The EU’s new data protection rules that enter into force later this month are having an impact around the world as firms, including in the United States and China, move to comply.
While all firms globally are required to comply with the provisions of the General Data Protection Regulation (GDPR) when it comes to the data of Europeans, the rules may have a wider impact if firms decide to extend the protections to all users.
Major US platforms such as Facebook, Twitter, Instagram and Airbnb have begun to notify their users in Europe of modifications of their user terms in order to comply with the new EU rules.
Under GDPR firms user consent for use of their personal data must be freely “given, specific, informed and unambiguous”.
Facebook has recently begun asking its European users that they approve the use of their data in order provide them with more pertinent advertisements as well as permission for facial recognition.
But it is still not clear which US firms will apply GDPR to all their users and which will do so only for Europe.
“We intend to make all the same controls and settings available everywhere, not only in Europe,” Facebook’s chief executive Mark Zuckerberg told reporters last month as the crisis exploded over the use of user data for political purposes by the firm Cambridge Analytica.
“Is it going to be exactly the same format? Probably not,” he added.
For Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP), some US firms will have no other choice but to extend European protections to all users.
“For some companies being able to discern where their customers are coming from and segregate the data is very difficult and perhaps too difficult to make it worth it,” he said.
Some companies are transforming this pragmatic decision into a marketing advantage, telling their US clients they are offering European-level data protection, said Pfeifle.
Other companies are taking the opposite approach — deciding they would rather part ways with European users entirely rather than go through the effort of complying with the GDPR.
This is what the online role-playing game Ragnarok decided to do, sparking indignant reactions from European users who will find themselves cut off from May 25.
In China, there are fewer sensitivities about privacy, and the EU regulation will certainly be viewed more as a constraint than a marketing advantage.
“Of course we will respect the GDPR for our European clients,” said a European working for a major Chinese internet firm on condition of anonymity.
But for Chinese users, the application of such privacy guards is likely for another day.
Impact on China
The Chinese “don’t have any reticence handing over their personal data if they see they are of some value” such as in new services or discounts, said the European executive, speaking on condition of anonymity.
Chinese internet titans are currently testing a system that assigns every citizen a social credit system that goes beyond a regular credit rating of a person’s finances and payment history by evaluating their behaviour and preferences as well as their personal relationships.
But it isn’t impossible that the European effort to codify and organise the respect for privacy will have an influence even in China, where internet users have occasionally lashed out.
At the beginning of the year Beijing said it had reprimanded several Chinese tech firms for inadequate protection of user data following a controversy implicating Alipay, the top Chinese payments platform linked to online commerce giant Alibaba.
Users reacted angrily after discovering the platform had been set up to automatically share user data with a credit rating service.
Alipay’s parent company Ant Financial apologised and redesigned the service so users had to opt in to use it.