Tomorrow and Yesterday: A Tale of Two Laws
On May 25, a global revolution will begin in the digital world. That day, the EU’s General Data Protection Regulation (GDPR) will start to be enforced. Under the new rules, consent to data processing of personal information will need to be clear, and provided in an intelligible form – no more incomprehensible terms and conditions running to tens of thousands of words. It must be as easy to withdraw consent as to grant it, and the purpose of the processing must be explicit. The GDPR enshrines two important rights. The first is the right to “access”, which means people are able to find out from an organisation whether or not personal data concerning them is being processed, where and for what purpose, and to obtain a copy of their personal data. There is also a right to data erasure, more commonly known as a “right to be forgotten”, which applies to data that is no longer relevant to the original purposes for processing, or where people have withdrawn their consent.
Those are all important aspects of the GDPR, but the real revolution is the following, taken from the EU’s main FAQ on the new regulation: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” In other words, the reach of the GDPR is global.
To enforce that worldwide reach, the GDPR has teeth. Companies that fail to comply with the new regulation can be fined up to 4% of their total turnover, wherever they are based. For example, Google’s turnover last year was $110 billion, which means that non-compliance with the GDPR could cost it up to $4.4 billion. No wonder, then, that according to a report in the Financial Times, the top 500 companies in the US alone will spend $7.8 billion in order to meet the new rules (paywall).
Recently, top Internet companies have been informing users how they plan to comply with the GDPR. Some companies have announced that they would extend the protections and rights provided by the GDPR to their users worldwide. On its page explaining its approach to privacy, Apple says: “We look forward to providing these updates [offering new GDPR-compliant privacy management tools] for customers not just in the EU, but around the world.”
Others have reacted in a less praiseworthy manner to the imminent GDPR rules. For example, Facebook is moving the personal data of 1.5 billion users in Africa, Asia, Australia and Latin America out of its data processing facilities in Ireland, where they are covered by EU law, to the US, with its weaker privacy regulations. The move to downgrade the future protections of its users outside the EU and US will allow Facebook to reduce the risk of being hit by a huge EU fine for non-compliance with the GDPR in those regions. The games company Gravity Interactive is taking even more extreme action as a result of the GDPR coming into force in May. It has announced that “Due to the changes of our company’s service policy for the European regions, we are saddened to bring you news that, all games and WarpPortal services to the European regions listed below will be terminated on May 25th, 2018.”
Whether enhancing or reducing privacy protections, what’s noteworthy here is the way in which some of the biggest companies in the world are being forced by EU legislation to change dramatically how they conduct business online. GDPR’s global reach is real, not just wishful thinking, which means that an EU regulation, passed in accordance with EU values, is having a significant impact on how the entire Internet industry will protect personal data everywhere.
Contrast this trailblazing law with another piece of EU legislation, the Copyright Directive, supposedly designed to bring copyright into the digital age, just as the GDPR updates privacy in the light of today’s Internet. As CopyBuzz has reported, the Copyright Directive will have harmful effects on just about every aspect of online life in the EU. Article 11’s ancillary copyright will make linking to journalistic material a legal minefield that will doubtless put many off from even trying. That is, it undermines the very fabric of the Web – the hyperlink. Its requirement that media companies must charge when someone wishes to link to their material will severely undermine the use of Creative Commons licences in the EU since they do not require payment. Article 13’s upload filters will introduce both surveillance and censorship for the Internet, and will have a chilling effect on digital creativity.
In an extraordinary act of self-harm, the deep flaws of the Copyright Directive will impact EU companies and startups the most. Their rivals in the US or Asia will not be subject to these ill-thought-out rules in their home markets, and so will be in an even stronger position to flourish online as EU startups are forced to struggle with costly and hard-to-implement requirements like upload filters, or the unrealistic limitations on text and data mining in Article 3 of the Directive. The GDPR, on the other hand, provides EU-based companies with a powerful selling point against other services: that they will respect the privacy rights of users everywhere as a matter of course.
Nor is the excellence of the GDPR a one-off. The European Commission has just announced its proposals for a new law protecting whistleblowers. It will shield whistleblowers against dismissal, demotion and other forms of retaliation. Although by no means perfect, it has been welcomed by a wide range of groups, including political parties, trade unions and NGOs.
So what has gone wrong in the case of the dire Copyright Directive? The fact that entrepreneurs, technologists, academics, and digital rights organisations are united in their criticism of its key elements is an indication that this is an unbalanced and biased proposal that will benefit a tiny market segment – essentially, publishers and recording companies – to the detriment of the wider European economy and society. It shows the extent to which the EU’s political machine has been captured by lobbyists. They are unconcerned about the massive collateral damage the proposals will cause to everyone else, provided the copyright ratchet is jacked up a few notches in the industry’s favour.
The GDPR demonstrates that the EU is eminently capable of drawing up influential and well-balanced laws, which are already re-shaping the future of the Internet globally. The parochial Copyright Directive, by contrast, shows that the EU is still in thrall to a sector of the economy that hankers for the past, and wants to block copyright being made fit for the digital age. It is high time for the European Commission to ask itself, which is better: shambling back to yesterday, or striding forward to tomorrow?
Featured image by Pete Linforth.