When Europe’s new data law, the General Data Protection Regulation (GDPR), went into force on May 25, it pushed a decades-long global debate over privacy and the proper regulatory guardrails for the commercial use of people’s information on the internet to the front pages of newspapers all over the world.
As a result of the regulation’s European origins, some members of both the industry and the media are still under the impression that GDPR is somehow a “Europe issue.” It is not. It is a global call for those of us who collect, use, or distribute people’s information to rethink how we engage with the end consumer. There are also other takeaways for all stakeholders – governments interested in passing their own legislation, data-dependent companies and industries, website operators and publishers, and the internet’s users themselves.
1. It’s about alternative solutions that will work for everyone
The first of these lessons is not to conclude that Europe has an aggressive regulatory philosophy and therefore there is nothing to be gained from assessing how the GDPR was constructed. It’s actually in part about how those of us that were concerned about the legislation approached influencing the outcome. Legislators and regulators in the United States and other countries are free to make law — good, bad, and in between — and they will continue to do so. The first lesson from the GDPR experience should be that standing in opposition to regulatory action or ideas for consumer and privacy protection in the digital age without providing widely acceptable alternative solutions to the concerns of consumers will not work.
The GDPR was one idea for constructing rules of the road for the treatment of people’s data that would give them greater comfort. It is the result of political pressure from European consumer concerns with commercial data practices that they believe lack transparency or adequate governance and the sense on the part of European legislators that they had to act to protect fundamental rights. Now that it is law, we should work cooperatively and collaboratively with thought leaders in the region to implement the regulation in a tempered and reasonable manner.
As technology- and data-dependent industries, we must also listen and rise to the challenge to put the consumer and his or her interests first, independent of GDPR and in anticipation of regulatory and legal proposals to come. We should not limit ourselves to “check-the-box” compliance with every law, nor should we engage in expensive jurisdiction-by-jurisdiction battles to beat back new data-restriction proposals. Instead, we should provide alternative constructs for consumer protection for the digital age that are more flexible and enabling of innovation than the GDPR is in parts while simultaneously doing as good a job, or a better one, of putting consumers in charge of their digital experiences and identity. We should do that through self-regulatory work, public-private cooperation, and an open approach to the modernization of existing law.
2. It’s about both give and take
To help construct this new social contract for the digital age, we should commit to creating an online marketplace in which the rights and needs of both digital market actors and consumers are respected. We don’t need government to force us to do this. We can do it by right-sizing the exchange of value in the ecosystem and making it much more transparent and explicit. We are asking for consumers’ attention and time, so in return we must offer ad experiences that respect people’s digital dignity and enrich, entertain, inform, and educate them.
3. It’s about understanding that the internet is global, not local
Countries from Brazil to Australia, as well as US states including California, are considering copying GDPR or writing similar legislation. Much of it could be better constructed and too much of it is premised on the idea that data sharing itself is bad. Nonetheless, this rise in policymaker concerns and proposals represents a powerful call for individual digital empowerment. Consumers across the globe are raising their voices and asking for a better deal online. The digital ecosystem had better answer their calls. Setting aside potential new laws and regulation, one needs only look at the rising tide of ad blocking to hear what consumers want. Global consumer behaviour, like the internet itself, is not dependent upon, nor confined to, any particular geographic regulatory schema.
4. It’s about the user and the consumer, not the country or company
To win the support of the public and their representatives for the continued development of a globally data-driven economy, we must all embrace a consumer-first ethos. We must engage in a transparent dialogue with users and treat their information in a manner that the average person can reasonably be expected to understand and embrace. That is a fair challenge, and it is the galvanizing spirit of the GDPR and other proposals.
In partial response to the call from Europe, and in accordance with GDPR, the IAB Europe has created a Transparency and Consent Framework that provides a viable way to respect GDPR without hindering digital commerce. This is an example of addressing consumer and policymaker concerns in good faith. We should urge all actors in the digital economy to embrace it. It creates a mechanism for website operators to make clear to consumers which other digital actors are involved in the protection of consumer data and for what purposes. It offers consumers the choice whether or not to distribute that data to those actors for those uses. Beyond that, securing the information we hold and enabling people to ask for their records to be deleted are also reasonable demands, with which we should comply without complaint.
5. Lessons on what not to do
But as we consider the future of digital commerce, there are some truly bad ideas that the call for consumer protection is leading some policymakers to embrace. For example, we should seriously consider – whether under the GDPR or any other law – if legislators should force companies to provide services for free that they now provide in exchange for people’s information. Barring that specific service being a human right or utility, that is a step too far.
Website publishers should not be made to provide access to the content on a news website or to a service like social networking for free when someone chooses not to engage in the value exchange of data for services. People should have the choice not to have their data used without their consent but not the choice to free ride off the information of others and access services for free. We don’t believe that is fair. We hope that those who interpret GDPR, or are considering similar laws in their own jurisdictions, will take this on board.
It is currently unclear in both the GDPR and the current draft of upcoming European ePrivacy rules whether or not companies will be able to charge people anything if they choose not to engage in the value exchange of data for services. The assertion is that consumers should be able to bar access to their data without penalty, and many are interpreting charging for services in any way as a penalty. The current draft of the California ballot initiative under consideration for November explicitly states that companies have to allow free use of their services by consumers who refuse to provide access to their data. The internet and the services it delivers are amazing and prolific, but they are not free. It is bad precedent and bad policy to mandate how a service can or cannot be monetized or how a person can or cannot compensate a service provider for that service. Companies need to monetize services to operate. And for people to continue accessing services on the internet without having to reach for their wallets each time, websites have to have the ability to negotiate for access to data in order to best finance currently cash-payment-free services.
There is no doubt that commerce on the internet under GDPR and other similar proposals will get more challenging. Some companies won’t be able to make the transition, and the companies that survive and adapt to new law and consumer demands will have to rise to a higher standard. But we cannot throw the baby out with the bath water – and nor do we think that is anybody’s intent. Using, analyzing and distributing people’s data to create, monetize, and deliver services has fueled the rise of a global digital economy with very low barriers to entry and participation. It has served as an incredible engine for the democratization of commerce and conversation. We can come to mutually agreed standards and processes for ensuring its continued progress and enabling its financing – through multiple mechanisms, including permissioned advertising – while also giving people more control over their own information and data.
The World Economic Forum is a great platform on which to have this dialogue. So are the OECD, think tanks like the German Marshall Fund, your national legislatures, regulatory bodies, and self-regulatory and multi-stakeholder organizations.
GDPR is not the end of the global and national discussions and deliberations over people’s privacy in the digital age nor is it a silver bullet solution that should be cut and pasted into other jurisdictions. It is one idea that European legislators and regulators have worked hard to construct. Those companies operating in Europe, including my own, should respect and comply with it. And we should all evaluate it, engage with its implementation, and think about what might work just as well or even better elsewhere in the world for the sake of protecting people and enabling innovation and commerce in our still developing information society.