THE VIEW FROM GOOGLE: PRIVACY, GDPR AND IRELAND AS A ONE STOP SHOP
In his address, Mr Enright, Google’s Chief Privacy Officer, shares his perspectives on Google’s experiences of GDPR, almost one year on. He discusses lessons learned along the way, as well as sharing perspectives on how Google approaches privacy and data protection, and the importance of Ireland as a One Stop Shop.
About the Speaker:
Mr Enright was appointed as Google’s Chief Privacy Officer last year. He joined Google in March 2011, with nearly 20 years of experience in creating and implementing programs for privacy, data stewardship and information risk management. Prior to joining Google, Mr Enright served as the most senior privacy executive at two Fortune 500 online and offline retail enterprises.
The IIEA is Ireland’s leading European & International Affairs think tank. We are an independent, not-for-profit organisation with charitable status.
Our role is to identify key European and international policy trends, which will inform the work of Ireland’s decision makers and business leaders, and enrich the public debate on Ireland’s role in the EU and on the global stage.
From concerns about data sharing to the hosting of harmful content, every week seems to bring more clamour for new laws to regulate the technology giants and make the internet “safer”. But what if our existing data protection laws, at least in Europe, could achieve most of the job?
Germany has already started introducing new legislation, enacting a law in 2018 that forces social media firms to remove hateful content. In the UK, the government has proposed a code of practice for social media companies to tackle “abusive content”. And health secretary Matt Hancock has now demanded laws regulating the removal of such content. Meanwhile, deputy opposition leader Tom Watson has suggested a legal duty of care for technology companies, in line with recent proposals by Carnegie UK Trust.
What’s notable about many of these proposals is how much they reference and recall the EU’s new General Data Protection Regulation (GDPR). Hancock, who led the UK’s introduction of this legislation (though he has also been accused of a limited understanding of it), referred to the control it gives people over the use of their data. Watson recalled the level of fines imposed by GDPR, hinting that similar penalties might apply for those who breach his proposed duty of care.
The Carnegie proposals, developed by former civil servant William Perrin and academic Lorna Woods, were inspired by GDPR’s approach of working out what protective measures are needed on a case-by-case basis. When a process involving data is likely to pose a high risk to people’s rights and freedoms, whoever’s in charge of the process must carry out what’s known as a data protection impact assessment (DPIA). This involves assessing the risks and working out what can be done to mitigate them.
The important thing to note here is that, while earlier data protection laws largely focused on people’s privacy, GDPR is concerned with their broader rights and freedoms. This includes things related to “social protection, public health and humanitarian purposes”. It also applies to anyone whose rights are threatened, not just the people whose data is being processed.
Existing rights and freedoms
Many of the problems we are worried about social media causing can be seen as infringements of rights and freedoms. And that means social media firms could arguably be forced to address these issues by completing data protection impact assessments under the existing GDPR legislation. This includes taking measures to mitigate the risks, such as making the data more secure.
For example, there is evidence that social media may increase the risk of suicide among vulnerable people, and that means social media may pose a risk to those people’s right to life, the first right protected by the European Convention of Human Rights (ECHR). If social networks use personal data to show people content that could increase this risk to their lives then, under GDPR, the network should reconsider its impact assessment and take appropriate steps to mitigate the risk.
The Cambridge Analytica scandal, where Facebook was found to have failed to protect data that was later used to target users in political campaigns, can also be viewed in terms of risk to rights. For example, Protocol 1, Article 3 of the ECHR protects the right to “free elections”.
As part of its investigation into the scandal, the UK’s Information Commissioner’s Office has asked political parties to carry out impact assessments, based on the concern that profiling people by their political views could violate their rights. But given Facebook’s role in processing the data involved, the company could arguably be asked to do the same to see what risks to free elections its practices pose.
Think about what you might break
From Facebook’s ongoing history of surprise and apology, you might think that the adverse effects of any new feature in social media are entirely unpredictable. But given that the firm’s motto was once “move fast and break things”, it doesn’t seem too much of a stretch to ask Facebook and the other tech giants to try to anticipate the problems their attempts to break things might cause.
Asking “what could possibly go wrong?” should prompt serious answers instead of being a flippant expression of optimism. It should involve looking not just at how technology is intended to work, but also how it could be abused, how it could go too far, and what might happen if it falls victim to a security breach. This is exactly what the social media companies have been doing too little of.
I would argue that the existing provisions of GDPR, if properly enforced, should be enough to compel tech firms to take action to address much of what’s wrong with the current situation. Using the existing, carefully planned and highly praised legislation is better and more efficient than trying to design, enact and enforce new laws that are likely to have their own problems or create the potential for abuse.
Applying impact assessments in this way would share the risk-based approach of enshrining technology firms with a duty of care. And in practice, it may not be too different, but without some of the potential problems, which are many and complex. Using the law in this way would send a clear message: social media companies should own the internet safety risks they help create, and manage them in coordination with regulators.
The debate around the UK’s level of involvement in the EU single market after Brexit may lead to a significant u-turn in government policy. Having initially said it would not seek a customs union with the EU after Brexit (after leaving the full, existing customs union), it looks as though the UK government’s position is softening. Given the alternatives to the single market that are available to the UK, a potential u-turn is welcome.
Leaving the single market but agreeing to a customs union doesn’t rule out the UK making its own trade deals. However, it should be careful what it wishes for. Freedom comes at a price. A customs union only covers trade in goods, so the UK would need an umbrella agreement to cover its other arrangements with the EU.
The World Trade Organisation (WTO) sets out the basics in Article XXIV of the General Agreement of Tariffs and Trade (GATT). In essence, a customs union is where tariffs are removed between members of the union, and the tariffs charged on imports coming from outside the union are harmonised across members of the union. This definition seems straightforward but when you dig deeper into Article XXIV, you find that while these rules apply to trade in goods, they say nothing about services – which are of course very important for the UK.
The text is also quite vague about the products that should be covered by the customs union, stating only that “substantially all trade” should be included. Of course, as soon as you start excluding products from your customs union, then borders with frictions, such as border checks, start to emerge. Therefore, the issue of whether any agreed customs union would be complete needs careful consideration. However, it’s clear that the WTO rules are too vague for anyone to claim that the UK cannot create an incomplete customs union if the EU agrees.
What we know is that an incomplete customs union, where product coverage is less than 100% or trade policies are not fully harmonised, could give the UK more freedom to sign its own trade deals. Turkey, an example of a country in an incomplete customs union with the EU, has a number of Free Trade Agreements with non-EU countries. However, if the UK steps outside the EU Customs Union and creates an incomplete UK-EU Customs Union, then embarks on signing new trade deals, there would need to be rules agreed regarding the coexistence of trade agreements. In simple terms, when the clauses in different trade deals start to conflict with each other, there will need to be a way to resolve these disputes.
Freedom at a price
Is all this freedom a good thing? It would take the UK further away from the complete customs union, which is the desire of Brexit supporters. However, signing even very simple trade deals will require considerable capacity and time, with the potential for significant delays even between signing and implementation. The EU also already has a long list of arrangements in place. Those with Japan and Mexico are the most recent examples. The UK is likely to find it harder to make deals when outside a large trade bloc. Furthermore, signing free trade agreements with non-EU countries would not compensate for losses due to new trade barriers against the EU countries.
Staying close to the EU may also protect the UK from the US government’s trade wars in crucial markets such as metals, fuels and chemicals. As the EU demonstrated in the case of the steel dispute, it can successfully negotiate exemptions from the new protectionist US tariffs. The UK, acting alone, may not have enough economic and political weight to do the same.
An incomplete customs union with the EU will be a step towards minimising the losses of Brexit, while giving opportunities to negotiate new free trade agreements related to particular goods. UK manufacturers selling final goods (transport, electrical equipment, computers, for example) to the EU, depend on the supply of intermediate goods (components for that electrical equipment and computers) from the EU in the first place. If even moderate tariffs are imposed, the flow of intermediate goods from the EU may come to a halt. If agricultural goods are excluded from the new UK-EU customs union, it opens up further possibilities for negotiating new free trade agreements with non-EU countries.
And since the customs union option doesn’t cover services, one option would be to have a broader umbrella agreement, perhaps an economic integration agreement, to also cover services.
A customs union in itself, and certainly one that gives the UK the flexibility to sign its own trade deals with non-EU countries, would not automatically solve the Irish border issue – a complete customs union (going further than even the WTO definition) would be a prerequisite for that. The political compromises, which are being discussed within the Conservative party, suggest a complete customs union is most unlikely. Therefore, even if a u-turn is forthcoming, many other challenges remain.