Europe now has arguably the world’s toughest #privacy rules. But a year in, Big Tech has been the major winner — and lobbying worldwide has framed Europe’s rules are overly cumbersome politi.co/2HugJs5 w/ @laurenscerulus & @StevenOverly

<<cue Twitter rant>>

So let’s start w/ the good news. One year in, 150k privacy complaints have been made under Europe’s #privacy rules, a marked increase vs previous years. But (and it’s a big but) very few companies have been fined, most notably @google in France w/ its €50m penalty

That doesn’t mean fines = success. It’s fair to say that companies now take data protection more seriously, and that national EU regulators *are* building cases against potential abuse.

But this is where it gets tricky. Big Tech lobbying says smaller companies don’t have regulatory resources to comply. And, mostly, that has turned out to be true, leaving the likes of @Facebook & @Google to push ahead with aggressive data collection, all now legal under the rules

Let’s start w/ FB: Last year, it restarted its facial recognition tech in Europe, a service that had previously been banned. Why? Cos under Europe’s new rules, FB could offer the tech again, as people were given the chance to opt into using it. More here: politi.co/2IAbGnP

What FB has done isn’t illegal — it now has cover from Ireland’s regulator to use facial recognition. But it does raise the question why Europe’s new #privacy standards now allow something that had previously been banned. Answers on a postcard, please.

The social media giant also restarted sharing some data btwn @WhatsApp & FB, something the German authority had said was a no go. How did it do this? ‘Cos the Irish regulator now said that such practices were OK, and under EU’s new rules, what the Irish said now goes.

Now, @Google: ahead of the privacy revamp last year, it told publishers they would now have to collect user data on its behalf, potentially using such info in ways websites would have no control over. More here: on.wsj.com/2GICSEs

This gets super tricky, but in essence, Google had to get people’s consent to show them online ads. But by getting publishers to do it for them, it also allowed them to take greater control over that data — all because of Europe’s new #privacy laws

To be fair, Google says they did this because it was required under Europe’s new rules, and that they’re not using the data for any other business purpose — something that publishers say isn’t true.

(Oh, the joys of policymaking)

So what we have here are examples of FB & Google acting completely legally to expand their data collection under Europe’s new #privacy standards — something that was not intended by those who wrote the rules.

<<cough>> unintended consequences <<cough>>

Now for the double whammy — lobbying. Europe’s #privacy standards are now synonymous w/ a growing pushback worldwide against companies’ collection, storing and use of our data. “GDPR” (the name of the rules) is something people now bat around in general conversation — yes, weird

This was Europe’s intention — to create the global standard, something that has pretty much worked as countries from Colombia to Japan now all model their privacy standards of those set in Brussels. For more on this, see here: politi.co/2Ebo9Qn

But here’s the rub: Europe has succeeded in exporting its rules. But it’s also succeeded in exporting the industry lobbying that worked hard to weaken those same laws — and for evidence of that, you just have to look to the US

Now, I’m skeptical of any federal privacy rules passing anytime soon. But on the Hill, the ‘don’t do what Europe did’ message is out and about, warning US officials that Europe’s privacy standards are overly cumbersome, and hurt smaller companies

I’m no EU fanboy. I also think it’s legit to say the region’s #privacy rules make things overly complicated, particularly for smaller companies. But in a land where there’s no updated comprehensive privacy legislation (Fourth Amendment is a little old, imho), that’s a little much

Side note: yes, I get that there are some pretty good US privacy rules when you look at specific sectors, notably healthcare. But I digress.

So in the US, Europe’s #privacy rules are being used as a pseudo bogeyman, reminding US officials that potential limits on data collection *could* hamper innovation, etc. “Don’t be like Europe,” is the name of the game — even while Big Tech now calls for privacy rules

Confused? Yeah, me too. But let’s not get bogged down in this too much.

So w/ federal privacy rules stalled, state efforts, notably those in California, are the name of the game. And even there, lobbying is hard at work to reduce that legislation’s scope, notably axing the right to sue companies for misuse of data

But what I find the most fascinating is what happened in Washington State. There, rules that specifically name-checked Europe’s #privacy stance narrowly failed to pass in late April, despite heavy lobbying by industry (@microsoft, ahem) in favor of them

US tech companies in favor of European-style privacy rules? I hear you ask. Well, yes. But it’s more complicated — and shows both how Europe’s standards are both now global and the straw man used to hobble other privacy efforts

Whereas in Europe, ppl are automatically opted out of their data being collected unless they give consent, the Washington State rules, by default, gave companies the right to collect such digital information — remember, these rules supposedly were copied from those of the EU

Why did lawmakers do this? Something that pretty much is the opposite of what is offered under Europe’s #privacy rules? Well, because it could ‘hurt innovation,’ according to lawmaker who co-sponsored the bill.

So welcome to life after one year under Europe’s #privacy rules — complaints are up, fines are non-existent, Big Tech has used rules to its advantage & global lobbying is through the roof.

And what I’m still unclear of (and I should know this) is: are we better off as citizens?

PS: if you want to know more about what happened in Washington State, more here: politi.co/2HzRbdv

Rant over. Thoughts appreciated.

Thanks for all the feedback, very valid points all around. To be clear, I’m not saying Europe’s rules aren’t worth it (they are), just that a year in, there’s a lot still to be done

That’s particularly true w/ national privacy regulators — most of which don’t have the resources or legal chops to really take on the worst data offenders. Also, lack of cross-border cooperation isn’t helping, no matter what ppl say about DPAs now playing nice

And while it’s true that Silicon Valley has been major winner *so far* that’s likely to start changing as a base of legal precedents start forming — but that’s gonna take 5+ years to happen, if not longer

And when it comes to global adoption of Europe’s #privacy rules, it’s interesting to see how jurisdictions are tweaking them to fit their national contexts

But what concerns me is how this *may* disadvantage emerging markets, many of which don’t have the resources or expertise to copy Europe (yet). Yes capacity is getting better, but things like 72 hour breach notification is tough when you’re still dealing with basic privacy issues

So my view on GDPR is simple: yes, it’s a good start. But for it to really work, it’s going to take years — and greater interest by average citizens in how they manage/control their data