Data protection:why?

Until recently the conventional explanation for Europe’s data protection laws was that they were a response to the surveillance societies which had benighted Europe during the Twentieth Century. Within Germany the horrors of the Nazis were replaced by the totalitarian control of the Stasi, the security service of East Germany (the DDR)  The Stasi was modelled upon and subject to the Soviet KGB.  Its legacy is a long-standing German distrust of the state:

In Germany we had the experience with the Nazi regime, we had the experience with the German Democratic Republic, and we have a big reluctance concerning the gathering of data for discrimination or suppression or persecutionFor almost 40 years people were under surveillance and it’s obvious that this makes people very nervous when it comes to privacy

East Germany relied on informers to monitor the lives of its citizens.  The Stasi employed some 170,000 of these directly, many, many thousands more indirectly.  This surveillance was deeply damaging; take Ulrich Mühe who played Stasi Hauptmann Gerd Wiesler in The Lives of Others.  He alleged that his wife had informed on him to the Stasi (allegations that she denied).  In the words of one historian: “The stories are always in the back of my head whether I’m lying in bed or out in social situations. I find it hard to trust people.”

The East German experience is a stark warning of the dangers of the surveillance state. However the relevance of that State to the modern experience is open to question.  The Stasi processed a billion pages of records, but did so by hand.  East Germany had few computers and limited phone tapping capabilities.  Participation in the DDR’s surveillance state was compulsory and unavoidable; today we upload vast quantities of personal data to social media companies.   But we do so voluntarily, relying upon privacy and data protection policies that we do not read.   The consequences of that sharing are quite different; over the years the DDR jailed 250,000 political prisoners, many of whom were subjected to beatings and psychological torture.  Social media companies are not the Stasi; they don’t really care what you do, so long as they can monetise your data to sell you service and stuff.

The threats to our privacy today are very different from those posed by the Stasi and the DDR and so the relevance of the German DR as a justification for EU data protection rules may be questioned.  The internet is a global network, afteral, whilst East Germany was a closed society.  And this allows us to observe the USA and the EU are undertaking a massive experiment in data protection.   To a great extent the same information technology companies are present in both the USA and the EU; the only difference is the regulatory regimes under which they operate.  Comparing how personal data is processed on similar platforms in the USA and EU allows us to understand whether the EU regulatory regime offers EU citizens any benefits.

A longstanding example of where US citizens are at a substantial disadvantage to their EU counterparts is that of credit histories and identity theft.  A good credit score is valuable; it can determine whether you get a loan, a job or a date.  As a result, identity theft has become an endemic problem in the USA.   A criminal will adopt the identity of someone with a good credit score, and use that score to obtain loans and other forms of credit before disappearing.  And so the credit score of the blameless victim will be destroyed.  Rebuilding that score typically takes 200 hours of work spread over six months.  This is because the USA lacks a data protection law which obliges controllers to process personal data that is “accurate and up to date” and provides subjects with a right of rectification if not.

On the other hand, it is not unreasonable to believe that the compliance obligations imposed by EU data protection law have made the EU a less attractive location to start-up.  This is a point made by some who have succeeded in the USA: “Well-designed regulation can unlock new opportunities and help small businesses and industries to scale,” …“Poorly designed regulation can do the oppositeEurope is positioned to lead, with highly developed knowledge economies and a world-class research community. It also has the ability to move as a large, single market. When Europe makes innovation a priority, it can capitalise

The EU’s failure to develop a world-class information technology industry is surprising.  Many forget that the World Wide Web was invented in Europe, at a research facility part funded by the EU.  The failure of Europe, not just the EU, to develop information technology companies as easily as the USA must have complex causes.  The compliance burden imposed by EU data protection laws may be one of those causes.  That said, the Israeli experience suggests otherwise.  Israel has one of the World’s most vibrant start-up sectors.  It also has the same data protection laws as the EU.  This strongly suggests that EU data protection laws do not, in fact, impose a burden that prevents the emergence of a more vibrant start-up sector. If the Israelis can do it, why can’t Europeans?

Some, such as the EU Commission, argue that in future strong data protection laws will help, rather than hinder the development of a vibrant IT sector with the EU: “With solid common standards for data protection, people can be sure they are in control of their personal information…. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage” 

A good example of how EU data protection laws can improve trust is offered by the recent US Presidential election.  For many years Cambridge Analytica, a UK firm, “…has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans”   What it has been doing is “…seeding the social network with personality quizzes”.  It combines the results from these tests with other data to build a profile of individual Americans: “Cambridge Analytica says it has as many as 3,000 to 5,000 data points on each [American], be it voting histories or full-spectrum demographics — age, income, debt, hobbies, criminal histories, purchase histories, religious leanings, health concerns, gun ownership, car ownership, homeownership — from consumer-data giants”  Such processing enabled the Trump campaign to hone its message: “…the Trump campaign sent ads reminding certain selected black voters of Hillary Clinton’s infamous “super predator” line. It targeted Miami’s Little Haiti neighborhood with messages about the Clinton Foundation’s troubles in Haiti after the 2010 earthquake”.

As the New York Times acknowledges the processing undertaken by  Cambridge Analytica would not be possible in the EU: “Because the United States lacks European-style restrictions on second- or thirdhand use of our data… our lives are open books even without social media or personality quizzes”  Subjects would have to be informed, at the very least, who the controller of their data would be, why it was being processed .  Since the data in question was sensitive (falling into the categories of political opinion, health) the explicit consent of subjects would have to be obtained.   Even if that were done it could be argued that such an invasive processing operation was contrary to the principle of data minimisation as it was unlimited and unnecessary.   And subjects would gain an explicit right to object to such profiling, once the GDPR applies form 25th May 2018.

And it is this profiling that allows a real comparison to be drawn between the surveillance systems to be found in modern democracies and the Stasi.  Much of the surveillance undertaken by the Stasi was directed at building a profile of the DDR’s citizens, to the advantage of those perceived as loyal and the disadvantage of those who were not. The Stasi: “… compiled reports on secondary school students, which were then used when it came time to assign jobs and spots at university”   This is why the Stasi: “…kept track of the country’s citizens from kindergarten, throughout their working lives and even into retirement… Files were even kept on schoolchildren: “Wears Western clothes,” “exhibits affinity for punk music,” “demonstrates pacifist attitudes.”

The consequences of such processing damaged both individual East Germans and the society of which they were apart.  Saying the wrong thing in the DDR could have a detrimental impact upon your career; in much the same way as liking the wrong thing could impact upon your ability to find a job in future.  EU data protection law allows Europeans to manage their own data and avoid such outcomes; this is why we need data protection today.

Data proteciton is not a complete answer: it has both advantages and disadvantages.  The justifications for data protection law are discussed in further in Chapter 23 of Privacy and Data protection Law in Ireland.