Fallout from EU’s GDPR Continues

American companies are struggling to comply with the EU's new privacy regulation, with many outlets choosing to simply block access abroad.

American companies are struggling to comply with the EU’s new privacy regulation, with many outlets choosing to simply block access abroad.

NYT (“U.S. News Outlets Block European Readers Over New Privacy Rules“):

American news outlets including The Chicago Tribune, The Los Angeles Times and The Arizona Daily Star abruptly blocked access to their websites from Europe on Friday, choosing to black out readers rather than comply with a strict new data privacy law in the European Union that limits what information can be collected about people online.

The new rules, known as the General Data Protection Regulation, strike at a core element of businesses that offer free content online but that make money by collecting and sharing user data to sell targeted advertising. The shutdowns came as a surprise to readers of the publications, because companies had two years to prepare for the new regulations.

The most notable blackouts were by news organizations tied to the American media company Tronc. In addition to The Chicago Tribune and Los Angeles Times, newspapers including The New York Daily News, The Orlando Sentinel and The Baltimore Sun were also unavailable to readers in Europe.

[…]

The decision illustrated that some companies would prefer to lose European customers than risk being hit with the stiff penalties allowed under the new law: fines can reach 4 percent of global revenue.

[…]

News organizations were not alone in erecting barriers for European users. The American television broadcaster A&E Networks cut off the websites of its A&E, History and Lifetime channels. The digital advertising company Drawbridge, the social media tracker Klout and the save-it-for-later reading app Instapaper also stepped back.

Digiday (“GDPR mayhem: Programmatic ad buying plummets in Europe“):

The arrival of the General Data Protection Regulation’s enforcement May 25 has hurled the digital media and advertising industries into a tailspin.

Since the early hours of May 25, ad exchanges have seen European ad demand volumes plummet between 25 and 40 percent in some cases, according to sources. Ad tech vendors scrambled to inform clients that they predict steep drops in demand coming through their platforms from Google. Some U.S. publishers have halted all programmatic ads on their European sites.

Google contacted DoubleClick Bid Manager clients over the last few days to warn them that until it has completed its integration into the Interactive Advertising Bureau Europe and IAB Tech Lab’s GDPR Transparency & Consent Framework that publishers, ad tech vendor partners and advertisers should expect a “short-term disruption” in the delivery of their DoubleClick Bid Manager campaigns on third-party European inventory, starting May 25.

“Revenues and [ad demand] volumes [are] expected to fall dramatically across the board,” said one publishing executive, under condition of anonymity.

The concerns are not without merit.

Fortune (“Activists Are Already Targeting Google and Facebook Over Europe’s New Data Privacy Law That Went Live Today“):

Europe’s sweeping new data privacy regime came into effect this morning, and privacy activists are not wasting time in flexing their muscles. One organization has already made official data protection complaints about Google, Facebook, WhatsApp and Instagram, while another is going after the shadowy data brokers that trade people’s information behind the scenes.

The complaints about Google, Facebook and Facebook’s subsidiaries come from a group called None Of Your Business (NOYB)—a non-profit founded by the very successful serial Facebook litigant Max Schrems. Schrems, the Austrian lawyer who annihilated the U.S.-EU Safe Harbor data-sharing agreement a few years ago, formed the crowdfunded NOYB in order to take on big tech firms that break the EU’s new General Data Protection Regulation (GDPR.)

The new law only lets companies process people’s data if they have a valid legal basis for doing so. Several justifications are acceptable, and consent is one of the most frequently-chosen options. However, users have to be able to freely give their consent—the law says people can’t be forced into consenting to their data being processed, in order to use a service.

According to Schrems and his NOYB group, Google and Facebook are railroading users in this way.

“Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button-that’s not a free choice; it more reminds of a North Korean election process,” said Schrems in a statement. “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”

So NOYB has lodged complaints with a variety of European privacy regulators, “to enable European coordination.” One complaint, covering the consent requirements of Google’s Android, has been filed in France. The main Facebook complaint has been filed in Austria, while those for Instagram and WhatsApp are in the inboxes of the Belgian and Hamburg regulators respectively.

It’s not just outside lawyers; EU regulators are eager to start the crackdown.

BBC (“GDPR: US news sites unavailable to EU users under new rules“):

The new chairwoman of the European Data Protection Board, Andrea Jelinek, told the FT she expected cases to be filed “imminently”.

“If the complainants come, we will be ready,” she said.

Ireland’s data regulator Helen Dixon also spoke to the newspaper, saying the country was ready to use “the full toolkit” against non-compliant companies.

Both Facebook and Twitter have their EU headquarters in Ireland.

As noted in the NYT report cited earlier, Jelinek is unsympathetic to the plight of the companies:

Andrea Jelinek, chairwoman of the new European Data Protection Board, which will coordinate enforcement of the new law, criticized the blackout and said that companies had been given a long time to prepare. For weeks, businesses as varied as Uber, bike shops and restaurants have been sending notes to alert people to updated privacy policies as a result of the law, known as G.D.P.R.

“It didn’t just fall from heaven,” Ms. Jelinek said in a statement. “Everyone has had plenty of time to prepare.”

I’ve personally received dozens of emails from various companies, most of whom I have only a vague recollection, if that, of ever having done business with, over the last few days about changes to privacy policies because of GDPR.

For massive companies like Facebook and Google, one imagines there’s enough money to be made with EU customers to make it worthwhile to shift their business practices to comply. But, as I’ve argued before, that effectively allows the EU (and any country with enough economic clout to matter) to regulate businesses everywhere.  And, practically speaking, they’re regulating customers everywhere, in that it would seem impractical to deliver radically different sites to customers based on their country of origin.

Naturally, this actually benefits companies big and rich enough to invest in compliance. NYT:

Julia Shullman, the chief privacy counsel for the digital advertising firm AppNexus, said an “unintended consequence” of G.D.P.R. was that Google would become more powerful. To compete with the online search giant, publishers and advertisers have bought, sold and traded data with different sources, a bespoke approach that is now severely restricted under the European Union’s new rules. Many companies will now partner with the bigger company, Ms. Shullman said.

“At least in the short term, it pushes publishers to these large platforms that dominate the market already,” Ms. Shullman said in an interview.

According to Digiday, many are blaming Google for exploiting this fact:

The frustration for many has been directed at Google. The day before the deadline, buyers were warned also to not buy any inventory via Google on third-party exchanges, especially those using tracking and ad-verification pixels, as Google couldn’t verify whether those partners were compliant or not, according to sources. Some agency groups were alerted to this late on May 24, while others felt Google’s guidance had been nonexistent, according to agency sources.

“They [Google] are looking to solve it. So for now, we will suggest to our clients that we only use their [Google’s] tracking tools,” said a media buyer who spoke on condition of anonymity. Although this buyer wasn’t particularly flustered because the updates hadn’t yet affected the agency’s live campaigns too much, the situation is far from ideal. Others were more blunt in their criticism.

“It was arrogance,” said an ad tech vendor who agreed to speak anonymously. “They [Google] thought they could bully everyone into using their own [GDPR] system, and the industry has turned around and kneed them in the balls. They have had to do an embarrassing about turn to now integrate with the [IAB] framework. But this all puts Google into the spotlight of the regulators. I don’t think Google will be happy about this whole situation as it puts [GDPR regulator] attention on them. The irony is that in the short term, it will be Google that wins commercially [from AdX demand spiking] while everyone else suffers.”

“The timing of the message from Google — they told us yesterday afternoon [May 24],” an ad buyer said. “That’s not right because they would have known. It means we have no time to chance media-buying tactics or inform clients — and also, we’re forced to use AdX.”

A Google spokesperson said: “We worked with our third-party exchange partners to develop an interim solution to minimize disruption while we finalize integration with the IAB framework.” Google has promised that by early June it will enable personalized ad serving for publishers using the IAB’s framework, and by August, it will have integrated fully with the IAB framework so that publishers can serve personalized ads based on consent passed by a user, per vendor, or serve nonpersonalized ads.

“The GDPR is a big change for everyone,” said the Google spokesperson. “Over the last year, we’ve engaged with over 10,000 of our publishers, advertisers and agencies across nearly 60 countries through events, workshops and conversations around the changes we’re making to be compliant with the GDPR. We will continue to open our doors to our publisher partners to engage in these discussions on GDPR compliance.” Google is also working with the exchanges for alternative options for consent outside the IAB.

We’ll see what happens over the next few weeks and months as this shakes out. Given that most online business models are built on delivering content for “free” so that sites can mine user data and target advertising, I don’t expect we’ll see much in the way of the increased privacy that EU regulators are—quite laudably—seeking to achieve. Especially since people have spent the past quarter-century growing accustomed to reflexively agreeing to long, complicated terms of service without reading them. As always, though, there will certainly be a lot of costly litigation, enriching the lawyers.

FILED UNDER: Economics and Business, Europe, Law and the Courts, Science & Technology, , , , , , , , , , , , , , , , , , , , ,
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. Kit says:

    I’m far from considering this an unalloyed good, but only Europe seems interested in standing up for consumer protection these days. The US once blazed the way, but that impulse died, along with so much else, over these past couple of generations.

    4
  2. James Joyner says:

    @Kit: With the possible exception of the UK, Europe has long had a much stronger regulatory instinct than America. As we’ve globalized, the “caveat emptor” mindset that long underpinned laissez-faire has made less sense; even those of us who are relatively well-educated simply lack the ability to make intelligent consumer choices. I’m much more attuned than most to the way Facebook, Google, Amazon, and others use information and yet don’t truly understand it.

    At the same time, though, they’re hardly hiding their business model. I’m willing to trade away a certain amount of privacy to those entities in exchange for the very valuable services they provide. I’m less sanguine about the fact that their TOS can change in ways that aren’t transparent and that third parties get access to their data.

    1
  3. Kit says:

    @James Joyner:

    At the same time, though, they’re hardly hiding their business model

    Yes and no. Even when companies don’t outright lie about their practices, understanding what’s going on, what’s changed and how to control it can be all but impossible without mining various forums. Companies with nothing to hide don’t act that way. And they hide because consumers tend to change their minds when their vague notions of trading privacy for free services is confronted with reality.

    2
  4. Tyrell says:

    This is just another problem in the long list of the EU. An example of how a one world government would work.

  5. PJ says:

    For massive companies like Facebook and Google, one imagines there’s enough money to be made with EU customers to make it worthwhile to shift their business practices to comply.

    Facebook decided to shift it’s non-EU user data outside the EU instead…

    The article above is from TechCrunch, owned by Oath, which also owns among other things Yahoo and Engadget. Oath really wants you to let it share data with a lot of other companies. Hundreds of companies.

    This is all very, very bad, it would have been better if the EU just let companies do whatever they want. Maybe let ISPs sell information about their customers?