The GDPR ruling against Google has huge implications for us all but perhaps not in the way you might think.
Last week’s record £44m (€50m) fine levied on Google is seen by many as evidence that European regulators are now starting to sharpen their knives and will be much more proactive in how they prosecute companies breaching GDPR going forward.
This may well be true and it’s hardly a secret that regulators have allowed an effective grace period after the regulations came in, indeed the UK’s ICO virtually put that on public record. They understood the significant complexity facing many businesses as they tried to comply but now their patience it would seem is running out.
However the ruling has bigger implications. Google may have been top of the list for regulators for many reasons, not least its arrogance:
“Google seems to believe that it is sufficient to simply “interpret the law differently” than the regulators. This refusal to even make a good faith effort to comply with the GDPR could well have contributed to the record fine.”
– Max Schrems of NOYB.
However looking at the summary of its findings in detail shows just where the regulator stands on key issues, ones that will surely be applied across all local regulators and therefore to all companies in time.
Lessons learned from the Google ruling
In summary there are 3 key clarifications from the ruling:
1. Transparency – Google had failed to be transparent or even close. For example “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.”
2 Clarity – Google has not been unambiguous. GDPR requires an unambiguous and “clear affirmative action” from an individual to indicate consent, which precludes the use of pre-ticked settings for example.
3. Specificity – Google still wraps up multiple “consents” into its privacy policy and other hard-to-access documents. Such a general request violates the GDPR’s requirement for separate consent requests for each specific processing purpose. If Google proposes, say, 20 different purposes, the user must be able to give or deny consent for each.
Now these would appear obvious to anyone who has read the GDPR rulings or even listened to the general conversation around it. But what Google and others have done is assume that “needing” this data to carry out their business would be accepted, at least in the short term. The regulator does not concur.
The implications for any technology company that uses data to drive its value proposition (personalisation for example, which is almost every Adtech and Martech company out there) is profound. The regulator cannot rule one way for Google and another for other companies regardless of their size.
While a very large number this fine is insignificant to Google who make somewhere in the order of $300m a “day” from these data driven services. The regulator will no doubt ramp up these fines if no progress is made by Google, but even so if anyone can afford it, Google can. That cannot be said for the majority of other companies. Start-ups for example, with no spare cash for fines, cannot realistically pitch an idea to VC’s today based on monetising data in the same way as others have before them.
This is not just a European thing
I saw some, although limited, reaction in the US that was outraged that regulators should get involved and be fining US companies. However most agreed that Google, and others, have shown total contempt of the laws relating to data, not just in Europe but in the US. California has already introduced many aspects of GDPR and national legislation is surely only a matter of time, likely based on the core concepts of GDPR.
Legislators in the US are coming to the same conclusion that the European regulators have that data has huge commercial value as well as a raft of wider societal implications. Commercially it can be considered monopolistic but also, and there is obviously a degree of self-interest here, powerful in terms of social control and political choices.
Use and abuse: Data as a global powerplay
The technology giants of the digital age have largely made their money from using (and abusing) the data given to them by their customers. Some have other key pillars to their business model, such as logistics, but data lies at the heart of all their business models.
This isn’t new as such – data has been a part of most businesses DNA for decades – but never has so much data been put in the hands of just a few companies. This data monopoly that the top tech companies have is not good for individual consumers and it’s not good for the wider business community.
For example it means consumers face monopolistic trading which never leads to long term value for them. What is different from previous large businesses is that the leading tech companies effectively stop other businesses getting access to data as they have to disintermediate themselves to get access to the customers the big tech firms control.
It can be argued with some conviction that you simply cannot grow an online business today without using Google, Facebook, eBay, Amazon (and perhaps a few dozen others) to do so. I won’t even begin to discuss the other, non-data related practices (illegal even under current laws) that are becoming increasingly prevalent and which in my view are effectively destroying real competition online.
Even some of the tech companies themselves are wading in, asking for tougher legislation, with Apple’s CEO Tim Cook accusing some companies of “weaponizing” data. Obviously one has to be cognizant of his motives here.
However there is another side to the argument. Several in fact:
- Consumers want the online experience that only data can provide.
Research by Professor Alessandro Acquisiti from Carnegie Mellon University who studied 10,000 online campaigns post-GDPR showed that intent to purchase was diminished as campaigns lost their ability to target consumers so effectively. Is this bad? Probably depends on your perspective. But if there was no data driving what people see on the web it would become a much less attractive place and a much more difficult one to navigate.
- Tech companies are a key driver of economic growth.
Over the last 20 years, tech companies have driven economic growth while other industries have declined. Restrictions could cost jobs. But many argue that breaking up monopolistic dominance historically drives innovation and growth instead.
- Unilateral adoption is difficult to coordinate potentially giving some companies an advantage.
This isn’t a reason not to make changes but legislators need to be cognisant to creating a level playing field for all. Crucially this means ensuring smaller enterprises get equal opportunity. Legislators, often directed by powerful lobbyist groups, have in the past created systems that only larger companies with matching resources can navigate.
What to do about China, the other data powerhouse?
Many Silicon-Valley-inspired Western companies do only one thing and leave any particulars surrounding their core business to others. Take Uber. It connects people with a ride, but the business isn’t concerned about things like car maintenance and gas.
The Chinese equivalent to Uber, DiDi, on the other hand, also owns the gas stations and repair shops that keep their cars running. This approach is popular in China as it makes it harder for competing companies to outdo one another.
Now consider Tencent, the company behind the immensely popular Chinese WeChat service. By using small apps within the service, its users can not only use it to chat, but buy groceries, arrange flights, book a doctor’s appointment and much more.
Its users’ data is then a veritable goldmine for Tencent, who can use it to develop sophisticated services and products in a way many Western companies could only dream of.
And this could be a problem, especially if we regulate and/or break up our home grown companies. Sure Chinese companies could be made to follow European or US legislation to trade in these regions but at home they would have no such limitations. Trying to draw lines in a virtual ecosystem has proven to be virtually impossible so far. (Although, as we will discuss later, smart people are working on it.)
We must still try, however, because the industry won’t regulate itself. Those in positions of corporate power simply bat away personal responsibility with the classic playground power-play: “We won’t unless they do too.”
Solutions are possible. Should TenCent be allowed to access the open data available in the west without the same rights existing in their home market? I would argue no.
Takeovers by state-funded “pseudo companies’ would be reduced as they would lose “data access” because of their “non-compliant ownership.” This would safeguard the competitive position of companies based in countries that had endorsed and signed up to this data accord.
Moving forward: Is it time for a separation of powers in the data sphere?
For example knowing your personal views on the “big issues” and then changing the version you get of the internet based on algorithmic assumptions, surely lies at odds with the individual freedoms at the core of most democratic constitutions. Cambridge Analytic may only be the tip of the iceberg if we carry on down the same path.
One way being touted as an option is to separate Personal Data from the services they run. To get real transparency and fairness back many argue they must be detached from each other and offer full independent control and value back to the individuals whose data it is.
Why, many data experts ask, do companies get to make money out of our data when surely they should be rewarding us for access instead? This would mean breaking the likes of Amazon, Facebook and Google up, a solution that seems to be gathering wider and wider support.
There are a raft of companies looking at innovative data solutions that aim to address this issue although one has to question if moving data from one private company, albeit one that is entirely separated from the delivery of services is the answer.
We could perhaps draw on the systems most democracies have in place to circumvent the abuse of power in any one branch of government (separation into three branches is typical) and have a triumvirate of data companies.
The data triumvirate might be structured as follows:
- Private companies that provide data services but focused on the rights of the individual and with their best interests written into their articles
- Private companies that offer safe haven data processing between the consumer-focused data services above and commercial companies wanting to access that data. This allows for data innovation but without locking it into one monopolistic business.
- A Government regulator to oversee the above
However as we have learned over the last few years from the various abuses and breaches, this still only works if there is a transparent, open, decentralised infrastructure to enable it.
Although there are many organisations touting possible solutions, one of the most interesting in my view is the collaboration between Tim Berners-Lee, the father of the internet, and MIT. Projects such as this should be given the resources needed to deliver viable, scalable services.
A brighter future lies ahead
Finally, lest the above seems too negative, we shouldn’t be too down on the current situation – whenever there has been a significant technology breakthrough that fundamentally changes the status quo that pre-existed it, there has been time needed to readjust, to understand and legislate.
Some of this is personal – how much time should we spend online for example? But some of the issues have global consequences. Who has access to, and control of, data is probably one of the defining issues of our generation. Hyperbole? I personally don’t think so.
Forget the commercial use of data to sell things for a moment, although that too is important, and widen the net. With more and more devices “connected” to the global data stream there is a wealth of opportunity to make breakthroughs on some of the biggest issues we face as a species.
Open data from the health readings of billions of people (through their connected devices) would surely lead to improved health outcomes for us all. But only if all health companies have equal access.
Data pouring in from hundreds of millions of connected devices could tell us about pollution or even global warming. Again only if access is open to all.
The global data stream will present many, many opportunities for those able to mine it. They can only do so if the system that defines that stream is effectively open source. Thousands of different approaches to extracting the value will inevitably see more positive outcomes vs the data staying in a series of propriety ecosystems that can’t be accessed by anyone on the outside.
By making the global data stream open, accessible and sharable we will see benefits for all. By giving individuals rights to control their own data and choose where and when it is shared you are protecting the rights of the individual and strengthening our democratic systems.
What do you think? What is the future for privacy and data? Will legislation force change or will technology deliver freedom of choice?
We discuss these and other issues at our 1/2 day quarterly Data Briefing in London on 26th March. https://www.eventbrite.co.uk/e/data-briefing-q1-registration-55034910900 Book with Code Craig50 and get 50% off (So just £45 to cover venue, refreshment and a light lunch)
Deliver your data strategy by signing up for our data strategy workshop https://www.eventbrite.co.uk/e/the-data-strategy-workshop-feb-registration-53248585954