Privacy vs. Business: How changes in data rules affect the landscape

by Alanna Ostby

In March, news of an unprecedented Facebook scandal shook internet users across the nation. The US Federal Trade Commission opened an investigation into whether the social networking site had breached its 2011 consent decree, which required clear and informed consent before sharing users' data beyond their chosen privacy settings. In 2013, University of Cambridge researcher Aleksandr Kogan developed an app called "thisisyourdigitallife" that determined participants' personality types in exchange for extensive (and vaguely specified) access to their profiles. Under the platform's permission model at the time, the app also harvested data from the participants' friends, who had given no consent in the matter at all. Although only about 270,000 people took the quiz, the harvest reached an estimated 87 million connected accounts. Kogan then passed that information (including interests, likes, locations, political affiliations, relationships, photos, and more) to British political consulting firm Cambridge Analytica for voter targeting and manipulation. Exposure of this misuse has fueled resistance to third-party data aggregation, and small businesses may have to pay the price.

Worldwide, by one industry tally, 1,946,181,599 private records were exposed in data breaches last year. That total exceeds the populations of China, Russia, and the United States combined. More specifically, 71% of businesses surveyed reported a data breach, costing them an average of $3.62 million each.

[Figure: Number of personal records compromised in 2017; percentage of businesses that reported a data breach in 2017; average cost of a data breach to a targeted business]

With this in mind, not many will deny the need for more privacy protections, but to what extent? Europe has initiated major reform with its General Data Protection Regulation (GDPR), which requires organizations to have a lawful basis such as consent for processing, to minimize and pseudonymize the data they hold, and to notify regulators of a breach within 72 hours, among other rules. This gives individuals substantial control over their own information, but many businesses lose efficiency because of it. Huge corporations like Google and Amazon possess the funds, technology, personnel, and legal counsel to navigate the intricacies of the law; smaller firms, with limited resources, face a much rougher transition. Austin McChord, CEO of Datto, explained that his "company provides data backup and disaster recovery solutions for small and midsized companies, and in recent months we've witnessed small businesses scramble to ensure compliance with a law many still don't entirely understand." Honoring a single erasure request means locating and removing specific data points across countless, complicated data sets, meticulous labor that detracts from other tasks and is felt especially in low-staffed firms with smaller budgets. If the United States adopts similar legislation, startups and budding businesses could likewise flounder amid growing data and heightened regulation.

Either way, Americans must pay special attention to the GDPR or potentially face destructive backlash. The law applies to any organization worldwide that offers goods or services to, or monitors the behavior of, people in the EU, regardless of where the organization is based. Hotels, hospitals, banks, and more, all located in the US, could fall beneath its restrictions. More than that, noncompliance could result in fines of up to 4% of worldwide annual turnover or 20 million euros, whichever is higher. Still, with only 37% of EU businesses in one survey saying they understood how the GDPR applied to them, and just 6% calling themselves "prepared" to meet its requirements, one can only imagine how unfamiliar American businesses are with the new law.

[Figure: Application of EU GDPR]

Facebook itself, meanwhile, has rolled out some new privacy controls. Users now receive a prompt to revise their profile information, select the data available to advertisers, and opt out of facial recognition technology. However, Erasmus law professor Mireille Hildebrandt notes that "it seems [Facebook] has announced that they will still require consent for targeted advertising and refuse the service if one does not agree. This violates [GDPR] art. 7.4 jo recital 43." In other words, consumers could choose to withhold information from advertisers, but Facebook may then deny them the service altogether. That is hard to square with the GDPR's principle that consent must be freely given and withdrawable "without detriment." Thus, although some claim the new data legislation wrongfully burdens entrepreneurs, others fear that corporations will trample it altogether. Perhaps only time will tell if the US can strike the right balance between individual privacy and good business.

Alanna Ostby is a Client Success Manager at Data Orbital.  She is an avid writer and keenly interested in the intersection of data, politics and public policy.  
