Europe’s privacy laws, the GDPR is in force. While you might think privacy advocates would be happy, reaction seems to be a bit more divided.
The GDPR (General Data Protection Regulation) is now in force. The laws establish boundaries on what companies can and cannot do with the personal information of European citizens. If you are a web developer, you’ll likely know all too well about the laws by now if you use well known third party services.
With a new set of privacy laws in place, you’d think privacy advocates would be celebrating all over. That apparently isn’t the case. US based blog Techdirt blasted the new laws as cumbersome without solving anything in terms of privacy:
Happy GDPR day! At least if you can manage to be happy about a cumbersome, punitive, unprecedentedly extraterritorial legal regime that hijacks the resources of businesses everywhere without actually delivering privacy protection commensurate with the enormous toll attempts to comply with it extract. It’s a regulatory response due significant criticism, including for how it poorly advances the important policy goals purportedly prompting it.
In terms of policy goals, there’s no quarrel that user privacy is important. And it’s not controversial to say that many providers of digital products and services to date may have been… let’s just say, insufficiently attentive to how those products and services handled user privacy. Data-handling is an important design consideration that should always be given serious attention. To the extent the GDPR encourages this sort of “privacy by design,” it is something to praise.
But that noble mission is overwhelmed by the rest of the regulatory structure not nearly so adeptly focused on achieving this end, which ultimately impugns the overall effort. Just because a regulatory response may be motivated by a worthwhile policy value, or even incorporate a few constructive requirements, it is not automatically a good regulatory response. Unless the goal is to ruin, rather than regulate, knotty policy problems need nuanced solutions, and when the costs of complying with a regulatory response drown out the intended benefit it can’t be considered a good, or even effective, policy response. Here, even if all the GDPR requirements were constructive ones – and while some are, some are quite troubling – as a regulatory regime it’s still exceptionally problematic, in particular given the enormous costs of compliance. Instead of encouraging entities to produce more privacy-protective products and services, it’s instead diverted their resources, forcing them to spend significant sums of money seeking advice or make their own guesses on how to act based on assumptions that may not be correct. These guesses themselves can be costly if it results in resources being spent needlessly, or for enormous sums to be put in jeopardy if the guesses turn out to be wrong.
Meanwhile, European based site EDRI has a much more positive outlook on the law. They say that the law ushers in a new era of respect for privacy:
The General Data Protection Regulation (GDPR) is going in effect tomorrow, on 25 May 2018, strengthening and harmonising individuals rights in regards to personal data. A much celebrated success for all privacy advocates, GDPR is more than just a law.
GDPR is a new philosophy that promotes a culture of trust and security and that enables an environment of Respect-by-Default
said Joe McNamee, Executive Director of European Digital Rights.
The Directive adopted in 1995 was characterised by a tendency towards bureaucratic compliance with little enforcement. The GDPR represents a recalibration of focus, establishing a new balance between companies, people and data. The framework does not only protect, but also changes, perceptions of personal data. On one hand, GDPR protects individuals from companies and governments abusing their personal data and promotes privacy as a standard. On the other, it gives businesses the chance to develop processes with privacy-by-default in mind, ensuring in this way both individuals’ trust and legal compliance . GDPR minimises the risk of some companies’ bad behaviour undermining trust in all actors.
The GDPR is capable of setting the highest regional standards for the protection of personal data; once well implemented, we need updated global rules
said Diego Naranjo, Senior Policy Advisor of European Digital Rights.
While not perfect, because no legislation is perfect, the GDPR is probably the best possible outcome in the current political context. We will now have to rely on each EU Member State’s Data Protection Authority (DPA) to do their jobs correctly and on governments to ensure enough resources have been allocated to allow this to happen.
So, even though everyone agrees to the importance of privacy, it seems that the reaction is divided. At this stage, we’ll have to see how well things shape out as this law gets on its feet. Enforcement of privacy is going to be something we’ll have to keep an eye on because that’s where the rubber meets the road when it comes to the power of laws. As such, we’ll keep an eye on this to see how well things turn out.
Drew Wilson on Twitter: @icecube85 and Google+.