Much has been said about the implications of the EU’s General Data Protection Regulation (GDPR) and whether businesses will be fit for compliance come the deadline in May.
Speculation abounds as to whether we will see big fines levied against large companies who fail to comply with the new regulations regarding the collection and management of personal data. A recent privacy ruling in Germany has now given a preview of another development in the pipeline in consumer-business relationships post-GDPR – empowered consumer action.
Earlier this month the Berlin Regional Court in Germany judged Facebook’s data consent policies to be invalid, in what was widely seen as a major victory for privacy rights campaigners. Under the Federal Data Protection Act in Germany, tech firms must be clear about the nature, scope, and purpose of using customers’ data in order to gain consent. In a case that has been rumbling on since 2015, German consumer group, VZBV, argued that Facebook did not obtain consent for collecting consumer information for advertising purposes and thereby failed to meet these rules.
For years, Germany has had a well-established reputation as a world leader for data privacy, with much tighter rules around what businesses can and cannot do with users’ personal information. Indeed, in recent years Facebook has faced repeated criticisms from Germany, as well as other European Regulators, over their use of data. With the GDPR around the corner, these kinds of cases are likely to become increasingly common; not just in Germany but in all corners of Europe.
How GDPR will empower the end user
The GDPR will undoubtedly strengthen the privacy rights of citizens across Europe, by requiring businesses to be much more transparent about how they are using customers’ data and by making consent fundamental to many of the uses of personal data that are currently taken for granted. Crucially, as well as asking users to give consent before their data can be processed or shared, businesses will also need to make it as easy to withdraw consent as it was to give it.
Companies found to be in breach of GDPR could face substantial penalties, with the regulation stating that organisations can be fined up to €20 million or 4% of annual turnover, whichever is higher. However, equally significant will be the way in which GDPR can empower consumers to take action themselves. Once the new reality has had time to sink in, we can expect significant changes in the way consumers react to certain situations in the short term and in their long-term expectations towards the brands they do business with. As such, with GDPR implementation in May, this ruling by the German regional court should absolutely be seen as part of a wider international trend that will continue to see Consumer Organisations bring legal actions against companies based on Data Subject Rights.
Preparing for growing scrutiny from regulators and consumers
In the post-GDPR world, consumer trust will be more important for businesses than ever. Businesses across all industries, having focused years of effort building brand reputation, need to consider how their relationship with customers, both old and new, will shift once the public becomes more aware of their rights.
Businesses who are looking for an advantage over their competitors must treat privacy as part of their business strategy – from product inception to customer experience. Beyond compliance, there is additional value to be found in the shorter term through customer acquisition, and in the longer term through individuals who choose to trust companies that offer transparency and control over a greater amount of data – data that they in turn are happier to share. Those competitors that were quicker to consider customer data as a shared asset will be the ones driving the debate.
Therefore, for businesses, it would be a mistake to think that GDPR is merely about complying at surface level with the new rules designed to give consumers more control. They must also begin to think about adapting to behavioural changes in society at large. This ruling against Facebook in Germany suggests that, in a post-GDPR world, trying to minimise consumer concerns by ‘hiding’ privacy settings or consent options is no longer viable. Every organisation, not just tech giants like Facebook, should be paying very close attention to their data and consent processes to make sure they will stand up to growing scrutiny from regulators and consumers alike.