Valley Public Radio - Live Audio

Europe's New Online Privacy Rules Could Protect U.S. Users Too

Apr 16, 2018
Originally published on April 17, 2018 11:40 am

The European Union is preparing to implement sweeping privacy rules next month, but these new protections of individuals' information may set a new standard around the world — including in the U.S.

Beginning May 25, under the new General Data Protection Regulation, companies that collect or mine personal data must ask users for consent. No longer will firms be able to bury disclosures about pervasive tracking in hard-to-read legal disclaimers.

"We're not entirely satisfied with that's in there," says Estelle Massé, an analyst with the digital advocacy group Access Now, tells NPR's Ari Shapiro. "However, it's a great improvement from the previous law and it's also a great basis for the use of data in the digital age."

What counts as "personal" won't just be attributes like race, height, weight and religion, but also an individual's IP address or browsing history.

Rayna Stamboliyska, a data protection specialist based in Paris, says that under the new rules, the Internet is a place where no means no. She compares digital consent to sexual consent.

"Before you even put your cookie on my computer, or in my mobile device, you have to make sure I consent to being followed," she explains.

A cookie is a small piece of data a website might slip into your smartphone or laptop to keep track of what you're doing online. Right now, without clearly asking your permission, she says, many sites are watching your every move. Under Europe's new directive, that's not OK. Consent must be given, and it can be taken away.

Stamboliyska gives a simple example. Say you want to buy a new pair of shoes. You're fine with marketers slipping a Zappos ad into your morning news feed. But then later, you're done shopping. Under GDPR, you must have a way to say: "Look, I'm fed up of your shoes. Now just stop profiling me, and stop following me. And please do remove the data you have of me because I no longer want you to keep it."

Europe didn't create Internet giants like Google or Facebook, but now it's engineering a legal way to control them. Companies that violate the new rules face penalties of up to 4 percent of their global annual revenue or 20 million euros (about $25 million), whichever is higher.

Stamboliyska says that for too long, American companies have gotten away with too little oversight. In a recent scandal, Facebook lost control over the data of 87 million users.

CEO Mark Zuckerberg said he was sorry, but Stamboliyska says: "We don't need your apology. We need you to be respectful."

Last week, the Facebook chief told Congress he plans "to make all the same controls and settings available everywhere, not just in Europe." Tech giants Microsoft and Google have indicated they are also extending Europe's privacy rights to users around the world.

Michael Cohen, a lawyer based in Minneapolis, advises American media and Internet companies that operate in Europe. How exactly U.S. firms deal with new rules on the collection and storage of personal data is a work in progress. The GDPR is, he says, "aspirational, meaning that of course we would like to strive for what's considered the gold standard."

If users in Europe start to see really simple language and get truly easy-to-follow prompts, he says, Americans might want what the Europeans have.

Internet users will start to see notices from their news, music, gaming and other apps in the coming days and weeks.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

AILSA CHANG, HOST:

While the laws are changing in Europe, digital norms are changing around the world. Many experts say people are coming to expect more transparency in terms of what data is collected about them and how it is used. Here's NPR's tech correspondent Aarti Shahani.

AARTI SHAHANI, BYLINE: Ahead of the change in European law set for May, there's a lot of forecasting going on. According to data privacy experts like Rayna Stamboliyska, who's based in Paris, the Internet is going to change in a big way. It's going to become a place where no means no.

RAYNA STAMBOLIYSKA: Before you even, you know, put your cookie on my computer or on my mobile device, you have to make sure I consent to being followed.

SHAHANI: A cookie is a small piece of data a website might slip into your smartphone or laptop to keep track of what you're doing online. Right now, without clearly asking your permission, she says, many sites are watching your every move. Under Europe's new directive, that's not OK. Consent must be given, and it can be taken away.

STAMBOLIYSKA: Consent, just like sexual consent, is dynamic.

SHAHANI: Stamboliyska gives this simple example. Say you want to buy a new pair of heels. You're fine with marketers slipping a Zappos ad into your morning feed. But then later you're done shopping.

STAMBOLIYSKA: Fine. If tomorrow I decide that I've had enough of shoes, I must have the ways to withdraw my consent and say, look; I'm fed up with your shoes. Now, just stop profiling me and stop following me. And please do remove the data you have of me because I no longer want you to keep it.

SHAHANI: Europe, a continent that has not created Internet giants like Google or Facebook, is now engineering a legal way to control them. If you capture or mine personal data like height, weight, race, religion, browsing habits, you've got new obligations. Stamboliyska says for too long American companies have gotten away with too little oversight. In a recent scandal, Facebook lost control over the data of 87 million users. While CEO Mark Zuckerberg said sorry, she says...

STAMBOLIYSKA: You know, we don't need your apology. We need you to be respectful.

MICHAEL COHEN: It's aspirational, aspirational meaning that of course we would like to strive for what's considered the gold standard.

SHAHANI: Michael Cohen is a lawyer who advises American media and Internet companies that operate across the Atlantic. Europe's directive is sprawling, 99 articles long. How U.S. companies deal with new rules on the collection and storage of personal data - it's a work in progress. Internet users will start to see little notices from their news and music and gaming apps in the coming days and weeks. Cohen has a little confession.

COHEN: I'm going to be real honest with you. I'm an attorney that writes those privacy notices that 99 percent of the people, you know, never bother to read anyway.

SHAHANI: But if users in Europe start to see really simple language, get truly easy-to-follow prompts, Americans might want what the Europeans have. Last week Facebook's chief told Congress that he plans to make all the same controls and settings available everywhere, not just in Europe. Tech giants Microsoft and Google have indicated they'll also extend Europe's privacy rights to users around the world. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.