Google’s first privacy fine post-GDPR sounds substantial. $57 million could certainly buy a first-class infosec infrastructure for a medium-sized company and keep many payrolls rolling out for years to come.
But bear in mind that relative to Google’s earnings it amounts to a very modest cost of doing business. Roughly calculated it’s 0.64% of its parent company’s quarterly net profit and less than 0.19% of the annual.
Those figures mean your data is more valuable than your trust, and many companies have accurately determined that a majority of their users don’t expect privacy. And if they do, it’s not reason enough to stop them from using nosy services. That is, to many, convenience trumps respect.
This is not a universal phenomenon.
Some companies and countries choose differently.
Privacy as a Brand: Companies Working to Protect Privacy
For decades, Apple’s brand centered on innovation, stylish design, and customer service. Now it’s expanding its customer service approach to include privacy. These days it presents itself as a responsible alternative. They market themselves as the company that respects customers’ privacy, does not track them and is less susceptible to the seduction of big data profits. Its business model does not rely on it.
From a security perspective, Apple makes a decent case. If one also considers that traditionally more malware targets other operating systems it strengthens that case. Of course threat actors are chiseling away at Apple’s advantage day by day; it’s still a chisel though, not a jackhammer.
To be sure, some smaller companies pride themselves on similar privacy practices, but for the moment, Apple is the only tech giant literally erecting billboards to advertise its privacy position.
The GDPR operates on a much larger scale than one company’s ethos.
Privacy as Policy: The General Data Protection Regulation
More than the reason popups greet you at so many websites, the GDPR seeks to restore explicit consent in the commercial realm. Ethical business once practiced this kind of consent as a matter of course, but that level of customer consideration seems optional these days.
After the digital paradigm shift that is opt-out, it’s currently all-but-nonexistent in the US. Once one had to select ‘features’ like tracking and data collection, which purportedly ‘improve your experience’. Now sites thrust them upon users. Even when folks work out the labyrinth of privacy settings to toggle on and off, it’s soon clear that actual control is limited, and ultimately contrived (Sorry, Virginia, the phone is still tracking you even when GPS is turned off.) For an example of this, look no further than this piece detailing more than 60 ways to try to attain privacy on Facebook.
The bottom line: If you want to preserve any privacy, you’ll have to work for it, and you still won’t be nearly as protected as you might think.
The GDPR is the European Union’s answer to that morass.
The Gist of the GDPR
Less than a year old (enacted May 28, 2018), the GDPR’s 99 legal articles articulate what user information can and cannot be collected, legally. Central to its tenets is the rebirth of opting in. Each user owns her/his own data and has the right to be forgotten. One must agree to each step further into a site’s environment and big-data-collecting mechanisms. Google earned its fine for not complying with the GDPR.
We’ll see if such costs deter online privacy violations. For big companies today, the data surreptitiously collected adds much more to the bottom line than current fines might take away from it.
But at least the EU has drawn a line. More than that, they’ve sided with users over the companies that profit from user data. That’s a significant disruption to the big-data economy.
Current conventional wisdom defines globalization within economic terms, so one may wonder how the restoration of privacy may affect the globalized economy.
One way of gauging that? Discerning if privacy is spreading as quickly as the technology that took it away.
Online Privacy Laws Outside the EU
Along with the EU, Canada and China have national laws in place to help protect their citizens’ privacy. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) originally passed in 2000. The Data Privacy Act amended it years later. Both are based on 10 principles, including: accountability, limiting collection, consent, and safeguards. Though it predates GDPR, PIPEDA takes a comprehensive, if less aggressive approach.
PIPEDA doesn’t have the same teeth as its European counterpart. Canadians can report violations and challenge a company’s compliance but violations carry much lower fines (currently, up to $100,000).
Though not known for consumer-centric or robust privacy laws, in 2017 China’s Cybersecurity Law went into effect. A lot of press focuses on its requirement that businesses in critical sectors allow crime investigators access to their networks and technical support for the investigators’ efforts. One can draw their own conclusions as to how it’s used and to whose benefit. As it’s been in effect for a relatively short period of time, conclusions will be fully supported soon enough. In the meantime, the law’s required data security measures like mandatory virus protection merit further consideration.
The rest of the world runs the gamut from working toward national laws to absolute inaction on the issue. The US lies somewhere in the middle.
One of the biggest economies in the world, the US suffers from a piecemeal approach to online privacy rights. A lot depends on exactly where one lives. Folks in California are better off than those in Tennessee and credit cardholders in one state will receive notification of a breach sooner than residents of another.
American privacy advocates have supported a more robust, federal approach basically since the dawn of the Internet. Yet, that level of online privacy can’t be found in the States.
International Data Privacy Day is January 28th. Let’s hope by its next observance, more companies and countries can count themselves amongst the protected.
