On September 11, 2017, the Spanish data protection authority (DPA), the AEPD, imposed a fine of €1.2bn ($1.4bn) on Facebook, which was found to use personal data for advertising purposes without obtaining adequate consent from users. This fine is the latest in a series of measures recently taken by regulators against privacy breaches. However, in the absence of other remedies, fines are unlikely to be effective. Regulators need to foster transparency and user awareness and look to tackle network effects if they want to encourage businesses to put privacy at the heart of their activity.
Fines alone will not address the issue of transparency and consumer awareness
Hardly a day goes by these days without seeing an EU regulator (either the European Commission itself or a national DPA) hitting out at an internet giant with a seemingly heavy fine. Privacy has taken center stage among the issues regulators are keen to address, and the upcoming General Data Protection Regulation (GDPR) in Europe is only likely to make this trend even more evident.
To this end, the AEDP’s decision to fine Facebook for €1.2bn is both reassuring and concerning at the same time. It is reassuring because it shows that regulators are taking users’ privacy seriously, and it is concerning because fines appear to be the only instrument they have to hand at the moment. Although a fine of €1.2bn could look large at a first glance, it has to be put in the context of Facebook’s revenues, which stood at around $28bn during 2016. In other words, a fine of that size causes little trouble to an internet giant, whereas smaller fines could have terminal consequences for a start-up.
More strikingly, issuing fines has so far had little to no impact on the larger internet companies’ ability to grow and attract users. As Ovum notes in its report How Regulators and Businesses are Preparing for Implementation of the GDPR, privacy breaches are not causing users to quit a service or switch to another one. With regard to OTT communications, this is particularly due to the power of network effects, whereby an increase in the amount of users is itself the cause for a further increase because it becomes easier to interact through a given platform. These effects are such that the perceived benefits for customers to use a certain service tend to outweigh the risk of privacy breaches.
As a result, the adoption of OTT communications services, such as Facebook and WhatsApp, continues to increase, as forecasted by Ovum’s OTT Communications Tracker: 4Q16. In particular, Facebook Messenger’s active users are poised to rise from 1.2 billion in 4Q16 to 1.8 billion in 4Q18. Similarly, it is predicted that WhatsApp’s global active users will grow from 1.5 billion in 4Q16 to around 2.5 billion in 4Q18.
In other words, fines are unlikely to have a significant impact on privacy practices if they are not used alongside other instruments, such as measures to increase transparency and user awareness and reduce the power of network effects. The arrival of the GDPR will go some way to forcing businesses to adopt better privacy practices; however, it will be crucial to ensure users care more about privacy than they currently do and to put users in the position to do something about it in order to avoid the GDPR turning into a pure and simple fines generator.
How Regulators and Businesses are Preparing for Implementation of the GDPR, TE0007-001170 (August 2017)
OTT Communications Tracker: 4Q16, TE0003-000986 (January 2017)
Luca Schiavoni, Senior Analyst, Regulation