Jeffrey Carr is the founder and managing director of Reel Holdings, LLC, a data analytics and film finance company registered in the State of Wyoming in 2018. He is also the organizer of the Suits and Spooks anti-conference, a boutique forum for the discussion of hard challenges in the national security space.
The General Data Protection Regulation (GDPR), in effect since May 25, 2018, provides consumers who reside in the E.U. with a set of eight rights:
Any company found to be in non-compliance faces steep penalties of up to €20 million or 4 percent of annual global turnover (net profit). Facebook, for example, is facing a fine of up to €1.63B over a data breach affecting E.U. citizens.
Although companies have been preparing for this law to go into effect for many months, there is ample evidence to suggest that few companies are ready for it. One of the more interesting analyses was done by the Law department of the European University Institute in Italy, which used an artificial intelligence computer program named Claudette to scan the privacy policies (over 80,000 words in total) from Google, Facebook, Instagram, Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, Airbnb, Booking.com, Skyscanner and Netflix.
All of them failed, including Netflix, for a variety of reasons, some more than others. One of several issues in Netflix’s case was the use of a phrase that the company has relied upon as a standard approach to its customers who may not like something about Netflix’s policies. It should have been a teaching moment to the company’s privacy department that this phrase was picked up by the EUI’s GDPR project, but it remains in the company’s current policy as of this writing.
From the EUI's assessment:
Privacy concerns could limit our ability to collect and leverage our membership data and disclosure of membership data could adversely impact our business and reputation. In the ordinary course of business and in particular in connection with content acquisition and merchandising our service to our members, we collect and utilize data supplied by our members. We currently face certain legal obligations regarding the manner in which we treat such information. Other businesses have been criticized by privacy groups and governmental bodies for attempts to link personal identities and other information to data collected on the internet regarding users' browsing and other habits. Increased regulation of data utilization practices, including self-regulation or findings under existing laws that limit our ability to collect, transfer and use data, could have an adverse effect on our business. In addition, if we were to disclose data about our members in a manner that was objectionable to them, our business reputation could be adversely affected, and we could face potential legal claims that could impact our operating results. Internationally, we may become subject to additional and/or more stringent legal obligations concerning our treatment of customer and other personal information, such as laws regarding data localization and/or restrictions on data export. Failure to comply with these obligations could subject us to liability, and to the extent that we need to alter our business model or practices to adapt to these obligations, we could incur additional expenses.
Directly speaking to this concern, the New York Times reported last week that between 2012 and 2015 Facebook had sold access to its API and Messenger API to favor certain companies (like Netflix, Airbnb, and Lyft) and punish others. This raised serious questions with U.S. lawmakers:
“Americans’ data belongs to them, not Facebook,” said Senator Edward J. Markey, a Democrat of Massachusetts. “Any evidence of a pay-for-data model would fly in the face of the statements Facebook has made to Congress and the public.”
Just one year before, in 2011, Netflix and Facebook were lobbying Congress and simultaneously its subscribers via its blog (later deleted) to repeal or revise the Video Privacy Protection Act so its customers could use the Netflix app to share what they were watching on Facebook without having to get consent each time. Netflix set up a Political Action Committee, spent about one million dollars, and was successful. The bill was changed on Dec 21, 2011.
Publicly owned companies like Facebook, Netflix, Google, Apple, Disney, Warner, and Microsoft that depend upon subscriptions and personal data for business growth must anticipate an increasingly activist subscriber base that will demand transparency about how their data is used, monetized, and accessed, and about whom to hold accountable.
This is the beginning of a very long war over not just personal data, but the information that's derived from that data and its ownership as well.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.