Ink-stained tech journalists and CDOs alike often view “we take your privacy very seriously” as the 21st century equivalent of “the check is in the mail.” But Margrethe Vestager, executive vice president for the European Commission (the executive arm of the E.U.), takes data privacy seriously.
Speaking at the International Competition Network conference in Berlin earlier this month, Vestager said, “The DMA (Digital Markets Act) will enter into force next spring and we are getting ready for enforcement as soon as the first notifications come in.” The DMA was announced in late 2020 and was set to become law in October of this year, but it appears the timetable is accelerated.
“The DMA targets specifically Big Tech companies,” according to Wikipedia. It intends to “classify certain platforms, according to their number of users, capitalization, market power or turnover, probably including Apple, Google, Facebook and Amazon as 'Gatekeepers' and 'aims at preventing large companies to abuse their market power and to allow smaller and new players to enter the market'.”
This sounds ambitious, but let's recall that the linchpin legislation here is the E.U.'s General Data Protection Regulation (GDPR) and that regulation is a reaction to perceived data privacy transgressions. The GDPR was adopted in 2016 and became enforceable in May of 2018. Violators of the regulation may be fined up to EUR20 million (USD20.8 million), or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
While headlines related to GDPR judgements typically feature “Gatekeeper” firms, enforcement isn't limited by market cap. For example, in September 2019 an unnamed Belgian retailer was fined EUR10,000 for “demanding an electronic identity card to create a customer loyalty card.”
The E.U. and countries within it have consistently sought and won fines from large tech corporations for violations of users' privacy, and penalties are ramping up. In January, French regulators fined Google and Facebook over EUR200 million (USD226 million).
Reaction from the tech giants as published by the BBC was predictable. “Google, which was fined 150m euros, said: 'People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in [the] light of this decision.'
“Facebook, now owned by Meta, said it was 'reviewing' the decision to fine it 60 million euros. 'Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram, where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls,' it said.”
Digital sovereignty affirmations
Meta has hinted that it may curtail services in the EU zone. “In a 10-K annual filing with the U.S. Securities and Exchange Commission, the company warned investors that failure of the U.S. and E.U. to reach a new agreement on data transfers could result in Meta deciding to shut down its core operations in the region,” said an article on Fortune.
Is this a passive-aggressive broadside against E.U. measures to protect users' data privacy? Regardless, a pair of European officials felt a response was warranted.
“'After being hacked, I've lived without Facebook and Twitter for four years, and life has been fantastic,' German Economy Minister Robert Habeck said at a press conference in Paris,” read a report on Business Insider.
French Finance Minister Bruno Le Maire, who spoke alongside Habeck, said: “I can confirm that life is very good without Facebook and that we would live very well without Facebook...digital giants must understand that the European continent will resist and affirm its sovereignty.”
It's fine for European ministers to conduct their business without a specific platform, but there's a lesson here for all CDOs. What level of data privacy are you expected to provide for your users?
As is typical with tech products, the answer is on a case-by-case basis. But when The Facebook was cooked up in a Harvard dorm room back in the 90s, run-ins with European commissions weren't considered a problem. Now we have regulators fighting what many privacy advocates might term a rear-guard action.
The bottom line: CDOs need to be aware that E.U. regulations make privacy strategies essential for firms that deal with E.U. citizens. After all, no one wants to be the next unnamed Belgian retailer.
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IOT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest.
Image credit: iStockphoto/Oleksandr Shchus