As email inboxes around the world are flooded with updated privacy policy notifications, the European Union’s new privacy law, the General Data Protection Regulation(GDPR), takes effect on May 25.

The first significant regulatory policy enhancement to E.U. data protection regulations in more than 20 years, the GDPR requires companies to ask consumers whether they can collect their data, answer promptly if asked what it’ll be used for and disclose significant data breaches within 72 hours. Failure to fully comply could result in fines of up to €20 million (more than $23 million) or 4% of the company’s worldwide annual revenueof the prior financial year. In other words, breaking the law could come with some serious consequences. 

The seriousness of the penalties reflects a European approach to privacy that can be traced back, in large part, to German history — and to specific experiences with personal data being used for the most heinous purposes.

“There this misperception that it’s a protectionist response, but the roots are much deeper. We trace them back to World War II and the atrocities of the Nazis, who systematically abused private data to identify Jews and other minority groups,” says Anu Bradford, professor of law and director of the European Legal Studies Center at Columbia Law School.

As the Nazi regime rose to power, state control of businesses brought with it state control of information technology.

In 1930s Germany, census workers went door to door filling out punch cards that indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processorsknown as Hollerith machines, manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag). This history became more widely known after the publication of the 2001 book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and America’s Most Powerful Corporation, which argued that those Hollerith machines not only identified Jews, but also ran the trains that transported them to concentration camps. Some historiansdispute the book’s claims that IBM supported the use of its machines to carry out genocide and argue that the Nazis also used other methods, as simple as pen and paper,to round up victims just as effectively; the company hasn’t deniedthat its machines were used during the Holocaust, but claims “most” documents about the operations have been “lost.”

But, regardless of the company’s direct involvement, or lack thereof, it became clear how — while census data can also be usedto keep a government running — the collection of citizens’ personal information could lead to direct harm for those people.