The fallout at Facebook continues to grow after it was revealed that millions of Facebook users’ data was used by the consulting firm Cambridge Analytica, in violation of Facebook’s policies. While reactions have been varied, we’re beginning to hear loud calls for European-style privacy regulations to be imposed on companies like Facebook. This would deliver a stunning setback to a largely free, innovative, and prosperous tech sector in the United States.
The General Data Protection Regulation, or GDPR, is a new set of European Union rules that apply to any company or organization that handles personal data of its members or customers. GDPR regulations are touted as a way for people to have more control over their personal data and to hold organizations accountable for misuse of data, including breaches. In reality, these regulations attempt to fix a problem that market forces can better address, and add layers of red tape and compliance costs that will put an enormous burden on businesses as large as Facebook and as small as coffee shops. The European Union has a history of punishing large, successful American tech firms, and it’s quite possible that EU regulation is the reason why Europe has none of its own. If you like the service and entertainment that companies like Uber and Netflix provide, then you should oppose GDPR-style regulations being implemented in the United States.
First, these regulations enforce harsh punitive measures against organizations that experience data breaches. While the fines and fees vary, Reuters business reporters recently estimated that if the Cambridge Analytica incident had happened after GDPR regulations took effect, it would have cost Facebook up to 4% of their global revenue. Many tech companies operate their first 5-10 years on investment money with a net revenue loss. Would a fledgling Dropbox, Amazon, or eBay have been able to recover from a fine that big?
We’ve seen what market forces can do to a company that misuses or fails to secure the privacy of its users’ data.
Target saw its profit drop by 46% after the breach of millions of customers’ personal data, including credit card numbers (which, by the way, are quite a bit more consequential than your Facebook likes). And several of the company’s top executives, including its CEO, were pushed out in the wake of the breach. Target has since implemented EMV chip technology into its payment processors and will be forced to pay $18.5 million in a multi-state settlement.
GDPR regulations weren’t needed for Facebook to respond to and fix the problem associated with data consent in the Cambridge Analytica incident. In 2015, Facebook discovered that app developers (not just the one associated with Cambridge Analytica) were using an available app tool that allowed access, in an unauthorized manner, not only to the data of the user who opted in, but also to some of their friends’ data. Facebook subsequently removed the feature entirely to give its users more control.
Second, while GDPR regulations promise more control over your data, they actually restrict the types of data consent and privacy agreements organizations can make with their users.
Under new guidelines, data consent agreements must be written in plain language anyone can understand and must also be easy to withdraw from. Translation: government regulators will decide and enforce what constitutes “plain language” and adequate data consent between the company and consumer. This means higher compliance costs that are passed on to consumers and less latitude for organizations to craft data consent agreements that deliver the best service to their users.
As with Facebook and many companies before it, we’re watching in real time as market forces correct a problem with how a company manages its users’ data. The last thing we need is a European-style regulatory overreach that prevents a new Apple, Uber, or Facebook from becoming the next great American success story.