In just over two short months, a significant shift in EU regulation will begin to have ripple effects on digital publishing and dissemination across the globe.
On May 25, 2018, the General Data Protection Regulation (GDPR)—a comprehensive set of privacy regulations affecting any organization in the world that serves EU residents and, in the process, collects data about them—will enter enforcement. The new rules will be most transformative for social media and advertising companies that principally traffic in user data. But publications that host those ads and use the data from those platforms will be no less liable for compliance than the technology giants themselves. The penalties for violation are significant, too. Failing to meet GDPR requirements will mean fines of €20 million or 4 percent of a company’s annual global revenue, whichever is greater.
While the implications for both technology companies and publishers are potentially enormous, the regulation has seen little public discussion in the US. A new report from the Tow Center for Digital Journalism details how the GDPR will affect the publishing world. Below is what you need to know.
What is the GDPR?
The GDPR is an extensive regulation designed to bring uniformity to both the nature and enforcement of data privacy for residents of the European Union. The EU has a stronger history of privacy regulation than the US, going back to the 1995 Data Privacy Directive. The GDPR builds on and expands this prior legislation, offering greater clarity about who is subject to its privacy rules (in this case, any organization that collects data about EU residents, regardless of where in the world the organization is located) as well as how complaints are filed and resolved. In addition, because the GDPR is a regulation rather than a directive, interpretation and implementation are not left up to EU member states. Instead, the regulation applies immediately and uniformly across the EU.
How will this affect news organizations?
Although news publishers are arguably not the primary target of the GDPR, as organizations that use tools and host advertisements that collect data about readers, they are nonetheless required to comply.
News organizations will be responsible for obtaining specific, proactive consent from their users before collecting any data about them, either through advertisements or analytics scripts. Although opinions vary about what obtaining consent might look like, CNIL, the French Data Protection Authority, has articulated that this may require a splash page or pop-up that blocks new visitors from viewing pages where ads are hosted until consent has been obtained. As one editor from the French newspaper Le Monde told us: “No French editor wants to do this because . . . 15 or maybe 20 percent of your traffic will disappear.” As a result, the consent requirement may also hurt the most valuable advertising real estate that news sites have: their homepages and section fronts.
‘Right to Be Forgotten’
On the other hand, the GDPR is much less likely to affect typical news gathering. Though the GDPR grants individuals the right to have data that’s been collected about them erased, it does exempt from erasure data gathered or processed “solely for journalistic purposes,” “for exercising the right of freedom of expression and information,” and for documents in the “public interest.”
At the same time, some scholars are worried that the “Right to Be Forgotten” (RTBF)—which is already in practice in the EU and is baked into the GDPR, but with a more definitive scope—may have a chilling effect on the dissemination of newsworthy information online, especially via social media. In a recent paper, Daphne Keller, director of Intermediary Liability at the Stanford Center for Internet and Society, points out that whether and how content hosts—such as social media companies—must honor RTBF requests under the GDPR is unclear. While current RTBF case law is largely limited to search engines like Google, what constitutes “search” and “listing” could include search results on platforms like Twitter and Facebook. Given that the regulation imposes stiff penalties for failure to remove personal data content in a timely way, Keller speculates that these hosts may simply remove material without first weighing the interests of readers alongside those of complainants. Though the European Commission’s advisory group on the GDPR specifically stipulates that RTBF complaints will not result in removing content on a publisher’s website, for example, the implications for content posted directly (and sometimes only) to social media sites are not yet apparent.
A silver lining for quality content
Though the GDPR will bring fundamental changes to the online publishing landscape—from consent to data collection and storage, to search—to industry experts the news isn’t all bad. Chris Pedigo, a senior vice president at the industry organization Digital Content Next, actually believes that the GDPR will strengthen the position of well-regarded news organizations within the online advertising ecosystem. Since quality publishers should be able to leverage their strong relationships with readers in order to get consent to collect data, media companies stand to reclaim some of their role as data intermediaries for advertisers. Platforms, by contrast, may struggle to obtain the consent they seek since, as Pedigo puts it, “they’ll have to list out all the reasons that they want to track the consumer.”
For news organizations, the GDPR may actually prompt a return to first principles, where a focus on quality content beats adapting to the latest social media algorithm. And while it will take months (and, more likely, years) for the full ramifications of these regulations to be felt, there is little question that the era of “Wild West” online data collection is coming to a close.
For a more detailed analysis of the GDPR and its potential impact on news organizations, see the Tow Center’s recent report: “Understanding the General Data Protection Regulation: A Primer for Global Publishers.”