LONDON — Europe has a problem with privacy.
Policymakers are eagerly awaiting a major revamp of the region’s data protection standards later this year. These new rules will give regulators the power to punish the misuse of online data — including social media posts, search queries and corporate payroll information — with fines of up to €20 million or 4 percent of a company’s global revenue, whichever is greater.
But if you ask the average European what he or she thinks about this overhaul (arguably the biggest change in privacy rules anywhere in the world in more than two decades), the response you’ll most likely get is a blank stare of confusion.
To be fair, data protection isn’t an easy subject to get your head around, even for those steeped in the topic. But this disconnect between privacy-conscious lawmakers and the average EU citizen will present regulators with a major headache when the rules — known as the General Data Protection Regulation, or GDPR — come into force in late May.
The law gives the Continent’s citizens a stable of new powers, including the ability to stop companies from collecting their online data, taking their personal information with them when they sign up for a rival’s digital service or being informed within three days if their accounts have been hacked.
But if the new standards are to have the effect that their drafters intended, people will need to start to care about their data. And right now, they don’t.
Under most circumstances, EU citizens have to file a case before regulators can act. That means if Europe’s policymakers are going to give their new online privacy rules real teeth, they will need to do a significantly better job of explaining what these changes offer to even the most luddite of EU voters.
Despite a growing discomfort with how the likes of Facebook, Google and Amazon use the reams of data they collect, few among us are willing to sacrifice the supposedly “free” services they offer in exchange.
Despite a growing discomfort with how the likes of Facebook, Google and Amazon use the reams of data they collect, few among us are willing to sacrifice the supposedly “free” services they offer in exchange. The result is a Faustian pact, in which our daily online footprints of social media activity and online searches are auctioned off to the highest (advertising) bidder while most of us feel powerless to do anything about it.
That’s not to say people aren’t worried about their privacy.
Roughly two-thirds of Europeans don’t think they have enough control over their online information, according to a recent survey by the European Commission. A similar percentage of respondents added that they don’t trust tech companies to protect digital data.
The same holds true in the United States, where almost 70 percent of people polled thought social media sites wouldn’t keep their online records safe, according to another survey by the Pew Research Center, a think tank.
The problem comes when it’s time to turn those deep-seated fears into meaningful action — a significant wrinkle that Europe’s new privacy standards do not address.
National data protection agencies like Ireland’s Office of the Data Protection Commissioner and France’s Commission Nationale de l’informatique et des libertés have tried to drum up awareness. They’ve held conferences with companies that will be affected, splashed cash on marketing campaigns to educate the general public and fined companies like Google for flaunting Europe’s existing standards.
It hasn’t worked. Roughly three out of five Europeans don’t even know there’s at least one national government agency in each member country dedicated solely to protecting their privacy rights, according to EU stats. When a company mishandles our digital information, most of us shrug, make sure we aren’t hit financially, and move on with our daily lives.
This disconnect is already playing out in the so-called EU-U.S. Privacy Shield, a transatlantic data-transfer agreement aimed at giving Europeans a greater say when their information is moved from Europe to the United States.
How credible can these beefed-up privacy standards be if almost no one is able (or willing) to actually use them?
The pact (whose name sounds more like a group of superheroes than a data protection agreement) took more than three years to finalize and put hundreds of billions of euros of global trade at risk. But it’s barely known outside of a few policy circles.
The grand result of this (well-meaning) effort to improve European data protection standards? Only a handful of EU citizens have ever filed complaints, according to EU and American authorities. Even Max Schrems, a well-known Austrian privacy campaigner who has spent years fighting Facebook in various EU courts over its alleged abuse of EU data standards, failed to file a case under the Privacy Shield statutes.
Companies worldwide are bitterly complaining that the EU’s pending data protection overhaul will make it more difficult for them to do business. But for most Europeans, the problem is a lot more basic — knowing that such privacy rights even exist in the first place.
That begs an important question as the days tick down to May 25, when Europe’s new rules come into full force: How credible can these beefed-up privacy standards be if almost no one is able (or willing) to actually use them?
Mark Scott is chief technology correspondent at POLITICO.