from the be-careful-what-you-wish-for dept
At a time when Russia and Russian oligarchs should be facing more scrutiny and careful work by investigative reporters, it is actually becoming that much more difficult to do so. And the main reason is that EU and UK “data protection” laws, passed in a flurry with promises of protecting your privacy from the greedy Silicon Valley Zuckerbergian overlords, is actually serving as a potent weapon in the hands of Russian oligarchs seeking to avoid scrutiny.
For many years now, we’ve been warning people to be careful what they wish for regarding so-called “privacy” laws. In fact, some of us specifically warned the EU not to kill free speech in the name of privacy with its GDPR. And the US is still exploring various privacy laws, with California leading the way with a rushed and messy CCPA law that is similar to the GDPR that was passed a few years ago, under the threat by a millionaire that if they didn’t pass that terrible law, he’d use the California referendum process to pass something even worse. Now, years after the CCPA became law, the state is finally trying to figure out what it actually means.
And California and others should look very closely at what is happening in the UK and how Russian oligarchs are massively abusing the UK’s data privacy law to silence journalists. (Just as a point of clarification in case people ask: post Brexit, the UK is no longer under the GDPR, but rather the UK Data Protection Act, which was passed to get the country into compliance with the GDPR — so it is effectively the same, just under the jurisdiction of the UK only, and not the wider EU. Also, some of the cases talked about below were brought prior to Brexit taking effect, meaning that they were using the GDPR.)
I first heard about one example of this a few weeks back, when Scott Stedman of Forensic News talked about how he was being sued in the UK for his reporting on a British-Israeli “security consultant” who has allegedly done work with a Russian oligarch, and was called to testify before the Senate Intelligence Committee. Despite being a US corporation, the lawsuit was filed in the UK, and had both libel and data privacy claims. The UK is well known for its ridiculous libel laws, that have opened it up to what’s known as libel tourism. While the country did tighten up those laws a bit nearly a decade ago, the UK is still a problem spot for libel cases that attack free speech.
But this case had an even more pernicious part: the GDPR claim. And while a lower court initially tossed that part, in December, an appeals court brought it back. The crux of the claim is that because the plaintiff in the case claims that Forensic News reported false information about him (which is the libel claim), it also means that the company is a “data processor” under the GDPR, and that requires some level of accuracy in the data it collects and processes. And so the judge effectively argues that basic acts of journalism — collecting data on a subject of interest and reporting on them — makes you subject to the GDPR.
Someone who uses the internet to collect information about the behaviour in the EU of an individual who is in the EU, and then assembles, analyses and orders that information for the purposes of writing and publishing an article about that behaviour in (among other places) the EU is thereby engaging in “… the monitoring of [the data subject’s] behaviour … within the Union” within Article 3(2)(b). The publication of personal data clearly is a form of “processing”. The preparatory activities are plainly integral to that processing. It follows that the GDPR applies in such a case on the footing that publication amounts to a “processing of personal data of [the data subject]” which is “related to” the monitoring.
For what are hopefully obvious reasons, this has every appearance of a SLAPP suit designed to intimidate reporters. While Stedman and Forensic News are making efforts to fight back in US courts, it seems like the SPEECH Act should hopefully protect them. That’s the important US law that says that foreign judgments that would not be legal in the US under the 1st Amendment cannot be enforced here. Though if California can somehow get approval for its local version of the GDPR… well… who knows what will happen.
But, at least in that case, it’s an American journalist who hopefully can use the powers of the 1st Amendment to protect himself. That’s not necessarily the case for reporters in the UK. Earlier this year it seemed that UK politicians finally woke up to the fact that Russian oligarchs were widely abusing data protection laws to stifle reporting on their activities and connections.
And more recently, Oliver Bullough wrote a thorough piece for the Economist looking at how Russian oligarchs are abusing data privacy laws to stifle reporting, noting that he is now “terrified” of the law that, in theory, is supposed to be protecting his privacy.
If you’re someone who digs into the sources of oligarchs’ money – as I am – a data-protection claim can hit you even if you don’t publish a word. It doesn’t matter where you are in the world. It doesn’t matter if the person you’re investigating has a reputation too sullied to tarnish. It doesn’t matter if your research is scrupulously careful and in good faith. You’re still vulnerable.
The idea of being sued for libel by a rich Russian scares me, but at least the battle lines would be clear – and if I had truth and the public interest on my side I’d be in with a fighting chance. By contrast, the prospect of being tied up for years in the Kafkaesque intricacies of a data-protection case seriously makes me consider quitting journalism.
But it appears to be happening to lots of people, in part because the drafters of privacy laws never ever seem to consider how those laws might be used to stifle speech.
When the rules were first published, we assumed that “data” would mean the algorithmic index of our habits, interests and families stored by the likes of Facebook. The actual law, however, described data far more broadly, as “any information relating to an identified or identifiable living individual”. That definition can – and, indeed, does – apply to almost anything. The rules governing what should happen to this information were also wide-ranging. That was because gdpr wasn’t just a response to concerns about Facebook, it also codified long-standing principles that data other people hold about you should be transparent, secure, lawfully collected and – crucially for oligarchs – accurate.
The abuse of the GDPR and equivalents can take many forms, but merely starting with a “data subject access request,” can be a hassle. And from there it only gets worse.
Merely complying with the law is exorbitant. If an angry oligarch sends you a Data Subject Access Request it can take weeks, even months, to go through every email or text message you have that might contain information relating to that person (big tech companies – the ones the law was intended to inconvenience – have automated this process).
Defending yourself in court is potentially bankrupting. Thanks to the adversarial nature of Britain’s legal system, proceedings cost far more in Britain than in most European countries. One Dutch media lawyer told me that if she loses a case, her client might have to pay €1,500 ($1,600) to meet the other side’s costs; a British lawyer said this figure could easily hit £100,000 ($125,000) before hearings even begin.
The impact can be catastrophic for free speech and reporting, especially at a time where I think most of us recognize that investigative reporting on the activities and sources of wealth of Russian billionaires is kind of important:
An early victim of this new use of data-protection laws was Catherine Belton, a British journalist who published a book on Russia’s kleptocratic class, “Putin’s People”, in 2020. The book alleged that two Russian businessmen, Pyotr Aven and Mikhail Fridman, had links to the kgb during the 1980s. They said this was inaccurate and thus breached their rights under gdpr. They brought their claim against Belton and her publisher, HarperCollins, at around the same time that Roman Abramovich and Rosneft, an oil company, also accused Belton of defaming them. Collectively the suits could have cost Belton and HarperCollins about £10m in legal fees. Instead, they settled the cases and agreed to make some changes to the book.
There are many more examples in the article and it’s pretty damn terrifying for anyone who believes in reporting and the value of free speech. In a recent interview on NPR, Bullough admits that even as the focus of his reporting is on the activity of Russian oligarchs, there are some that he just doesn’t even bother with because he doesn’t think he can handle the legal intimidation that would come with it.
You know, when Roman Abramovich, the oligarch who owns – still owns, I think, time of I’m talking, Chelsea Football Club, one of the wealthiest and most high-profile Russian oligarchs – when he was sanctioned by the British government, a number of editors got in touch with me and asked me to write about him. And I had to admit that I’d never done any research into him at all just because it had never occurred to me I’d ever be able to get anything published. Yeah. I’m a freelance journalist. I’m not going to just do, you know, research into someone for an article which I can never, you know, make any money out of, obviously. And that is a problem that affects sort of every calculation we make. If you can’t get an article published, then you’re never going to start the process of researching it, which means that there have been people with reputations for being extremely litigious who have been able to avoid any kind of scrutiny from journalists.
That, right there, is the very definition of “chilling effects” that are common to SLAPP suits, but in this case many of those chilling effects are not coming from old defamation laws, but rather the new fangled “privacy” and “data protection” laws that many people, including open internet and free speech supporters cheered on.
If we’re going to keep passing new privacy laws — and there are good reasons to do so — can we at least, maybe, possibly, take the time to carefully look at how these laws interact with speech and reporting? Because, otherwise, all we’re doing is handing yet another massive weapon to the rich and the powerful to punish anyone trying to provide some transparency and hold them to account.