As tech companies across the globe scramble to adapt to the EUs new digital privacy law, they have one person they should thank. The regulation is the brainchild of one of the most controversial officials in Brussels: the European Commissions recently appointed secretary-general, Martin Selmayr.
When the General Data Protection Regulation (GDPR) comes into effect on May 25, it will be the most radical update of privacy protections in more than a generation. Companies will have to allow EU consumers to migrate their information to rival services or withdraw their data at any time. They will also have to alert privacy authorities within three days if their data is hacked. Failure to comply could result in fines of €20 million or 4 percent of global revenue, whichever is higher.
The impact will be global, as companies craft their policies to avoid being shut out of a market of 500 million rich consumers. Already, Facebook has announced it intends to apply the EUs standards across the globe.
Experts agree the law will impact the global digital landscape for decades to come. The Harvard Business Review has called it a “radical” law for its impact on any company across the world that handles European users data. Thats the kind version. “People thought we were loony,” admits one EU official involved in drafting the law, for proposing to replace the puny fines once applied to data breaches with multibillion-euro wallops.
The EUs new privacy regulation, like many of Selmayrs creations, was born of missionary zeal, and subject to both love and hate from its conception.
While the European Commission claims GDPR could boost business activity across the EU by €2.3 billion per year, Goldman Sachs predicts it could slash more than that off Facebooks annual revenue alone. Selmayr himself insists the new privacy rules will grow markets by simplifying the legal regimes companies deal with in Europe and driving trust — a commodity in short supply in Silicon Valley — across the Continents digital single market.
GDPR, I am your father
The EUs new privacy regulation, like many of Selmayrs creations, was born of missionary zeal, and subject to both love and hate from its conception. While many can claim to be the midwives and doting parents of GDPR — from corporate lobbyists to Green members of the European Parliament — only one person can claim to be its father: Selmayr.
As a German, Selmayr shares his countrys conservative approach to privacy. His grandfather Josef Selmayr headed West Germanys military counterintelligence service from 1955 to 1964, during the rise of the East German Stasi, which ran against its citizens one of the most invasive state surveillance operations in history, infiltrating nearly every aspect of life in the German Democratic Republic.
His first public foray into data protection came in 2009, when the European Commission acted on complaints about U.K. telecoms provider BT contracting a company called Phorm in 2006 and 2007 to conduct secret trials of behavioral advertising on customers without their consent.
Selmayr was then spokesperson for European Information Society and Media Commissioner Viviane Reding, who shared his privacy concerns. Reding had clear and practical principles she wanted applied: Europeans should be able to sit at a computer and be certain their privacy was protected, without too much hassle and effort. Selmayr had a strategic vision to implement those principles. (Full disclosure: From 2011-2014, I served as European Commission digital spokesperson, doing the job Selmayr once did.)
Former European Information Society and Media Commissioner Viviane Reding | Patrick Seeger/EPA
They got the ball rolling with a Commission consultation on how to manage data protection in mid-2009, and by taking the U.K. government to court for failing to uphold EU data laws in the Phorm case.
Selmayrs interest in the relatively low-profile Phorm case took many by surprise. Junior Commission officials — including current deputy Commission spokesperson Mina Andreeva — maintained a regularly updated set of “lines to take” on various aspects of the case.
Selmayrs passion for the case was clear, according to a political consultant who represented Phorm at the time. The consultant, who requested anonymity, recalled phoning the Commission spokespersons service to register a concern that Commissioner Reding had been quoted referring to Phorm by name, when the companys identity was supposed have been protected at such an early stage of the investigation.
“Martin Selmayr gets on the phone and starts screaming at me,” the consultant said. “He said I will have you written up for harassment, because I was a non-journalist questioning the Commissions approach. I was 24. I got off the phone and I was crying. I had no idea what was going on.”
When POLITICO put the allegation to the European Commission, a spokesperson said, “The story is invented. It is false.”
As the Phorm case moved forward, Reding and Selmayr were working to introduce personal data protection into a Commission overhaul of telecoms regulations. To do that, Selmayr deployed tactics more frequently seen in political campaigns than in the Commissions gray corridors — like extensive opinion polls and telephone banks — to get the message out that consumers were being exploited and the EU was arriving to save them.
The law, passed in 2009, introduced “mandatory notifications for personal data breaches,” legal protection against spam and the EUs infamous cookies law, which requires internet users to say whether they agree to their activity being tracked while using a given website.
Selmayrs efforts coincided with a larger wave of privacy concerns, most evident in the EUs Lisbon Treaty, which when it came into effect at the end of 2009, cemented privacy as a fundamental right in European law.
“Theres a lot of people who can call this their baby” — Jan Philipp Albrecht, MEP and future minister in the German state of Schleswig-Holstein
Europes existing data protection laws had been agreed in 1995, at a time when less than 1 percent of Europeans used the internet. Selmayr saw a political opportunity.
By 2010, Reding had become the Commission vice president in charge of EU fundamental rights, and Selmayr had been promoted to be her chief of staff.
Selmayr set about promoting data privacy as one of those fundamental rights. With the support of a special data protection team in the Commissions justice department, the legislation that would eventually become GDPR was born.
Testifying in 2010, Selmayr set of policy preferences that can later be turned into regulation — calling for a “comprehensive approach” to data protection that at the same time strengthened the EUs single market.
The Commission also carried out a Eurobarometer survey of 28,000 Europeans that produced a statistic Selmayr has often since cited: 70 percent of respondents said they worried that companies would use data for purposes other than those for which it was collected.
Some of Selmayrs colleagues noted at the time that the survey had been carried out only after the Commission released its policy preferences, joking that the process was an example of “policy-based evidence-making.”
Mina Andreeva, a Commission spokesperson, said: “The European Commission uses [Eurobarometer surveys] to take the pulse of citizens on various topics. Since we want to act in areas where the EU can have an added value and not regulate areas that are best left to member states and that people perceive as unnecessary interference in their daily lives, they are indeed a helpful tool in guiding our policymaking.”
Jan Philipp Albrecht, Green Member of the European Parliament | Laurent Dubrule/EPA
The Commission ploughed ahead with EU action even though the survey revealed that while 44 percent of respondents wanted the EU to act, a similar 40 percent preferred national protections, highlighting the publics wariness of granting Brussels greater sway over their privacy rights.
By the time the results were published in June 2011, internal preparations on GDPR were underway. It fell to Paul Nemitz, a long-time official in the Commissions justice department who became principal adviser to its director general last year, to wrestle the principles and prose into a serviceable legal text.
Redings fellow commissioners approved the GDPR proposal in January 2012, sending it onto Parliament, where it was subject to nearly 4,000 amendments.
Jan Philipp Albrecht, who as an MEP steered the regulation through four years of parliamentary amendments and negotiations with national governments, said that GDPR is the result of “intense in-depth work on every word and every paragraph.”
“Theres a lot of people who can call this their baby,” added Albrecht, who is leaving the European Parliament to become a minister in the north German state of Schleswig-Holstein. Selmayr, he said, largely chose not to get involved in the details.
As GDPR rolls into action, theres no reason to believe that Selmayr will let up on his push for privacy.
What Selmayr excelled at, said an official from the Commissions justice department, was knitting together a web of supportive activists, MEPs and data regulators to support the cause. “Our goal was always to raise the boardrooms attention to data protection,” rather than simply push through a set of technical rules, the official said.
A Western European diplomat said that Selmayr showed a ruthless understanding of the theater of politics. “He knows who not to irritate. There are aggressive jabs, and strategic leaks, but he is humble around leaders and uses charm and friendliness to keep the show together.”
Unlike successive U.S. administrations, which tried and failed twice to deliver privacy legislation, Selmayr “built a bridge of trust between EPP and Greens, between Commission, Parliament and Council, and in cooperation with about 20 key activists,” the justice department official said.
Selmayr sat at the top of the chain. “On every specific issues we made a detailed discussion paper that went up to him,” Nemitz recalled. “Martin in this way was deeply engaged in the work and provided the political orientations which paved the way for the successful adoption of the regulation.”
Meanwhile, Selmayr missed no opportunity to promote the effort. After Edward Snowdens whistleblowing revealed the extent of U.S. data collection in 2013, Reding embarked on a media tour to describe the revelations as a “wake-up call” that showed the need for tougher data protection laws.
A pro-Edward Snowden sticker on a lamppost in Dresden, Germany | Sean Gallup/Getty Images
“Snowden made a huge difference in the dynamic of the negotiations,” said Nemitz, helping to win the support of MEPs in early 2014.
That year, Selmayr found an even more useful vehicle for his digital ambitions, leaving Reding to become the campaign manager of the favored candidate for Commission President: Jean-Claude Juncker.
Juncker was infamous for his digital ignorance, preferring old Nokias and newspapers over smartphones and social networks. And yet, within weeks of Selmayrs arrival, Juncker officially declared that building a digital single market, with strong data protection as its hallmark, was his No. 1 priority.
Selmayrs zeal has persisted even after GDPR was finally sealed into EU law in 2016. One example: he co-wrote a 1,200-page academic commentary on the law in June 2017 while serving as chief of staff to Commission President Juncker. Selmayr, through a spokesperson, declined to provide comment for this article, but referred POLITICO to the document for his views.
Even as Selmayr promoted the upcoming privacy rules, lobbyists tried to sway national data authorities over how they would work in practice. In September 2017, Selmayr took to the stage at a conference in Brussels to rail against those predicting “end-of-the-world scenarios” over new rules that would complement the GDPR and warned opponents against years of “huge lobbying” over a battle they had already lost.
As GDPR rolls into action, theres no reason to believe that Selmayr — whose surprise appointment as the Commissions top civil servant in February angered many in Brussels — will let up on his push for privacy.
European Commission President Jean Claude Juncker | John Thys/AFP via Getty Images
In 2017, Selmayr blocked an effort by free-trade advocates to include data flows in future trade agreements. “For the EU, privacy is not a commodity to be traded,” Commission spokesperson Andreeva said at the time. “Data protection is a fundamental right in the EU.”
After months of wrangling, Selmayr reached an agreement with the rest of the commission on including data in trade deals. Once the Parliament and national governments back his proposal, the EU will begin insisting on his vision on data protection in free-trade deal negotiations.
Already, Selmayr has put privacy at the center of the U.K.-EU Brexit negotiations. In a January 2018 letter, the Commission warned “all stakeholders processing personal data” operating in the U.K. that they would be subject to the EUs privacy rules in any dealings with the bloc.
It need not have bothered. For months, British government officials and watchdog bodies have made clear that they like the way the EU deals with the protection of online privacy. Indeed, GDPR has already served as the basis for a new British data protection law.
Other countries are taking similar actions. Since breaking commercial ties with the worlds largest trading bloc is unthinkable, legislators worldwide are scrambling to update their domestic legislation to bend to Europes privacy rules. When it comes to making sure European privacy is protected, Selmayr has only begun.
Laurens Cerulus contributed reporting.