Blindered by the GDPR
I usually don't like new tech regulations.
One reason is that technology changes so fast that new regulations tend to protect yesterday from last Thursday.
Another reason is that lawmakers tend to know little or nothing about tech. One former high U.S. government official once told a small group of us, roughly, "There are two things almost nobody in Congress understands. One is technology and the other is economics. So good luck."
Still, I had high hopes for the GDPR (the EU's General Data Protection Regulation), which famously went into effect one year ago. I suggested that we re-brand 25 May "Privmas Day" (hashtag #privmas), since I expected the GDPR would go far toward protecting personal privacy online, which prior to that date had been approximately nil. Back in 2017, I said (onstage, in front of thousands) the GDPR would be "an extinction event for adtech in Europe."
Here in Linux Journal, I put up an FUQ for the GDPR (the U meaning "Unanswered"), meant to provide guidance toward new developments that could give each of us many new forms of agency online, as well as some privacy. Because I really did expect the GDPR to encourage both.
Alas, mostly it hasn't. Worse, most of its early effects have been negative. For example:
- The Interactive Advertising Bureau (IAB) and the ad-supported tech giants are doing their best to preserve what Shoshana Zuboff calls surveillance capitalism and Brett Frischmann and Evan Selinger call re-engineering humanity. (For more on that last link see Engineers vs. Re-engineering in last August's Linux Journal.)
- Most GDPR-spurred developments have been toward reluctant, minimal and expensive compliance efforts by websites and services. The most obvious results of those developments are gates at the entries to websites, most of which ask that each of us consent to those sites doing exactly the kind of surveillance the GDPR was meant to outlaw. And getting away with it, as long as the GDPR remains mostly unenforced. (See Without enforcement, the GDPR is a fail. I posted that here last July.)
- From what I've seen so far (and I've done a lot of looking), all the major publications covering privacy issues online continue to direct attention toward Google and Facebook, and away from the third rail they deeply fear to grab: that they are just as guilty of participating in exactly the same surveillance business. I expect they will cover that story eventually, mostly because I've talked to a lot of their reporters about it. But so far we haven't seen much. (Credit where due: in You’re Not Alone When You’re on Google, Jennifer Senior of The New York Times notes in passing that "your newspaper" is among the guilty parties.)
- New regulations, inspired by or modeled on the GDPR, preserve or amplify some of its worst features. For example, the California Consumer Privacy Act, aka Assembly Bill 375, deals almost entirely with getting back or restricting use of personal data that is already harvested by others. It does almost nothing to support individuals saying no to having that data harvested in the first place. That's because, like the GDPR, the CCPA assumes that nearly all agency is on the data collector's side, and therefore puts the burden of responsibility for personal privacy on potential violators, rather than enabling individuals to create privacy for themselves.
And that's the pickle we're in now: if you want to talk privacy, ya gotta talk #GDPR. And that means assuming that personal privacy is entirely a grace of what others don't do to us, rather than what we can do for ourselves. This is a very blindered view: one that locks everybody into thinking about how to protect 2015 from 2012.
Fortunately, we don't have to wear the GDPR's blinders.
For example, if you're not spying on people, don't bother with a cookie notice. They're all roughly the same as putting one of these on your house:
And start working on stuff that increases not only our privacy online, but our agency: the ability to get things done. New things. Better things. For example, terms that we can proffer and the sites and services of the world can agree to. (As we've promised to do here at Linux Journal.) There's a good list in An FUQ for the GDPR, and a continuously updated one in this punch list at ProjectVRM, which I run.
Meanwhile, we're not going to stop the lawmaking. So let's help lawmakers think and work outside the GDPR box. That means they should stop assuming that personal privacy is entirely the responsibility of potential violators. Here are four pieces that should help: