Less than a month before tough new European privacy rules take effect, there are growing concerns from regulators, publishers, and privacy watchdogs about the ways that two internet giants—Google and Facebook—plan to implement the regulations.
The critics say the companies are squelching the promise of the new rules, and will leave European internet users no better off.
In a blog post Monday, a top EU regulator warned of “attempts to game the system,” which could lead to a “travesty of at least the spirit of the new regulation, which aims to restore a sense of trust and control over what happens to our online lives.”
Giovanni Buttarelli, who as supervisor of the European data protection authority is the continent’s top data-protection watchdog, said companies’ “take-it-or-leave it” propositions, which come with “a hint of menace” violate “at least the spirit of the new regulation.”
Buttarelli called data-hungry online platforms “digital sweat factories” that “[farm] people for their attention, ideas and data in exchange for so called ‘free’ services.” He does not name any specific companies, but says that the lesson of “the Facebook/Cambridge Analytica case” is that the “old approach is broken and unsustainable.” He says European data-protection authorities have formed a new social-media group that will meet for the first time in mid-May.
The new rules, formally known as the General Data Protection Regulation, were supposed to hit the reset button on rampant data-collection practices. Regulators are empowered to levy heavy fines of up to 4 percent of revenue, which should have changed the economic incentives and return some power back to users, whose consent had to be informed and freely given.
Buttarelli is far from the only critic of the tech giants. On Monday, four trade groups representing about 4,000 publishers and media companies, including Bloomberg, the Guardian, Hearst, and Conde Nast (WIRED’s parent company), wrote a scathing letter to Google CEO Sundar Pichai decrying GDPR-related changes that Google announced in late March.
The group said it was troubled by Google’s insistence that publishers obtain consent for collecting, sharing, and processing data from users who visit their media sites. Google wants access to this data, but will not be transparent about how Google plans to use it, which increases publishers’ liability, letter says. But if media companies don’t like Google’s proposal, they get shut out of the company’s dominant advertising network.
“Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law,” the publishers wrote.
A Google spokesperson told WIRED, “As announced, we’re not asking publishers to get consent for our users. We’re asking them to get consent from their users, on their sites, for use of adtech on their sites—which could be one of our advertising products, or someone else’s.”
Frederike Kaltheuner, data program lead at the nonprofit Privacy International, says that because of their size, Facebook and Google “have particular responsibilities, especially when it comes to asking users for consent” under the new rules. But their market dominance warps the idea of permission. “So the question is: what does freely given consent mean in a context where users often have little or no alternatives?” Kaltheuner asks.
Kaltheuner says Facebook’s and Google’s plans do not look like a “true commitment to user privacy.” She says Facebook is already involved in several cases for allegedly violating existing, weaker data protection standards, including fines for misleading information over WhatsApp, a ruling by Berlin regional court that Facebook’s default privacy settings violate German consumer law, as well as a court order in February that Facebook stop tracking users who do not have a Facebook account. “Half hearted changes of policies will not wash with regulators,” Kaltheuner says.
Earlier this month, in a move to reduce its legal burden, Facebook changed its terms of service to move users in Asia, Africa, and Latin America under Facebook Inc. in Menlo Park, rather than Facebook Ireland, where they may have been able to enjoy protections under GDPR.
In a statement to WIRED about the change, Stephen Deadman, Facebook’s deputy chief global privacy officer, said, “The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”
Sandra Wachter, a research fellow at the Oxford Internet Institute, says “a lot of people are very, very disappointed” with Facebook’s move, particularly on the heels of Cambridge Analytica. Facebook CEO Mark Zuckerberg earlier told Reuters that he wanted to extend GDPR “in spirit” to Facebook users around the globe. “Two weeks after, he’s basically taking away individual rights,” Wachter says. She says the last-minute change was surprising because companies had two years to comply with the new rules.
“Everyone around the world was hoping, or is still hoping, that Europeans would have a new found a new way” to safeguard consumers, including a higher standard of protection and enforceability, says Wachter.
While interpretations of the law are still up for debate, and may only be settled in court years from now, privacy advocates seem unconvinced that Google and Facebook are meeting even the spirit of the law.
Buttrarelli echoed that sentiment. Users and regulators expect a “change of culture,” from GDPR, he wrote. “Brilliant lawyers will always be able to fashion ingenious arguments to justify almost any practice. But with personal data processing we need to move to a different model.”