Online-Privacy Laws Come With a Downside

The European Union tried to protect internet users. It also gave public officials a blunt instrument to wield against journalists.

Liviu Dragnea leaves the headquarters of the National Anticorruption Department after he attended a hearing in Bucharest on April 27, 2018
Investigative journalists uncovered an alleged scam involving Liviu Dragnea, then the president of Romania’s ruling Social Democratic Party. Dragnea was ordered to prison last Monday in connection with a separate case. (Daniel MIHAILESCU / AFP / Getty)

Updated at 12:09 p.m. ET on June 5, 2019.

It was the kind of call a journalist dreams about. Last fall, a tipster contacted the Bucharest-based Rise Project to offer the investigative-journalism outfit a suitcase full of evidence that, the anonymous source assured, implicated a high-powered Romanian politician in a massive fraud. The reporters pounced.

In November, they published their initial findings on Rise’s Facebook page. The detailed report on an alleged scam involving Liviu Dragnea, then the president of Romania’s ruling Social Democratic Party, included photos, videos, screenshots of email exchanges, and other documents that Rise obtained through the clandestine suitcase exchange. Their report added to a swirl of allegations against Dragnea—whom Romania’s highest court ordered to prison last week in connection with a separate case—and further endangered his party’s grip on the country.

“The story went viral immediately,” recalled Raluca Radu, head of the journalism department at the University of Bucharest. Romania’s national media, which get middling to poor grades for independence, initially stayed away from the explosive revelations. The Rise report forced their hand. In countries where press freedoms are under strain, some of the most aggressive investigative journalism has been coming from small, digitally savvy start-ups such as Rise.

Which makes what happened next all the more alarming. Within days of publication, Romania’s Data Protection Authority, a regulator that previously played a small role in matters involving press complaints, stepped into the fray, ruling that the journalists had broken the country’s strict data-protection law in publishing their big scoop. The Romanian data-protection law is no authoritarian dictum designed to silence pesky journalists who fail to toe the party line. It’s based on the European Union’s General Data Protection Regulation, or GDPR, which had become the law of the land in Europe six months prior.

GDPR was the first major effort by lawmakers with any global clout to limit Silicon Valley’s ability to mine and monetize the personal data of unwitting internet users. Ironically, compliance with the complex law has arguably proved easier for cash-rich tech firms than for other companies—including bootstrapping media outlets with limited engineering know-how. Moreover, the deployment of GDPR against Rise reveals another significant downside: Broadly defined privacy laws can be creatively enforced, particularly in weak democracies, to conceal wrongdoing and take revenge on journalists who expose it in the public interest.

“We never expected this kind of attack, this kind of threat,” said Paul Radu (no relation to the journalism professor), a co-founder of the nonprofit Rise and a board member of the Global Investigative Journalism Network. “It created a huge stir. This was the first time that GDPR was used against journalists in Europe.”

In its enforcement letter, the Romanian authorities said that Rise journalists had violated GDPR in publishing the videos, photos, and documents—in essence, the private data of Romanian citizens—to support the reporters’ allegations against Dragnea. The letter directed them to turn over the identity of the tipster. It also ordered them to explain how they had obtained the information, how they stored it—this was the data-protection authority, after all—and whether they had in their possession further private details on Dragnea and his associates. The big blow was the penalty: a fine of up to 20 million euros ($22 million), the maximum that can be applied against a small publisher in a GDPR case, if the reporters failed to fully comply.

The Rise team had been subject to official intimidation before. The previous year, authorities opened an investigation into the group’s finances shortly after it had published a story alleging wrongdoing by public officials.

The GDPR order was a blatant attempt to “muzzle” the media, Paul Radu’s team shot back, and doing so under the new EU data-protection law was nothing more than a “serious misuse of the GDPR by self-interested politicians seeking to protect themselves.” The Rise team, Radu said, has about 10 people and an annual budget of perhaps 150,000 euros. It had few options but to call the government’s bluff and hope for the best.

When it went into effect last May, GDPR was hailed as the most significant data-protection law ever enacted. Casual internet users in the United States know GDPR as the law that, around this time last year, introduced a new layer of red tape to web surfing. If it seems that an annoyingly persistent pop-up window or disclaimer bar detailing how a site uses tracking cookies is following you around the web, it’s not your imagination. It’s probably GDPR. It’s more obnoxiously pervasive in Europe, where the law has serious teeth. European lawmakers pushed for the heightened digital protections because they believed that, in this age of hack attacks and unscrupulous data collection, the average user was due some added data and privacy protections that the marketplace had failed to deliver.

The law grants EU citizens the right to be informed about how their personal data are being used, the right to have any misuses rectified, the right to data erasure, the right to be forgotten (an EU favorite), and the right to data portability. Provisions restrict the ability of employers, law-enforcement agencies, and other entities to make life-changing decisions by computer algorithm. There are even limits on the collection of biometric data, an issue roiling several U.S. cities. Under GDPR, for example, no state or private entity can collect facial-recognition data without consent. And even then they cannot use it in bulk for the purpose of criminal profiling. GDPR, or at least portions of it, continues to influence the writing and rewriting of data-privacy laws from California to Japan that will ultimately transform our daily digital interactions. And if you want to do business in the EU, and access its 500 million consumers, you have no choice but to comply. The potential fines for violations are staggering.

In some cases, the law has clearly given average people more leverage against the tech giants. Uber drivers in Great Britain cited the data-protection law when threatening legal action against the ride-hailing company this spring; they wanted Uber to disclose the data it had on them, as a way to double-check that they weren’t being shortchanged.* And German authorities wielded GDPR to force Facebook to dial back its data-collection practice on Germans.

Nevertheless, the year-old law has played out somewhat differently in practice than its architects intended. Even though nearly 100,000 GDPR complaints have been filed so far, critics say enforcement is weak and sporadic in most countries. The Romanian government’s moves against Rise come despite GDPR provisions meant to protect free speech and the public’s right to know.

The Rise journalists remain in limbo. European parliamentarians in Brussels have criticized the case against the Rise Project and disputed the Romanian interpretation of GDPR enforcement. But, Rise’s Radu and various civil-society groups complain, no EU authority has formally intervened on the journalists’ behalf. The impasse has heightened fears that governments hostile to the press will weaponize GDPR and similar measures around the world.

“At first, the GDPR was seen as a gift to investigative journalists” in Romania, said Raluca Radu, the Romanian journalism professor, but now there are doubts. “If the authorities, the politicians, think they can use GDPR when other legislation cannot help them personally,” this will have a chilling effect on the media. “I mean, 20 million euros. That’s a lot!”

Yet even when vengeful officials aren’t targeting media companies under the guise of privacy, laws like GDPR still impose a burden. European small businesses with any kind of web presence grumble about the expense of adding further measures to protect the data of customers, employees, and even any visitors that happen to venture onto their websites. (A small, Rome-based NGO with no customers whatsoever had to shell out 15,000 euros to become GDPR-compliant last year. “But it’s done with,” the director told me. “We’re up to date now.”)

But ad networks and the publishers who collect revenue from them are among those most put off by the EU law. As GDPR went into effect a year ago—on May 25, 2018—hundreds of American news outlets, including the Chicago Tribune and others owned by Tribune Publishing, decided that rather than go GDPR-compliant, they would simply block anyone coming to their sites from Europe. It stands as one of the largest-ever news blackouts in the Western world, and it’s still going on a year later. For Cubs and Bears fans marooned in Europe, the data-privacy rule has made it far more difficult to get decent back-home coverage of their beloved teams. When news outlets as large and as storied as the Tribune and its corporate siblings, such as The Baltimore Sun and the New York Daily News, feel obliged to bar European visitors from their websites, it’s evidence of how ambitious data-privacy rules could reshape the news industry if they spread.

To the extent that Americans come across as more laissez-faire on electronic privacy, that may have as much to do with give-away-the-keys convenience as it does with any particular zeal for the First Amendment. But in the wake of the Cambridge Analytica–Facebook data-breach scandal and other revelations about the tech industry’s collection of users’ personal information, a patchwork of data-protection laws is cropping up. The most significant is the California Consumer Privacy Act, which was born out of a ballot initiative last year. Scheduled to go into effect next year, the act borrows elements from GDPR, such as the right to have your personal data deleted and the right to know how it’s being used. It’s viewed as a fundamental transformation—a more European one, even—in America’s policy on privacy protection.

“From a practical standpoint, the California law will become the law of the land,” predicts Joseph Jerome, a privacy-policy counsel for the Center for Democracy & Technology, a digital-rights advocacy group. For a company with an online presence, “it doesn’t make a whole lot of sense to provide [protections] just to California residents. And I think you’d have some really horrible PR messaging for those companies that don’t want to offer those rights outside of California.” (To wit, a Tribune Publishing spokeswoman said the company intends to fully comply with the California measure from day one; the company is no closer to easing its GDPR blackout, however.)

No matter how much news executives might fret about the burdens of GDPR, laws like it are steadily becoming the new global standard—not because lawmakers are pushing it, but, as Jerome notes, because consumers are. “Take back control of your personal information,” supporters of the ballot initiative urged California voters in the successful campaign.

Radu at Rise applauds such a people-first sentiment, as long as it doesn’t interfere with his job. “We work with a lot of programmers. Privacy, to us, is something that has to be upheld. It’s too important. But exposing wrongdoing is equally important,” he says. “There needs to be a balance there.” How best to strike that balance between privacy protection and free speech remains the enduring question.

* An earlier version of this article incorrectly described the status of British drivers’ dispute with Uber. They sent a pre-action legal letter, but a formal lawsuit has not been filed.