Reason.com

Free Minds & Free Markets

Europe's New Data Privacy Rules Will Make Facebook and Google More Powerful

The EU’s GDPR should serve as a cautionary tale for Americans eager to reign in tech titans

Mark ZuckerbergStephen Lam/REUTERS/NewscomAmericans are mad as hell, and they can't take it anymore.

At least, this was the general thrust of last month's two-day media-brouhaha-cum-congressional-testimony of Mark Zuckerberg over Facebook's privacy and data policies. But when it came time for each policymaker to articulate exactly what they were upset about, the tech CEO's inquisitors mostly floundered. There was no clear and agreed-upon ill that our esteemed delegates called upon Zuckerberg to redress. Rather, there seemed to be a vague idea that Facebook and other internet platforms were out of control, and that Something Must Be Done about it.

That "something," more often than not, is new regulations. Opportunistic policymakers are already capitalizing on the public's souring mood against tech giants by suggesting "tough" new rules to supposedly reign in Facebook, Google, and the rest.

Yet these rules would almost undoubtedly only end up helping the titans they aim to topple. That is exactly what the European Union's impending data rules, called the General Data Protection Regulation (GDPR), appear to be doing.

The EU likes to think that it is a pretty tough cop on the data privacy beat. The supranational body has presented a unified front on data issues since adopted its European Data Protection Directive (EDPD) in 1995, well before the rise of the modern internet. It officially ratified the GDPR in 2016, and the policies are slated to fully take effect on May 25, 2018.

Despite the EU's marketing that the GDPR will "provide increased legal certainty" for tech companies and "greater protection for the individual in general," there's a lot of ambiguity over what the regulations actually do. The language holds "all companies processing the personal data of subjects residing in the Union" to specific breach notification, "right to be forgotten," data portability, and privacy and security policies.

These policy goals are nestled among a concoction of sprawling Eurocratic legalese in the 88-page GDPR. The rules employ a very broad definition of "personal data" that could ensnare basically any website with which EU citizens interact. Everyone from Mark Zuckerberg to the lowly administrator of a randomized dice service for tabletop gamers called rolz.org must now pore through arcane GDPR texts to determine how they must comply with the onerous regulations—and whether they can continue in the European market at all.

You may have noticed a flood of emails from online services informing you of their enhanced data policies. You almost surely clicked "accept" without really reading anything and moved on with your life. That new layer of policy jargon that you blindly accepted comes courtesy of the GDPR. Don't you feel so much safer now?

The GDPR's effects extend far beyond catalyzing yet another round of privacy policy notifications from online platforms. One false move, and online operators may find themselves subject to millions of dollars in EU penalties.

Facebook and Google and Microsoft have plenty of money to hire lawyers, bring in extra programmers to comply with the rules, and pay the fines if they do break them. Or they can just pass the buck. Google is already making waves in the publishing world for its creative interpretation of GDPR policies: The search giant is making publishers handle user consent headaches on Google's behalf, despite the fact that it's much easier for an established web presence like Google to coax users to agree to their technically-GDPR-compliant privacy policies.

Other small scale services will be forced to shutter themselves from the European market in response to the GDPR. Some of them will go under. Many will only be tangentially related to the ongoing data privacy conversation, if at all. It is unreasonable and unfair that they should be pushed to shut down because the GDPR is poorly written.

But some of these prematurely-stifled projects are the would-be giants of tomorrow, who could have risen above the fray to challenge current market leaders with better services and data policies. Because they lack dominant firms' deep pockets and brand power, they will be strangled in the crib before they get a chance to really show their stuff.

It is not controversial to argue that the GDPR will empower incumbents. The New York Times ran a story about how the GDPR will "strengthen Facebook's and Google's hegemony and extend their lead on the internet." The article goes on to discuss how the EU's "right to be forgotten" court ruling in 2014 merely cemented Google's grip on the continent.

In its story on how Facebook and Google will benefit from the GDPR, the Wall Street Journal presented an amusing anecdote about an EU regulator who visited Silicon Valley to discuss the rules. Believing herself to be the bane of the tech giants, the regulator expected to get "an earful" from a fearful tech elite. Instead, she found herself mostly ignored, since the companies' attorneys had long since assuaged them of any regulatory worries. "They were relaxed, and I became worried," she confessed to the Journal.

Yet somehow, the same media outlets that are exposing the anti-competitive effects of the GDPR also publish articles calling for U.S. regulations in the same vein. An opinion piece in the New York Times calls upon Congress to adopt "European-style data protection policies," while another commentary in the Wall Street Journal chides the FCC for "[neglecting] online privacy" regulations.

When will people learn that regulations can help the industries they are supposed to reign in?

The EU policymakers who drafted the GDPR certainly didn't believe they were doing Facebook and Google any favors. They are quite antagonistic to Silicon Valley, and thought they were really sticking it to the out-of-control tech fat cats. Facebook and Google probably would prefer that they didn't have to hire an army of lawyers to navigate the EU rules. But the end result is a new barrier to entry in the technology market that further bulwarks incumbents' positions.

You don't have to be an interventionist Luddite to be suspicious of some tech firms' shadowy but speculated data and advertising practices. On the contrary, I find that the more technologically-savvy one is, the more likely they are to scrutinize data collection practices. But tech-savvy folks usually don't draft privacy regulations. Rather, data rules are written by people like Senator Orrin Hatch, who did not realize that Facebook made money by selling ads. It is not surprising, then, that privacy regulations tend to merely benefit the companies they intend to restrain.

Those seeking transparency into online platforms' data and advertising policies would be wise to take a lesson from the European experience. For meaningful data reform, we should reject clumsy and counterproductive government regulation that benefits incumbents. Instead, strategies that coax online platforms to divulge more information about their hidden data practices will show us the true dimensions of the advertising ecosystem.

Photo Credit: Stephen Lam/REUTERS/Newscom

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Shirley Knott||

    These are the people who insist we need 'quality control' — because if we don't quality might get out of control.
    Yes, they are that stupid.
    It's about control, and being in control. But slavery is always wrong.

  • Quixote||

    On the contrary, some forms of control are entirely justified, given the evils they are designed to prevent. Facebook and Google are two of our last bastions against the scourge of rabble who are destroying the internet with the "free speech" baloney we keep hearing about. In fact, the distinguished directors of these companies should join us in issuing a public protest against the recent refusal of a so-called judge in New York to jail America's leading criminal "satirist." See the documentation at:

    https://raphaelgolbtrial.wordpress.com/

  • Longtobefree||

    "Everyone from Mark Zuckerberg to the lowly administrator of a randomized dice service for tabletop gamers called rolz.org must now pore through arcane GDPR texts to determine how they must comply with the onerous regulations—and whether they can continue in the European market at all."

    All they have to do is stop collecting personal data, and develop a product people are willing to pay a subscription fee to have. Simple. Not easy, but simple.

    Or, more likely, take a short term hit in the ad budget, and just stop serving Europe. Replace all screens sent to an European IP address with a banner saying that service will be restored when the EU votes in politicians that remove the 'impossible to comply with' regulation. Crude, but effective.
    It would be entertaining to watch the police states in the EU try to run a government without the internet.

  • Scarecrow Repair & Chippering||

    All they have to do is stop collecting personal data, and develop a product people are willing to pay a subscription fee to have. Simple. Not easy, but simple.

    These two things are contradictory. You can't collect payment without also collecting personal data.

    Also, "pay a subscription fee" is two-thirds redundant. You might want to work on that.

  • SQRLSY One||

    Your Facebook-addicted friends post all sorts of photos of you, when you attend a party of theirs? Do they say good things or bad things about you? Do they say true things or false things? If they say way-bad things about you that are not true, you have your remedy in court, you know, especially if it significantly hurts your reputation or your earnings. And you also have the options of asking them to NOT do that, or to spread gossip about their gossiping, or truths about their gossiping. What's good for the goose, is good for the gander.

    An analogy to the gossips of yore is apt, I have been thinking. Say Irma and Bertha and Bessy… Those were popular names in the late 1800s, I am told… Talk of each other. "I saw Bessy at the country store", is that OK? It is the verbal equivalent of posting Bessy's photo on Facebook, at that store. If Bessy starts running around telling people that they may NOT tell other people that she was at the country store, she will get a reputation as being a "Bossy Bessy", and people are free to gossip about that as well as to gossip about the gossipy ways of others. It's when the law starts showing up, that some of the worst abuses take place.

  • SQRLSY One||

    So then let's take the analogy a wee tad further… People get so sick and tired of Irma and Bertha and Bessy and their gossip, that they tell the owner of the country store, WITH THE FORCE OF LAWS, that he make not sell paper and pens to Irma and Bertha and Bessy, because they use this media to spread gossip! If country store owner sells them any paper and pens, he is responsible for making sure that Irma and Bertha and Bessy don't spread gossip!

    I don't think it is justified when people try and use the laws to tell Facebook, what Facebook can and cannot provide, in the way of tools, to gossips. The gossipers should be held accountable (by whoever, in whatever way), but we are all held accountable, in some way or another, for what we do. And if we over-apply the force and power of laws, that bad karma will somehow come back and bite us in the arse as well. In 1880, the local store shuts down, because they cannot afford all of the lawyers! The locals and their gossipers will have to travel 200 miles to a MUCH bigger store, which can afford all of the lawyers!

  • DamnDirtyApe||

    Just stay the fuck off social media.

  • Drave Robber||

    I live in Europe and can report that companies here are already using GDPR to demand more data from their customers. To keep your f-ing loyalty card from being canceled by the f-ing retailer, you need to tell them the maiden name of your grandmother... well, almost.

  • SQRLSY One||

    So then, you have to tell them all of your secrets... So that they can help you to keep them secret!?!? WTF?

  • Cynical Asshole||

    two-day media-brouhaha-cum-congressional-testimony

    Please, don't use "media" and "cum" in the same sentence.

  • Empress Trudy||

    Well it was conceived as a back door tax on large American social media firms. It's axiomatic that if it costs them billions it will also have the effect of driving smaller firms out of business. But the EU doesn't worry about that, they're interested in the billions it will shift TO the EU in the form of fines, regulatory expenses, compliance firms and lawyers.

  • Whorton||

    Leave it to Europe to screw up a good thing.

  • jdgalt1||

    The expression is "rein in". Not "reign in". "Reign" is not even a transitive verb.

  • SQRLSY One||

    Rudolf, the Red, knows reign, dear! So rain it in, baby!!!!

  • Sevo||

    Standing O!

  • jdgalt1||

    If the giants manage to get social media regulated, we will just have to create new ones illegally.

  • Mark22||

    The EU policymakers who drafted the GDPR certainly didn't believe they were doing Facebook and Google any favors.

    No, they thought they were doing European publishers and failing European tech companies a favor. They also thought they would be doing European intelligence agencies a favor by forcing Europeans to keep much of their data on European servers where they can spy on it

    The GDPR was about corporate cronyism and government violations of privacy. The one thing it was not about was data protection.

  • Tricks N Tech||

    Facebook have only 1% of data while Google have more than 90% of our data. It's like Google know more about us than our parents. These rules will not affects anything.

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online