Facebook has now spent almost two years careening from public relations disaster to public relations disaster. Fake news, election meddling, radicalisation, and the relatively unknown mental health effects of using the social media network have all had their time in the media spotlight.
With Cambridge Analytica, the focus has now turned to data. But while the scandal has set off calls for additional privacy regulation both here and abroad, European Union rules already in train and set to come into force in May will have a huge effect on how the world’s data-fuelled tech giants do business.
The exchange of data and advertising for free access to services underpins tech firms such as Facebook and Google. Companies providing free access to goods or services that effectively monetise the user as a product have flourished; those that haven’t, such as traditional newspapers, have struggled. Despite prompts for Facebook to consider implementing a user-subscription model, CEO Mark Zuckerberg has doubled down on the advertising revenue model in post-scandal interviews.
One reason Zuckerberg is so attached to advertising is his commitment to Facebook eventually developing into a kind of universally accessible social infrastructure, a vision first outlined in a February 2017 manifesto. If this infrastructure is to be universal, the logic goes, it must be free of charge: “Having an advertising-supported model is the only rational model that can support building this service.”
Part of what makes advertising so effective on Facebook is how data accrued by the platform allows for relatively precise product targeting, both on the platform via user newsfeeds and off the platform via the “Facebook Audience Network”, which allows companies to show targeted advertisements to users browsing other websites.
The loophole that allowed Cambridge Analytica to make off with Facebook’s data has been closed for some time. But the scandal has nevertheless shattered the useful fiction that by using the service and agreeing to some nebulous terms, Facebook’s users consent for their data to be used as Facebook desires.
These users can only meaningfully agree to this deal if it’s possible for them to understand what it is they are giving away. But the reaction to news that a third party plied Donald Trump’s presidential campaign with Facebook’s data has revealed how opaque, inaccessible, and widely misunderstood Facebook’s use of data really is; a point not lost on Australian Competition and Consumer Commission head Rod Sims, who is currently engaged in an inquiry into digital platforms.
In November 2017 the Turnbull government announced it would legislate a Consumer Data Right, giving users of particular internet services open access and potentially even ownership over their transaction data. While this new right was initially framed as giving individuals better information with which to make traditional consumer choices, commentators have touted its applicability to “free” services, such as Facebook, in the wake of the Cambridge Analytica scandal.
But knowing what data a corporation holds is a far cry from knowing how it is being used. Take, for example, the boasting of Facebook’s Martin Barthel about the company closing in on the “holy grail” of advertising: incorporating phone geolocation and retailer customer loyalty programs or credit card information to map consumer journeys from digital ad to in-store purchase.
Under the European Union’s General Data Protection Regulation (GDPR), such advertising schemes may require much clearer consent from consumers. In force from 25 May, the regulation will set EU-wide standards for data collection and management, underpinned by the principle that individuals are the ultimate owners of their data. The regulation will give users the “right to erasure”, and companies must report data breaches within 72 hours of their occurrence.
The GDPR also sets new standards for how companies gain consent to gather and process data, which will affect not only how Facebook operates its various advertising tools but also how third parties integrate their data with these tools. There are potentially very high financial penalties for non-compliance.
It’s difficult to gauge what exactly will happen when the GDPR is finally rolled out. There are various estimations as to the compliance of US tech giants, and reports of operational and resourcing shortfalls within country-specific EU regulators. The Cambridge Analytica revelations may have shifted public indifference to digital privacy, but to what extent is unknown. For its part, Facebook plans to extend some but not all of the GDPR’s standards to non-European users, but is “still nailing down details”.
Depending on the results, Australian policymakers may be tempted to implement GDPR-like stipulations, cooperating with the EU to allow for regulatory uniformity. Insofar as companies based outside Europe are still subject to the GDPR if they maintain particular types of operations in the EU, many Australian companies will have prepared for its enforcement next month.
But the incentives for countries and companies to adopt EU standards on digital privacy hint at a broader narrative. The US Government’s efforts to encourage the spread of Silicon Valley tech dominance across the world has long been framed as a form of global norm-setting or, depending on your perspective, “ideological imperialism”. Similarly, the GDPR placing access to the European market at stake could be seen as yet another form of global norm-setting/ideological imperialism, with EU regulations creating strong incentives for their replication across the world.
Photo via mkhmarketing on Flickr.