Tech Law Policy Blog Tracking the Most Important Research and Developments in Tech Law & Policy

GDPR Turns 1! 8 Reasons GDPR is a Horrible Law


The GDPR officially went into effect one year ago on May 25th. Since that time, the EU has issued at least €55 million worth of fines and set into motion many billions of euros (and dollars, pesos, yen, yuan, and pounds) worth of compliance efforts.

The GDPR has seen its fair share of praise on this side of the Atlantic, with an increasing number of high profile commentaries from tech executives at huge companies who have been required to comply with it. But notably absent from those offering praise have been smaller and mid-sized businesses, for whom the burden has hit hardest.

On behalf of those businesses, here is a retort to Tim Cook, Mark Zuckerberg, and Microsoft: Eight reasons why GDPR is a horrible law.

1) Compliance is Impossible

Perfect compliance with the GDPR is impossible. But don’t take my word for it, ask the people who wrote it.

According to scholar and GDPR expert Chris Jay Hoofnagle, in a paper commissioned by the EU, “a plain read of the GDPR suggests that we are all violating the GDPR, all the time…. It’s apparent that most companies will never be in perfect compliance with the GDPR.”

The GDPR is, in effect, the data and privacy equivalent of setting the speed limit at 3 miles per hour on every road, street, and highway. To do anything and go anywhere, everyone will have no choice but to violate the speed limit all of the time. Most of the time, law enforcement will ignore these infractions, because it would be unpopular and tiresome to enforce the law all of the time. Every so often, when regulatory agencies see something they don’t like, for whatever reason, they will impose a fine or enforce the law. Since everyone’s violating the law all of the time, it won’t be hard to find an infraction.

To use one colorful example of how ubiquitous noncompliance is: one study showed that nearly 90% of EU government websites were in flagrant violation of some of its most basic principles. As another example, the EU parliament’s own website violates the GDPR. But rather than amending its laws to make them more practical, these governmental bodies have simply exempted themselves from compliance.

Hoofnagle and his fellow scholars further explain that, “The GDPR’s text is vague in some places and speaks at the level of aspirational principle…. U.S. lawyers have fretted about perfect compliance, but in reality, European regulators rarely expect such compliance, nor will they impose 8-figure liability for small imperfections…massive liability will also be keyed to serious wrongdoing rather than accident [sic] or simple noncompliance.”

Most attorneys are indeed flummoxed by the law, because we can’t provide a clear and simple explanation to our clients about whether or not they are in compliance. It isn’t very comforting to hear your lawyer say, “you’re probably not in perfect compliance with this law, but don’t worry, you probably won’t get an 8-figure fine for accidental or simple noncompliance, or so we’re told.”

What most companies want is a simple explanation of what they need to do to comply with a law, and then to move on with their business. When most well-intentioned companies are in constant violation of a law, as is the case with GDPR, that is very compelling evidence that what you have is a very bad law.

2) Extraterritoriality

Imagine you’re Australian living in Antarctica. You’ve never even been to Europe. Heck, you’ve never even met a flesh and blood European.

In addition to whatever you do for your day job, you also have a WordPress site about adorable penguins. You take pictures of penguins and post them online. You don’t make much money from the site, perhaps a few hundred Australian dollars a month, but the site is relatively popular, because, well, who doesn’t like penguins?

You have people who’ve found your site from 100 different countries, including Iceland, Ireland, Spain, France, Poland, Denmark, and Germany. Like many people who use WordPress, you also have a Google Analytics plugin installed to see which posts get the most hits and from where.

Even though you’re more than 10,000 miles from Europe, and you barely even have a commercial website, because Europeans like penguins, too, all 88 pages of the GDPR apply to you! Not only that, but because both WordPress and Google Analytics use cookies, you’re considered high risk!

It’s not enough that the EU wants to set the privacy and data speed limit at 3 miles per hour in Europe, they insist on setting it at that speed for everyone else in the world, too.

This extraterritoriality is the reason why I, a lawyer living high in the mountains of Colorado, have to deal with the GDPR. It’s the reason why your business might have a theoretical obligation to comply with it, too. Again, most of the time, data authorities in the EU probably will not enforce the law against me, you, or against the guy posting penguin pictures.

But their law says that they can. Which is, on its face, totally crazy.

3) No Exemptions for Smaller Businesses

Many laws that impose high compliance burdens have some kind of minimum threshold, where if you’re a small company, you don’t have to comply. Or, in many cases, the compliance burdens are not as severe.

For example, Title VII of the Civil Rights Act and the Americans with Disabilities Act don’t apply to private companies that employ 15 or fewer individuals. In the context of privacy, California’s new privacy law, set to go live in 2020, doesn’t apply to companies that (a) have less than $25 million in gross revenues; (b) receive or disclose the personal information of fewer than 50,000 California residents; or (c) derive less than 50 percent of their annual revenues from selling California residents’ personal information.

No such exemption exists with the GDPR. It applies to every business that processes the data of persons in the EU, period. The only exemption is for those who use data for “purely personal or household activity.” So, thankfully, a French child texting to her Mom to tell her that she and her brother are going to be late for dinner does not have to endure the full compliance burdens of the GDPR. But that’s not the case for every business that touches the data of anyone in the EU.

If you have a pizza restaurant and you deliver (regardless of whether you even have a website), if you have a website for a laundromat, or if you have a website about penguins in Antarctica, the GDPR applies to you, as long as you “process the data” of even a single person in the EU.

4) It Entrenches the Tech Behemoths

You know who does like the GDPR? Mark Zuckerberg!

Why would he, the founder of the company that is arguably the worst purveyor of data privacy violations in the history of humankind, be such a fan of the GDPR?

Because he can pay a thousand lawyers a quarter of a million dollars a year to deal with this crap, and not have it hurt his bottom line. And more importantly, you and I can’t afford to do that. So it increases Facebook’s relative market position.

You know who else loves the GDPR? Microsoft! Because it gives them an opportunity to develop and sell tools to small businesses. Also, Apple!

For a deeply entrenched firm, the GDPR is a cost of doing business. So, too, are the fines and the penalties and the litigation. For an upstart business with fewer resources, the burdens of the GDPR, and the fear of massive fines, become a barrier to doing business. With fewer competitors, the deeply entrenched firms become more deeply entrenched.

The tech behemoths know this better than anyone. That’s why they’re all writing op-eds begging for more regulations. And every time a tech behemoth executive writes one of these op-eds, an entrepreneurial angel falls from the sky.

In the first few months after GDPR’s arrival, the data came back showing that EU advertisers started abandoning smaller AdTech vendors in droves. The most likely reason was that smaller AdTech vendors struggled to demonstrate compliance, and rather than risk massive fines, advertisers sought protection and safety in numbers by working with the biggest names in the industry.

According to the brilliant Ben Thompson of Stratechery (who predicted this in 2017):

There is a lot of excitement about how this regulation will limit Google and Facebook in particular, by, for example, limiting the use of personal data and enforcing data portability (and not just a PDF of your data — services will be required to build API access for easy export).
The reality, though, is that given that Google and Facebook make most of their money on their own sites, they will be hurt far less than competitive ad networks that work across multiple sites; that means that even more digital advertising money—which will continue to grow, regardless of regulation—will flow to Google and Facebook. Similarly, given that the data portability provisions explicitly exclude your social network—exporting your friends requires explicit approval from your friends—it will be that much harder to bootstrap a competitor….

GDPR will be a pain for Google and Facebook, but it will be lethal for many of their competitors, which means digital ad revenue post-GDPR…will go to Facebook and Google… it’s not like they need the help in building a moat, but they will get it nonetheless. Meanwhile, the inexorable shift of users to digital services and away from traditional advertising venues—which will result in the shift in advertising dollars to digital—is not going to slow down.

5) It Breaks Up the Internet

The internet is beginning to diverge, where the reality of what people can and do find online becomes very different depending on where they live. This has been true for years in China, but the GDPR will likely serve as the wedge driving apart the European internet from the rest of the world.

The goal of the GDPR is to raise the standards for internet privacy worldwide. The reality is that it creates a less unified internet. By changing the standards for what content can be placed and can remain online, EU’s regulators have essentially determined by fiat that the reality of its citizens’ internet will be different from the internet reality for other countries.

Most specifically, what will impact what Europeans see is the GDPR’s “right to be forgotten,” whereby any person wishing to remove something they don’t like from the internet has a rebuttable presumption to be able to get any old information scrubbed from search engines.

According to legal commentator Jeffrey Rosen:

The [GDPR] treats takedown requests for truthful information posted by others identically to takedown requests for photos I’ve posted myself that have then been copied by others: both are included in the definition of personal data as “any information relating” to me, regardless of its source. I can demand takedown and the burden, once again, is on the third party to prove that it falls within the exception for journalistic, artistic, or literary exception. This could transform Google, for example, into a censor-in-chief for the European Union, rather than a neutral platform. And because this is a role Google won’t want to play, it may instead produce blank pages whenever a European user types in the name of someone who has objected to a nasty blog post or status update.

Similarly, in some instances, it has led to sites simply going offline for all Europeans.

Last summer, I went back to Ireland for a cousin’s wedding. A few days after I arrived, I decided to log in to my small, hometown newspaper’s website (to which I have a subscription) to see what was happening at home. Turns out, even with a subscription, I couldn’t get in. Rather than dealing with GDPR compliance, the Mountain Mail from Salida, Colorado opted to simply block all persons trying to visit the site from the EU.

As GDPR and similar regulations continue to expand in their breadth and scope, the internet in the EU becomes increasingly different from what it is elsewhere. When the main source of our information fragments and disintegrates, the basics of how we perceive reality do, too. That can’t be a good thing.

6) It Requires Every Business to Use Plain Language, yet the Law Itself Is Totally Incomprehensible

Let’s play a game. Pick a number between 1 and 88. Got it?

Ok, now click on this link, which is a link to the 88-page full text of the GDPR, find your number, and then start reading.

Here’s a highlight from p. 1.

The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Got that? Understand what we’re trying to accomplish here?

The GDPR requires anyone who processes the data of EU citizens to provide clear notices related to what they’re doing in plain language that anyone can understand.

That’s a great idea. Who wouldn’t agree with that?

But the GDPR itself, the law that tells us what we can and cannot do with people’s data, is written in the most opaque, incomprehensible, bureaucrat-ese I have ever read. The more you read it, the less clear you are about what you can and cannot do.

7) The Costs Far Outweigh the Benefits

Some estimate that businesses have spent around $150 billion in compliance efforts, and that was just before GDPR went into effect. That’s not taking into consideration the 75,000 full-time privacy officers hired to comply with the law’s ongoing obligations. That’s an enormous expenditure—money that’s not being invested in research and development, money that’s not being taxed and spent in other ways.

That’s enough money, according to the folks at effective altruism, if spent effectively on the best charities, to save about 20 million lives.

But of course, we’re not saving lives. And I’m not suggesting that had compliance efforts not gone into the GDPR, they would have gone to effective altruistic charities.

But at a price tag of well over $300 per citizen of the EU, there are many more cost-effective ways of spending that kind of time and money. Somehow, if you took a vote and asked citizens themselves whether they’d be willing to pay that much to put the GDPR into effect, the law would never have happened.

8) It’s a Bad Model for Other Nations to Follow

As Microsoft’s executives pointed out in their most recent op-ed, in a vacuum of privacy law leadership, the GDPR has become the model for many other countries to follow.

For all the reasons discussed above, that’s not a good thing.

The United States is long overdue for its own federal privacy law. But we can do better than the GDPR. It is possible to draft a law that creates clear distinctions between what constitutes compliance and non-compliance. To make compliance burdens easier for small businesses so as not to further entrench the tech behemoths. To punish offenders of privacy violations without burdening or putting pressure on well-intentioned businesses engaged in normal business practices.

And if we want to do all of that, the last thing we want to do is to follow the GDPR.
