The EU's New Privacy Rules Are Already Causing International Headaches

Well, that didn't take long. The European Union's long-awaited (and commercially dreaded) privacy regulations, known as the General Data Protection Regulation (GDPR), have already begun wreaking havoc online.

Before the rules took effect on May 25, commentators had warned that the GDPR would consolidate power in the hands of market titans while confusing businesses about what exactly the regulations require. Indeed, early signs show that Facebook and Google, despite the threat of fines, are the big regulatory market winners. And EU bureaucrats themselves don't seem to know what "compliance" really looks like.

But the GDPR has caused chaos in more unexpected ways also. Here are just a few of the head-scratching unintended consequences that the GDPR has wrought across the globe.

Email-a-palooza: Most people's familiarity with the GDPR begins and ends with the avalanche of consent emails they received in the weeks before the regulations took hold. Services that you may not have heard from for years were suddenly quite eager to extol their "updated privacy policies" and cajole you for your approval.

For some of us, this was good opportunity to de-list ourselves from long-forgotten apps and web sites with which we'd sooner not share our data. But for a lot of people, it was merely another exercise in clicking "agree" without reading a word of the fine print. This doesn't do a lot for improving data privacy, but it might protect some services from hefty GDPR fines.

Or not. Ironically, companies that sent out GDPR emails on good faith to ensure compliance may have ended up actually violating the GDPR. In a Kafkaesque kind of Eurocratic catch-22, some EU watchers argue that a company that lacks the consent for their current data practices could also lack the consent to email people to gain their consent. Have a headache yet? This is just one small sliver of the GDPR red tape nightmare.

Another irony unfolds in how consent practices have largely ended up helping the tech titans that EU regulators wished to rein in. A household name like Facebook or Google will have a much easier time getting consent from users than an unknown competing platform or ad vendor. The big guys effortlessly check the box, but the upstarts get lost among the piles of consent emails—all for nothing.

The Google Data Protection Regulation: While we're on the subject of Google, the publishing industry has taken to calling the GDPR the "Google Data Protection Regulation" for its market consolidating effect. Google already dominates the ad market, accounting for some 44% of online advertising revenues in 2017 (Facebook snags another 18%). In the EU, Google accounted for 50% of all ad spends before the GDPR. The first day after the rules took effect, Google vacuumed up an astounding 95% of EU ad money.

Google benefits in second-order ways as well. Any policies that Google sets for its vendors yields dramatic impacts. Ad tech vendors have reported dramatic drops in business following the GDPR, and Google had limited the number of approved vendors that can participate on its platform until recently. If the EU wanted to tame Google's online dominance, they have a funny way of showing it!

Now you see it, now EU don't: The GDPR is long and complicated. It is so dry and ambiguous and monotonous that a meditation app called "Calm" offers a soothing bedtime reading of the 88-page regulation to help the listener "lie back, wind down, and drift off to the sound of a new legal regulation."

Not everyone has the time to read and internalize such a dry and complicated document. Some U.S.-based websites and services opted to put off dealing with the GDPR altogether.

Instapaper, a bookmarking service owned by Pinterest, announced on May 24 that it would be unavailable to EU members because of GDPR uncertainty, adding that it intended to "restore access as soon as possible."

News-minded EU citizens found themselves locked out of American media platforms on the day that the GDPR took effect. European fans of the Los Angeles Times, Chicago Tribune, and other Tronc- and Lee Enterprises-owned news services were greeted with a message that the websites were unavailable until the publishers found a way to deal with GDPR compliance. A&E Networks, which includes A&E, Lifetime, and the History Channel, simply decided to pull down their websites from EU access. Needless to say, this cut off European audiences from significant sources of American news, all because some random regulator decided it was not in their best interest to access it.

Others took a segregating approach. The Gannett-owned USA Today directing those with an EU IP address to a stripped-down platform known as "the EU experience." NPR similarly directed readers who opted out of its cookie and tracking policy to a text-only website. The Washington Post charges for its version of a GDPR-compliant subscription package, which costs 50 percent more than a normal subscription.

Who knows? Maybe some platforms will decide that dealing with European users just isn't worth the hassle. EU citizens will have their own regulators to thank.

It's about data in gaming: Will gamers rise up against the GDPR? Some gaming platforms have been forced to close servers or shut down altogether over costs wrought by the EU regulations.

Some of the affected games include Loadout, Super Monday Night Combat, and Ragnarok Online. The CEO of Loadout, Rob Cohen, was pretty blunt in an interview with Motherboard about the changes: "There is a pretty lengthy list of changes required by GDPR. We'd have to update our client, server, database, and more. It's a pretty big amount of development work for a game that is no longer in development." Loadout fans enjoyed their last sad gaming session on May 24, the day before the rules took effect.

The situation was similar for Super Monday Night Combat, another online game. This long-running platform has struggled to keep its servers up in the past. Add in the major regulatory liability of the GDPR, and you've got a basically unworkable situation. SMNC's CEO Jeremy Ables told Engadget that they just couldn't afford to make the changes that the GDPR required. So the game shuttered its doors instead. Ragnarok Online, on the other hand, decided to simply shut off access to EU players. Only time will tell if this evasive maneuver is enough to keep the potential €20 million in GDPR fines at bay.

Supporters of the GDPR will argue that platforms that cannot comply with the GDPR simply do not deserve to stay in business. "Well, what kind of data shenanigans were they up to, then?" is their smug reply to news of the small ventures that the GDPR forces to go under. But it's hard to argue that indie gaming ventures that operate as passion projects for their small legion of dedicated gamers really constitute the biggest data problems facing society. Many of these are simply small projects which barely have the resources to keep their servers online without the pressure of millions in potential EU fines. But to the interventionist-minded, the death of indie games are a small price to pay for the achievement of a new regulatory tool.

Hey, Twitter! Leave those kids alone! The EU apparently feels like it has some kind of parental authority over its youths. The GDPR is heavy on rules surrounding data consent, and it draws an arbitrary line that a person must be 13 years old to give full consent. This rule is problematic enough on its own, but because of the vague way that the regulations are written, it is causing online platforms to react in odd ways.

Exhibit A is Twitter's retroactive banning of users who they believe signed up when they were 13 or younger. Many of these users are well over the age of 13, with some of them in their early twenties. But depending on how the EU decides to interpret its rules, any content that was generated by anyone under the age of 13 could be illegal, even if that person is now a legal adult. To be safe, Twitter has apparently been deleting the content of anyone they believe was under the arbitrary limit when it was posted.

This has inadvertently caught random companies and brands in the snare of Twitter's wide net, who listed the "birthday" of the account as the day that the company was founded. It's annoying, and a little nonsensical, but this is the kind of contortions that online platforms are pushed to in a post-GDPR world.

"Knock, knock." "WHOIS there?" "Um, not anymore.": Journalists, security professionals, and amateur internet sleuths alike rely on a protocol called WHOIS to investigate websites to determine provenance and registration data. Many free WHOIS services display the contact information for individuals and entities that set up websites so that the public can discern, well, "who is" behind specific web addresses.

Obviously, much of this information would be radioactive under the GDPR, so internet infrastructure services have had to scramble to determine how they will handle WHOIS services in the new regulatory environment. ICANN, the international organization that manages top level domain registrations, is dealing with the law by redacting important parts of WHOIS lookups, at least for the time being. While services existed in the past to redact WHOIS information for free or a fee, these changes would compel such censorship largely across the board.

As commentators have pointed out, this change bodes poorly for the future of cybersecurity research and investigations, which rely on WHOIS data to track the source of scams and attacks. And journalists and citizens alike will now lack one more tool to sniff out the sources of propaganda campaigns and other hijinks.

And this is just a snapshot of the world that the GDPR has created. Some of the effects have been odd and irritating, others will have dramatic negative effects on the dynamism and security of the global internet infrastructure. It's hard to tell exactly what the end impact of the GDPR will be on the overall landscape of the internet, but you can bet on one thing: the EU bureaucrats who shaped these policies will almost certainly never admit what they did wrong.