How Germany took on the titans of social media – and won
The office of Dr Johannes Caspar is nothing much to look at. Parked on the sixth floor of a drab, anonymous government building in Hamburg, it is a far cry from the sweet dispensers and mini golf course of Google’s HQ nearby. Yet this office, with its small budget and 20 staff, has issued orders and fines that have made American tech giants sit up and take notice. In Britain, we often hear that regulating social media is impossible or prohibitively difficult, and that any attempt would risk driving companies abroad.
Germany, however, has already implemented protection against online abuse and under age access – and tech companies, far from fleeing, are staying and complying. So as MPS mull the impact of fake news and The Daily Telegraph campaigns to make the internet safer for young people, what can Britain learn?
“We have different cultural habits on enforcing the law in Germany,” says Dr Caspar, Hamburg’s data protection commissioner. “When you look at colleagues outside continental Europe, we are more regulating and enforcing laws and they are more negotiating and trying to get answers by communication.” A former law professor, Dr Caspar has repeatedly taken on the big tech companies with headquarters in his jurisdiction. In 2013, he fined Google for illegally collecting data from open Wi-fi networks with its Street View camera vans; in 2017 he ordered Facebook not to transfer user data from Whatsapp.
Ulrich Kühn, his deputy, says: “My impression is that [tech firms] don’t care about privacy. If you compare privacy to the business models of these companies, they are diametrically opposed. I don’t know any of them that didn’t grow by breaching privacy principles.”
Therefore, says Dr Caspar, financial pressure is required: “If they don’t have the threat of higher fines, they won’t do anything.” Until recently, neither Britain nor Germany had this power: Google’s fine in 2013 was around £120million, while Facebook paid only £500,000 in Britain – less than 0.01 per cent of its revenue – for the Cambridge Analytica data breach. Now the EU’S General Data Protection Regulation (GDPR) gives states the power to levy fines of up to 4 per cent of revenue, and the British government plans to keep that after Brexit. Still, Dr Caspar believes this will be purely theoretical unless regulators wield it.
An example of Germany’s ferocity is the Network Enforcement Act, or Netzdg. Passed in a hurry last year amid fears that the 2017 federal election would be flooded with fake news, after two years of fruitless discussions with tech companies, it aimed to enforce Germany’s laws against hate speech, threats and incitement to crime online. Under it, social networks must block illegal content within a week and “obviously illegal” content within 24 hours; failure to do so can result in a fine of 50million euros. “Facebook had said to German legislators that for them German law is basically irrelevant, and it’s only EU standards that apply,” says Tankred Schipanski, digital spokesman for the ruling CDU party. “A newspaper is liable and responsible for when it violates someone’s rights. The same should be applied to social media companies.”
The law is controversial: far-right populists call it an establishment stitch-up, proclaiming “the end of free speech”, while human rights groups warn it will turn private companies into risk-averse censors that “overblock” to avoid fines.
Judith Steinbrecher, of Bitkom, representing German tech firms including Facebook, says it “infringes freedom of expression” and might even “intensify populism” by suppressing debate. High-profile early deletions include two joke tweets from the satirical magazine Titanic. But the evidence six months in shows little sign of “overblocking”. Statistics released by Facebook, Twitter and Youtube did indeed show that hundreds of thousands of posts and videos were reported. Only a small amount, however – between 11 and 27 per cent – led to action. The vast majority were closed within 24 hours, indicating the companies themselves regarded them as clear-cut. In murkier cases, they consulted lawyers.
Mr Schipanski admits there is more work to be done. Facebook has been criticised for making its Netzdg reporting system too complicated, and Germany is considering changing the law so users can challenge wrongful deletions. But, he said, the principle can be extended to other countries.
The EU is considering legislation on similar principles, while France, Israel, Italy and Canada have all contacted the German government for guidance.
Less controversial are Germany’s systems for protecting children. In Britain, plans to make all pornographic websites verify their users’ age or be blocked by internet service providers have been pushed back due to privacy fears and technical issues. But in Germany, age verification has been widely used and accepted since 2003.
Users can register themselves at the post office, to a postman on their doorstep, at the bank or to call centre staff on a webcam, and subsequently log in with a pin number, an ID code or SIM card. Ironically, Germany lacks the power to enforce regulations on foreign firms due to opposition from civil libertarians. But Britain has been blocking child porn and pirated music since 2013 – something Mr Schipanski thinks Germany could adopt.
Germany also has stricter protections for children’s data. GDPR allows member states to set an “age of consent” below which companies may not process someone’s personal data without permission from parents. By default, this age is 16 – but Britain has it set at 13, the age cited in most US tech firms’ terms of service.
Germany has kept it at 16, with the result that social media companies have had to change the system for users below that age. On Facebook, for example, you cannot display “sensitive” personal data, such as religious views and sexual orientation, on your profile without parental consent. Advertising is only targeted based on age, location and gender, never on anything “liked” or posted. The problem with all such systems is the lack of serious age verification. Most social networks simply ask users to enter a birth date when they sign up, and accept what is declared. Facebook’s parental consent system can be easily fooled.
According to Dr Caspar, this may be unavoidable: asking children to verify their age would paradoxically require asking for even more personal data.
But Mr Kühn also believes there are other options. “It’s interesting that the tech industry, with all its imagination and financial resources, has never come up with anything else,” he says. “I’m not sure why the industry is so reluctant.”
Jan Albrecht, a German MEP who helped guide GDPR through the European Parliament, agrees, saying a system that automatically scanned ID cards and only checked name and birth date could avoid collecting more data than is already taken. In response to an undercover investigation, which found moderators deliberately ignoring clear signs of under age use, Facebook pledged to proactively ban users who seemed under age. Can Britain really copy all this? And more to the point, should we? Damian Collins, chairman of the Commons digital, culture, media and sport committee, wrote in this newspaper that Britain must find a similar way of making tech firms liable, while Norman Lamb, chairman of the science and technology committee, said Britain risks being “behind the curve” and should be looking at Germany “very closely”.
Characteristically, most Germans believe that only Europe-wide rules can tame the tech titans. “This is not amenable to national solutions,” says Mr Schipanski. Dr Caspar is likewise keen to stress the EU’S role. But German laws such as Netzdg go beyond what the EU requires, and he thinks it would be “too pessimistic” to say tech cannot be regulated.
“They are not aliens,” he says. “They are companies offering services for people living in Europe, and if they are in this playground, they have to play by our rules.”
American firms could have deserted Hamburg for one of Germany’s 15 other states, but they have not.
Mr Kühn puts it more bluntly: “The idea of a company moving out of a country because the data privacy regulator pushes too hard is farfetched.” How closely Britain should actually follow Germany’s example is a question for voters and MPS. Some ideas would be fiercely debated.
What is clear is that social media does not exist in some other dimension unreachable by judges and politicians.
We have the power to change it, if we wish to.
‘They are offering services for people living in Europe, and if they are in this playground, they have to play by our rules’