Facebook, Fines and GDPR: the global implications of the GDPR

In the aftermath of the Cambridge Analytica incident, Facebook moved more than 1.5 billion user accounts out of the reach of EU data privacy regulators. Presumably the company was worried about unnecessarily exposing itself to the risk of a hefty fine that could be levied under the European General Data Protection Regulation (GDPR) from 25th May. The move effectively divides the Facebook population into two groups: users who are protected according to the GDPR and users who are protected in the US, which has a very different privacy regime.

The mobile industry takes a different approach. It contends that consumers around the world increasingly demand and deserve a consistent level of protection. Rather than creating an environment in which companies are bound by different rules, individuals receive different treatment and barriers are erected, the mobile industry is pushing for greater alignment and consistency on data-handling rules. In this world, data is more likely to be allowed to flow across borders, benefiting companies, economies and, most importantly, individuals.

The mobile industry has built its trusted reputation on the bedrock of keeping communications and personal data secure and confidential. It provides the platform not just for calls, messaging and internet services, but for innovations such as Mobile Connect, driverless cars, drones, IoT, big data and AI. With such a diverse range of technologies and business models leveraging data to produce benefits for individuals and society, the GDPR provides useful clarity for consumers and businesses.

Beyond Europe’s shores, the GDPR is stimulating efforts to find a common ground for data privacy. It provides the key ingredients of smart privacy regulation for policymakers around the world to consider:

  • GDPR is ‘horizontal’, meaning that it applies to all processing of personal data rather than focusing on just one technology or sector. This reduces the need for sectoral rules such as the European ePrivacy Directive or operator licences that subject network operators to an additional set of competing privacy obligations.
  • GDPR is ‘principles-based’, allowing innovation to thrive without having to reinvent the rules every time new technologies or business methods are introduced.
  • GDPR is ‘risk-based’, encouraging companies to focus on preventing harm. For example, rather than being faced with a rule that biometric data is or is not allowed, a company that wants to use biometric data can design privacy into its product to avoid or mitigate the specific privacy risks. Another example of the risk-based approach in the GDPR is the threshold it sets for when a company should report a data breach. Rather than reporting all breaches, which would overwhelm regulators and end up being ignored by individuals, companies are forced to think about the level of risk to individuals.
  • GDPR is based on the idea of ‘accountability’, holding companies to account, but allowing them to innovate and comply in a way that makes sense for their business and rewarding those that embed a culture of privacy in their organisations.

These ideas are rapidly finding their way into laws and regional frameworks around the world, from Latin America to Africa (where data privacy laws and coordination between data privacy regulators are really picking up pace) and to Asia. Of course, the direction is not being set solely by Europe; it was the US, for example, that invented the data breach reporting duty which has been embraced so widely elsewhere. The fact that the GDPR is so hotly debated around the world indicates that governments and people are hungry for the same sort of protection regardless of where their data is. Indeed, this trend for equivalent standards will enable data to flow without sacrificing privacy and will help to slow the competing trend for localisation measures that are increasingly imposed to prevent data leaving national boundaries.

There are many wrinkles in the GDPR that have yet to be ironed out: how will the power to impose fines of 4% of annual turnover be wielded? How should the right to data portability work in relation to phone records? Will data analytics be helped by the recognition in the GDPR of pseudonymous data or will it be hindered by the broad definition of profiling? But as we head towards ‘GDPR Day’ – the day when the GDPR starts to apply – the mobile industry is urging policymakers everywhere to take note of the positive aspects of the GDPR as a reflection of an emerging global consensus on data privacy.

The week after the GDPR goes into effect, the GSMA will be hosting its annual Mobile 360 – Privacy & Security event in The Hague on 30-31 May. The event boasts a fantastic line-up of speakers and experts, with sessions on everything from big data to blockchain. The GDPR will no doubt be discussed both on the podium and in the coffee breaks. If you have not yet booked your place, there is still time to register. You can find more information on the event here.