The law that lets Europeans take back their data from big tech companies
Editor's Note: On Monday, January 21, Europe issued its first major fine against a U.S. tech company for violating the General Data Protection Regulation. The French data protection commission fined Google 50 million euros ($57 million) for failing to inform users how it collects data for personalized ads. France's action was a result of complaints filed at the end of May by privacy advocates, including Max Schrems and his group, "None of Your Business." Steve Kroft sat down with Schrems in November for the below story about Europe's sweeping new privacy law.
This has not been a great year for big tech, on Wall Street or in Washington. For decades, companies like Google, Facebook, and Amazon have made vast sums monetizing the personal information of their users with almost no oversight or regulation. They are still making vast sums of money, but public attitudes about their size and power and their ability, or willingness, to police themselves are being called into question. A consensus is developing that something has to change, and once again the impetus is coming from Europe, which is becoming the world's leader in internet privacy and data protection. With a 31-year-old lawyer as the catalyst, the European Parliament has enacted a tough new law that has Silicon Valley scrambling to comply, and pressuring lawmakers here to do something about protecting your data.
Seven times this year big tech has been called on the carpet to answer for data breaches, fake news, political meddling on the internet, and the endless amounts of personal information being gathered on Americans.
Sen. John Kennedy: I don't want to vote to have to regulate Facebook, but by God I will.
Sen. Mark Warner: The era of the Wild West in social media is coming to an end.
Sen. John Thune: The question is no longer whether we need a federal law to protect consumers' privacy, the question is what shape will that law take?
In Europe, they already have a law in place. After levying multi-billion dollar fines against Google for anti-competitive behavior, the European Union enacted the world's most ambitious internet privacy law, even winning support from the CEO of the biggest tech company in America, Apple's Tim Cook.
Tim Cook: This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them.
Speaking in Brussels, Cook did not say which companies he was talking about but Apple wasn't one of them. Its business model is making and selling phones and computers, not marketing personal information for advertising like Google and Facebook.
Tim Cook: Our own information from the everyday to the deeply personal, is being weaponized against us with military efficiency. It is time for the rest of the world, including my home country, to follow your lead.
Most people would agree that the point man in Europe has been a spiky-haired 31-year-old Viennese lawyer named Max Schrems who has been inflicting misery in Silicon Valley for the past seven years. He not only brought international attention to the issue of data privacy, he brought big tech lawyers into court. In the information age, he says data is the most important commodity. The question is who does it belong to.
Steve Kroft: Who owns your data?
Max Schrems: The legislation here says it's you that your data belongs to.
Steve Kroft: You should have control over it.
Max Schrems: You should have control over that. However, in an environment where there is no such law, basically, whoever factually has the power over it, which is usually the big tech company, owns it, in that sense.
Max Schrems was a major force in drafting the General Data Protection Regulation or GDPR. It became law in May, after a long battle with big tech, and every company that does business in Europe, including the most powerful ones in America, must comply. It was designed specifically to ensure that consumers, not tech companies, have control over the collection and use of their own personal information.
Steve Kroft: What kind of new rights does this law give European citizens that people in the United States might not have?
Max Schrems: The default under the European system is you're not allowed to use someone else's data unless you have a justification. And the result of that is that you have rights, like a right that-- you walk up to a company and say, "Delete everything you have about me." You have a right to access. So you can say, "I want to have a copy of everything you have about me." And all of these little elements in the law, overall, are meant to give you that power over your data that in an information society we should probably have.
And right now in the United States you have none of those legal rights.
Jeffrey Chester: Americans have no control today about the information that's collected about them every second of their lives.
Jeff Chester is the executive director of the Center for Digital Democracy. He has been a major voice on digital privacy for two decades, and says the only Americans guaranteed privacy on the internet are children under 13. He says there are some limitations on some specific medical and financial information, but the internet has rendered them obsolete.
Jeffrey Chester: There are no rules, there's not a government agency really protecting them. Any-- the companies can do whatever they want in terms of gathering our information and using it in any way they see fit.
Steve Kroft: How did the big tech companies come to collect all this information?
Jeffrey Chester: No one ever told them they couldn't collect it all. There've been no limits at all ever established.
Steve Kroft: And that's what's going on with GDPR, somebody saying, "You can't?"
Jeffrey Chester: That's exactly right. GDPR says you can't collect it without permission.
The big tech companies have always argued that consumers have given them permission to take their personal data in exchange for using the product. It's buried in the fine print on those long impenetrable online privacy agreements that you have to click on. Max Schrems says it's not free choice but constitutes coercion under the new European law.
On the day it was enacted Schrems' nonprofit group "None of Your Business" took action against Facebook and Google for allegedly violating European privacy laws.
Max Schrems: It's this take it or leave it approach. You know it whenever you open an app it says, "agree, or don't use the app" and your choice is basically not existent because either you go offline – or you have to agree.
Schrems cited the example of Google's Android operating system, the software which runs up to 80% of the world's smartphones. But to use one, you must first activate it and give Google consent to collect your personal data on all of its products.
Max Schrems: You paid $1,000 right now and you're not allowed to use your $1,000 phone unless you agree that all the data goes to someone else. And that is basically forced consent.
Steve Kroft: The tech companies say, "Look, you, the user, you gave us permission to take this information to use it the way we wanted to. You agreed to it."
Max Schrems: And that--
Steve Kroft: "You signed on. You made the deal."
Max Schrems: The individual doesn't have the power, the time, the legal expertise to understand any of that. And then you're sitting at home at your desk and have the option to only say yes. This is not what any reasonable person would consider a fair deal.
Schrems has been waging this battle since 2011 when he spent a semester in California at Santa Clara University School of Law. A lawyer from Facebook told his class that big tech didn't pay any attention to European privacy laws because they were rarely enforced and that the fines were very small.
Max Schrems: It was obviously the case that ignoring European privacy laws was the much cheaper option. The maximum penalty, for example, in Austria was 20,000 euros. So just a lawyer telling you how to comply with the law was more expensive than breaking it.
At the time most people had no idea how much personal information was being collected on them, so when the 23-year-old Schrems returned to Austria he decided to ask Facebook if he could see what they had collected on him. By mistake or miracle, someone at Facebook sent him this stack of information, lifting the veil on the extent of the company's interest in him.
Max Schrems: And after a while I got a PDF file with 1,200 pages after using Facebook for three years and I'm not a heavy user or anything like that.
Facebook had created a dossier of Max's life. That included his location history, events he attended, all of his contact information and his private Facebook messages, even the ones he thought he had deleted.
Steve Kroft: So these were personal conversations you had that you thought were between yourself and the other person?
Max Schrems: Yeah.
Steve Kroft: And they're all here?
Max Schrems: They're all here, and they're basically undeletable.
It created a huge stir at the time, but it's nothing compared to what's being gathered now. Today, Facebook collects information on people who don't even have an account. Google's Android software knows whether the user is walking, running, or riding in a car. And Amazon has patented algorithms that could be used on its Echo smart speaker to listen in on continuous conversations, and even read the mood of people in the room.
Max Schrems: The reality is that this industry is so fast-moving right now, even if you have perfect enforcement mechanisms, usually they will get away with it. Unless there is a serious penalty.
Today, if one of the big tech companies chooses to ignore Europe's new data protection law it could cost them 4 percent of their global revenues, which for the biggest companies would mean billions of dollars.
Those decisions will likely be made here in Dublin, the busiest of Europe's 28 data protection centers, and the place where most American tech companies have their European headquarters. They flocked here years ago because of Ireland's low corporate taxes and its reputation for relaxed regulation.
Ireland's data protection commissioner Helen Dixon says it's not going to be business as usual.
Helen Dixon: U.S. internet companies have no doubt that this law is serious, it has serious bite. And all of them are eager to avoid any engagement with that.
Steve Kroft: How would you describe your relationship with these companies right now? Is the relationship cooperative or contentious?
Helen Dixon: It's all of those things in any one week.
Dixon says tech companies are spending tens of millions of dollars hiring lawyers, compliance officers and engineers to make sure they are operating within the law. The data protection authorities have only a few thousand employees in Europe to police some of the most powerful companies in the world, but they have subpoena power, can conduct raids, and even shut down operations.
Steve Kroft: You think the big tech companies, the people in Silicon Valley are taking this seriously?
Eoin O'Dell: I think they have to.
Eoin O'Dell is a law professor at Trinity College in Dublin and a leading expert on European privacy law. He says Europe has now established an international standard for internet privacy, and companies like Facebook, Google and Amazon are not about to retreat from a $17 trillion market.
Eoin O'Dell: We have safety standards in cars, but that hasn't stopped us driving cars. We have emissions standards for – for the gas in the cars but that hasn't stopped us using the gas in the cars. The data companies are – going to comply in the same way as the – car companies have complied.
Steve Kroft: To stay in business.
Eoin O'Dell: To stay in business.
Since the European privacy law was passed, at least ten other countries have adopted similar rules. So has the state of California.
Perhaps sensing the inevitable, Facebook, Twitter, Google and Amazon are now saying they could support a U.S. privacy law if they were given considerable input. The Internet Association, which lobbies for big tech, and its president Michael Beckerman say they would support giving Americans reasonable access to their information and some privacy rights now enjoyed by the Europeans.
Steve Kroft: From your point of view, who owns the data that's collected?
Michael Beckerman: I think individuals should have complete control over their information. You should have access to it, both how you're giving it in the online world and offline world, and full transparency on who has the information and what you're getting for it.
Steve Kroft: But who owns it?
Michael Beckerman: People should have control over it. I don't view it as an ownership, you know, the way you're-- the way you're asking. But I think the individual--
Steve Kroft: The Europeans do, the Europeans say it's a right. You own your information. You have a right--
Michael Beckerman: We have--
Steve Kroft: --to go to the companies and say, "I want this information."
Michael Beckerman: Under the law that we're pushing, and the rules that we're pushing, and what our companies already do, people can download the information-- their personal information that they've shared with the sites, and delete it if they want, and cancel their accounts.
Privacy advocate Jeff Chester says the industry wants people to believe that it's cooperating and open to change, but that it won't do anything until it's forced to by law.
Jeffrey Chester: This is simply a bait and switch in terms of protecting privacy in America today. The companies have no intention of supporting a privacy law that actually would stop them from collecting our information and give Americans the same rights the Europeans now have.
Produced by Maria Gavrilovic. Associate producer, Alex Ortiz.