Reuters
From a European perspective, the scandal around Cambridge Analytica’s alleged misuse of Facebook FB, -2.56% data could scarcely come at a more apt moment, little more than two months before the European Union introduces a comprehensive update to its privacy laws.
The General Data Protection Regulation (GDPR) will explicitly ban companies from soliciting personal data for one reason and then using it for another. It will slap potentially stratospheric fines on those who sell people’s information without those people’s consent and place strict limitations on companies that want to create and use profiles of individuals. These activities are at the core of the current furor, and Europe — so often seen as anti-innovation on such issues — suddenly seems ahead of the curve.
Market Pulse: Cambridge Analytica says it has suspended CEO Nix in wake of Facebook personal data furor
But why is it that Europe seems to be more advanced than the U.S. when it comes to privacy protections?
From a legal standpoint, everything that EU lawmakers do on this front, GDPR included, is based on the bloc’s Charter of Fundamental Rights. This document includes rights to privacy and the protection of personal data, neither of which is explicitly protected under the U.S. Constitution. But that’s largely down to Europe’s past experiences.
“With some of the European countries, particularly the Germans, there is the memory of the Stasi and, before that, the memory of the Nazis,” said Paul Bernal, a technology law lecturer at the University of East Anglia’s School of Law.
Like its patrons in the Soviet Union, the Stasi — East Germany’s secret police during the Cold War era — was notorious for exerting control over people with, of course, no regard for privacy. More than 250,000 people were either employees of or informants for the organization.
The Nazis, too, had every reason to stop people from keeping their personal information to themselves. In the occupied Netherlands, for example, they exploited official registers of Dutch citizens in order to identify Jews for “deportation” to death camps. “This is still something in the consciousness of the Dutch and Germans,” said Bernal.
With those collective memories, it is hardly surprising that Europeans, particularly those northern and eastern regions, take privacy and data protection so seriously. The world’s first data-protection law emerged almost half a century ago in the German state of Hessen, and German and Dutch lawmakers were among the prime movers behind the GDPR.
But the new law, which updates and harmonizes an EU data-protection regime that dates back to 1995, isn’t just a product of history. It’s also a response to a very current situation: the dominance of American technology firms. And this isn’t just because the likes of Facebook and Google GOOG, -0.20% GOOGL, -0.35% have track records of flouting European privacy laws; it’s also partly about geopolitical competition.
“The authorities like to stick it to Facebook, Google and others, and have been looking for ways to rein in their power,” said Bernal. “If you listened to some of the European politicians during the debate around the GDPR, there was a sense that it was about getting to those companies that seem unreachable in other ways.”
The GDPR differs from the EU’s older Data Protection Directive in many ways, but two stand out. Firstly, the new regulation explicitly asserts EU jurisdiction over any company that operates on its turf by serving European users. So, even if a company has no physical presence in the region, it will have to bend to the EU’s rules if it wants to retain access to that market.
Secondly, the GDPR hugely increases the ceiling for the fines that can be levied on transgressors. While the older law allowed EU countries to set their own fines, generally at levels that could be laughed off by U.S. companies with deep pockets, its successor sets a blanket limit of either €20 million ($24.5 million) or 4% of global annual revenue, whichever is higher. Even the Facebooks of this world would balk at losing that much cash.
However, while the Americans have generally given corporations a much easier time on the privacy front, they are not without their own methods for dealing with abuses. “Sometimes I’m not as certain that the European protections are as far forward of the Americans as they seem. They just have different techniques,” said Bernal.
For example, the U.S.’s Federal Trade Commission has from time to time wielded its authority over companies such as Facebook and Google, on the basis of deceptive acts and practices. The agency’s crackdowns have resulted in some fairly hefty fines, such as Google’s $22.5 million penalty in 2012 for tracking users of the Apple AAPL, -0.03% browser Safari by employing cookies, even when those users had opted out of being tracked.
Facebook settled with the FTC in 2011 over charges relating to users’ inability to keep their information private. Now, according to a Bloomberg report, the FTC is looking into whether Cambridge Analytica’s alleged misuse of Facebook users’ data violated the terms of that settlement. If Facebook is found to have slipped up, it could face millions of dollars in fines.
Nonetheless, it remains to be seen whether U.S. lawmakers see this kind of regulatory force as sufficient, when dealing with companies that are increasingly dominant in their markets, and that seemingly wield ever more power over consumers. A recent Axios/SurveyMonkey poll suggested the American public is getting hungrier for a crackdown on Big Tech. It may well turn out that inspiration lies across the Atlantic.
David Meyer is a Berlin-based technology writer and privacy consultant. He is the author of the book “Control Shift: How Technology Affects You and Your Rights.”