It’s an interesting time in politics, as recent European elections share the spotlight with the first anniversary of Europe’s landmark General Data Protection Regulation (GDPR). As we digest the results of the election across the Union, privacy and data protection efforts are being ramped up again by MEPs following concerns over the havoc disinformation and data leaks could wreak on the democratic process. The rules that new MEPs will debate and fine-tune now will have long-lasting and far-reaching effects. Despite all the hoopla around the UK’s impending departure from the European Union, commitments from both sides of the divide have ensured that European rules will continue to inform tech policy on both sides of the Channel for the foreseeable future. With that in mind, let’s take a closer look at a few key tech policy trends in Europe that firms will likely need to contend with in light of the European elections and other changes taking place.
In defence of democracy
A top concern heading into the European elections was the impact disinformation and data breaches might have on the electoral process. Recent cases like the Cambridge Analytica scandal have shown just how fragile corporate data protection systems are and how they could be misused to subvert elections and political debate. The alarm these scandals set off has led to mounting oversight and fines by regulators worldwide. European lawmakers in particular are increasingly convinced that enterprises like Facebook and Google need stronger rules on privacy and online advertising to protect consumers and guard against disinformation. Such new rules could seriously impact the core of these firms’ data-driven business models.
Several initiatives were born out of these concerns, including the Code of Practice against Disinformation, launched in October 2018. The code outlined a wide range of voluntary commitments that firms could pledge to uphold. They included commitments such as closing fake accounts, giving prominence to reliable sources of news, and disclosing issue-based advertising. Facebook, Google and Twitter, looking to show that they could indeed play by the rules, became the Code of Practice’s first signatories and committed to reporting monthly on their actions ahead of European Parliamentary elections.
The latest Code of Practice against Disinformation report, published last April, sees all firms improve on ad transparency and fact checking, but companies are still struggling to satisfy the EU’s persistent demands and stay in its good graces, with the EU Commission stating that Facebook, Twitter and Google needed to do more when it comes to allowing third-party experts and fact-checkers to carry out independent evaluations on fake accounts. This is concerning news for big tech. Despite enormous investment in the area, such as Google’s new privacy engineering centre in Munich and Facebook’s election monitoring ‘war room’ in Dublin, tech firms will need to commit even more resources towards meeting increasingly stringent privacy requirements, while balancing this against their need for the open data on which their revenue models rely. The improvements will be worth it in the end because ultimately everyone benefits: democracies will be strengthened, people will be protected, and brand reputations will be preserved. All eyes will be on the new Commission!
A new era in privacy
Gone are the days of enterprises collecting information indiscriminately and shying away from being held responsible for what happens on their platforms. GDPR marked the end of that era, forcing enterprises to think much more carefully about how they collect data, the types of data they collect, and how they store and use it. The GDPR introduced sweeping changes to how data was processed in the EU and with non-member states. Its goal was to ensure users understood and could consent to the data being collected about them, and it gave users the legal entitlement to control how much of their information tech enterprises could store.
It replaced outdated laws that didn’t cover new technologies like big data, social media, and mobile computing, and introduced entirely new privacy concepts like ‘the right to be forgotten’ and ‘client consent’. Under the GDPR, the consequences for breaches became much steeper, up to 20 million euros or 4 per cent of global turnover, and firms were also required to evidence compliance at every step of their processes.
Since its passing, the costs of non-compliance with the law have quickly racked up, forcing many enterprises to adopt new privacy cultures and practices across their organisations. Yet work on the compliance front is still not done. There is still uncertainty around some aspects of the text, and with new privacy regulations on the horizon, enterprises would be wise to invest in privacy experts and to continually reassess their IT infrastructure to ensure and maintain compliance.
Prepare for what’s next
Accessing and transferring data will likely become more difficult for UK data processors post-Brexit. The GDPR set new standards to ensure a high level of personal data protection across the EU as well as with nations outside the EEA, also known as third countries. Under the GDPR, data transfers to third countries are restricted unless those countries are deemed to have an equivalent level of data protection, in what’s known as an adequacy decision.
Data mobility is particularly important for the UK. According to techUK, digitally intensive sectors account for 16 per cent of domestic output and 24 per cent of total UK exports. Digital sectors also contribute disproportionately to UK exports, with 75 per cent of the nation’s cross-border data flows going to the EU according to Frontier Economics. The UK government has stressed that “there will be no immediate change in the UK’s own data protection standards” and that any “Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”, but there is no guarantee that the UK would automatically be granted adequacy as a former EU Member State. In fact, the ECJ has previously ruled that some UK regulations were inconsistent with EU law due to a lack of sufficient safeguards when handling personal data.
So the prospect of a hard Brexit and of being labelled a third country is very real indeed, and it would affect a host of service industries. Under such circumstances, service providers such as broadcasters, online financial services, on-demand content platforms and internet sales would lose their rights to serve EU markets and customers. Gaining back their rights would mean moving operations to and acquiring licences in the EU27. It is a costly proposition, but with Brexit largely still in parliamentary deadlock and with no clear indication of what form it will take, preparing for the worst is likely the best firms can do to ready themselves.
It looks like 2019 will be an extraordinary year of change for the European Union, with new appointments in the European Institutions and a new Commission nominated over the coming months, and of course the UK setting a path for its own future. This is a major year of change across Europe, and the May 2019 election of a new EU parliament sets this process of transition in motion. Changes on this scale make it more important than ever for enterprises to keep pace with regulatory developments in both the UK and EU. Only by keeping abreast of the political and regulatory landscape and these rapidly accelerating changes can enterprises ensure that they are in the right places at the right times to make their voices heard and shape the important tech policy discussions to come.