EU Data Privacy Regulations: A Sign of Hope?

By Avneesh Chandra, Master of International Public Affairs student at the University of Wisconsin-Madison La Follette School of Public Affairs


Photo: MIT LIBRARIES


A few weeks ago, a video implying that Facebook was constantly listening to its users through its mobile app caused an internet uproar. The idea, which would be a disturbing extension of the already intrusive model through which Facebook applies user data to better target ads on its platform, was soon refuted and debunked. In the process, however, it once again brought up the debate over social media companies, privacy, and where and how we draw the line. How wide a window into people’s private worlds is tolerated in exchange for birthday reminders, or for new fitness trackers with same-day delivery? Do people know, on the other side of that window, how many unknown faces are peering through?


In the 2016 US election, “fake news” may have reached almost a third of the US electorate. Through a $100,000 ad-buy and using social media’s targeting models, a determined state actor was able to tailor a historic campaign of misinformation to millions. As part of an investigation into Russian interference, three major players in Silicon Valley—Facebook, Google, and Twitter—were asked to testify in front of the US Congress last October. Lawyers for each company, over the course of three hearings, tried to show they could own up to their mistakes and would dedicate significant resources to prevent future misuse of their platforms. However, underneath the smooth platitudes of Facebook’s General Counsel Colin Stretch—whose lines were quickly echoed by lawyers for Google and Twitter—was a clear undercurrent of desperation. These companies were vying to convince Congress that they could be trusted to self-regulate, to close the massive loopholes that had allowed such an egregious abuse of their users’ privacy and trust.


In many ways, the internet is still the (latest) final frontier. Though oddball HTML pages have given way to heavily-trafficked social media sites, users of the World Wide Web still enjoy a wilderness mostly free from oversight, regulation, or accountability. Though one can try to remain anonymous on the internet, it is not much harder for marketing firms and governments to track and monitor them than to do the same to those who allow themselves to be identified. Yet, the exponential growth in value and market share of these companies has not been matched by checks on the power they have over their users. Corporations controlling most online platforms have enjoyed years of relatively free reign — unthreatened by US legislators and regulatory agencies.


In contrast to the United States, the European Union (EU) has codified the right to privacy in its charter. Together with its most important court, the European Court of Justice (ECJ), the EU leads the world’s largest economies in consumer protection regulation. It also recognizes the right to be forgotten — wherein a citizen can request the removal of information about themselves from the public domain — under which Google has been made to comply with over 440,000 URL takedown requests. It has only done so, however, within country-specific domains: for example, any link taken down from google.co.uk is still visible on google.com. When a case from France based around this discrepancy was recently referred to the ECJ, an important question around digital jurisdiction was raised: does the right to be forgotten extend beyond Europe’s borders? The uncharted territory of regulation in a virtual, border-less, and global landscape is precisely where the EU’s regulatory leadership becomes crucial.


When global economies depend heavily on trade and how many consumers a producer can reach, markets and their regulators become increasingly powerful. The size and wealth of the single market — now at 500 million strong—gives the EU enough leverage to successfully regulate US companies. Additionally, there already exists a precedent for EU regulatory influence extending abroad: a spate of antitrust rulings and data protection efforts by the EU around the turn of the millennium led the US to agree to the Safe Harbor Privacy Principles, which require an “adequate level of protection” for the data of EU citizens should it ever cross borders. For American companies that have been happy to avoid the scrutiny of domestic regulators, a foreign authority with far-reaching influence (and no apparent interest in bowing to large corporations) must be an unnerving presence. A ruling on the French case by the ECJ, which will determine the scope of the control a citizen has on the data generated by him and on him, could fundamentally change the discussion around data and privacy regulation — and not a moment too soon.


As more eyes shift from television sets to cell phone screens, the juggernaut of online advertising continues to pick up speed. Business models that are wholly dependent on ads — like Twitter’s, which is just barely surviving on its ad revenue – will continue an unrelenting quest to hold their users’ attention for a second longer than their competitors. The race to the bottom in the look-at-this economy is already taking place, and it’s being held not just at the expense of a respect for consumer privacy, but in the complete absence of it.

This year, Twitter reached almost 330 million monthly users. Google crossed a billion, and Facebook amassed twice that many. These companies are growing at an unprecedented rate, have access to an unimaginable amount of data on real people, and are constantly acquiring more — identity, education, likes, dislikes, locations, relationships, health, finances. The utility of this information seems limitless, while an individual’s ability to control how it is used and by whom seems woefully limited. Preservation of public trust and worries about spooked investors are no longer working to keep this industry of online platforms acting in a transparent and accountable manner. These platforms provide incredible conveniences, but the monopolization of the Internet and control of troves of user data by a handful of profit-seeking actors is deeply troubling.


The obvious solution, the final stop-gap, remains the purview of the public sector. Strong legislation in the public interest, beginning to return control of an individual’s data back to the individual, will be a decisive step toward safeguarding privacy. For the US to successfully regulate its homegrown tech giants and their online fiefdoms, great political will and capital will be required. The need for it is evident. As US Senator John Kennedy from Louisiana remarked during the October hearings, “I think [these companies] do enormous good, but [their] power sometimes scares me.”


Hopefully, it scares the EU too—at least enough for it to leverage its regulatory authority to remain a global leader in bringing greater Internet protections to not just its own citizens, but also to more poorly-protected users elsewhere—such as those in the US.

  • Blogger Social Icon
  • Twitter Social Icon
  • Facebook Social Icon
  • LinkedIn Social Icon
  • Instagram Social Icon
euh.png