News
& Views.

Return to list

Gafa Police Squad - do we need a new data regulator with GDPR about to land?

Written by Dominic Weeks, Head of Technology.

It’s hard to take a breath from the events of last week with staggering revelations relating to Facebook and Cambridge Analytica dominating the front pages. There has been some fantastic reporting from the Observer/Guardian team, the Times, Channel 4 News and a host of other leading tech and political journalists in uncovering an array of hugely important angles. It feels like the fourth estate, operating on overdrive, has blown wide open the public debate on privacy and the state of our democracy (with the significant caveat that social scientists have scoffed at the claims of prowess espoused by Cambridge Analytica).

So what to say about it all from a communications perspective? There’s a lot that could (and has, and will) be said about the handling of the media storm by the major protagonists here. What interests me more than recriminations over how the crisis was handled by these individual players though, is where the tech industry goes from here in rebuilding public trust and positive sentiment? I mean, good lord, things were rocky as it was.

A New Sheriff in Town?

One key strand of the debate on “what next” has been calls for a new global digital regulator or some form of vast regulatory intervention. The Guardian’s editorial last week stated that “the challenge goes beyond the application of existing rules” in ensuring that the power of Gafa - Google, Amazon,  Facebook and Apple (sometimes I feel for Microsoft, it’s like the Pete Best of the tech scene at the moment) - is contained to prevent consumer harm.

The danger here might be the conflation of two different threats – one of the growing monopolies and network effects of large tech players (which we have seen the EU attempt to curtail under the auspices of antitrust rulings) and the other that relates to consumer data protection. 

That’s not so say that the two aren’t related. It’s inarguable at this point that existing regulation and/or enforcement of such has not protected consumers, and those network effects that have continually strengthened the large tech players have enabled them to act with a degree of nonchalance to the packaging and sale of our data. However, this scandal, related mainly to lax protection of our data, perhaps needs to be considered in the light of what we already have in place in terms of regulation, before we rush to add more.  

While I am not a lawyer, from what I can tell the spirit and indeed the specifics of GDPR serve to address many of the data privacy concerns we have seen over the last seven days, provided the regulation has teeth and capacity for enforcement. There are already suggestions that the British-body charged with enforcing the regulation, the ICO, should be allowed to perform dawn raids as opposed to having to obtain a warrant (it took them nearly a week to do so in relation to Cambridge Analytica).

Unity Behind Better Data Privacy

Key tenets of GDPR are that organizations must obtain informed consent from users for specific uses of their data and that they must inform them if, for any reason, their data is compromised. Clearly the whole sorry tail unfolding last week would have been in serious breach of these GDPR provisions, notably because the users in question have still not been officially informed that their data was compromised. Under GDPR, Facebook would have faced a 4% fine from the EU on annual turnover, amounting to $1.6 billion based on Facebook’s 2017 revenue. That would create a lot of shareholder pressure not to be in breach.

Without these regulations at present and thanks to great investigative journalism, investors can now see the writing on the wall for some of the lucrative data sharing practices, and many are voting with their feet. Facebook’s share price down around 13 percent, wiping well over $50 billion off the company’s market capitalization since this time last week. But we can’t always rely on the muckrackers – perhaps ironically, Facebook has hurt digital media’s monetization efforts, contributing to strapped resources. So we’re going to need these existing regulations to be sharp and for companies to be audited by the bodies responsible.

The EU is also in the process of introducing ePrivacy, so there is already more regulation on the way designed to protect consumer’s data privacy in areas like unsolicited marketing. Amir Malik, digital marketing lead for Accenture was quoted in Digiday today saying “GDPR and ePrivacy will gain more momentum and credibility in the wake of this scandal.”

There’s 58 days until GDPR comes into effect. The wider tech industry, not just Gafa, could benefit from taking stock and lending public support to the aims of GDPR. It might restore public faith and prevent reactionary doubling up of regulation and enforcement that weakens, rather than strengthens, data protections. Rallying around GDPR publicly as a workable framework by large American tech companies with which to comply may also set a global standard that is followed, perhaps encouraging even the U.S. to implement more consumer protections.

Starting new efforts now could hurt both consumers, large companies and nascent startups.

A Voice (Not) Crying Out in the Desert

All of that said, it may be naïve to expect the tech industry to speak up in support of the existing and pending EU legislation as frameworks that can prevent the worst excesses of data monetization. Individual firms may be hesitant and, as we’ll see from my next blog post detailing the findings from Madano’s study of how industries have vocalized opinions on Brexit, the tech industry in Europe seemingly does not have a unified voice from industry bodies telling its side of the story (more on that later in the week). Can it find that voice on data privacy measures?  

Madano supports technology companies deliver their business objectives in highly competitive and disruptive markets.