US tech giants are under a new wave of regulatory scrutiny, with policymakers on both sides of the Atlantic raising concerns about data privacy. This attention will persist in the weeks ahead, as the European Union’s most far-reaching data privacy regulation yet — the General Data Protection Regulation (GDPR) — comes into force on May 25th. Goldman Sachs Research Strategist and Top of Mind Editor Allison Nathan recently sat down with European Media Analyst Lisa Yang to discuss the implications.
Allison Nathan: The GDPR has been a long time coming, approved well before the most recent data privacy controversy. What drove the creation of these new regulations, and what makes them more disruptive than prior versions?
Lisa Yang: GDPR was born out of a need to harmonize data privacy rules across Europe and adapt those rules to the digital age. The main objective is to enhance EU consumers’ rights and control over their personal data, which includes the right to access it, erase it and object to its use. The regulation does so by broadening the definition of personal data to include identifiable information such as device IDs, IP addresses, and browsing cookies, and also extending the scope of applicability to all organizations that handle such data on EU consumers, regardless of where they are based. The penalties for non-compliance are significantly more onerous, too.
AN: Practically speaking, what does this mean for organizations that seek to track their users?
LY: These organizations will need to have a legal basis for doing so — either explicit user consent or a legitimate interest in processing the data. In simpler terms, a pre-ticked box is no longer going to be considered sufficient permission for using EU consumer data.
AN: Which industries do you expect to be most affected?
LY: GDPR will have profound implications for a number of industries including technology, advertising, banking, and retail, reshaping how they operate and engage with consumers. We believe companies that have a trusted and direct relationship with consumers are more likely to gain the necessary user consent or meet the bar of demonstrating legitimate interest. We also think larger organizations will have an advantage over smaller ones given the cost of compliance and the complexity around GDPR implementation.
AN: So how much risk does this pose to the big tech companies?
LY: We believe the global tech giants are relatively well positioned to obtain consent given direct and trusted relationships with their users. Where third-party data is involved, they also should have enough bargaining power to renegotiate contract terms to ensure third-party publishers secure consent on their behalf.
Read this great Interview on BRIEFINGS from Goldman Sachs