How did the GDPR come to be? And what do a film maker and two NGOs think about it?

Sebastian Greger

Brief notes from a public screening of “Democracy”, an award-winning documentary about how the new European data protection law came to be, followed by a podium discussion with the director and representatives of privacy NGOs.

If you are a German-speaker, you can watch the film on the website of the Bundeszentrale für politische Bildung; the English subtitles appear to only be available on the iTunes or DVD version.I’ve praised and recommended this film before: “Democracy - Im Rausch der Daten”. Even watching it again, at an event that was part of the first Privacy Week Berlin (hosted by the Europe Direct Informationszentrum Berlin

bei der Landeszentrale für politische Bildung Berlin), it has not lost any of the fascination that comes with being able to peek into democracy in action up close.

The screening gathered a sizable audience, who followed the debate with great interest.

Afterwards, the film’s director, David Bernet, along with Elke Steven of NGO DigitaleGesellschaft, and Jonas Vollmer of NGO Selbstbestimmt.Digital e.V. engaged in an insightful discussion on stage. Here are the four themes I found most noteworthy from that debate:

Behind the film’s scenes

Bernet provided some insight into how the film was made. After having contacts within the Brussels EU circles from an earlier film on conference translators (note to self: find and watch), he wanted to research the question how lawmaking in Brussels works, how democratic it is.

2011, two years before the Snowden revelations, choosing data protection law as the object of a film may not have sounded appealing - and he got some concerned feedback on that choice - but Benett was always sure “at some point this will explode”. And that would make for a great story. So it happened.

Just as the GDPR appeared stuck in a dead-end it would likely never raise from, Snowden happened. And within record time, the EU parliament finalized and - this is a little known fact, but an important detail to consider for those who keep criticising the law - 95% of the parliamentarians, across party borders, approved the final text.

Lobbying and lawmaking processes

One of the points raised by the film is how the heavy lobbying around the GDPR changed the way laws are made. It has likely been the biggest lobbying effort ever seen in Brussels - though we’ll see is the ePrivacy regulation going to even exceed that.

In the discussion, the panelists highlighted how the understanding of lobbyism has changed, and unanimously stressed how it is, per se, today generally considered an important part of the democratic process. The problem, however, is that this important transfer of knowledge, from society to decision makers, comes closely entangled with often opaque interests.

And as civil society has neither the resources nor the capacities for similar 365/24/7 lobbying as the big corporations and associations can afford, there is a lack of civil society’s representation. This is not something parliamentarians would not be aware of: there is a noticable thirst for more input from organisations representing citizens’ interests. Only very few, like EDRi, have recently been able to gather resources for more persistent lobbying.

Bernet also highlighted a key obstacle he observed in EU lawmaking that was not so visible from the documentary. Since laws have to be approved not only by the parliament (the representatives of the people), but by the European Council as well (the representatives of all member states’ governments), the current model where the Council’s lead negotiators are replaced every 6 months along with the rotating EU presidency is a major obstacle. In his view, the parliament would need a reliable, long-term negotiation partner on the Council’s side to speed up processes.

Isn’t consent broken?

Another round of discussion hovered around the question of the effectiveness of “consent”. This, too, is brought up in the film (and is subject of long standing academic debates as well; more on that in a future blog post). Bernet told how the instrument of consent was always considered utterly important, in order to ensure citizens self-determination. Yet, even the parliamentarians pondered over its effectiveness. “Maybe”, Bernet quoted voices he heard, “we need something like a traffic light to express choice: red, yellow, green” - levels of protections for citizens to choose.

Steven highlighted how the GDPR has led to new designs of privacy controls, and how the difficult instrument of consent is complemented by a privacy-by-default requirement (and, quoting the film, I would add: the obligation to inform). Yet, her and Vollmer agreed, citizens have to take responsibility. The GDPR is a tool, but unless people are educated to make use of it - this is the field where both NGOs are active - it cannot unfold its full potential. That is why privacy literacy, and its promotion in schools and society at large, is so important.

What’s next?

The GDPR, Vollmer reminded, was intended to inspire a new “data culture”; a European data-awareness. He highlighted how, now that the legal framework is in force, he is curious to see how the law will unfold in practice: its interpretation, court decisions etc. Also Steven underlined the new attention for data that the GDPR has brought along. Data protection is not about protecting data, but about protecting freedom. Hence, questions of privacy are, at their core, questions of democracy - closely entangled with freedom.

He further mentioned other data legislation currently under way; not only the, currently stuck, ePrivacy regulation, but also new anti-terror legislation to be finalised before the 2019 EP elections, and of course the ongoing copyright reform with its upload filters and so on.

Bernet, too, expressed that he is now waiting for data protection authorities to make use of their new competences. “We can’t protect ourselves”, he said, “we are reliant on authorities to take control”. He further told that he is currently in the research phase for a new documentary on “solidarity” - I am sure, another film to look forward to.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing toge­ther social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.