Since the introduction of GDPR, the relationship between Big Tech companies – such as Facebook and Google – and the EU has always been difficult.
Simply put, the most critical point is that, on the one hand, these companies have their headquarters in the US, where authorities can easily access the data they collect. On the other hand, the EU seeks to protect its citizens’ information from surveillance by a foreign government.
In any case, what are the biggest challenges that Big Tech companies face in managing privacy while doing business in the EU?
Big Tech and GDPR
The first challenge is, of course, GDPR compliance.
Since the regulation came into effect in 2018, Big Tech companies have been struggling to meet all the requirements. In particular, they have to deal with the issue of data minimization – that is, collecting only the data that is strictly necessary for their business purposes. This is a difficult task for Big Tech companies, which rely heavily on data collection and processing for their revenue. Google, for one, has been fined several times for violating GDPR, including a record-breaking €50 million penalty in 2019.
Furthermore, GDPR requires companies to be transparent about their data collection practices, but Big Tech companies find it difficult to provide clear and concise information to users about their rights.
Consider that the issue of privacy concerns not only the collection of data but also its erasure and the right to be forgotten, as set out in Article 17 of the GDPR.
Another requirement of GDPR is privacy by design. This principle requires that privacy be built into the very core of products and services from the start. This is another area where Big Tech companies have been struggling, as privacy is often not considered during the development process.
Finally, as noted above, Big Tech companies have difficulty storing and processing data about EU citizens in accordance with the GDPR, since the US government can request access to this data at any time.
A scattered privacy regulation
Another challenge that Big Tech companies face is the fact that privacy regulation in the EU is not as homogeneous as one might think. In fact, EU members must follow GDPR, but each state has its own privacy laws, which can vary significantly. For example, Germany and France have very strict privacy laws, while other countries, such as Bulgaria and Romania, have much less stringent regulations. To make matters worse, common privacy laws are often interpreted differently in different countries.
This makes it very difficult for companies to comply with all the different requirements. Often, they must try to tailor their products and services to the most restrictive privacy laws in the EU, which is very costly and time-consuming.
Moreover, the legal landscape of EU privacy law is constantly evolving: new laws and regulations are being introduced all the time, and it can be difficult to keep up with all the changes.
An example of this degree of complexity is the recent decision of the European Union Court of Justice. The Court ruled that any data protection authority in the EU can now sue Big Tech, under certain conditions. Previously, only the main regulator (Ireland’s Data Protection Commission) could challenge them on data privacy.
The verdict satisfied the European Consumer Organization (BEUC), which considers the decision a further step toward the protection of personal data. However, a tech lobbying group noted that it can make compliance with EU privacy regulations “more inconsistent, fragmented and uncertain”.
Is there any solution?
In light of all these privacy challenges, what is the way forward for Big Tech companies?
The most obvious solution would be for these companies to move their headquarters to the EU. This would allow them to store and process data about EU citizens in compliance with GDPR. However, this is not a realistic option for Big Tech companies, which are deeply rooted in the US.
A more realistic solution would be for Big Tech companies to develop privacy-friendly products and services that comply with GDPR. This would require a fundamental change in the way these companies do business. However, it is not impossible, as we have seen with the recent launch of privacy-focused products such as Google’s Privacy Sandbox.
The problem is that, as long as the US government can access this data, it will be very difficult for the EU to protect its citizens’ privacy. In fact, many experts have said that GDPR may not be enough to protect Europeans from US surveillance.
So far, the EU has been trying to negotiate with these companies to find a solution that would allow them to continue operating in the EU while also protecting its citizens’ privacy. However, it seems that these negotiations have not been very successful yet.
It is still unclear what will happen in the future, but one thing is certain: Big Tech companies will still have to face many challenges when it comes to privacy in the EU.