As Europe has been on a regulatory binge over the last few years, debating a vast array of new internet and data-related legislation, it is important to remember that one of its most signature data-related pieces of legislation, GDPR, has actually substantially weakened privacy protections for European Union citizens. It turns out that US companies are also exploiting another provision within GDPR: the fact that it does not apply to US companies that don’t have a direct business connection to the EU, enabling them to mass harvest, repackage and resell the data of EU citizens who visit the US.
While touted as a major privacy breakthrough, the reality is that GDPR has backfired quite spectacularly, rolling back many of the most sacrosanct privacy protections that European citizens previously enjoyed.
Most famously, after years of previous regulations prohibiting facial recognition, GDPR finally granted Facebook the right to roll out its facial recognition algorithms across the entire EU. Previous laws prohibited Facebook from deploying its vaunted facial recognition systems in the EU, but GDPR rolled back all of these protections, allowing the company to finally deploy its tools unfettered across the EU.
GDPR also granted companies wide latitude to interpret its few real protections to their own business needs. Facebook took advantage of these provisions last year to interpret GDPR’s 72-hour notification rule as only applying after the company decides to begin the countdown. Thus, instead of notifying its customers three days after identifying a major breach, the company waited more than two months before deciding that the 72-hour rule finally applied.
In researching how US companies manage the data of their customers over the past year, an interesting trend has emerged with respect to GDPR compliance. When asked how they handle the intimate private data of EU citizens visiting the US, every company interviewed to date that is US based and has no offices, advertising or direct business interests in the EU has noted that GDPR does not apply to them.
For example, Comcast noted that biometric data like voice recordings of calls to its customer service phone numbers by EU citizens in the US were not subject to GDPR, since the company does not offer services in the EU. Similarly, Target noted that EU citizens shopping in Target stores across the US were stripped all of the protections offered by GDPR, since it does not apply to Target.
In Target’s case, the company retains a vast wealth of data about its customers, including every purchase they have made both in store and online, data purchased from data brokers and data gathered from customer interactions with its website. All of this data is shared by the company with third parties, though the company declined to provide a list of all of the companies it shares customer data with, citing proprietary business secrets. Asked whether EU citizens had any rights to either inspect or constrain this collection, the company noted GDPR does not apply to it as a US-based company without EU business interests.
US companies without an EU presence that build and deploy facial recognition have similarly noted that EU citizens visiting the US can have all of their biometrics harvested, repackaged and sold without any rights or recourse due to GDPR not applying to them.
An EU citizen visiting the US is likely to interact or be captured by a vast array of businesses that are not subject to GDPR, from small local stores to massive nationwide conglomerates. All of these companies are free to harvest anything they like from those EU citizens while they are here in the US, from harvesting their biometrics to building vast psychological and behavioral profiles on them. All of this data can be freely shared and resold for perpetuity just like it can for any American.
Putting this all together, GDPR is often wrongly portrayed as a kind of privacy shield protecting EU citizens. In reality, GDPR does not offer any protections to EU citizens themselves directly. Instead, it merely applies a set of data management regulations to businesses that have a connection to the EU and interact with EU citizens. Thus, businesses without an EU connection are free to harvest, mine, manipulate and monetize EU citizens to their heart’s content.
As European Union citizens travel throughout the world, they may not be fully aware that by doing so they may lose the protections of GDPR when interacting with businesses that don’t have a connection back to the EU. While this might be readily apparent with small local businesses, the fact that even some of the nation’s biggest retailers and telecommunications firms are unencumbered by GDPR reminds us just how limited it really is in practice.
In the end, over time European Union citizens will find themselves just as harvested, mined, manipulated and monetized as the rest of the world as GDPR’s empty promises collide with the global reality of the modern world.
