The Long Road to Data Privacy: How We Got Here
Jun 02, 2023
Most of us are familiar with the name Edward Snowden – he’s the whistleblower who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was the agency’s employee and subcontractor.
But what you might not be as familiar with is one of the most striking impacts of Snowden’s leaks: the caution they created among European countries concerned about the ways in which the U.S. government can subpoena information from private companies about their audiences.
What Personal Information Can the U.S. Government Access?
At the time of Snowden’s leaks, the U.S. government was able to collect the phone records, email, Facebook posts, and instant messages of the American public, along with an undisclosed number of actual phone calls. In the years since, some of those telecommunication capabilities have been restricted with the expiration of the Patriot Act, though the government still regularly requests other information – such as email logs and social media account information – from private companies. For example, the NSA uses Facebook and other social media profiles to create maps of social connections – including those of American citizens.
Big Tech companies like Meta (née Facebook), Google, and Apple were and are of particular concern to the EU, given how much data those entities ingest and, as Snowden exposed, can in turn pass to the U.S. government if requested.
For context, the U.S. government made 42,466 total requests for audience data in 2018 alone, according to Meta. These requests impacted 70,528 user accounts. And in the majority of cases, Meta was not authorized to tell the user about the government’s demands.
Meta is certainly not alone in receiving requests like these from the U.S. government.
Europe's Approach to Privacy
Europe has always been further along than the U.S. when it comes to pushing legislation that protects the individual’s rights to data privacy. This is in no small part because European countries have experienced literal terror as a result of surveillance abuses from perpetrators like the Stasi police and the Nazi regime.
After pursuing data protection reform since 1995, the EU signed the General Data Protection Regulation (GDPR) into law in 2016 and started enforcing it in 2018. GDPR gave individuals in the EU protected rights – such as the right to be informed as to how their data was being used by private companies, the right to opt out, and the right to demand deletion of their data from company records.
In turn, GDPR required businesses to put new practices in place to ensure they were adequately representing to individuals how their data was being collected and to collect data only in the spirit of necessity.
Notably, GDPR also prohibits businesses that collect data from EU residents from transferring that data outside of the EU. This provision is meant to ensure that governments whose surveillance practices the EU doesn’t agree with – such as the U.S. government – don’t have access to EU constituents’ personal information.
The Role Companies Play in Privacy
The U.S. government’s ability to demand audience information puts technology companies in a unique – and formerly unchecked – position: the position of having to decide when and how to solicit personal information from their users.
On one hand, Big Tech could change its practices around collecting audience information at all to avoid having to compromise user trust. And as a result of Snowden’s revelations, some tech companies did. Apple famously encrypted its users’ data so that when subpoenaed, which it often is even today, the data it handed over would remain in its protected state. (Though in more recent years, Apple also created the CSAM detection system, which came under fire for the ways in which it scans iPhones for illegal material and turns that information over to authorities.)
On the other hand, companies like Google and Meta would see a significant drop in revenue should they choose to stop accessing audience information – Meta has already seen this drop, in fact, based on the loss of data it saw in 2021 (more below). This is because these companies use audience browsing insights to power the advertising options they offer to their customers. As such, they haven’t made the same proactive moves in the privacy space.
But herein lies the ethical question: to what extent are we as a public comfortable with our data being used in ways we may not realize, only to further the profit of private companies?
What Happens Now?
The data presents a telling story about how the public values its privacy. In 2019, Pew Research Center found that 81% of the public say that the potential risks they face because of data collection by companies outweigh the benefits, and 66% say the same about government data collection.
And in the years since 2013, Apple has also realized the brand gains possible in positioning itself as privacy-forward. In late 2021, the company rolled out an iOS 14.5 update that allowed users to mask their email activity through its Hide My Email feature and forced app developers to ask users for permission to track their activities. Somewhere between 75 and 89 percent of users declined to be tracked. In tandem with these updates, Apple made sure to promote its enhancements with robust marketing campaigns aimed at making the most of its stance.
The fallout for apps like Facebook and Instagram – which were newly without the audience data they depended on – was swift. Mark Zuckerberg estimates that Meta took a combined $10B revenue loss based on the change.
And in addition to tech companies, U.S. states have also begun adopting data privacy legislation with similar tenets to the EU’s GDPR. Nine states signed data privacy laws in 2022 and 2023, meaning that companies that serve audiences in those states will have to comply. Many other states are considering similar measures.
As business owners, the most important thing we can do at this moment is to ensure we’re in compliance with those required privacy measures. Take the time to research where your business falls in terms of what’s required and get legal and strategic advice to support your goals – while also respecting the privacy your audience deserves.
Take next steps to be prepared for the impact of privacy from both the legislative and tech response perspectives.