BERLIN — When European visitors go to an American newspaper website, they often play a little guessing game. “Which category will the site fall into?” they wonder …
- Will the site be so small that its publishers have never heard of the European Union’s General Data Protection Regulation and continue to collect users’ data?
- Will the site be large enough that the publisher knows about GDPR but can’t afford to comply and will put content behind a wall, blocking off stories from European readers’ eyes?
- Or will the publisher be so big and well-heeled as to afford a dedicated data protection officer, along with the other best practices that make a site adhere to the GDPR?
As time has ticked away since the 2018 enactment of the European privacy law, more and more American newspapers have moved into category three — nine out of the top 10 by circulation, in fact. That leaves just Newsday as a holdout in category two. Visitors from Europe who try to see stories from Long Island’s newspaper of record get this message:
This site is not available in your region
It appears that you are trying to access our website from a location in the European Union, which enforces the General Data Protection Regulation (GDPR). Unfortunately, because of this regulation we cannot provide access at this time. We appreciate your understanding.
That could be for a number of reasons. Newsday did not respond to a request for comment from Poynter, but a source from another publisher said that while his employer worked to be in compliance with the GDPR, the company did not believe that it had a legal duty to do so since it is based in the United States and does not have a European subsidiary which could be penalized. He was not authorized to speak on behalf of the company, so he is not being quoted by name.
There is reason for publishers to be skeptical of any governing group — including the EU — that attempts to exert global jurisdiction over the flow of information online.
Whether it’s China’s moves to silence Canadian pro-democracy activists through its recent national security law or the United States’ assertion of jurisdiction over the actions of Julian Assange — an Australian acting in Europe who revealed potential war crimes, and who the CIA considered assassinating before he could be brought before a British court for a failed extradition attempt — there is a dangerous precedent that can be set when a superpower says that its laws must be followed outside of its borders.
Among others, Lee Casey and David Rivkin Jr. have made this point in their Hoover Institution publication, The Dangerous Myth of Universal Jurisdiction.
Attempts at universal jurisdiction can be especially awkward when applied to speech, even with the best of intentions, as the powerful often use information-regulating laws to stifle dissent.
A recent example of this type of suppression can be found in Turkey where, following the legal recognition of a “right to be forgotten” — a right that the EU has also recognized — reporting critical of President Recep Tayyip Erdoğan has been heavily suppressed, as written about by Özgür Öğret of the Committee to Protect Journalists.
While Turkey does not have the economic or military heft to do what the US and China have attempted on the global stage, Turkey’s actions may provide a window into what the future could look like, should laws governing the flow of information be increasingly applied around the world.
Even as at least one publisher rejects universal jurisdiction exerted by the EU, there are other reasons — outside of guidelines that may or may not have legal consequences — that a newspaper company might choose to work on being in compliance with the GDPR.
“GDPR has definitely set the bar, and it has established a foundation for many privacy regulations that were passed at a later date, such as (the California Consumer Privacy Act),” said Lark-Marie Anton, senior vice president for corporate communications at Gannett, via email.
“Complying with GDPR means complying with the strictest standards for data privacy and enables a company to also comply with most global privacy regulations, with small regional variations, such as the CCPA.”
Companies that have a careless attitude towards privacy risk alienating their readers, she argues. Availability within Europe is one way — along with the possible use of privacy-protecting vendors like OneTrust, Osano or Cookiebot — to show that the company takes readers’ privacy seriously.
“If the company cannot be trusted to handle a person’s information in a good faith and respectful way to the best of its ability given technology and resource limitations,” she asks, “how can it expect to be respected and trusted by the person whose loyalty it wants to gain?”
According to Anton, steps Gannett has taken toward being more privacy-focused include:
- Creating a privacy team and an overall privacy program for the company
- Implementing an enterprise software solution that drives accountability and compliant processes across all of the company’s sites, including cookie consent banners, vendor risk management tools to assess vendors’ compliance, data mapping capabilities, etc.
- Establishing a data subject rights portal for EU readers and processes for responding to data privacy requests
- Appointing an external data protection officer and an EU (and now UK) representative to comply with specific GDPR requirements
- Updating privacy and cookie policies to meet GDPR requirements
Beyond just doing the basics to adhere to GDPR, Anton says, publishers should make privacy part of their core decision-making process.
“Media companies can integrate Privacy by Design into their operations, so that data privacy is not an afterthought, but is rather part of the company’s culture, and is considered right at the start as new projects and technology are being architected.”