Europe's New Data Privacy Rules Will Make Facebook and Google More Powerful

The EU's GDPR should serve as a cautionary tale for Americans eager to reign in tech titans


Mark Zuckerberg
Stephen Lam/REUTERS/Newscom

Americans are mad as hell, and they can't take it anymore.

At least, this was the general thrust of last month's two-day media-brouhaha-cum-congressional-testimony of Mark Zuckerberg over Facebook's privacy and data policies. But when it came time for each policymaker to articulate exactly what they were upset about, the tech CEO's inquisitors mostly floundered. There was no clear and agreed-upon ill that our esteemed delegates called upon Zuckerberg to redress. Rather, there seemed to be a vague idea that Facebook and other internet platforms were out of control, and that Something Must Be Done about it.

That "something," more often than not, is new regulations. Opportunistic policymakers are already capitalizing on the public's souring mood against tech giants by suggesting "tough" new rules to supposedly reign in Facebook, Google, and the rest.

Yet these rules would almost undoubtedly only end up helping the titans they aim to topple. That is exactly what the European Union's impending data rules, called the General Data Protection Regulation (GDPR), appear to be doing.

The EU likes to think that it is a pretty tough cop on the data privacy beat. The supranational body has presented a unified front on data issues since adopted its European Data Protection Directive (EDPD) in 1995, well before the rise of the modern internet. It officially ratified the GDPR in 2016, and the policies are slated to fully take effect on May 25, 2018.

Despite the EU's marketing that the GDPR will "provide increased legal certainty" for tech companies and "greater protection for the individual in general," there's a lot of ambiguity over what the regulations actually do. The language holds "all companies processing the personal data of subjects residing in the Union" to specific breach notification, "right to be forgotten," data portability, and privacy and security policies.

These policy goals are nestled among a concoction of sprawling Eurocratic legalese in the 88-page GDPR. The rules employ a very broad definition of "personal data" that could ensnare basically any website with which EU citizens interact. Everyone from Mark Zuckerberg to the lowly administrator of a randomized dice service for tabletop gamers called must now pore through arcane GDPR texts to determine how they must comply with the onerous regulations—and whether they can continue in the European market at all.

You may have noticed a flood of emails from online services informing you of their enhanced data policies. You almost surely clicked "accept" without really reading anything and moved on with your life. That new layer of policy jargon that you blindly accepted comes courtesy of the GDPR. Don't you feel so much safer now?

The GDPR's effects extend far beyond catalyzing yet another round of privacy policy notifications from online platforms. One false move, and online operators may find themselves subject to millions of dollars in EU penalties.

Facebook and Google and Microsoft have plenty of money to hire lawyers, bring in extra programmers to comply with the rules, and pay the fines if they do break them. Or they can just pass the buck. Google is already making waves in the publishing world for its creative interpretation of GDPR policies: The search giant is making publishers handle user consent headaches on Google's behalf, despite the fact that it's much easier for an established web presence like Google to coax users to agree to their technically-GDPR-compliant privacy policies.

Other small scale services will be forced to shutter themselves from the European market in response to the GDPR. Some of them will go under. Many will only be tangentially related to the ongoing data privacy conversation, if at all. It is unreasonable and unfair that they should be pushed to shut down because the GDPR is poorly written.

But some of these prematurely-stifled projects are the would-be giants of tomorrow, who could have risen above the fray to challenge current market leaders with better services and data policies. Because they lack dominant firms' deep pockets and brand power, they will be strangled in the crib before they get a chance to really show their stuff.

It is not controversial to argue that the GDPR will empower incumbents. The New York Times ran a story about how the GDPR will "strengthen Facebook's and Google's hegemony and extend their lead on the internet." The article goes on to discuss how the EU's "right to be forgotten" court ruling in 2014 merely cemented Google's grip on the continent.

In its story on how Facebook and Google will benefit from the GDPR, the Wall Street Journal presented an amusing anecdote about an EU regulator who visited Silicon Valley to discuss the rules. Believing herself to be the bane of the tech giants, the regulator expected to get "an earful" from a fearful tech elite. Instead, she found herself mostly ignored, since the companies' attorneys had long since assuaged them of any regulatory worries. "They were relaxed, and I became worried," she confessed to the Journal.

Yet somehow, the same media outlets that are exposing the anti-competitive effects of the GDPR also publish articles calling for U.S. regulations in the same vein. An opinion piece in the New York Times calls upon Congress to adopt "European-style data protection policies," while another commentary in the Wall Street Journal chides the FCC for "[neglecting] online privacy" regulations.

When will people learn that regulations can help the industries they are supposed to reign in?

The EU policymakers who drafted the GDPR certainly didn't believe they were doing Facebook and Google any favors. They are quite antagonistic to Silicon Valley, and thought they were really sticking it to the out-of-control tech fat cats. Facebook and Google probably would prefer that they didn't have to hire an army of lawyers to navigate the EU rules. But the end result is a new barrier to entry in the technology market that further bulwarks incumbents' positions.

You don't have to be an interventionist Luddite to be suspicious of some tech firms' shadowy but speculated data and advertising practices. On the contrary, I find that the more technologically-savvy one is, the more likely they are to scrutinize data collection practices. But tech-savvy folks usually don't draft privacy regulations. Rather, data rules are written by people like Senator Orrin Hatch, who did not realize that Facebook made money by selling ads. It is not surprising, then, that privacy regulations tend to merely benefit the companies they intend to restrain.

Those seeking transparency into online platforms' data and advertising policies would be wise to take a lesson from the European experience. For meaningful data reform, we should reject clumsy and counterproductive government regulation that benefits incumbents. Instead, strategies that coax online platforms to divulge more information about their hidden data practices will show us the true dimensions of the advertising ecosystem.