The European Union’s GDPR (General Data Protection Regulation) suite took effect yesterday, May 25, 2018. We look at what it might mean to Scientology, and how activists might use it as an avenue to bring about positive change in the organization, or, if Scientology is not serious about complying with the rules, how they might be hamstrung (but not shut down) by the GDPR.
I did extensive work on the potential impact of the GDPR on US-based companies in 2016 and early 2017, and this discussion is based on that work as well as other research about earlier investigations by European regulators into Scientology’s privacy practices.
Scientology’s antiquated paper-based recordkeeping practices, mandated by founder L. Ron Hubbard’s holy writ, cannot ever hope to comply with the GDPR. The cult’s belief that it’s inherently above “wog” law means that it probably won’t make a meaningful attempt to comply. That exposes Scientology to the highest level of penalties, a minimum fine of €20 million, reserved for chronic violation of the rules and for not taking them seriously. But while Scientology is exposed, we think regulators will have much larger fish to fry in the early days following GDPR enactment to pay attention to the cult. We discuss the specifics of what will happen when the regulators do turn their eyes onto Scientology’s privacy practices in the future.
Some commenters have suggested that GDPR could be a mortal blow to the Scientology organization, either globally or broadly across the European part of the operation. We strongly disagree. We do believe that the cult can be significantly hobbled in Europe but even the assessment of the maximum penalties and a high degree of oversight by regulators will not cause Scientology to shutter its doors. We discuss how activists against Scientology can use GDPR to hamstring the organization, even if it will not be driven entirely out of business.
What is the GDPR?
The General Data Protection Regulation is a suite of rules enacted in 2016 to replace earlier regulatory efforts to ensure appropriate privacy of consumer data. They took effect yesterday after a two-year preparation period.
The need for the GDPR comes from a) inconsistent privacy regulations among EU member states, and b) a major disconnect between EU regulations and those in the US, which US-based companies had been using as the basis for their interactions with EU customers. For this discussion, we’ll focus on the differences between EU and US law and in privacy principles, because that’s what affects Scientology.
Fundamentally, the EU and the US have very different notions about the right to privacy. In the US, data collected about a person belongs to the company that collected it, because they paid for the computer systems to capture and store the information. It becomes a corporate asset like any other, which can be monetized through things like indiscriminate selling of mailing list data to third parties, through data mining to understand customer behaviors and predict potential sales offers, etc. Once personal data is collected under US law, the consumer has no idea where it may end up being used. Some US companies voluntarily enact a privacy policy, though this may be tossed overboard in some circumstances, such as if the company is sold. And US law is also notoriously bad at dealing with data breaches, such as the theft of the Experian credit bureau’s files of sensitive information on nearly all US consumers.
The EU’s approach is almost diametrically opposed to the US model. In the EU, data belongs to the consumer, and the company that collected it is merely the custodian of that data. It must be deleted appropriately, and the consumer must give explicit and knowing consent to specific uses of that data (which forbids resales of data to an endless string of third parties, for instance). The EU also takes data breaches seriously, and requires aggressive notice of consumers when a breach occurs, where US companies are able to hide disclosure of breaches until it’s discovered by the broader world.
GDPR applies to any organization collecting data on EU citizens, so US-based companies doing even a small percentage of business with Europeans are as subject to it as a company headquartered in Munich. And the Europeans are serious about enforcement: penalties for significant, sustained and intentional violations of the law carry a minimum fine of the greater of €20,000,000 or 4% of global revenue. In the case of Google, which did $110.8 billion in worldwide revenue in 2017, that could mean a $4.4 billion fine if they were sanctioned. Of course, the maximum penalty comes only after the company willfully fails to cure violations in a lengthy process of regulatory oversight.
It’s important to point out that the EU regulators don’t have the ability to close the doors of non-compliant businesses, whether they’re located in the US or overseas. They can investigate, demand changes to business processes, review compliance and levy fines, but they can’t revoke the right of an entity to do business in the EU.
The Real Focus of the GDPR
In our view, the main focus of the GDPR is to rein in giant Internet companies such as Facebook, Google, Amazon and Microsoft, who are either opaque about privacy, or in the case of recent Facebook disclosures, completely cavalier about their use of private data, as the recent Cambridge Analytica breach showed. In view of Facebook founder Mark Zuckerberg’s recent refusal to testify personally to the UK parliament, it was the first target of a race to the courthouse to file suits only minutes after the law took effect.
The cynical Global Capitalism HQ financial analyst in me thinks there’s more than a hint of using regulatory frameworks to erect a barrier to competition of foreign firms in the EU, by forcing them to make expensive changes in their systems and by slowing them down. Protectionism, particularly in the form of import duties, is rarely effective in today’s globalized economy, and it usually backfires on the governments launching a trade war due to unanticipated consequences. However, regulatory pressure that has broad popular support (as the GDPR does) that has the benefit of giving local producers an innate advantage tends to be more effective over the longer term.
We believe that the EU is right to implement GDPR, as it will have real benefits for its citizens. We’ve often wished that the US would adopt similar regulations for its own citizens. So we’re not opposed to the GDPR because of the secondary trade war effects. We’re simply pointing out that these effects are part of the package, for the benefit of observers new to looking at the mechanics of international trade.
Scientology: Inherently Unable to Respect Data Privacy
There are two different factors that determine whether Scientology can comply with GDPR. First, are Scientology’s processes for processing personal information compliant with the rules? And second, does Scientology actually follow those processes consistently?
When companies use computers to run their businesses, it’s pretty easy for most of them to answer the second question as a “yes.” Computers process all data of a similar type in the same way. The only time a computer will process the same information differently is if the software changes. It’s thus pretty straightforward to determine whether a computer system has executed the processes it’s been designed to do. You just have to make sure that that process is compliant at the outset.
Unfortunately, Scientology can’t do that. It will never be compliant with GDPR, because the processes for tracking customer information are Hubbard’s holy writ and can’t be changed. And because they’re administered manually, there’s no way to say that the correct process was followed in the processing of any given record for any of the cult’s customers.
This manual process creates many toxic side effects as abundantly documented by many ex’s who have described the laborious process of updating paper folders with more pieces of paper even in the year 2018. Given that Scientology’s organizational culture was designed in the image of the WWII Navy, hardly a model of efficiency, Scientology tends to collect as much information as possible and keep it forever. That’s why so many people report getting letters from Scientology 30 years after they last took an entry-level course to try to get them to come back for more. Staff members desperate for a “stat” will track down someone who moved 10 times in 35 years and send them a not-at-all-creepy letter to offer more classes.
The information collected to be processed with unpredictable processes includes not only ordinary business documents such as invoices for services, but also extraordinarily sensitive personal information, such as a member’s innermost secrets, extracted and recorded in auditing sessions. That’s written by hand in a folder that is stored in each individual org, with no clear access controls to prevent any individuals in the organization lacking the need-to-know from accessing sensitive information.
Scientology’s collection and processing of member information is so egregiously unable to meet even a few of the standards mandated by GDPR that it will never withstand a close examination by regulators. And because this sloppy process is holy writ, the problems can never be cured. Scientology is caught between a rock and a hard place.
What’s Not Going to Happen With Scientology vs. GDPR
Before looking at how Scientology activists can have an impact by using Scientology’s GDPR non-compliance, it’s important to rule out several actions that will not happen.
First, GDPR is not a magic bullet that will extinguish the cult, either globally or just within the EU. The regulators don’t have the ability to shut down a non-compliant organization, even one that is certain to be as egregiously non-compliant to Scientology.
Second, even the maximum fine of €20 million or 4% of worldwide revenue, whichever is greater, will not deter Scientology. Though €20 million ($23.5 million at current exchange rates) is a significant portion of the cult’s revenues, it is a negligible portion of the global reserves, which we estimate to be somewhere between $1.5 billion-$2 billion. It is important to note that imposition of such a fine is a long way down the road, only after Scientology has failed to work with regulators to correct the violations of regulations.
Third, it is unlikely that GDPR regulations will cause anyone currently in Scientology to wake up and say “I don’t know how I could’ve been involved with such a lawless organization. I am storming out of here, leaving tens of thousands of euros worth of deposits untouched because I simply cannot abide the gross violation of my privacy that my church’s willful violation of privacy laws has engendered.” There is zero chance that a GDPR fiasco can have the impact of Debbie Cook’s letter on New Year’s Day 2012, which excoriated the church for its constant fundraising and caused many to depart.
We’ve seen the Jehovhah’s Witnesses, another high-control group, require their members to sign a statement essentially waiving their GDPR rights. While we aren’t lawyers with experience in litigating EU privacy cases, we strongly suspect that the EU courts would reject attempts to waive privacy rights generally, as these agreements attempt to do. We suspect that Scientology is likely to attempt the same tactic with its members, and we believe this will be unsuccessful when tested in court. After all, a major principle of the GDPR is that customers must give specific consent, not under duress, for each specific use of their data. They can’t be forced on pain of being denied an essential service to sign an overly broad release. So if the organization threatens to withhold your guaranteed ticket to heaven if you don’t sign (in the case of the JW’s) or takes away your OT super powers (in the case of Scientology), that would likely be considered coercive.
We suspect that Scientology is likely to implement a broad waiver of GDPR rights like the JW example. We suspect Scientology management to explain that Hubbard’s non-compliant records management policies are holy writ and Hubbard policy is superior to “wog” law. There’s also a mighty stick: members are sufficiently concerned about running afoul of “command intention” that few, if any, will refuse to sign. Such a waiver would likely forestall complaints filed by current members, but that’s only a small part of the exposure that Scientology faces. The cult can’t get former members to sign such a waiver, and there are far more of those than there are active culties.
Most importantly, what’s not going to happen is that Scientology won’t be able to wiggle out from GDPR rules. Commenter “PickAnotherID” found a front group headed by a Scientologist that’s trying to suggest that religions are exempt from the rules, but that’s explicitly not the case. The increasingly secular EU countries have never had the absolute freedom of religion that the US has, so it’s naïve for the cult to assume that US-style freedoms apply in Europe.
What Can Happen with GDPR and Scientology
While GDPR will not be a magic bullet to extinguish Scientology in Europe, it can be used to slow the organization down and make it difficult for the cult to do business there. How best to proceed:
First, the large body of ex-Scientologists is core to successful GDPR action. As we all know, Scientology has a unique gift of being able to turn former members into active enemies rather easily. There are a large number of former members who have simply given up on getting off of cult mailing lists, as well as others who continue to have other contact with Scientology that they don’t want. When large numbers of members, particularly those who have not been involved in Scientology for decades file complaints, they will have to be taken seriously. A large number of complaints against a relatively small organization will ultimately catch the eye of regulators and increase the odds that they decide to take action.
Second, Scientology’s highly fragmented corporate structure will be a major liability in the context of GDPR compliance investigations. The GDPR package has provisions for simplifying the process for an organization to demonstrate EU-wide compliance with the rules. In normal cases, a company such as Google would be assigned to interact with the regulators in the country that is its principal place of business within the EU, and they would coordinate with regulators in all the countries where Google does business. However, since Scientology makes a point of claiming independence of each of its local units from central control when it is convenient for the cult to do so, that argument will come back to bite it as people filing complaints in one country can make the case that there complaints are unique and distinct to the local Scientology office, and are not simply collected and dealt with at a single regulatory interface.
Third, understaffed local orgs will have a difficult time meeting a key GDPR requirement that’s required of churches of all sizes: commenter on this site PickAnotherID discovered that they must have a designated Data Protection Officer (DPO). The regulations clearly state that this individual can’t be in a chain-of-command that has conflicts of interest, such as reporting to people they will have to regulate, such as IT or HR departments. That’s not a problem in a large organization, but in a small Ideal Org with a handful of staff, this will be impossible to achieve. If the EU conducts an audit, the lack of a DPO is just one of many statutory violations that Scientology will have to deal with. If they don’t appoint a credible DPO who actually performs the functions required, regulators are allowed to appoint a DPO for any organization failing to comply. It’s pretty amusing to imagine just how Scientology would react when an outsider arrives and demands to take over the paper files.
What Activists Can Do Using GDPR
Because of the disastrous flaws in Scientology’s outmoded practices, a key strategy for activists should be to file complaints in all the countries where Scientology does business, and work to ensure that regulators do not consolidate them at either St. Hill or at the European headquarters location in Copenhagen. If each failing and understaffed org is forced to deal with its own GDPR issues, it will quickly bring businesses in those works to a grinding halt. The oars will have to punt to Miscavige, and he will quickly become overloaded trying to deal with dozens of individual country level investigations. That will hamstring the famously micromanaging Miscavige even more than usual, bringing other strategic initiatives such as the Ideal Org strategy to near-paralysis.
This raises the larger point that the goal of Scientology activism should not be to find a magic bullet to cause the organization to shut its doors globally, but to find highly leveraged points that can cause the maximum disruption of operations with the minimum amount of effort on the part of activists. We feel that focusing on GDPR complaints, a campaign that will take a long time to bring to fruition, well beyond simply filing an initial form and walking away, is one such tactic. This is likely to be much more fruitful than, say, filing a class-action suit for refunds of donations, which it is uncertain that the plaintiffs would win, and it would easily take a decade or more to pursue.
The idea of maximizing the effectiveness on a narrow leverage point is what we, along with many other critics, have said for a while: pick manageable fights. An example: trying to revoke the tax exemption could take decades and depends heavily on a hard-to-read and even harder-to-change political environment. Instead, fight for an investigation into Scientology’s pervasive abuse of the R-1 religious worker visa program. Though such a campaign would not have the broad impact of the tax exemption, it would be much easier to achieve, and it would cripple the ability of the cult to operate the Flag complex in Clearwater, one of its biggest money makers and shining “prove” of the success of Scientology. Turning flag into a ghost town that is unable to provide the broad range of hotel and resort services that it promises members would surely cause members to question the cult’s success, and that carefully cultivated illusion of success (the reason for hundreds of millions of dollars in spending on building empty Ideal Orgs) is a key attractor for many members.
Hungary: Prototype of an Investigation
In October 2017, historian Chris Owen published an article on Tony Ortega’s blog detailing the investigation of Scientology by the Hungarian government. This investigation details the line of attack that other regulators may take in investigating Scientology. We strongly recommend that you read Owen’s piece again to understand just how flat Scientology falls in its attempt to comply with the rules, and how thoroughly the regulators in a small country have pierced through the nonsense that Scientology is attempting to sell.
The approximately $80,000 fine levied is trivial, but the laundry list of fatal defects in Scientology’s information handling practices is the real gold mine. Other regulators will be able to use this report as a template to build their own cases against the cult. Virtually every single source of member information is savaged in the report. Some examples:
- Documentation from the Purification Rundown, forbidden because it’s quackery, thus a fraudulent pretext to collect data;
- Document from the OCA, again forbidden because there’s no scientific basis for its accuracy;
- Knowledge reports, because they’re written without the subject’s consent, by definition, thus crippling “ethics” handling processes;
- Auditing information involving a third person, since information would be gathered without their consent, directly contradicting the mandate that the auditor capture everything, and
- Sec checking of staff that asks questions more invasive than what any other employer would ask.
The list goes on seemingly forever. And none of it is good news for the cult. And the biggest risk is not information that Scientology collects on members but what it has on former members and on others who it perceives as enemies. Those are people who certainly would never give consent to the cult’s data collection activities; they simply can’t be coerced. No browbeating to sign overbroad (and potentially illegal) blanket consent is going to work. So if regulators ever hit the OSA files that Scientology maintains, it will be a gold mine.
Owen circled back in March of this year with the denouement of the Hungarian government’s investigation and deeper analysis of the original report based on an improved translation.
One important finding is that much of the information the cult collects from members related to auditing is medical information, which is subject to the most stringent controls, which Scientology cannot hope to comply with. The Hungarian investigation used Scientology’s own words against it in establishing this.
Peter Bonyai, an ex-member turned activist in Budapest, suggests that the lengthy government report is designed to hold up in court in future litigation, so there may well be more to the story, particularly now that GDPR is the law of the land, with much higher fines. It is entirely possible that Hungarian regulators, once they uncovered the cesspool of privacy violations and realized that they had a nearly endless stream of violations to investigate, shelved their investigation for a few months until GDPR took effect, which raised the fines from €80,000 to €20,000,000 or more for a chronic and willful scofflaw like Scientology.
