Three ways European data rules are impacting on consumers and businesses across the world
Ahead of the Consumers International Summit 2019 sessions 'Data Reimagined’ and ‘Privacy Warriors vs the Privacy Police’, our Digital Expert Xanthe Couture explores what’s happened since the introduction of GDPR and what it might mean for the future.
At the Consumers International Summit 2019 we will be exploring how consumers across the world can get more value from their data now, and in the future. The impact of new European rules on data protection will of course be part of this conversation.
We will be exploring how consumer data can be managed differently by companies at our Summit session, Data Reimagined, and how we can gain more control and security right now at the session Privacy Warriors vs the Privacy Police. Delegates will also get a first look at a new data portability sandbox initiative in the UK.
We are coming up to the one-year anniversary of the EU General Data Protection Regulation (GDPR). And alongside this, we have seen increasing numbers of class actions from members, hefty fines from regulators and growing awareness of consumer data issues.
We summarise three ways GDPR is supporting the efforts of consumer organisations and ask how its reach goes beyond Europe.
1. Empowering consumer organisations
On 30 May 2018, four of our European member organisations launched coordinated class actions against Facebook. Test-Aankoop/Test-Achats (Belgium), OCU (Spain), Altroconsumo (Italy) and Deco-Proteste (Portugal) argued that Facebook infringed consumers’ data rights by collecting large volumes of data and sharing it with third parties without users being fully aware of how their data is being used. The collective action also deals with alleged unfair contract terms and unfair commercial practices, which is enforced by separate EU consumer rights legislation.
The collective action is calling for users to be in control of their own data and compensated if it is misused. They are promoting their call to action with a campaign and the hashtags #NotYourPuppets and #MyDataIsMine.
Our member Altroconsumo’s class action against Facebook led the Italian Competition Authority (AGCM) to impose a fine of €10 million euros on Facebook for unfair commercial data practices in November 2018. The Italian competition authority said Facebook wrongly emphasised the free nature of the service without informing users of the fact that their data would be used to generate a profit. The competition authority also criticised Facebook for discouraging users from trying to limit how the company shared their personal information.
2. Imposing stronger penalties
GDPR signaled a significant change by introducing fines of up to €20 million euros (or up to 4% of global annual turnover, whichever is greater) for data breaches - a huge increase from previous fines.
Using the powers established under GDPR, the French data protection agency, CNIL, fined Google a record €50 million euros for failing to provide users with transparent and understandable information on its data use policies.
CNIL brought the case because they found that Google made it too difficult for people to find essential information, including how their data was being processed, how long it was being stored and how their consent was being used to personalise ads. That lack of clarity meant that consumers were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.
3. Making companies accountable for data protection and consent
Several cases brought by European consumer protection authorities are raising the awareness of consumers’ right to privacy and consent.
In March 2018, the Berlin Regional Court in Germany ruled that Facebook’s data consent policies were invalid. This was in response to a case led by our German member, VZBV, who argued that since 2015, Facebook did not obtain consent for collecting consumer information for advertising purposes.
While in France, consumer organisation UFC-Que Choisir also won €30,000 euros in damages, after waging a five-year legal battle against Google for "abusive" practices in its service conditions.
The court of Paris judged that a number of terms that form part of Google’s general terms and privacy conditions were unfair. The Court said that it was particularly unfair to present the use of data only in order to improve the service whereas the real goal is a commercial use of these data - especially for targeted advertising. The ruling follows one in a similar case brought by UFC-Que Choisir against Twitter. A case against Facebook by UFC-Que Choisir is still underway.
The cases above show how a piece of regulation can galvanise action and raise the profile of long-standing problems for consumers with digital services. But what about the rest of the world?
The GDPR is strengthening the data protection rights of citizens across Europe, and responsibility of companies anywhere in the world who access their users’ data. Businesses outside of Europe are affected too, if they are dealing with the data of European citizens – an innovative approach within the regulation. Businesses are required to be much more transparent about how they are using customers’ data and to make consent fundamental to many of uses of personal data. This growing tide is not only reaching European consumers, it’s also reaching the USA. A federal privacy is being debated and California has already passed laws which strikes the same tone as GDPR.
But the journey has only just begun. Governments around the world are trying to modernise their data protection regulation and put the right regulatory standards in place to protect their citizens against data breaches.
For example, some countries like Andorra and Morocco are leading the way by converging their domestic laws to universally recognised standards such as OECD’s Guidelines for GDPR. Others have laws in place, which aren’t as robust as they could be but provide a good starting ground for improvements to be made.
Despite genuine and tangible concerns around our collective digital futures, there are signs that we can take control of our digital destinies to create safe online environments and accountability. But government, regulators, and strong consumer voices are key to making this happen - alongside companies who want to do the right thing.
Data protection at the Summit
The use and control of consumer data is a central theme at the Consumers International Summit 2019, from artificial intelligence, to FinTech, to e-commerce and the internet of things. We will also be devoting time specifically to consumer data possibilities and pitfalls in several sessions. The Summit is an opportunity for civil society, governments and the tech industry to tackle how we can build-in privacy and protection to protect all our data and how we give consumers the tools to protect themselves.