fwd: Happy birthday, GDPR
Europe is tough on companies. It should be equally tough on itself.
Five years ago this week, Europe’s ambitious privacy regulation GDPR went into effect.
Four capital letters that still give IT or marketing managers a visceral reaction. Let’s take stock of its impact.
With GDPR, Europe became the de facto Western tech regulator. By setting the rules for the largest economy in the world, Europe effectively set the rules for platforms. Especially with the US itself slow to take up the mantle. It is a role that the EU hopes to solidify, by the way, with the upcoming Digital Services Act and Digital Markets Act, aiming to curtail big gatekeepers. And then there’s also the nascent Artificial Intelligence Act.
If Europe is really keen on being the Big Tech police, it will need to step up its game when it comes to enforcement. This hefty task is left to the member states that are typically understaffed and lack domain expertise, which means we’re only now seeing infringements being punished.
And let’s face it. Meta was just now handed a record €1.3 billion fine, but for a company making dozens of billions in revenue each quarter, that’s a bump in the road. A speeding ticket Zuckerberg will gladly pay as he continues to cruise through the data industrial complex.
Which brings us to what matters most: what did GDPR change for users? Do we feel like we own our data? That our privacy is being respected? Writing this, it’s hard to wipe the smirk off my face. Let me think about that for a moment as I click away my 100th opt-in banner of the day. Oh, “you value my privacy”, and “would I like a cookie”? No thank you. But a manual to find the “only necessary cookies” would be appreciated.
Let me be frank: GDPR doesn’t really increase our sense of privacy. But it did decrease the usability of nearly the entire internet. And that’s no small feat.
The reason why is clear. Most companies don’t really buy into the whole privacy-by-design thing. More like privacy-window-dressing. Legal departments are instructed to find the lowest bar to clear, as the companies gladly continue to squeeze every drop of data from consumers.
Business as usual. With the usual business model.
Admittedly, shifting to new, truly privacy-respecting business strategies takes time. But that change can only happen when companies change their mindset. So they mean it when they say they respect their customers.
Until then, I’d like to address our beloved EU government officials: do you mean it when you say that privacy is a fundamental right?
Because if so, you might want to speak to three-thirds of your member states, who came out plainly against end-to-end encryption of chat messages.
Under the auspices of child protection (CSAM), a proposed law would effectively ban encrypted messages (where no one except the sender and receiver knows their contents). Or give governments a backdoor, effectively voiding encryption. Some countries even suggest scanning every message before it’s encrypted, which defeats the purpose, doesn’t it?
You can’t be against protecting our children. But there is no evidence that scanning private messages would fix child abuse. On the contrary, there is evidence that indicates the safety of our young would be threatened, were the privacy of their messages to disappear.
All this talk about going after the big bad tech wolf made the EU believe in fairy tales: one where they want security and privacy, but only for the good guys.
Sure, criminals use chat apps, and this would be a trove of intel for the police. But criminals also talk behind closed doors. So should we all just live with our doors open from now on?
If the EU wants to be tough on data-hungry tech companies, it should be equally tough on itself. Because, wasn’t that the promise of GDPR? To protect and respect the data of Europeans?
Here’s hoping for a less grim message, when we look back in another five years.