Jun 9, 2021

Axios Login

Today's Login is a special edition devoted to privacy — looking at how three years of living with GDPR, the landmark European data privacy law, has shaped the online world far beyond the EU's borders.

Today's newsletter is 1,354 words, a 5-minute read.

1 big thing: How the U.S. got boxed in on privacy

Illustration: Annelise Capossela/Axios

The federal government's failure to craft a national privacy law has left it to be squeezed on the issue by the EU on one side and California on the other, Axios' Margaret Harding McGill and Kim Hart report.

Why it matters: Companies are stuck trying to navigate the maze of EU and state laws, while legislators in Washington have no choice but to use those laws as de facto standards.

The big picture: Three years after the EU's GDPR (the General Data Protection Regulation) law went into effect and six months after California's strict privacy statute (the California Privacy Rights Act) became official, the U.S. is still nowhere close to passing nationwide privacy rules.

Yes, but: Any U.S. law would largely be shaped by rules set by the EU and California.

  • Businesses have already spent big to comply with these laws, and Congress would be hard pressed to pass rules that are a weaker than those the industry is already following.
  • "It lowers the required energy to pass a federal privacy law in the United States because global companies have already done most of the heavy lifting," Future of Privacy Forum senior counsel Stacey Gray told Axios. "But it also means there's a narrower world of what legislation could look like."

What's happening: California and Virginia have both passed consumer privacy laws, with Colorado's state legislature approving its own privacy bill Tuesday and sending it to the governor's desk.

  • California's law gives consumers the right to access, delete and opt out of the sale of data.
  • "Being able to opt out of sale is a uniquely California spin, and you can see the influence, it's now turning up in bills across the United States and may become part of a federal privacy law," Gray told Axios.

Meanwhile, in Congress, momentum for action on privacy has stalled, despite the pile-up of state and global regulations.

  • The pandemic and the new administration's proposals for addressing its fallout have taken priority.
  • Even within the tech policy world, other issues — including Senate Majority Leader Chuck Schumer's China competition bill, antitrust and misinformation — have drawn lawmakers' focus.

What to watch: House consumer protection subcommittee Chairwoman Jan Schakowsky (D-Ill.) has said she intends to host privacy roundtables with her Republican counterpart and interested stakeholders to try to hammer out the sticking points on legislation, with a goal of passing a bill by 2022.

2. The EU privacy law's track record

Illustration: Aïda Amer/Axios

Today, most users know the EU's General Data Protection Regulation chiefly through the pain of having to click a box about cookie policies on every new website they visit.

Yes, but: Privacy experts say the EU's rules governing how corporations manage people's online data have had deeper impacts in three areas: company behavior, people's expectations and knowledge of how their data will be treated, and adoption by other nations and regions, Axios' Ashley Gold reports.

1. GDPR has changed the way businesses think about and handle user data.

  • GDPR has spread the message that companies need to map, inventory and account for their customer data, with processes in place to manage and store it.
  • American companies adopted GDPR as their standard "in order to have one single compliance program worldwide," said Cameron Kerry, distinguished fellow at the Brookings Institution Center for Technology Innovation.

2. Consumers in the U.S. now have higher expectations about online privacy, as American companies adopted GDPR standards.

  • Americans have noticed that Europeans have privacy rights they do not. But they don't necessarily feel more protected with GDPR in the world.
  • The Pew Research Center found in 2019 that six in 10 U.S. adults feel like they're being tracked constantly.

3. GDPR inspired copycat legislation and bills both globally in countries like Brazil, India and China and in U.S. states including California and Washington.

  • It also caused new headaches for companies that must exchange data across borders.

The big picture: "From a policy impact perspective, GDPR succeeded in becoming sort of the lingua franca of privacy and data protection around the world," said Omer Tene, vice president of the International Association of Privacy Professionals.

The other side: Critics have viewed GDPR as an exercise in compliance and "box-checking," with not enough focus on outcomes. Small business in Europe are struggling to comply with it. And it may already be outdated, thanks to changes in how companies track users.

3. Privacy tech industry explodes

Illustration: Eniola Odetunde/Axios

Businesses forced to comply with a patchwork of state and global privacy rules have turned what was once a cottage industry focused on data and privacy into a multi-billion-dollar sector, Kim reports.

Why it matters: As COVID-19 drove consumers online in droves, companies — from Fortune 500 firms to the corner coffee shop — had to grapple with how to legally handle personal data. The privacy-tech companies who know how to do it have been raking in the cash.

"Data is on its way to becoming a fairly regulated business, even though we don't have a national law yet," said Jules Polonetsky, CEO of the Future of Privacy Forum. "If you're a restaurant or even a school — and all of a sudden you're covered by one of these laws — you now have to assess and document that you're in compliance."

By the numbers: Consumers are more connected than ever, causing data flows to a wide variety of companies to grow exponentially.

  • The average American household now has 25 connected devices, ranging from laptops, smartphones and smart TVs to gaming consoles, smart home devices and connected fitness machines, according to a Deloitte connectivity survey out today.
  • 70% of those who began shopping on their smartphones thanks to the pandemic plan to continue.

What's happening: The companies that help other companies process, maintain, and legally maximize use of consumer data are in high demand, according to a Future of Privacy Forum report shared first with Axios.

  • Some of the largest players — such as BigID and OneTrust — have multi-billion-dollar market caps on their own.
  • Venture capital investment remains high: According to TechCrunch, about 207 privacy startups have together raised more than $3.5 billion in funding.

These companies are increasingly becoming "platforms for risk management," per Polonetsky.

  • The legal and reputational risks posed by data leaks and inappropriate uses of data are so great that they've become a board-level issue. And purchasing power has moved up the corporate ladder to chief technology officers and chief marketing officers — who control the biggest budgets.
4. Senate passes China bill with chip subsidies

The Senate voted 68-32 on Tuesday to approve a sweeping $200+ billion China-focused global competition bill that includes $50 billion to boost domestic semiconductor production.

Why it matters: A global chip shortage has slowed production of everything from cars to computers, while global rivalries have raised American concerns about U.S. dependence on tech manufacturing in China.

The big picture: The U.S. Innovation and Competition Act authorizes new funding for the National Science Foundation and establish a new technology directorate.

  • The bill has the backing of President Biden, and now goes to the House.

Details: The centerpiece of the legislation is $50 billion in emergency funding for the Commerce Department to boost domestic semiconductor production, in light of the global chip shortage.

  • It also includes billions in extra funding for research and development at the Energy Department, the Pentagon and NASA, including in the areas of artificial intelligence, quantum computing, robotics and 5G.
  • The bill would provide $10 billion over five years to Commerce Department to create regional tech hub programs, and require federally funded infrastructure projects to use certain materials manufactured in the U.S.
5. Take note

On Tap

Trading Places

  • A number of Magic Leap's top executives are leaving, per Insider, in the biggest shakeup since former Microsoft and Qualcomm CEO Peggy Johnson took over as CEO.


6. After you Login

In case you need something wholesome to start your day, you know, even more wholesome than a tech newsletter, read this thread.