By Larry Magid
Europe’s General Data Protection Regulation (GDPR) kicked in on Friday, May 25th, and its impact will be felt not just in Europe but around the world — especially in Silicon Valley, where many tech companies are based. That’s because the GDPR’s rules affect any company that touches data from European citizens, which is pretty much every tech company. It could also have a negative impact on some European teenagers.
Facebook CEO Mark Zuckerberg told European lawmakers last week that his company will be in compliance, but a study by Poneman Institute revealed that nearly half the companies it surveyed won’t meet the deadline.
Like most sweeping laws, the text of the GDPR is long and complex, but Microsoft Trust Center has published an excellent summary of its key components, which include:
- Giving individuals the right to access their personal data,
- Allowing users to correct errors in their personal data
- Requiring sites to erase users personal data on demand
- Allowing people to object to processing of their personal data
- Letting users export personal data
- Allowing users to turn face recognition on or off
Organizations that collect data from people living in Europe will need to “protect data using appropriate security, notify authorities of personal data breaches, obtain appropriate consents for processing data and keep records detailing data processing,” according to Microsoft’s summary.
A European Union website with extensive information about GDPR further states that European citizens may object to the processing of personal data for marketing purposes or on grounds relating to your particular situation and request the restriction of the processing of personal data in specific cases.
Microsoft is one of many companies that not only had to scramble to make sure it’s in compliance, but also provide advice for its own clients and customers. The GDPR has created a cottage industry of advisers to help businesses large and small figure out how to obey the new laws without having to abandon their core mission. Michael Priem, founder and CEO of Modern Impact, a technology and advertising firm based in Minneapolis, said by email that GDPR is “a good thing because it will help restore trust.” Instead of impeding progress, GDPR and other consumer protection regulations “reset the balance between advertiser and audience by giving consumers more control, directing technology be employed for more noble uses, and compelling marketers to interact with consumers in more meaningful ways that create positive sentiment and ultimately restore trust,” Priem said.
While not everyone in the technology and advertising worlds are as optimistic as Priem, any companies with the resources to comply are of course doing what they must. And, while the task for the behemoths like Microsoft, Google, Facebook and Amazon might be enormous, they have both the will and the resources to make it work. What I always worry about when new regulations come into play is how they will impact small companies as well as startups that may never be able to open their doors due to the burden of the regulations. That’s not to say I don’t think regulations are important, but just to point out that they can have unintended consequences.
Negative consequences
For example, when the U.S. Congress passed the Children’s Online Privacy Protection Act (COPPA) in 1998, its intention was to protect the privacy rights of children under 13 by not allowing companies to collect their personal information without verified parental consent. Large children’s programming companies like Disney invested in the mechanisms to comply, but I heard stories from a lot of smaller companies that couldn’t afford the expensive processes for obtaining consent, including some startups that never launched products because of the regulation. Even large companies like Facebook and Google chose to restrict their services to people over 13 and it wasn’t until very recently that Google launched its YouTube Kids and Family Link and Facebook launched Messenger Kids, both aimed at pre-teens with both companies going to great effort to make sure they are COPPA compliant.
GDPR will ban some teens from social media
And speaking of COPPA, Europe’s new GDPR rule has similar provisions, only — unless overridden by legislation in individual countries — they kick in at 16. This provision could have a devastating impact on teens’ use of social media because it requires parental information before they can provide any type of personal information – which is essentially everything one does on social media.
Janice Richardson, an international adviser with the European educational empowerment organization Insight, argues that this provision in GDPR “will have a big impact on the use of the internet on schools, especially for children from different cultural backgrounds who won’t be able to get permission.” She called it “another step to widen the digital divide.” Richardson is properly concerned about parents who, for a variety of reasons including language, immigration status and lack of technical know-how, may not be able or willing to give their children permission to access social media even if they have no strong objections to their doing so. And as I wrote in an op-ed for the Guardian when the rule was being debated in 2015, it’s essentially in violation of articles 13 and 15 of the United Nations Convention on the Rights of the Child, which was ratified by every European nation. The convention guarantees “the right to freedom of expression,” including the “freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print.” And there is nothing in that convention that requires parents to sign off on those rights.
But don’t take my word for why this is an issue; instead, listen to the kids. Richardson has helped edit a scrapbook that not only explains the issue but showcases youth voices around why this provision does more harm than good when it comes to youth engagement, activism and free speech.