How Looming Privacy Regulations May Strengthen Facebook and Google
How Looming Privacy Regulations May Strengthen Facebook
and Google
April 23, 2018
SAN FRANCISCO — In Europe and the United States, the conventional
wisdom is that regulation is needed to force Silicon Valley’s digital giants to
respect people’s online privacy.
But new rules may instead serve to strengthen Facebook’s
and Google’s hegemony and extend their lead on the internet.
That could begin playing out next month, when Europe
enacts sweeping new regulations that prioritize people’s data privacy. The new
laws, which require tech companies to ask for users’ consent for their data,
are likely to hand Google and Facebook an advantage. That’s because wary
consumers are more prone to trust recognized names with their information than
unfamiliar newcomers. And the laws may deter start-ups that do not have the
resources to comply with the rules from competing with the big companies.
In recent years, other regulatory attempts at
strengthening online privacy rules have also had little effect at chipping away
at the power of the largest tech companies, ultimately aiding internet
incumbents rather than hurting them.
“Regulations help incumbents,” said Avi Goldfarb, a
marketing professor at the University of Toronto who has studied the effect of
privacy regulations on competition. Mr. Goldfarb was the co-author of a 2013
report that said privacy regulation could be anti-competitive because the cost
of getting permission from users for their data was typically much higher for a
younger company than for an established firm.
That Facebook and Google may emerge stronger from all of
this can seem like a distant prospect. The Silicon Valley companies have been
under scrutiny for months for how they collect and use people’s data, with
Facebook reeling from revelations that the political research firm Cambridge
Analytica harvested the personal information of up to 87 million of its users.
That led to Congress dragging Mark Zuckerberg, Facebook’s chief executive, to
Washington this month for a grilling.
Google, too, has grappled with questions about its online
video service YouTube as it tries to duck lawmakers who fear that the search
giant’s data-collection machinery is as robust as Facebook’s, if not more so.
At the same time, countries like Brazil and Argentina are
exploring European-style privacy regulations that will further test the
companies’ advertising-based business models. United States lawmakers also
showed more openness to regulating Silicon Valley during Mr. Zuckerberg’s
testimony this month.
Yet past attempts at privacy regulation have done little
to mitigate the power of tech firms. Consider what happened in Europe after
earlier attempts at checking the power of Facebook, Google and others.
In 2014, Europe’s highest court ruled that people had the
“right to be forgotten” online, meaning they could ask Google and other digital
companies to delete search results about them. Since then, Google has instead
become a chief arbiter of what information is kept online in Europe because the
company itself is responsible for determining the fate of each deletion
request.
Another 2011 European law requiring websites to alert
visitors to “cookie” trackers that collect data on browsing history has largely
turned into a distracting annoyance rather than changing how companies operate.
People often accept the tracking to get rid of the pop-up warning without
reading details about the tracking.
Today, the uproar over data privacy has also done little
to diminish the businesses or usage of Facebook and Google. Mr. Zuckerberg said
this month that the Cambridge Analytica scandal had no meaningful effect on
Facebook’s business, which is expected to show sales growth when the company
reports quarterly earnings this week. Alphabet, Google’s parent company, said
on Monday that its revenue rose 26 percent for its most recent quarter as its
ad business continued to grow.
Spokeswomen for Facebook and Google declined to comment.
In Europe, the coming data privacy laws are known as the
General Data Protection Regulation. These rules will restrict how tech
companies collect, store and use personal data from people across the region.
The laws, which take effect on May 25, require companies to explain how they
plan to use people’s personal information in simple, unambiguous language and
detail what other entities will gain access to that data. Companies can no
longer hide behind convoluted and often ignored user agreements, but must
obtain consent with a full understanding of the user where their data may go.
Lawyers, consultants and businesses preparing for the
privacy laws said that reining in the large technology companies was not the
primary goal of the European legislation.
Some privacy advocates also bristle at the idea that
these new restrictions would help already powerful internet companies, noting
that is a well-worn argument employed by tech giants to try to prevent future
regulation.
But Nicolas Colin, a co-founder and director at the
Family, a Paris-based start-up accelerator, argued that “people tend to give
that permission to companies they trust.” He said that “stricter rules
strengthen companies because they have that key asset that is trust.”
The European privacy laws may crimp targeted advertising
by limiting the flow of personal data, but firms like Google and Facebook still
have an advantage because advertisers are likely to turn to services with reach
and enormous audiences — akin to buying an ad during the Super Bowl. Facebook
has more than 2.2 billion monthly users, and Google’s YouTube has 1.5 billion
monthly users.
Giovanni Buttarelli, the European data protection
supervisor who was involved in the creation of privacy rules, said much of the
impact would be determined by regulators who enact the law and who will be up
against well-funded teams of lobbyists and lawyers. Google and Facebook will be
overseen by the Irish data authority because their European headquarters are in
Ireland. Mr. Buttarelli noted that Europe had staff of about 2,500 across all
the countries working on the issue.
“That’s peanuts compared to the lobbyists in Brussels and
Strasbourg,” he said, referring to the cities where the European Commission and
Parliament operate.
He said large technology companies had advantages but
would also be under a microscope. Enforcement of the law is skewed to companies
that handle the most personal data.
“There are pros and cons to being a tech giant,” he said.
“We want to treat small and medium-sized businesses differently.”
Yonatan Zunger, a former Google privacy engineer now
working at human resources start-up Humu, said Europe was holding Google and
Facebook to “a much higher bar” when it came to gaining consent from users.
These companies now cannot make data sharing a condition of using their
products because consent needs to be freely given, whereas smaller companies
are not held to that same standard, he said.
Still, there are already signs the big companies are
adjusting to the new privacy norms.
Facebook last week rolled out a new consent form asking
users globally — not just Europeans — to accept its targeted advertising and to
allow features like face recognition. It has also limited access to data
brokers such as Acxiom, in a concession to privacy advocates.
Google, which spent years preparing for the new rules,
has stopped scanning Gmail messages for keywords used to target advertising.
And it recently introduced a new marketing product for publishers that shows
ads based on the context of other articles or content on a website, instead of
relying on personal information.
In response, privacy critics have challenged Facebook’s
new consent forms, saying they are intended to continue encouraging users to
share information widely. And Google came under fire for an updated European
user consent policy that has open-ended language, which critics said violated a
tenet of European privacy rules that requires companies to ask for user consent
in specific and explicit ways.
“I’m worried that a lot of people have invested a lot of
hope in G.D.P.R., and I’m not sure it’s going to deliver,” said Ben Scott, a
senior adviser to the Open Technology Institute at New America, a think tank
based in Washington. “It will all depend on how it’s going to be enforced.”
Follow Daisuke Wakabayashi and Adam Satariano on Twitter:
@daiwaka and @satariano
Daisuke Wakabayashi reported from San Francisco, and Adam
Satariano from London.
Comments
Post a Comment