EU privacy boom’s a business bust
In Stockholm, you can store your data in a refurbished nuclear bunker behind a 40-centimeter-thick steel door. In Berlin you can buy a spy-proof mobile phone that lets you fly under the radar of intelligence agencies across the world.
Welcome to the weird and the wonderful of Europe’s privacy market.
Europeans’ demand for privacy and data protection has spawned a collection of companies big and small promising to shield internet users from corporate and governmental surveillance. With incoming rules on what big data competitors can and can’t do with EU citizens’ data — the General Data Protection Regulation that takes effect in May — many of these companies want to go mainstream.
Those hoping for the emergence of a commercial giant of privacy may be in for disappointment: It isn’t entirely clear how privacy-friendly consumer products will make money. Companies that grew to become Silicon Valley’s giants, like Google and Facebook, have done so by harvesting huge swaths of data and repackaging and reselling this to advertisers. Advertising is still the dominant revenue source for consumer-focused internet businesses, although a niche privacy industry is taking shape in the business-to-business sector.
The EU’s GDPR law aims to put new limits on how companies build profiles of their customers or users and how they share that information with other companies. But rivals of Facebook and Google won’t likely take over the tech world just yet.
“These technologies are no longer something for criminals, illicit arms dealers or porn users. They are for the average Joe, too” — Bart Willemsen, Gartner
“Candidly, consumers like free stuff,” said Chris Babel, chief executive officer of TrustArc, a company specializing in technology that helps businesses comply with privacy regulation. “When it came to how you got paid as a business, you were either trying to get a consumer to pay you [or] monetize your data and take a cut of that.”
The GDPR took five years to wind through the legislative process and is known as the most heavily lobbied EU bill ever: It triggered 4,000 amendments in committee. The Commission and its allies wanted to safeguard a fundamental right to privacy in the online world. As part of its push, the Commission said raising the standard on privacy would help European startups blossom and compete with predominantly American, less privacy-friendly tech.
“We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage,” Digital Vice President Andrus Ansip said when EU negotiators finally struck a deal on the bill in 2015.
And indeed, a growing number of internet users are turning to new applications and tools that prevent companies and governments from building up a profile of them.
Edward Snowden speaks during an interview in Hong Kong | The Guardian via Getty Images
End-to-end encrypted messages, a technology that hides messages for everyone except the sender and receiver, have become the norm for online messaging, driven by the rise of WhatsApp.Ad blockers, technology that stops advertising from loading on web pages, are used on over 600 million devices globally, according to recent report by PageFair. Use of “The Onion Router,” or “Tor” browser, which masks someone’s location and identity online, rose about 60 percent in the past year.
The revelations made by whistleblower Edward Snowden about how intelligence agencies have direct access to people’s messages, emails, browsing history and other online behavior created widespread awareness of surveillance practices — and boosted internet user interest, these figures show.
“These technologies are no longer something for criminals, illicit arms dealers or porn users. They are for the average Joe, too,” said Bart Willemsen, research director on privacy issues at Gartner, the technology research firm.
While venture capitalists jump on opportunities involving artificial intelligence, blockchain or autonomous vehicles — as illustrated in Gartner’s Hype Cycle for emerging technologies, few boast big investments in privacy-specific technologies or startups.
Some, like Threema, a Swiss secure-messaging app that boasts a couple million users, use a paid-for model, guessing that privacy-sensitive customers would pay a little to keep their data secure. Others, like the secure email service ProtonMail, tried crowdfunding campaigns to balance their budgets — ProtonMail raised €500,000 from some 10,000 users.
The odds are stacked against them, though.
Big Tech counts much of the world’s population among their loyal users: Facebook has over 2 billion monthly active users and Google executes about 90 percent of internet searches — billions of searches per day.
The struggle to break into the consumer tech market isn’t stopping privacy-focused companies from trying to make a splash in the business-to-business market, where a modest boom of privacy technology is taking place.
“On the consumer level, we need a little bit more time for people to become aware. But on the business level we’re there already” — Robert Knapp, co-founder of CyberGhost
The GDPR will introduce a series of requirements for companies using personal data. Companies will have to justify why they’re gathering and using large datasets that include personal data and won’t be able to use personal data for commercial purposes easily. Instead of linking to long legal terms and conditions, companies will actually have to make clear what users are agreeing to. Businesses will have to tell users what data they’re using and delete it at users’ request.
Companies around the world providing services to EU citizens could be fined up to 4 percent of global revenue if they fail to comply. For Microsoft or Google, this could mean billions of euros.
“This really moved those debates on compliance and privacy, and brought them straight up to the boardroom,” said Raegan MacDonald, senior policy manager for Mozilla, the not-for-profit behind the Firefox browser. The new privacy regulation affects businesses across the banking, health care, insurance and automotive sectors, among others.
A report published by the International Association of Privacy Professionals lists about 100 specialized privacy-compliance software companies globally. One of them, Aircloak, is a company that specializes in “anonymization,” a technique to hide personal data in large data sets so companies can use them without violating privacy rights. It launched two years ago and today counts companies including Cisco and Telefónica among its customers.
A technician connects a computer into a network server in a Washington building | Andrew Caballero-Reynolds/AFP via Getty Images
“On the consumer level, we need a little bit more time for people to become aware. But on the business level we’re there already,” said Robert Knapp, co-founder of CyberGhost, a VPN company based in Bucharest.
One new European business, Wire, has the financial backing of Janus Friis, the Danish entrepreneur who co-founded Skype. The company developed a highly regarded end-to-end encrypted call and messaging application and is targeting companies with a paid service so it can keep its consumer-targeted version free. In doing so, it is challenging Slack, the corporate chat program that in September raised $250 million (€211 million) and is valued at $5.1 billion (€4.3 billion).
“Tech giants are getting more and more worried,” Wire’s Chief Executive Officer Alan Duric said.
He is one of the entrepreneurs who firmly believes Europe’s policymakers, insistent on privacy rights, are on the right side of history.
This article is part of the spring policy primer.