Over the past few weeks, people have been bombarded by emails from social networks, airline loyalty programs, and all the organizations whose newsletters they never open. Companies sent messages with ominous subject lines likes “Important Updates to our Privacy Settings.” Why the sudden rush to protect privacy?
The answer lies in Europe rather than the U.S. Today, on Friday, May 25, the General Data Protection Regulation (GDPR) comes into force. The GDPR is the European Union’s new flagship regulation governing the collection, use and storage of consumer data. The compliance-induced flurry of emails may be annoying, but behind the scenes the GDPR is bolstering consumer rights across the globe, giving users more power.
What’s important to realize is that this nearly didn’t happen. If history had gone a little differently, people would still be getting lots of emails, but the privacy policies would have been much weaker, and given them far fewer rights. U.S. and European corporations originally had a lot of influence over the lawmaking process that led up to GDPR, and it seemed likely they would use it to strengthen their grip over your data. Ultimately, European consumer advocates pushed back and flipped the lobbying script. Their success relied on an unexpected foreign ally: Edward Snowden.
What is the GDPR?
The European Union passed its original consumer privacy rules back in 1995, long before the advent of Google, Facebook, machine learning, and the lucrative targeted-ads industry. The General Data Protection Regulation revamps those laws to give European consumers a host of new options to keep pace with these market changes. It formalizes the “right to be forgotten,” allowing individuals to choose what personal information can be found on the Internet. It ensures that consumers can transfer their data across different platforms or services, codifying “interoperability,” diminishing the ability of companies to lock you in, while massively increasing the fines companies pay for any violations.
The GDPR standardized rules across all of the E.U., preventing companies from exploiting national differences in European governments’ approaches to privacy. Ireland, which hosts the E.U. headquarters for companies like Apple, Dropbox and Facebook, had a lax attitude to privacy enforcement, which helped attract e-commerce companies.
The Regulation requires technology companies to have the active consent of customers before they collect and store personal data. These rules apply to any company doing business in the E.U. including U.S. information technology firms. They also apply to European data that is taken outside of Europe: data collected in Germany but then fed to a machine learning algorithm in the United States will still be governed by the GDPR. This is radically different from the U.S. system where firms abide by rules that they can mostly write themselves.
The regulation is a huge shift towards strengthening consumer rights, but it initially looked more like the GDPR would empower, rather than bind, business.
The GDPR gave business a chance to gut European privacy legislation
The first draft of the GDPR was released in early 2012, and virtually no one outside the tech world noticed. However, the stakes were high for those who did pay attention. Silicon Valley companies had long seen Europe’s data rules as an unnecessary burden, and wanted to take advantage of the legislative bargaining process (in the EU, the member states, the European Commission and the European Parliament all have a role in making new laws). They hired an army of former European officials to do their bidding, and started coordinating with influential business associations like the American Chamber of Commerce, to water down consumer protections.
Although European corporations generally saw the GDPR as modernizing privacy rules, American lobbying pushed them to view reform as an opportunity to chip away at laws that hurt their bottom lines. The emerging drafts of the regulation quickly began to mimic the recommendations of companies like Microsoft, Amazon, and Facebook, with members of the European Parliament literally copy-pasting corporate lobbying positions into the draft legislation as new amendments.
The firms fighting the GDPR were some of the wealthiest in the world. They enjoyed huge advantages in understanding the technologies at play, and the public wasn’t paying any attention. In other words, the negotiations met all the conditions that political scientists believe helps business to shape policy.
But Snowden changed everything
In June 2013, halfway through the GDPR negotiations, a National Security Agency contractor named Edward Snowden leaked documents on America’s global surveillance. The documents showed that the National Security Agency had backdoor deals with major Silicon Valley companies, allowing them to use consumer data as the basis of their counterintelligence operations.
The leaks catapulted the GDPR into the public spotlight. What had once been a complicated and boring seeming policy about data security and privacy became a story about U.S. spying that members of the E.U. and their national publics paid attention to. In political science jargon, it gained issue salience.
In our forthcoming article in the Journal of Common Market Studies, we demonstrate how issue salience allowed civil society to counteract business influence. E.U. officials and national politicians backed away from the previous drafts. Some, like German Chancellor Angela Merkel, openly called for the European privacy regime to be strengthened.
The story didn’t end there. Pro-consumer members of the European Parliament, like Jan Albrecht, capitalized on public attention by condemning the influence of foreign firms in the lobbying process. It’s a problem for European institutions to be captured by European business, but it’s a disaster to be seen as controlled by foreign corporations. Even European corporations were tainted by association – they were seen as having become allies, or even tools of big U.S. tech companies.
This meant that many of the old-business friendly amendments were abandoned and replaced by tougher rules. For example, many firms had wanted to get rid of the requirement to notify consumers of any data breaches – like the recent Facebook-Cambridge Analytica scandal. However, the final text provides strong rights, following the recommendations of longtime privacy advocates, European Digital Rights.
The GDPR is not a total win for privacy advocates – it still has many loopholes. But without the glaring spotlight of the Snowden revelations, it would be far weaker. Ultimately, there was no cultural guarantee for Europe to protect privacy. It took savvy consumer advocates to wage a political campaign against powerful business interests.
Now, the GDPR has implications outside of Europe. Facebook and Microsoft say that they are going to adopt some version of GDPR rights for all American consumers, and there are growing fears in Silicon Valley that Congress may act. The GDPR is going to be embedded in any new E.U. trade deals, guaranteeing that it will spread around the world. The emails that Americans – as well as Europeans – are getting, show how data security and privacy rights are on the global agenda. Equally important, the GDPR demonstrates the potential risks for global companies as they seek influence in a world where both business and scandal spill across borders.
Nikhil Kalyanpur is a PhD candidate in the department of government at Georgetown University.
Abraham Newman is a professor in the department of government and the School of Foreign Service at Georgetown University.