Why oligarchs love European data-protection laws

By Oliver Bullough

When websites first started asking me to accept their cookies, I used to read the options and try to make a considered choice. That now feels like ancient history. To research this article I must have clicked without thinking on a hundred of these “accept cookies” buttons – they’ve become a simple annoyance.

In theory I should be grateful rather than annoyed. The incessant pop-ups are the result of regulation introduced by the European Union in 2018 to protect the privacy of citizens online. The clunkily named General Data Protection Regulation (GDPR) was hailed by privacy advocates as an “incredible breakthrough” for ordinary people in the face of predatory tech giants.

After learning how GDPR is used in practice, however, I am neither grateful nor annoyed: I’m terrified. Over the past four years resourceful London lawyers have sharpened the legislation into a weapon against journalists and anyone else who wants to subject their rich clients to scrutiny.

If you’re someone who digs into the sources of oligarchs’ money – as I am – a data-protection claim can hit you even if you don’t publish a word. It doesn’t matter where you are in the world. It doesn’t matter if the person you’re investigating has a reputation too sullied to tarnish. It doesn’t matter if your research is scrupulously careful and in good faith. You’re still vulnerable.

Resourceful London lawyers have sharpened GDPR into a weapon against journalists

The idea of being sued for libel by a rich Russian scares me, but at least the battle lines would be clear – and if I had truth and the public interest on my side I’d be in with a fighting chance. By contrast, the prospect of being tied up for years in the Kafkaesque intricacies of a data-protection case seriously makes me consider quitting journalism.

Powerful claimants are increasingly aware of the power of GDPR. In 2021 nearly 300 cases against the media were brought in British courts under data-protection rules – more than half the total number of media-law claims that year. That was double the number brought under data-protection laws the year before, and far more than the number of defamation cases. Lawyers say this is just the start. A seismic shift in press freedom is under way. Few have even noticed, let alone understood the implications.

So what has your average publicity-shy oligarch got to do with me having to click on all those dialogue boxes? Both of us, it turns out, are enjoying the right to control our data. These data-protection regulations were an attempt by the EU to ensure tech companies didn’t exploit people’s digital footprints for nefarious purposes. (Though Britain had already voted to leave the EU by 2018, it was still formally a member.)

When the rules were first published, we assumed that “data” would mean the algorithmic index of our habits, interests and families stored by the likes of Facebook. The actual law, however, described data far more broadly, as “any information relating to an identified or identifiable living individual”. That definition can – and, indeed, does – apply to almost anything. The rules governing what should happen to this information were also wide-ranging. That was because GDPR wasn’t just a response to concerns about Facebook, it also codified long-standing principles that data other people hold about you should be transparent, secure, lawfully collected and – crucially for oligarchs – accurate.

The law drew attention to a little-used right that had existed in Britain for decades: the ability to access your own data. As defamation lawyers quickly realised, this meant that you could demand copies of any information anyone might conceivably have about you – so-called Data Subject Access Requests; if any of that information turns out to be inaccurate, you can sue.

Merely complying with the law is exorbitant. If an angry oligarch sends you a Data Subject Access Request it can take weeks, even months, to go through every email or text message you have that might contain information relating to that person (big tech companies – the ones the law was intended to inconvenience – have automated this process).

Defending yourself in court is potentially bankrupting. Thanks to the adversarial nature of Britain’s legal system, proceedings cost far more in Britain than in most European countries. One Dutch media lawyer told me that if she loses a case, her client might have to pay €1,500 ($1,600) to meet the other side’s costs; a British lawyer said this figure could easily hit £100,000 ($125,000) before hearings even begin.

An early victim of this new use of data-protection laws was Catherine Belton, a British journalist who published a book on Russia’s kleptocratic class, “Putin’s People”, in 2020. The book alleged that two Russian businessmen, Pyotr Aven and Mikhail Fridman, had links to the KGB during the 1980s. They said this was inaccurate and thus breached their rights under GDPR. They brought their claim against Belton and her publisher, HarperCollins, at around the same time that Roman Abramovich and Rosneft, an oil company, also accused Belton of defaming them. Collectively the suits could have cost Belton and HarperCollins about £10m in legal fees. Instead, they settled the cases and agreed to make some changes to the book.

“We only have so much money. We can’t afford to spend it all battling people so rich they don’t care if they lose”

This problem doesn’t apply only to the British media. In 2019 Scott Stedman, a 26-year-old American journalist, set up Forensic News, a site dedicated to investigative journalism and registered in his home state of California. He’d never set foot in Britain and never imagined he’d have to worry about letters from lawyers in London.

Then, in December last year, a court in London decided that a British-Israeli businessman called Walter Soriano could sue Stedman in Britain for misusing his personal data. Stedman had published several articles after Soriano was asked to testify to a congressional inquiry in 2019 about possible links between Russia and the Trump administration. Soriano said these articles were inaccurate and contained private photographs stolen from social-media accounts.

Soriano argued that, since Stedman solicited donations to his website in European currencies as well as in dollars, the data he processed were covered by European law. Only six people had ever paid Stedman in European currencies. But the judge agreed that Stedman had to answer a GDPR claim. “The decision today is of historic importance to all US media,” Soriano’s lawyer said after the finding. Stedman has already spent tens of thousands of dollars on the case. He is now awaiting a trial date.

This isn’t the first time that journalists and researchers who have nothing to do with Britain have found themselves dragged through the country’s courts. British defamation law says that claims can be brought in Britain if the offending articles or books are accessible there; the rise of the internet in the 1990s meant that this criteria suddenly applied to all kinds of things written for different audiences. In 2000 Boris Berezovsky, a Russian businessman, was allowed to sue Forbes magazine in British courts, though less than 1% of the publication’s readers were based in Britain. A Saudi businessman, Khalid bin Mahfouz, sued an American author in 2004 over a reference to him in her book on terrorist financing: just 23 copies had been distributed in Britain.

Defamation laws were reformed in 2013 to make it harder to bring this kind of case in Britain – claimants now had to show, among other things, that the offence in question had caused them “serious harm”. But the 2018 data-protection regulations could mean Britain is becoming a destination for legal tourism once again. It’s not that easy to win a claim under GDPR, and the awards are much smaller than those typically granted in defamation cases. But other aspects of these regulations are advantageous to the claimant: they have six years to bring a case, instead of the one allowed under defamation law. More importantly, claimants have a right to see everything their opponent has written about them even if it hasn’t been published; they do not need to prove that this information has caused them “serious harm”, merely that it’s inaccurate.

In theory, journalists shouldn’t have to worry about GDPR because the law grants them an exemption. In practice, people are already censoring themselves to steer clear of it. Media organisations have to respond to Data Subject Access Requests before they can demand the exemption, which means they have as much expense to deal with as anyone in a non-exempt profession. The Belton case is already affecting what type of books publishers commission. “We only have so much money and so much time,” one publisher in London told me. “We just can’t afford to spend it all battling people so rich they don’t care if they lose.”

The first case to show the sinister potential of GDPR involved the two oligarchs who sued Belton and a former British spy called Christopher Steele. Steele’s company was hired by the Democrats in 2016 to do research that could be used in the campaign against Donald Trump as the Republican presidential candidate. The dossier famously explored Trump’s links with Russia. In the process it accused a company co-owned by Aven and Fridman of handling illicit money. In 2020 the businessmen sued Steele’s company under data-protection rules.

Claimants have a right to see everything their opponents have written about them, even if it hasn’t been published

Steele was in private intelligence, he wasn’t a journalist. But the judge’s finding has chilling implications for anyone who processes “data”. Lawyers for Steele’s company said that the privately circulated dossier did not constitute “data” at all, but opinions. The judge ruled that the so-called opinions were facts.

The implications of this ruling are staggering for corporate accountability. It means that if someone is hired by a bank or another firm to do due diligence on a company, they could potentially be answerable in court for anything cited in internal reports. “We see our job as to scour the information that exists, to find as much relevant information and to present it in a way that is as truthful and accurate as we can determine, so our client can make a decision,” said one person I spoke to, who does research for big firms. “You are going to end up with all sorts of information being airbrushed out of people’s history, and their money getting laundered, because everyone is too scared to risk publishing any negative information about them.”

A GDPR claim, even an unsuccessful one, runs the risk of exposing sources as well as ensnaring the defendant in a complex and expensive dialogue. Charlotte Leslie, a former MP, runs an organisation called the Conservative Middle East Council, which educates parliamentarians about the region. In 2020 Leslie became concerned about donations to the Conservative Party by Mohamed Amersi, a businessman with extensive links to Russia (Amersi and his girlfriend gave a total of £750,000 to the party). Leslie wrote some internal reports for senior figures in the party laying out what she knew about the origin of Amersi’s wealth.

Amersi issued her with a Data Subject Access Request. For months she pushed back, trying to prevent his lawyers gaining access to records of her confidential conversations. That cost her thousands of pounds. “Amersi has used his wealth and influence to try to bully Charlotte Leslie into silence,” David Davis, a former Tory minister, said in a parliamentary debate in January. “If she has to meet the costs of all of this, [she] will probably have to sell her home and lose all her savings, and that is what an ordinary person faces in this context.” Eventually, Amersi withdrew his GDPR complaint – but by then Leslie had already complied with some of his requests and a number of her sources may have been exposed (Amersi has since sued Leslie for libel).

Leslie was not a journalist. But journalists could find themselves in the same position as her. We try to protect sources, download encrypted-messaging apps such as Signal and fret about state actors hacking our phones. All the while, GDPR is quietly undermining the principle of anonymity. It will take more than an app to get it back.

Since the Russian invasion of Ukraine in February, British and American politicians have become more inclined to side against oligarchs. The British government has applied sanctions against Aven and Fridman. A Tennessee senator has even asked the American government to ban their lawyers, and those of Walter Soriano, from entering the country.

“All sorts of information will be airbrushed out of people’s history because everyone is too scared to publish negative information”

Measures against individuals won’t be enough to mitigate the risk that data-protection rules pose to press freedom. Ban one set of lawyers and an oligarch will find another. GDPR was the fruit of years of delicate negotiations between European member states, industry and privacy advocates. Trying to unravel the harmful elements from it could take as long as putting it together did. Lawsuits creating precedents for particular interpretations of its principles will continue to pile up in the meanwhile.

There are still things to be done. Parliament could pass a law forcing people to take their GDPR claims to the Information Commissioner’s Office in the first instance, rather than go straight to court, which would keep costs down and make the process fairer. Politicians could also stipulate that GDPR cases be subject to a public-interest test, just as defamation cases are. But they need to act quickly.

In the meantime I find myself wondering what I can do to protect myself. I could go back to keeping my notes on paper, but I suspect it wouldn’t take an oligarch’s lawyer long to argue that this, too, was “data”. In the new world of legally enforced privacy for the rich, it’s not clear what place there is for investigative journalists. Perhaps I should content myself with finding out what the oligarchs have on me. ■

Oliver Bullough is the author of “Butler to the World”

ILLUSTRATIONS: NOMA BAR

This article has been updated to correct some inaccurate terminology for data-protection law introduced in the editing process