We’re less than a month away from GDPR coming into full force
So, it feels like a good moment to question the way data protection laws have worked so far and how this is all about to change. Recent scandals, such as Facebook’s unethically sharing the data of more than 50 million users with Cambridge Analytica
, have shown us – yet again – that social networks are way more powerful than we are accustomed to thinking about them. Just take into consideration the fact that Facebook is the second most powerful advertising platform in the world
– only behind Google
– covering about ⅓ of the world population.
So, in what ways do the largest Internet companies (Google, Microsoft, Facebook) managed to sidestep previous regulative rules and how much they will have to change once GDPR takes effect?
Join us to find out.
There have been various data protection issues over the last decade that were openly admitted by Google. For instance, back in 2009, “Wired” discovered
that a Google Documents design flaw allowed uncertified users access to private documents. Three years later, Google had to pay 22.5M dollars fine to the Federal Trade Commission over Safari tracking
. Later, in 2013, the company was fined 1.2M euro by the Spanish government for breaking data law (as was Facebook 4 years later: see below).
In 2012, there was another issue, related to Google bypassing user privacy settings on Safari (and IE too
) using cookies. Now, cookies have always been a popular reason for concern even among less educated IT users; but, over the years, we discovered that this is only a drop in the ocean.
"If I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go”, said Eric Schmidt
, former Executive Chairman of Google. “Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the Internet? You've got Facebook photos!"
In 2013, Microsoft attacked Google via an infamous “Scroogled” ad campaign
, supposedly aiming to “open users’ eyes” at the way Gmail works. The main issue: Google scans users’ emails to get info for targeted advertising.
The Internet giant managed to refute Microsoft’s accusations. But, even so, in the meantime, it became widely known that Google collects an immense amount of data through its services like Google Analytics, which, in fact, makes cross-domain web tracking via users IPs possible. This means that Google creates a user profile linked to each IP address, and, moreover, that this information is accessible via Google API.
When it comes to fines, Microsoft was one of the pioneers, being perhaps the first major company to be penalized by EU.
"Microsoft was the first company in 50 years of EU competition policy that the Commission has had to fine for failure to comply with an antitrust decision,” said
Neelie Kroes, the Competition Commissioner, back in 2008, when Microsoft was charged with a record 1B fine."
The public was alarmed once again after Microsoft launched Windows 10. Soon, it became apparent that the operating system acquired the use of features
which could potentially become a privacy threat for users. On June 30th, 2016, Microsoft got a formal notice from the French National Data Protection Commission, according to which the multinational corporation had 3 months to fix Windows 10
and get compliant with the French Data Protection Act to avoid being punished.
And then there was a completely different kind of problem. Namely, three years before this, Microsoft was asked by the U. S. government to hand over emails of a drug trafficking suspect; the problem was – the mails were stored on servers located in Dublin, so Microsoft refused to share the data. The case resulted in the CLOUD act
, which is believed to be a significant step forward when it comes to data protection regulation.
“We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk. Therefore, Congress needs to modernise the law and address these fundamental issues,” wrote a year ago
in a blog post Brad Smith, Microsoft's CLO."
The question of whether to cooperate or resist
becomes more and more relevant since companies like Google, Microsoft and Facebook collect more and more information about their users. Thus, inadvertently, they have become major players on the scene of international law and national security.
According to the latest Microsoft transparency report
, just during the second half of last year (July 2017 – December 2017), Microsoft received 22,939 requests for customer information, mainly coming from four countries: U.S., UK, France, and Germany. Just for comparison, across companies, the response rate to requests of this kind usually revolves around 80 percent.
Due to the recent events, Facebook is the obvious star of the show here. But, this doesn’t mean that its data protection issues don’t have quite a history.
For example, in 2017, the company was fined 1.2 million euros by Spanish data watchdogs
for violating data protection rules. That same year, Facebook had to pay another fine (of 122 million dollars) for giving misleading information to data protection regulators during the acquisition of WhatsApp in 2014.
However, the most recent case
– the data leak of over 50 million users which was used to impact the U.S. elections – may reach an unprecedented scale when it comes to the amount of the fine. According to Bloomberg, in theory, FTC’s fine for Facebook may be in the realm of trillions ($40,000 per violation per day)!
“Depending on how all the facts shake out, Facebook's actions could violate any or all of these provisions, to the tune of many millions of dollars in penalties. They could also constitute violations of both US and EU laws,” said
Jessica Rich, the vice president for advocacy at Consumer Reports. Facebook can look forward to multiple investigations and potentially a whole lot of liability here.”
GDPR and the "What If…"?
Of course, GDPR isn’t aimed at global-scale corporations and companies exclusively. It will affect every company that uses personal data of EU citizens no matter whether it’s located in EU or beyond its borders. So, what if a company refuses to follow new rules or isn’t aware of the violations? With a two-tiered sanction regime, “light” cases will be subjected to a fine of either 10M euro or 2% of company’s global turnover, while more severe cases will get a fine of either 20M euro or 4% of company’s global turnover.
Google, Facebook and Microsoft have an undeniably massive impact on the lives of their users and the world in general. During the past decade, we’ve learned that the effect may be much more colossal that we ever realized. With the tools for collecting and processing data becoming more and more powerful, it’s only a matter of time before we look back at the general data protection regulation as a landmark moment in the history of human privacy.