It has been six years since Edward Snowden blew the lid off the National Security Agency (NSA) when he copied and leaked highly classified information, before fleeing the U.S.
So, what has changed? Where lawmakers failed to reform, the tech industry stepped up.
Europe’s data protection legislation is still missing the point and will remain a ‘paper tiger’ until internet giants are hit with big fines, according to NSA-contractor turned whistleblower and privacy campaigner Edward Snowden.
The General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018 and is designed to give EU citizens more control over their personal data. Most notably it introduces potentially huge fines for organisations that are deemed not to have protected the data of their customers. And while GDPR has been seen by many as a significant boost to data protection and has prompted calls for similar legislation elsewhere, Snowden seems underwhelmed.
Snowden told the Web Summit tech conference in Lisbon:
This is a good piece of legislation in terms of the effort they are trying to do. Is GDPR the correct solution? I think no and I think the mistake it makes is actually in the name; the General Data Protection Regulation misplaces the problem, …The problem isn’t data protection, the problem is data collection,
Snowden was speaking via a video link from Russia, where he is now living after leaking details of secret US government surveillance programmes to reporters back in 2013.
Regulating the protection of data presumes that the collection of data in the first place was proper, was appropriate, that it doesn’t represent a threat or a danger, that it’s ok to spy on everyone all the time whether they are your customers or your citizens — so long as it never leaks, so long as only you are in control of what it is that you’ve stolen from everybody,
Snowden said that while GDPR is a “good first effort” that the bar was set pretty low before: “What I’m saying is that it’s not the solution, it’s not the good internet that we want.”
One of the most significant features of GDPR is that organisations can face a maximum fine of 20 million euros or four percent of worldwide turnover — whichever is greater. While some large GDPR fines have already landed, Snowden said: “Until we see those fines being applied every single year to the internet giants, until they reform their behaviour and begin complying not just with the letter but with the spirit of the law, it is a paper tiger that actually gives us a false sense of reassurance,” he said.
For Snowden the bigger issue is that collection of personal data through websites, apps and more has become a dominant business model for the internet.
“We have legalised the abuse of the person, through the personal. We have entrenched a system that makes the population vulnerable for the benefit of the privileged,” he said.
“Data isn’t harmless. Data isn’t abstract when it’s about people. It’s not data that’s being exploited, it’s people that are being exploited. It is not data and networks that are being influenced and manipulated, it is you.”
Further reading: Encryption: The Data Privacy ‘Theatre of War’