Not many pieces of EU legislation are accompanied by their own movie. Yet cameras followed Jan Philipp Albrecht, a charismatic young Green MEP for northern Germany, for nearly two years, allowing viewers to watch the slow gestation of the General Data Protection Regulation in tasteful monochrome.
Mr Albrecht’s turn on screen in Democracy, which came out late last year, demonstrated how data protection has gone from an arcane topic to front-page news as the companies that have built businesses on user information, such as Google and Facebook, have grown into some of the world’s largest businesses.
Data — the pictures, payslips and personal items that make up life online — have sparked a scramble among companies to hoard, analyse and ultimately make money from them. How to regulate this growing industry, both now and in the future, has become one of the most important tasks facing regulators.
After four years of negotiations, the EU tightened its rules on data protection, updating legislation devised in 1995, when Netscape was the world’s most popular browser and three years before Google was founded in a garage.
The new rules were designed to fill cracks in the EU’s data protection regime, which left companies facing different — sometimes conflicting — guidelines. In exchange for tighter regulation and higher sanctions, businesses would benefit from less bureaucracy and greater legal certainty.
Or at least that was the plan. In reality, the sanctions have got bigger — jumping to fines of 4 per cent of global turnover for egregious breaches, or enough to wipe out the annual profits of a typical retailer. Companies are now also required to report data breaches within three days.
But the longed-for single data protection regime, giving businesses a lone regulator to deal with, failed to materialise. Although companies have one lead data protection authority, other regulators can muscle in if they feel aggrieved. “What remains is the stick, but not the carrot,” says Monika Kuschewsky of Covington & Burling, a law firm.
Bubbling underneath the entire negotiations was a broader point: the EU wants to set standards online, making its regulatory footprint as big as possible. The new rules are unashamedly global in nature. Companies will be fined based on their worldwide turnover, not just their European sales.
Likewise, the rules — and punishments — will apply to any company that does business in the bloc, whether or not they are established in the EU. Even companies that just monitor EU citizens are covered by the legislation.
Critics say that, in practice, this changes little as most companies affected already did some business in the EU. But it is a demonstration of intent, as Eduardo Ustaran, a partner at law firm Hogan Lovells, points out. “It is clear that European policymakers and public authorities are keen to make their powers extraterritorial. In many respects, it is a reflection of our globalised economy and society — Europe does not want to lose its reach,” he says.
Until now, the US — both its companies and regulatory norms — has tended to dominate the internet. But this hegemony has come under pressure in recent years.
A series of rulings from the European Court of Justice have introduced fundamental shifts for privacy online. In a momentous ruling in 2014, judges in Luxembourg declared that European citizens had the right to remove outdated, inaccurate or incomplete information about themselves from search engine results. This, they argued, should apply globally, even to websites not based in the EU, such as results on Google.
A year later, the same judges struck down “safe harbour” — a crucial agreement between the US and the EU that allowed companies to transfer data across the Atlantic without having to set up a complicated legal structure. These rulings have demonstrated a fundamental split in the way US and EU authorities see data protection.
“There’s a recognition that the US has privacy — we just do it differently,” says Penny Pritzker, the US commerce secretary who is overseeing the negotiations for the US. “Europe has a different approach to privacy.”
Unfortunately, equal but different is a principle that does not work effectively for instant global transfers of information, argues Mr Ustaran. “In the context of data there is an urgent need to appreciate that, in the real world, information flows are not subject to geographic or jurisdictional boundaries,” he says.
As a result, attempts by legislators to introduce measures in the 21st century that restrict data to defined geographical areas are “ludicrous”, he says.
Such contradictions may explain why the deal took so long to agree. This delay left a rather large flaw in Democracy: the documentary ended in the spring of 2014 — more than a year before the law was finished. Perhaps they will make a sequel.
Teenage angst: Clash over rule change that could block under-16s’ access to social media
Late last year, the EU agreed rules to strike terror into any smartphone-addicted teenager.
Buried in the almost 200-page regulation on data protection was a last-minute tweak that would make it illegal for companies to handle personal data of people below the age of 16 without parental consent. It would potentially have torpedoed businesses such as Instagram and Snapchat, which trumpet to advertisers their ability to attract younger users.
But after a few days of lobbying, and often hysterical press coverage, a deal was reached. Although 16 will still be the norm across Europe, governments can, if they wish, reduce this age to 13, which has been the de facto age of consent among internet groups.
This leaves big internet groups with a lot of lobbying to do at a national level to keep to the lower age limit. Technology groups argue that teenagers are more than capable of handling themselves online and that the ban was devised by “people who have not spent any time with 15-year-olds”, as one tech policy adviser put it. But if the lobbying fails, Facebook and Snapchat et al face the task of verifying the age of people online in the EU.