Happy GDPR day! At least if you can manage to be happy about a cumbersome, punitive, unprecedentedly extraterritorial legal regime that hijacks the resources of businesses everywhere without actually delivering privacy protection commensurate with the enormous toll attempts to comply with it extract. It’s a regulatory response due significant criticism, including for how it poorly advances the important policy goals purportedly prompting it.

In terms of policy goals, there’s no quarrel that user privacy is important. And it’s not controversial to say that many providers of digital products and services to date may have been… let’s just say, insufficiently attentive to how those products and services handled user privacy. Data-handling is an important design consideration that should always be given serious attention. To the extent the GDPR encourages this sort of “privacy by design,” it is something to praise.

But that noble mission is overwhelmed by the rest of the regulatory structure not nearly so adeptly focused on achieving this end, which ultimately impugns the overall effort. Just because a regulatory response may be motivated by a worthwhile policy value, or even incorporate a few constructive requirements, it is not automatically a good regulatory response. Unless the goal is to ruin, rather than regulate, knotty policy problems need nuanced solutions, and when the costs of complying with a regulatory response drown out the intended benefit it can’t be considered a good, or even effective, policy response. Here, even if all the GDPR requirements were constructive ones – and while some are, some are quite troubling – as a regulatory regime it’s still exceptionally problematic, in particular given the enormous costs of compliance. Instead of encouraging entities to produce more privacy-protective products and services, it’s instead diverted their resources, forcing them to spend significant sums of money seeking advice or make their own guesses on how to act based on assumptions that may not be correct. These guesses themselves can be costly if it results in resources being spent needlessly, or for enormous sums to be put in jeopardy if the guesses turn out to be wrong.

The rational panic we see in the flurry of emails we’ve all been getting, with subject lines of varying degrees of grief, and often with plaintive appeals to re-join previously vibrant subscriber communities now being split apart by regulatory pressure, reveals fundamental defects in the regulation’s implementation. As does the blocking of EU users by terrified entities afraid that doing so is the only way to cope with the GDPR’s troubling scope.

The GDPR’s list of infirmities is long, ranging from its complexity and corresponding ambiguity, to some notably expensive requirements, to the lack of harmonization among crucial aspects of member states’ local implementations, to the failure of many of these member states to produce these local regulations at any point usefully in advance of today, and to the GDPR’s untested global reach. And they fairly raise the concern that the GDPR is poorly tailored to its overall policy purpose. A sound regulatory structure, especially one trying to advance something as important as user privacy, should not be this hard to comport with, and the consequences for not doing so should not be so dire for the Internet remaining the vibrant tool for community and communication that many people – in Europe and elsewhere – wish it to remain being.

Permalink | Comments | Email This Story

Techdirt.