your business”), headed by the young Austrian lawyer Max Schrems, filed lawsuits in several European jurisdictions. The group argued that when Facebook, Instagram, WhatsApp and Google force users to accept the terms of service or leave the network, they break the law that they appear to be trying to obey.
To comply with the GDPR, the plaintiffs argue, these social networks must get users’ explicit consent to process data in any ways that are not strictly necessary for the networks to operate. And they must allow users to use the network even if they do not consent to data handling practices that aren’t strictly necessary.
If your favourite social network specifically asked you to agree to advertising targeted to you based on your demographics, your likes and your online browsing history, what would you do?
If you didn’t have to click yes to continue using the network, would you consent? Social networks fear we’d say no, we don’t need creepy ads based on what algorithms think we’ll like.
Targeted advertising is not strictly necessary for the social networks to operate, but it’s how they make money. Billions of dollars are at stake.
If enough users opt out of targeted ads, social networks might change their business models. They might start operating differently in Europe than the rest of the world.
More relevant to us in Singapore, they might start serving ads that are not customised to the individual. Some might even start charging subscription fees for some services to make up for lost ad revenue, though Facebook long ago promised to remain free.
If the plaintiffs in these lawsuits fail, change from GDPR is less likely.
As long as platforms like Instagram are allowed to make us agree to all their terms and conditions in order to use the service, we’re likely to agree. After you invest time in building a profile and adding connections, it’s not easy to transfer your data to a new network and bring your friends along, even if you can find a new network.
For now, the GDPR’s potential to yield big change appears to rest on rulings in the NOYB cases, or cases asserting a similar basis for liability.
SCENARIO 2: VOTERS DEMAND CHANGE
If European authorities do not aggressively enforce the GDPR, reform could come through the ballot box.
This November in California, Silicon Valley’s home, voters will likely decide on a ballot initiative—which is similar to a referendum—that would give users a right to stop businesses from selling their data to advertisers or others.
In most places, however, until voters elect candidates because of their stands on privacy, the law won’t change.
Right now, privacy is probably secondary to economic concerns for voters everywhere. In the United States, some voters can be mobilised by immigration, gun control and reproductive rights, but not data protection.
The status quo leaves privacy advocates in the precarious position of hoping lawmakers will protect privacy, even though lawmakers know that few votes will change if they don’t.
SCENARIO 3: CONSUMERS DEMAND CHANGE
Absent legal reform, change could result if more consumers choose devices and online services based on data protection.
Google depends on data-driven advertising more than Apple, which has historically been mostly a device maker. Apple, less reliant on processing user data, has a stronger reputation for protecting privacy. But how many of us choose a phone based on such concerns?
Consumers now prioritise other features and price, more than privacy.
NEEDED: PUBLIC CONCERN, BEFORE THE NEXT SCANDAL
Under any scenario, change requires raising public consciousness about privacy.
Our online worlds are too enticing for “what ifs” about privacy risks to interfere.
It’s human nature to be poor at preparing for a remote, uncertain threat. Look at how difficult it is for most of us to exercise and maintain a healthy diet, despite the risks of not doing so.
Just months ago, it looked like Cambridge Analytica was the scandal that would focus attention on privacy risks. The British company allegedly used Facebook data to profile voters in America, the UK, and elsewhere, and feed them fake news tailored to their vulnerabilities.
Cambridge Analytica’s profiling may have helped get Donald Trump elected and get Brexit passed.
So, if Cambridge Analytica’s alleged voter manipulation through social media wasn’t enough to generate urgency about privacy, what might? Targeted advertising based on content of personal email? Gmail already did that up until this year. Charging different prices to shoppers based on browsing history? Some e-commerce sites already do it.
It might take an outrage like a scandal targeting children, or another vulnerable population, to mobilise the public.
There’s still a chance that European data protection authorities will aggressively enforce the GDPR and online services will comply in ways that give users everywhere more choices about privacy.
But even then, transformation depends on a critical mass of users around the world refusing to simply click “agree” to everything online services request.
Sustained global attention is a tall order in the absence of foreseeable harm. Until a crisis focuses our attention on privacy, most of us will simply swat away those privacy notifications and click through to the next distraction.
Dr Mark Cenite teaches communication law at the Wee Kim Wee School of Communication & Information, where he is Associate Chair (Academic).