In the previous episode of this series on the history of the internet, we covered the story of former CIA and NSA employee Edward Snowden, who leaked large amounts of highly classified information on mass surveillance conducted by the NSA and its British counterpart, GCHQ.
In this episode we will see how this influenced the creation of new data protection legislation and examine some of the effects that this has had both on businesses and on consumer rights.
Repercussions Following the Snowden Revelations
The first stories based on secret documents provided by Snowden were published in June 2013. Two journalists, Laura Poitras and Glenn Greenwald, retained the full set of documents and continued to work with major news organizations to reveal further scandals.
By July, these spying revelations were beginning to strain diplomatic relations between the United States and some of its European and Asian allies. The French president told the press, “We cannot accept this kind of behavior between partners and allies,” and the chairman of the European Parliament’s foreign affairs committee, Elmar Brok, alleged that the United States had “lost all balance—George Orwell is nothing by comparison.”
On Oct. 21, 2013, Le Monde revealed that the NSA had been spying on French citizens on a massive scale, with almost 7 million daily intercepts at the peak of its operations. French Foreign Minister Laurent Fabius responded by summoning the U.S. ambassador to the foreign ministry.
Ahead of a meeting between Fabius and U.S. Secretary of State John Kerry, Fabius told the media, “We had already been alerted in June and we reacted strongly but obviously we need to go further. This sort of practice between partners that invades privacy is totally unacceptable, and we have to make sure, very quickly, that this no longer happens.”
President Barack Obama soon called President François Hollande to discuss the matter, and the White House quickly released a statement noting “The president and President Hollande discussed recent disclosures in the press – some of which have distorted our activities, and some of which raise legitimate questions for our friends and allies about how these capabilities are employed.”
A Call for a European-Wide Privacy Agreement
In the European Union, officials had been discussing an early draft of a new data protection law since early 2012. A number of lobbyists were working to make the case that this legislation would serve as an unnecessary burden on Silicon Valley companies, a burden that would interfere with their business models.
By Oct. 2013, these continuing disclosures had an impact on the thinking of German Chancellor Angela Merkel. Mr. Snowden had claimed that Germany was the most spied-upon country in Europe—viewed by American intelligence as equally important as China.
Angela Merkel came under pressure from German opposition parties to take a stand against spying on German citizens, and a poll by infratest dimap found 78% of Germans believed Merkel should put more pressure on the Obama administration.
Germany already had some of the strongest data protection rules in Europe, but Merkel now argued for new European-wide rules: “That has to be part of such a data privacy agreement because we have great regulation for Germany, but if Facebook is registered in Ireland, then it falls under Irish jurisdiction,” she said. “Consequently we need a common European agreement.”
Many different civil and human rights organizations, including the Electronic Frontier Foundation (EFF), Free Software Foundation Europe (FSFE) and the Electronic Privacy Information Center (EPIC), became members of the Brussels-based European Digital Rights association, which was founded in 2003.
In June 2013, shortly after the first Snowden leaks were published, European Digital Rights argued that the cloud computing industry was set to grow massively and that there were huge financial opportunities for “countries and regions that can show themselves to be trustworthy for the processing of both personal and business data.”
It criticized EU Member States for having weak positions on data protection, accusing them of “falling over themselves to ensure that the EU does not maintain its strategic advantage over the U.S.”
European Digital Rights called for “comprehensive reform in order to ensure the protection of its citizens’ personal data and privacy.”
The Birth of GDPR
Three years and 10 months after the package was launched, the General Data Protection Regulation (GDPR) was completed. It was formally adopted on April 14, 2016, and became enforceable beginning May 25, 2018.
Shortly after GDPR came into effect, Max Schrems, the head of privacy lobby group noyb (None of Your Business), filed a lawsuit in Ireland against Google and Facebook for coercing their users into accepting their data collection policies.
GDPR gives EU citizens a collection of digital rights. The “right to be forgotten” allows citizens to demand deletion of their own personal data. Citizens also gain the right to be notified of data breaches that affect them.
The EU legislation also influenced the California Consumer Privacy Act (CCPA), which was adopted on June 28, 2018, and became a model for national laws in Chile, Japan, Brazil, South Korea, Argentina, and Kenya.
“This is a good bit of legislation in terms of the effort that they’re trying to do. Is GDPR the correct solution? I think no, and I think the mistake that it makes is actually in the name: General Data Protection Regulation, misplaces the problem.
The problem isn’t data protection, the problem is data collection. Regulating the protection of data presumes that the collection of data in the first place was proper, that it was appropriate, that it doesn’t represent a threat or a danger, that it’s okay to spy on everybody all the time, whether they’re your customers or whether they’re your citizens, so long as it never leaks.”
Snowden went on to describe GDPR as “a good first effort” and something that “is meaningful.”
For further information on GDPR see Nathan Sykes’ article Why Programmers Need to Know About General Data Protection Regulation (GDPR).