One Year Into The GDPR: Can We Declare It A Total Failure Yet?
Tomorrow will represent a full year since the GDPR went into effect. In the run-up to the GDPR, we called out many of the problems with the regulation which, while well-intended, did not seem to deal well with the nature of the internet, speech, or what privacy actually means. In the year since, we’ve posted numerous stories highlighting the negative consequences of this poorly considered law.
Whenever we do that, however, many of the law’s defenders insist that these unintended consequences are a small price to pay for either protecting our privacy or reining in the internet giants. So, it does seem worth investigating whether or not the GDPR has done either of those things. And, so far, the evidence is sorely lacking. Indeed, on the question of dominance, we pointed out late last year that the early returns suggested that the GDPR had only made Google more dominant, which hardly seems like a way to punish the company.
And now that we have more results, it seems more and more people are realizing that the GDPR has been an utter failure. As CNBC notes in its evaluation of the law, it’s hard to see how the GDPR has resulted in any benefits to the public. Instead, it’s just created a big mess:
…one year later, GDPR hasn’t lived up to its potential.
Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.
And, as Politico has pointed out, it appears that not only has the GDPR made the big tech companies more dominant, it’s now laid out the rules of the road by which they can introduce even more privacy-destroying offerings:
New forms of data collection, including Facebook’s reintroduction of its facial recognition technology in Europe and Google’s efforts to harvest information on third-party websites, have been given new leases on life under Europe’s General Data Protection Regulation, or GDPR.
Smaller firms — whose fortunes were of special concern to the framers of the region’s privacy revamp — also have suffered from the relatively high compliance costs and the perception, at least among some investors, that they can’t compete with Silicon Valley’s biggest names.
“Big companies like Facebook are 10 steps ahead of everyone else, and 100 steps ahead of regulators,” declared Paul-Olivier Dehaye, a privacy expert who helped uncover Facebook’s Cambridge Analytica scandal. “There are very big questions about what they’re doing.”
This entire approach is backwards and silly. If we want to have better control over our privacy we’re not going to do it through demanding better privacy policies, or confusing data protection laws. We need to create the incentives to put the actual control of the data back into the hands of the users. And that doesn’t just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That’s not the world we have today, and nothing in the GDPR gets us any closer to it.
And the answer is not “more enforcement.” That just locks in the big companies even more and continues to present the roadmap to “follow” the rules, or to work the refs. Instead, if we moved to a system of protocols instead of platforms we could decouple the data from the service, putting real control of the data back in the hands of end users. Then things like privacy policies and GDPR enforcement wouldn’t matter so much, because we’d have direct control over our data.
Instead, all we have is a massive law that has harmed startups, entrenched big companies, failed to protect privacy and just served to annoy most users.
The reality is that many people, in order to save time, simply click “OK” on the never-ending stream of pop-ups and most everyone I spoke to confessed that they just move on when unable to access the desired website. Or, as one Twitter user expressed, “I read a lot fewer articles in US papers/magazines.”
And, sure, there have been a few fines of internet companies, but as recent GDPR complaints show, there does not appear to be any way to actually fully comply with the GDPR, which makes it a particularly useless law. If you can’t actually comply, if it’s not actually protecting privacy, and it’s just annoying users and creating more bureaucracy, what good is it?
Meanwhile, Alec Stapp has collected a ton of stories and examples of the GDPR’s negative impact. It notes much of the stuff above, but also highlights just how damaging it’s been to innovation on the whole:
Startups: One study estimated that venture capital invested in EU startups fell by as much as 50 percent due to GDPR implementation. (NBER)
Mergers and acquisitions: “55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR” (WSJ)
Scientific research: “[B]iomedical researchers fear that the EU’s new General Data Protection Regulation (GDPR) will make it harder to share information across borders or outside their original research context.” (POLITICO)
So now that we’ve had a year, can we admit that the GDPR has been a total failure by almost every possible measure? Supporters of the law will say to give it more time, or say we need to “improve” the rules, but it should be obvious by now that the entire approach is the problem, not the implementation.