Perhaps the smartest thinker on tech policy issues right now is a non-politician, non-regulator, and a non-lawyer. Here’s Ben Thompson’s missive this week on Mark Zuckerberg’s op-ed in the Washington Post and how it relates to the EU’s new copyright directive. I truly could not have said it better myself.
Here’s the original op-ed from Zuckerberg, for context.
From a PR perspective, Zuckerberg is in a no-win position right now. It seems the whole world has its goat up against the company. But anyone who knows corporate law knows that any CEO and board member has a fiduciary obligation to act in the best interest of the company’s stockholders. Unless Zuckerberg has a pre-meditated desire to get sued by his own stockholders, this op-ed must, by definition, be a purely self-serving act on behalf of Facebook. He’s providing a roadmap of what regulations are in Facebook’s best interests. I have to believe that regulators know this as well. As a person who has a fondness for strategy games, I’m puzzled by this move by Zuckerberg.
Somewhat related to Facebook: Singapore proposed a new law to stop “fake news.” The new law, according to the excellent Tech Law Dispatch, “aims to stem the communication of false statements of fact, enable the detection and control of information manipulation, and promote the transparency of online political advertisements.” How do we determine that? “Any person or organisation that spreads online falsehoods with malicious intent to harm the public interest in Singapore could face a fine of up to SGD 500,000 or, in the case of an individual, a five-year imprisonment term.”
Would an anti-Vaxxer qualify? How about an anti-GMO poster? Or maybe someone who holds a few controversial opinions about Lee Kuan Yew?
Slow week in terms of Tech Policy-related law review articles, so I’ve been going back and reading scholarly commentary on the GDPR. I’ve been struggling to comprehend how so many seemingly intelligent people continue to heap praise on the GDPR (including Zuckerberg in the above-mentioned op-ed), when I hate it so much, and so I’ve been doing some additional reading in hopes that I might see their perspective.
But the more I read about it, the more I dislike it.
Truly, GDPR strikes me as one of the most over-reaching, incomprehensible, and opaque laws I’ve ever seen.
What I hate most about the GDPR is that the law is so overwritten, so vague, and so overbearing, that it is impossible to ascertain whether one is complying with the law or not. According to Hoofnagle et al. (in an article paid for by the EU, no less): “a plain read of the GDPR suggests that we are all violating the GDPR, all the time…” The authors go on to explain that individuals are exempted from the GDPR, and so needn’t worry about non-compliance, but there is no de minimis exception for small to medium-sized businesses. Those businesses should indeed worry that they might be “violating the GDPR, all the time.”
According to the authors:
To make the electronic body inviolable, the GDPR covers an immense landscape of potential informational problems. The GDPR attempts to answer information questions ex ante. Even remote, edge-case hypotheticals about data can be answered in the GDPR framework, with varying degrees of satisfaction. Second, laws such as the EU’s GDPR differ in construction from most U.S. regulatory text. The GDPR’s text is vague in some places and speaks at the level of aspirational principle. Parts of the GDPR could be characterized as ‘principles-based regulation’. The GDPR’s provisions are supplemented with even more indeterminate ‘recitals.’ Such text flummoxes U.S. lawyers because of its lack of specificity. Third, the difference in construction leads to a practical consequence: whereas in the U.S., interactions with regulators typically mean that enforcement is afoot, in the E.U. context, colloquy with regulators is a routine rite in the compliance process. U.S. lawyers have fretted about perfect compliance, but in reality, European regulators rarely expect such compliance, nor will they impose 8-figure liability for small imperfections. As we explain below, massive liability will also be keyed to serious wrongdoing rather than accident or simple noncompliance.
The European Union general data protection regulation: what it is and what it means, by Chris Jay Hoofnagle, Bart van der Sloot & Frederik Zuiderveen Borgesius, 2019 (emphasis added)
I must confess that I am, indeed, flummoxed.
GDPR covers an immense landscape, almost all businesses are violating it all the time, perfect compliance is impossible, it has extraterritorial reach, and there’s 8-figure liability for getting it wrong. But don’t worry, because regulators probably won’t enforce it in the way it’s actually written.
What’s not to like?
GDPR is the data equivalent of setting the speed limit on every road in the world at 2 miles an hour and giving dozens of regulatory authorities complete discretion to enforce the law however they see fit, with maximum fines of €20 million and 4% of worldwide revenue.