Americans are getting a crash course in why the Brits chose Brexit. After driving the English away by dictating rules on everything from ferret imports to fruit juice labels to what kind of electric tea kettles they could buy, EU bureaucrats have now taken up regulating the internet.
The new GDPR impacts businesses everywhere, is likewise annoying and, more important, could be damaging to U.S. interests. Americans, like the Brits before them, may quickly tire of the EU’s unquenchable thirst for regulation.
As people everywhere click onto their favorite websites, they are greeted with pop-ups demanding attention and, worse, acquiescence to unintelligible notices concerning new internet privacy policies and those mysterious “cookies.”
Visit the Financial Times (FT) online, for instance, and you are given a choice: “manage cookies” or “accept and continue.” Though accepting is clearly the path of least resistance, it seems spineless not to at least pretend to manage your own cookies, even if privately asking what the heck a cookie is.
Welcome to the regulation-happy EU, which on May 25 landed upon us the General Data Protection Regulation (GDPR), a law governing internet privacy and data use.
Because the new regime catches up any organization that reaches a single individual in the EU and because breaches of the rules carry the threat of draconian fines, nearly every store, museum, health insurer, educational institution, news outlet, government agency, entertainment venue and social media operation anywhere in the world must comply.
Some simply cannot sort it out. For instance, Los Angeles natives traveling in Europe who are addicted to their hometown paper will find themselves blocked out of the L.A. Times news site, because the paper’s managers haven’t figured out how to comply with the new rules.
Some companies have quit the EU, daunted by the complexity of compliance and possible fines. A single misstep could cost a company €20 million or 4 percent of revenues, whichever is greater. Every EU country is implementing the new rules independently, suggesting substantial opportunity for confusion.
U.S. ad tech firms Verve and Drawbridge have announced they will cease doing business in Europe, while numerous small firms and apps have put operations on hold.
Though organizations have had two years to work out compliance, many dragged their feet. It isn’t only businesses that are unprepared; numerous countries have apparently neglected to work out their oversight responsibilities, further muddying the compliance waters.
Max Schrems, a privacy advocate, told a reporter that many companies may be caught up in navigating GDPR even if they have no involvement in harvesting people’s data.
For that he blames the big tech companies, who, he says, lobbied to make the law as complex as possible. He also says those firms are interpreting the GDPR to suit themselves and accuses the big players of “violating the rules.”
In the wake of the most recent Facebook scandal, involving the misuse of personal data by Cambridge Analytica, many may appreciate greater privacy protections. However, as is often the case when governments issue massive new regulatory regimes, the outcome may not be entirely benign.
First, it is likely that the large firms will be able to navigate these new rules better than the kinds of small start-ups that have made the internet a vibrant and growing industry. According to one survey, the Fortune 500 will spend nearly $8 billion to comply with the new rules, or $16 million apiece, employing on average 10 full-time workers to oversee compliance.
Commerce Secretary Wilbur Ross highlighted this concern recently in an op-ed in the Financial Times. He noted that our “open and entrepreneurial society” has driven innovation and technological progress and that the GDPR “will exact significant cost, particularly for small and medium-sized enterprises…”
He could have cited as a precedent the Dodd-Frank Act, the massively complicated banking regulations, which ended up hurting small banks and enabling the growth of large institutions that could afford the cost of meeting the rules.
Second, it has been reported that the new privacy warnings from the large tech companies like Google and Facebook have become more, not less, complicated. One of the main ambitions of GDPR was to provide increased transparency for consumers; not surprisingly, given the potential fines and fears of non-compliance, that appears to have failed.
Third, there is zero doubt that envy of U.S. tech exists in the EU. With enforcement of the new rules at the discretion of regulators, it will not be surprising if Google, Facebook and the like face more than their share of penalties.
Finally, as Ross notes in his piece, there are significant problems that may arise in worldwide efforts to combat deadly diseases or terrorism, since the sharing of personal data may no longer be possible.
Americans’ patience with the new oversight regime will depend on how important data protection really is to internet users. Pew reports that over 60 percent of the country is concerned about their privacy, and 64 percent would like to see greater restraints on online advertisers.
But, at the same time, most people are reluctant to give up online activity because it makes life more convenient. The ongoing growth in the number of Facebook participants, in spite of repeated data breaches, confirms that reality.
The GDPR allows customers to “opt in”; eventually, Americans may become eager to “opt out” of Brussels’ oversight, just like the Brits.
Published on The Hill