The Facebook / Cambridge Analytica story has caused many to ask whether Facebook should be regulated. From our vantage point here in Europe, we can tell you that the question is not whether, or even when. The regulation is in place, and it goes into effect in May.
It’s called GDPR, and you’ve probably at least heard the term floating around in the acronym soup upon which the digital world loves to feast. It’s a European regulation governing how companies may use data they obtain about customers residing in the EU.
GDPR is complicated, but in a nutshell it will require companies to be much more transparent about how customer data is used; to get clear permission from customers for each specific way in which their data may be used; to only use it for the purposes agreed; and to respond to customer requests for access to their data or to limit its further use.
The financial penalty for misuse of customer data can be steep -- as much as four percent of a company’s total global turnover. With Facebook’s global revenue in 2018 likely to top $60 billion, a GDPR breach could cost the company $2.4 billion or more.
Although GDPR comes into effect soon, it’s still uncertain how regulators in each market will apply the regulation. Nevertheless, it’s clear that the practices described in the recent coverage of the Cambridge Analytica incident would fail any GDPR test.
It’s assumed that companies making a good-faith effort to comply with GDPR requirements will pass muster with regulators as the law comes online. But regulators will likely be looking to show they mean business by making an example of bad actors or clueless behemoths.
The Cambridge Analytica incident has made consumers more aware of the vulnerability of their data, and the responsibility companies have to protect it. This correlates precisely with the attitude of European regulators versus their historically more laissez-faire US counterparts. With even US officials now talking about regulating Facebook and others, European regulators are no doubt feeling justified in their approach.
US companies looking to conduct activities that touch EU consumers need to get their houses in order, and implement clear and transparent principles for data use. Businesses that rely on having access to third-party data will need to justify why they should even have such access. Companies need to be prepared to handle consumer requests regarding their data and how it is used.
The heightened awareness triggered by the Cambridge Analytica story means that we can expect GDPR to be enforced with vigour, and we can expect the big companies that previously felt impervious to feel a bit more sheepish now. Regulation is not hypothetical -- it’s imminent, and Europe is taking the lead.