Overhauling Digital Privacy In The EU

Download Audio
The Facebook logo circa 2012. (Matt Rourke/AP)
The Facebook logo circa 2012. (Matt Rourke/AP)

With Meghna Chakrabarti

The European Union is getting ready to enact sweeping new digital privacy laws. Facebook says it’s going comply. Is what’s good for Europe good for the U.S.?


Alex Hern, tech reporter for the Guardian UK. (@alexhern)

Tom Wheeler, former chairman of the Federal Communications Commission from 2013 to 2017 under President Obama. Veteran telecom entrepreneur and fellow at the Harvard Kennedy School. (@tewheels)

Scott Shackelford, associate professor of business law and ethics at Indiana University's Kelley School of Business. (@sjshacke)

Highlights From The Hour

GDPR 101: Understanding the EU's General Data Protection Regulation

Tom Wheeler: "They're gonna do something that is a first. And you can consider it crossing the Rubicon, I guess, maybe crossing the digital Rubicon. The effect of it will be, for the first time, to reorient what is happening online around the consumer and the consumer's information rather than around the company. There are two principal issues here, I think. One is that developers tend to build first and then think, 'What are the consequences?' later. And businesspeople seize on that to say, 'Well, the more data that we can collect, the greater the targeting that we can sell.' And so what GDPR tries to do is to go at both of those by first saying you have to have privacy by design. It has to be a forethought, not an afterthought. And then, you need to make the collection of the information fit the usage, because right now what we have going on is, how can you siphon off as much information as possible, even though it really isn't necessary to the delivery of this particular service?"

On the paradigm shift that the GDPR represents

TW: "The key concept here is that it's the consumer's information, and the consumer has the right to provide informed consent about what's being collected and how it's being used. So they need to opt in before the information can be collected. They can't be coerced into, 'Well, if you don't say we can have this information, then we won't give you the service.' It can't be hidden in paragraph 87 of the legal fine print. And, one of the hidden things here is the concept of portability, where your information remains your information even if it's on somebody else's server, and you can take it with you, because it's yours, not theirs.

"It's gonna force companies to think about privacy first, rather than scramble to catch up. ... The ethos has tended to be, 'Well, let's see if we can build' — you know, fill in the blank — 'and then we'll deal with the consequences later on.' "

On what's preventing similar laws from being passed in the U.S.

TW: "We tried to do this when I was chairman of the FCC, insofar as the networks that connect you to the internet. We've spent a lot of time in the last couple of weeks focusing on Facebook, but Facebook is one website, or several websites. The networks that take you there — AT&T or Comcast or whoever — they see all the websites you go to. They see everything you're doing. So we put in place rules that were very similar in concept, an opt-in concept in the transparency of what information's being collected, that applied to the networks. We couldn't apply them to the platforms like Facebook and Google because the FCC doesn't have jurisdiction. But we applied it where we had jurisdiction. And 67 days after the Trump Republican Congress came in, Congress passed a law repealing it, and went so far as to pass a law that said the FCC could never again have those kind of privacy rules.

"So we have a basic underpinning issue in the United States where there needs to be a willingness of our elected officials to step up and say, 'No. I represent the consumers whose information privacy is being violated,' and that hasn't been the orientation of the Congress to this point."

On the timing of GDPR and the Cambridge Analytica scandal

Alex Hern: "It's only really been four or five months that anyone except the extreme specialists have been paying attention. And I think just as the lobbying effort might have kicked into top gear, just as the public was starting to become aware of GDPR, the Facebook scandal broke and completely changed the tenor of the conversation. I don't think right now you would get much leeway if you tried to argue that there isn't a serious institutional problem with the way that data is handled across the world."

On "the right to be forgotten"

AH: "The right to be forgotten isn't a new right in the European Union. It was established as a corollary of the right to privacy a few years back. And, so far, until the introduction of GDPR, it has been interpreted as allowing individuals to demand the removal of outdated or misleading information about them. It's largely been applied, almost entirely, really, in the public sphere, through requests made to Google to remove search entries about individuals. ... Following GDPR, it's been made much more explicit. It introduces a right for individuals to have personal data erased. They can make a request, they have to get a response within one month. But GDPR is also very explicit that the right is not absolute. It only applies in situations — if the personal data is no longer necessary for the purpose it was gathered, or it specifically has stronger implications for data gathered around children. There are checks and balances built into this, just as there were before, but they are different, I think, from the checks and balances that the U.S. would settle for on its own."

On the legal challenges of the right to be forgotten

Scott Shackelford: "It's not even absolute in the EU. So this has to be balanced against free expression there. But ... the balancing act and how that would play out in the U.S. is gonna be pretty different. The U.S. and European Union, for some time now, have actually been diverging on how we think of privacy rights. What counts as news? What are the privacy rights even of public figures? And that divergence is really coming into play when we think about how these EU concepts, like GDPR and the right to be forgotten, are gonna be applied in U.S. courtrooms. Because, as I'm sure is gonna be no surprise to your listeners, we have a really robust tradition of free speech and free expression here, which could run pretty headlong against this idea."

From The Reading List:

The New York TimesCan Europe Lead on Privacy? -- "It is nice to see Facebook taking some responsibility for the exploitation of the personal information of 50 million of its users in the service of a political campaign. But Mr. Zuckerberg’s comments suggest he still doesn’t get it: What matters is not whether internet companies “deserve” our private information but why we as consumers do not have meaningful ways to protect that data from being siphoned for sale in the first place."

The European Union is about to enact a sweeping new digital privacy law. It will give consumers control of their data, including the right to be forgotten, and fine companies if they fail to comply. Facebook says it will comply with the "spirit" of the law, but it’s also made a quiet move that could put 1.5 billion users out of reach of the EU’s new rules. And here in the U.S., some are asking, why can’t Americans have just as much control over their data? One answer — the EU’s rules could be unconstitutional here.

This hour, On Point: The EU, digital privacy and free speech. Plus, we'll take a closer look at Palantir, another major player in data mining.

-- Meghna Chakrabarti

This article was originally published on April 24, 2018.

This program aired on April 24, 2018.



More from On Point

Listen Live