Thoughts on GDPR

Let me start this by expressing my honest opinion on the soundness of the ideas behind GDPR. Taking privacy and personal data protection a bit more seriously: it’s great. As a citizen of this global economy who is watching what is going on in the US and, even worse, on the other side of the Pacific, I am highly concerned with the treatment of personal information, and it is almost an emotional issue. Just thinking about how facial recognition is allegedly used to monitor school children in class to check whether they pay attention – I can’t think of anything more de-humanizing. Yes, I believe from a naive idealist point of view, GDPR is great.

But that’s it for nostalgic ideas and idealism. Here are my thoughts on reality.

Welcome back, isolationism

It’s great that the EU adopted a policy that is as aggressive as traditional US law. Doesn’t matter where you are and what you do: if you handle EU citizen data, you are liable. For me as a semi-layman, that is news. I haven’t seen that strong a formulation in European codices yet. But hey, maybe I’m wrong. Good stuff if we head this way.

But again, it is as isolationist as the Trump era trade policies. Nobody else outside the EU currently cares. And that is a big issue. Why?

Well, first of all, it is an attack on the functioning of the market by over-regulation par excellence. You are creating a de facto comparative disadvantage. It is absolutely clear that under heavy competition in B2C markets – which includes eCommerce, social networks, the crowd-enabled knowledge economy, the entire public domain IP domain, etc. – this is a threat. I mean, you have to understand how these markets work. You validate business models on segments. Segments are constructed on measurable and almost static or stable trait data, which on the easiest level includes geolocation, gender, age, sex and social status. All of which can be construed – this is highly relevant – as data items that can be used to identify an individual, which then falls under the personal data definitions of GDPR. Going beyond that, political affiliation, possibly “ethnicity” (still don’t believe in the concept, but people behave according to it after it was introduced, and it becomes stronger and stronger under the identity politics regimes that are on the rise in the West), etc. And beyond that, behavioural data. While it is statistically valid to argue that you can only infer segment, but not identity, using most data items that are classified as personal data, we will see later why the executive branch will see this differently (interest misalignment and likely incompetence). All those features imply similarity in habit, choice and consumer behaviour. Not being able to classify or derive analytics on segment data means not being able to validate product-market fit hypotheses on markets. That is bad.

On top of not being able to collect segment data, you are also not able to act upon classical user or customer engagement channels without consent. Although it is clear that almost nobody likes to give consent to marketing and sales initiatives that are “just not there yet” and appear spammy. While the idea is noble to protect humans from advertising, content placement and promotions – and all that outbound and aggressive inbound crap –, this is what drives at least – talking subjectively here – 60% of modern companies and existing companies in our days. Without that, a lot of people lose jobs.

That makes the entire thing nonsensical. But it even gets absurd. Because the GDPR regulation includes references to items that basically claim “oh, if it hurts the business world and the interest of keeping business survival in balance with personal data protection interests, then it is fine and you do not need consent”.

Ouch. Let’s get back to isolationism later and talk about terrible drafting.

Terrible Drafting – It’s data protection, not data consent law, stupid

Now look at what I said just one paragraph before. You have to balance business/market interest with personal data protection interest. That is very simple. You are talking “data protection”. It is very easy. Data protection means in essence (a) don’t sell data for new purposes and uses – as allegedly (covering my ass here) in a well-known Analytica case –, because then you don’t protect your data; (b) install security measures that protect your organization from hacks – “Security”; and (c) protect your organizational data from insiders selling that data – which is in essence identity and access management paired with data use policy and process within the organization. That is basically security and identity and access management. Totally get it. Good stuff.

If you look at these two things, it totally makes sense and you don’t really have the isolationism problem. Just protect the data you collect. Good. But collect it. Great.

The conflict of these two interests is the first weirdness in the GDPR. And it is underspecified, undercommented – by judicial instances and the lawmaker – and it is simply weird at the moment. This is an uncertainty that just invites discriminatory application, and it is a real threat to companies that cannot afford, or do not have the capability, to understand and implement GDPR regulation. Especially given the potentially draconian fines.

But let’s assume you can collect everything. And you secure everything. Then you still have an issue. Because there is this consent mechanism. But why is it there?

A. Because someone came up with the very good and noble idea that the people who use the services should have oversight over the protected use and collection of personal data. Yes, even if very permissible, it is somewhat terrible to collect medical data or very deep private conversations – such as WhatsApp does – without proper cause for doing so. If you are using speech recognition – Alexa, Siri, etc. – to profile individuals, you should have (a) a ridiculously good reason and (b) a ridiculously good protection mechanism. But then again, does all that apply to someone spamming you on the email address you provided when signing up for a service?

B. And of course because someone thought about the noble right to be forgotten. Everybody who had email accounts spammed, abandoned them and forgot the password basically lost all ability to demand takedown of any account that is associated with that e-Mail. Anyone having had that experience knows how painful it is to request an account deletion, or how hard it is to force a foreign nation actor to take down your personal data if you have no account control. But here the practicality issue remains. GDPR doesn’t regulate proof of identity and the right to deletion in such cases. You still can’t prove identity either to providers where you had accounts that you can no longer access, or to third parties whom you never gave consent to use your data in the first place. So complete fail here.

The whole thing went overboard at some point. And now you have the regulation that says users must be able to grant fine-granular consent. That is stupid. Either you choose to use a service or you don’t. By enforcing fine-granular consent, you are admitting that people are addicted to and reliant on strong services, and you want to protect them from giving away more than they want to. In practice, users get slammed with standard policies and consent grant questions, and they probably will simply accept all of them or suffer from the service quality offered. The cognitive capacity and the will to spend time on managing fine-granular consents very likely is not there in the standard case. So no value add for the consumer.

Having strong monopolizing actors that provide highly addictive services is bad in the first place. Maybe it would be wiser to educate people that they have a choice and promote the search for alternative options. Alternatively you could regulate those powerful market participants whose services nobody can resist – if they are evil. But that would be taking a one-sided and discriminatory approach against market leaders. Maybe more of a monopoly and trust regulation issue. Not necessarily data privacy. And because of this issue – probably those guys were the target, apart from actual rogue actors that freely sell and broker personal information –, you are regulating everyone, even the small online shop owner who now has to wonder how he stores his customer list. Great! Well done.

Now if we see in reality that the judicial and academic debate focuses exactly on the balance between business interest and relevance of regulation based on monopoly/bargaining power over users, and we get to a consensus that we ignore SMBs and SMEs, all fine. But how realistic is that? That could lead to lawsuits. Why? Because it would be a discriminatory reading of the regulation and would maybe hurt the US-dominated B2C markets in their EU expansion, support EU companies in building a defensive market position and, yes, would be a kind of market interference that violates free market policies. So not going to happen.

But we all agree, data collection permissions aren’t really data protection. Unless you take the view of the individual who wants to protect his data. But hey, he is still free to choose to use the service. Until he isn’t any more, because all young and weaker business models died due to the market interference that is biased against companies that are young and not swimming in cash to run full-scale data privacy initiatives. And so the regulation could even increase the monopolization of basic technology services that everybody relies upon.

The Implementation Moronicism

Things get worse. Europe is still Europe. And such stuff as GDPR gets treated European style. It’s binding as of today in all of Europe – that’s new, no ratification needed. But the enforcement/executive level activity is now going from EU level to national level to state level. Guess what. This is going to be a new business model for state budget improvements or state-level income generation. Some states hired hundreds of GDPR folks to hunt down violations. Yes, this will be the speed limit regulation of the internet age. Where idiotic and underqualified executive branch officers will hunt weak SMBs and SMEs to get quota and ROI for the hiring, while state-level regulators of course won’t be able to hunt global MNOs. Ouch.

And then again, that’s a good thing, right? Because what will happen if you hunt the MNOs? Yes, they will turn it around and hunt the SMBs and SMEs in Europe to counter-attack the entire policy. You reap what you sow. That will/could hurt the market again. But you have to apply equal justice to everyone. So any foreign company attacking violations by EU competitors has good cause to win these kinds of disputes. Winning more lawsuits against competitors and settling using one’s war chest to protect oneself from the law also doesn’t look like the happy ending one would expect. But isn’t that likely to be what is going to happen? Simply by pushing executive responsibility to the lower levels, you ignore the big problems. Well done, executive branch. (This was the continuation of the isolationism view.)

But if you are strict legally, that is an interference that is one-sided and not legal, and the hunting down of small shops that will go out of business due to this is against the balancing concept. So you start capitalizing on people who can’t afford lawyers and can’t go to the highest instance. So again, discriminatory. Well done.

All that could be okay if it were well commented, transparent and all that to the public. But one gets the feeling there was no time for academic discussions. Or nobody got the issue. It seems rushed. And the uncertainty on the effectiveness of the regulation is visible directly in the rise of scam artists that sell based on GDPR fears. At the same time, no one responsible wants to go to jail or risk the company’s survival for being non-compliant under uncertainty on the application of the law. Yet another sign this was rushed and is ill-executed.

And finally, even if well executed and all falling well into place, being well designed, what prevents the next generation of AI mixed with crawling/content-aggregating engines from just running over the entire protection thing and ruining the whole show? Nothing. The idea is not only isolationist, it is also going against the reality of our world.

Well done, once again, Europe. You created a discriminatory, soon over-run, ineffective and isolationist regulation that also increases G&A overhead and profitability of all SMBs, SMEs and everyone, basically. And it has no chance of saving privacy.

Yes, for a noble cause that you can sell to voters and the world. But in essence, a terrible decision.

