The G.D.P.R., Europe’s New Privacy Law, and the Future of the Global Data Economy

Under the E.U.’s new General Data Protection Regulation, it will now be difficult for any large data operation not to know what data it has, where it is held, and what it’s doing with it. Photograph by Joe Klamar / AFP / Getty

They’re curious messengers, these ants in your in-box. “We’ve updated our privacy policy!” they cheerily proclaim, offering links that promise clearer information and better control over how your personal data will be used. Orderly and well-mannered, they hail from the far reaches of the Internet—some from companies you know, most from ones you don’t. A few mention the cause of the sudden influx: the General Data Protection Regulation, a European Union law that goes into effect on May 25th.

The G.D.P.R. is the most contested law in the E.U.’s history, the product of years of intense negotiation and thousands of proposed amendments, despite its building blocks having been present in European law for decades. It vaunts two fundamental changes to the legislation that preceded it, the 1995 Data Protection Directive. The first, ostensibly, is universality: a common set of rules and practices that apply across the Continent and, it is hoped, the world. The second is enforcement: the capacity for regulators to fine any company in breach of the G.D.P.R. as much as four per cent of its total worldwide sales. Both are headlines only, of course. The law leaves a good deal of wiggle room for implementation and interpretation; although the fines far exceed anything that data-protection authorities have wielded before, they are likely to be levelled sparingly.

The G.D.P.R. was initiated, in 2012, by the European parliamentarian Viviane Reding, then the vice-president of the European Commission. Speaking to me from Brussels, she explained that she had been concerned about “the big companies, like the American GAFA”—the French coinage for Google, Amazon, Facebook, and Apple. “They just ignored the old law,” Reding said. “The Facebook Cambridge Analytica scandal, if it had happened on May 26th, this year, would have cost billions of euros to Facebook, among others. You cannot hand over the personal data of citizens without having asked if the citizens agree that you hand it over. And you cannot steal it and just tell them after. That is not possible anymore, according to the new law. If you do, then the penalties will be very, very severe.”

This sparring rhetoric has galvanized a whole industry of data-protection lawyers, advisers, and consultants. While they are not necessarily responsible for the ants in your in-box—except, perhaps, for the few clumsy follow-up chirps of “We updated our privacy policy again!”—they are certainly busy insulating their clients against the risk of enforcement. “In twenty years of doing data protection, I’ve never seen this level of anxiety,” Eduardo Ustaran, who handles privacy and cybersecurity issues at the law firm Hogan Lovells, told me. His counterpart at D.L.A. Piper, Jim Halpert, said much the same. “For large multinationals, the staffing can be three hundred to five hundred people working on G.D.P.R. compliance,” he told me. “The effort and expense is huge—big companies are easily spending over fifty million dollars in preparation.” Like all the other practitioners I spoke with, Halpert considers companies such as Google and Facebook easily capable of absorbing the law’s requirements. “It favors companies that are organized and capable of great expenditure,” he said.

For Reding, however, and for her fellow-parliamentarian and G.D.P.R. facilitator Jan Philipp Albrecht, the law fundamentally challenges businesses that trade in personal data. “For the last ten years, there was no chance to be on an eye level with the big Internet companies from Silicon Valley,” Albrecht told me. “With G.D.P.R., this will change.” He added, rather optimistically, “The power of consumers has not really started.”

One person who will be at the center of realizing the G.D.P.R.’s ambitions is Helen Dixon, the data-protection commissioner of Ireland, where many multinationals have their European headquarters. In preparation for the law, her office has been hiring at a quick clip, amassing a staff of a hundred people, with forty more on the way. “We’ve brought in lots of lawyers, communications staff, investigators—some from criminal-law backgrounds, some from regulatory backgrounds—and we’ve brought in business analysts, systems analysts,” she said. The vision that Dixon painted of the Irish D.P.C. today is a far cry from the thirty-person team she inherited, in 2014. The main question now, she told me, “is how many simultaneous investigations can we take on.”

Albrecht and Dixon’s enthusiasm contrasts markedly with the pervasive low-level cynicism that many data-protection experts seem to bring to their craft. Even Halpert and Ustaran, who are more positive than most, struggled to say how G.D.P.R. compliance will improve the lives of average citizens. The law promises gains in over-all information hygiene: it will now be difficult for any large data operation not to know what data it has, where it is held, and what it’s doing with it. But, at the individual level, the gains are less obvious. By and large, companies have simply written longer privacy policies—an excess of caution that precisely inverts the lawmakers’ intent. As the law rolls out, independent experts and activists are hoping for more meaningful interventions. Mireille Hildebrandt, a professor at Free University Brussels, said that the G.D.P.R. could be especially useful for rooting out algorithmic bias and other instances of machines getting things wrong. “Automated decisions that have a significant effect can be challenged and will have to be meaningfully explained,” she told me.

Data protection is sold to Europeans as a tool for balance, equality, and autonomy in the digital world. But it is also a highly individualized regime; the actions of any one person are unlikely to effect change, and so it is comparatively easy for us, as a collective, to yield certain concessions out of convenience, ignorance, or resignation. One feature of the G.D.P.R., Article 80, seeks to address this by inscribing—for the first time in European law—the possibility of class-action lawsuits. There is no automatic right to sue for damages, but the G.D.P.R. permits injunctions to stop data processing. The provision is carefully safeguarded, because, as Reding notes, “what we do not want in Europe is an American-type class action, which merely creates business for lawyers.” Article 80 instead allows civil-liberties or consumer-protection representatives to advocate on behalf of the community or public interest.

These N.G.O.s and other institutions, Albrecht explained, will look out not only for “the one individual who has the time to care about his own data but for all those who do not have the time, who do not think about the risk, who are not a hundred per cent into these technologies, laws, and provisions.” But, even with these various actors, there is a circumspect note to the law’s aspirations. “No data-protection law protects us from ourselves,” Albrecht said.