Main content

Can the GDPR protect non-Europeans’ data, too?

By Mark Surman, Executive Director of the Mozilla Foundation

New legislation affecting personal data across the EU is likely to have worldwide repercussions, Mozilla Foundation's Mark Surman says.

The EU’s landmark privacy legislation takes effect 25 May, and will likely transcend borders.

A series of ongoing headlines — starting with Cambridge Analytica and continuing with Mark Zuckerberg's congressional testimony — has revealed how little control internet users have over their personal data.

First, 50 million users were affected by the Facebook breach. Then 87 million. And then we learned “far more” were impacted.

Facebook’s practice of collecting and monetizing internet users’ data isn’t the exception online — it’s the rule.

When Mark Zuckerberg told Congress ‘Senator, we run ads,’ he might as well have been talking about the whole of the internet.

There’s nothing inherently wrong with advertising. But the internet’s current model goes to extremes, vacuuming up vast amounts of intimate data — our contacts, our photos, our location, our search histories — with limited consent and transparency.

Most of us don’t even know this is happening, at least not at this scale.

The result is an internet where the big, advertising-driven platforms define the rules of the road, where companies control individuals’ data, where fraud and abuse are commonplace, and where privacy is hard to come by.

In the EU this spring, the tides of personal data may well shift dramatically. The sweeping General Data Protection Regulation (GDPR) takes effect on 25 May, with the aim of putting users back in control of their data.

It’s good news for EU residents. Can the GDPR benefit internet users on other continents, as well?

First, a bit about the GDPR. The regulation replaces the EU’s 1995 Data Protection Directive, from a time when just one percent of Europeans were online. (Today, about 80 percent of Europeans are online.)

The new rules aim to ‘strengthen individual rights,’ as BBC Radio 4 puts it, and ‘will give you the right to ask companies what data they are holding on you, and how it's being used.’

How 'likeable' will GDPR turn out to be?

The GDPR stresses ‘data minimization’ — it requires businesses to limit and justify the data they collect about customers. (Why does a smart toothbrush need to know your location?)

It also stresses ‘data portability,’ meaning users can take their data from one platform — Facebook photos, FitBit metrics — and bring it over to another.

Several other user protections are housed in the GDPR, including a right to erasure (or, ‘right to be forgotten’) and a mandate that companies report data breaches within three days.

The penalties for not complying with the GDPR are steep: up to four percent of worldwide revenue, or €20 million.

While data-driven businesses may be scrambling to comply, the GDPR is almost certainly good news for individual internet users in the EU.

It could also be heartening news for internet users elsewhere across the globe. The world’s biggest data companies — Facebook, Google, Amazon, Apple — may be based on America’s West Coast, but millions of their users live in the EU.

And already, we’ve seen the GDPR push them in a new direction: “We're going to make all the same controls and settings available everywhere, not just in Europe,” Zuckerberg told reporters in April 2018.

Microsoft and Google have made similar statements. Why? These companies may be reluctant to build different systems for EU users and non-EU users.

The UK government's Data Protection Bill will ensure that GDPR rules continue to apply after the UK leaves the EU

Further: When international consumers see their European counterparts no longer dealing with invasive tracking or indecipherable terms of service, they’ll likely pressure regional governments and businesses for the same.

In India, the GDPR is often cited as a touchstone for the country’s nascent data protection law. In Kenya, the GDPR may give reason to revive a stalled data protection bill.

The GDPR also has the potential for longterm change abroad. The ripple effect of EU-compliant privacy standards deployed globally by the big platforms could pressure other countries to follow the EU’s lead.

The GDPR might be an indirect boon to competition in the internet industry, too. Encouraging more data portability and less data hoarding has the potential to make it easier for startups with new products to compete against the big platforms.

The GDPR may not only help us avoid the next Cambridge Analytica scandal, but also open up the market that is currently controlled by a tiny handful of U.S. platforms.

The GDPR isn’t a panacea for fixing all the problems stemming from the internet’s data-hungry, advertising-driven business model.

Some parts of the regulation are vague, and others difficult to enforce. But the GDPR is a major step forward, in no small part because of its potential for international impact.

It’s a much-needed acknowledgment that our data belongs to us, that privacy is worth protecting, and that the internet is at its best when it’s controlled by many, not few.

Mark Surman is the executive director of the Mozilla Foundation.