A Transatlantic POLITICO Investigation

‘Digital privacy does not really exist’: A Q&A on data privacy around the world


Our latest investigation found that the world’s chief enforcer of data privacy regulation has a history of catering to the companies it’s supposed to regulate — endangering the privacy of billions of people worldwide, including hundreds of millions in the U.S.

Reporter Nick Vinocur answered reader questions on Reddit about his findings and what they mean for data privacy around the world. One takeaway: You should be concerned.

We’ve reproduced some of the top Q&As below, edited slightly for brevity and clarity.

Question
Are you surprised by what you found in your investigation?
Answer
A lot of what came out in the reporting did surprise me — and notably as it regards Ireland’s 2011 audit of Facebook. It was the most thorough examination of the company’s privacy practices to date and it brought up matters that only came into perspective later. For example, the Irish regulator flagged that Facebook needed to do a better job screening apps, which we now know was a central issue in the Cambridge Analytica scandal. But then the regulator gave Facebook basically a clean bill of health less than a year later. ... What happened? It’s a big question. Then there was everything the regulator didn’t do: an investigation of Google, sending regulators to Facebook or issuing any enforcement action on known privacy breaches.

Question
How did the GDPR allow Facebook to start sharing the data of WhatsApp users again?
Answer
I agree that’s a pretty baffling one. Basically, when the GDPR came into force, it replaced any legal precedent on data privacy throughout the EU. So whichever bans were in place on specific issues like that, they became moot. Facebook then argued that it was obtaining “consent” for facial recognition on the site, but the way the consent was gathered was problematic. It was not an easy yes or no option. This allowed them to bring the tool back, with the tacit approval of the Irish regulator.

Question
The GDPR seems to be better than what the U.S. has. Have you investigated the need for privacy protection in the U.S.?
Answer
I definitely agree that GDPR is a lot better than what the U.S. has, because currently there is no federal privacy regulation. There is a law in California, and one in Washington state that is likely to get killed this weekend(!). In the latter case, we saw how Big Tech companies, namely Microsoft, got heavily involved in the writing of the bill, and basically scrubbed out the threat of any serious sanctions. At the same time, there is a Federal Trade Commission investigation into Facebook and the Cambridge Analytica scandal that may yield a big fine, but these companies are so big they can shrug off even a large fine. What really matters is changing the companies’ behavior, and that can only come with laws. P.S.: One big difference in the EU is that corporate lobbying is often less effective than in the U.S. — especially when the legislation is not going to affect a European company. The GDPR largely affects American ones.

Question
Does “digital privacy” still exist? Is there a way to protect ourselves, or are we already past the point of no return?
Answer
I’d be inclined to answer: no, digital privacy does not really exist, unless you cut yourself off from the internet and major apps totally. Basically, when we go on the internet we leave a trail of data that is monetized whether we like it or not. The GDPR tries to fix that by forcing the companies to obtain your explicit consent before taking your data. But the hard truth is that’s not applied in that way.

Question
What is the biggest problem in data privacy law now? How might it be fixed?
Answer
There are a lot, but for me it’s probably the use of facial recognition for mass surveillance. Basically, there are no laws now that stop authorities from collecting your biometric data and putting that into a central database where it can be used to track or, if necessary, stop you from traveling. This is basically a reality in Uighur regions of China already, but it’s on its way here [EU and U.S.]. Europe, for example, is developing a traveler database for non-EU people that will include biometric information. The U.S. already has one. Facebook has giant stores of biometric information from your photos. Imagine combining that with state surveillance capacities to track people.

Question
It seems to me that digital privacy is continually being eroded across the world. Would you agree with this?
Answer
I would have to agree. Just look at what is happening in China with mass surveillance and a social credit system — it’s worrying. In Europe, we have strong rules, but they are very unevenly, if not even at all, applied. There are also huge exemptions for law enforcement, which allows authorities to access, gather and process a great deal of data, even when rules like the GDPR in theory should stop them. Take a look at what the EU is preparing in terms of a traveler registry for non-EU citizens.

Question
Is there anything an average citizen can do about this?
Answer
For sure. If you care about the way your personal data is used, you can advocate for a federal privacy law (I am assuming you are based in the United States). As the saying goes, sign a petition or just call your congressman or congresswoman. On a personal level, you can start paying attention to consent-gathering pages on websites. You should have the opportunity to refuse to have your data collected and still visit the site. If not, that site is not compliant with EU data protection rules.