Reason.com

Free Minds & Free Markets

The EU's New Privacy Rules Are Already Causing International Headaches

It’s not just email spam; GDPR has led companies to shut down access to sites and games.

Web censorshipM-sur / Dreamstime.comWell, that didn't take long. The European Union's long-awaited (and commercially dreaded) privacy regulations, known as the General Data Protection Regulation (GDPR), have already begun wreaking havoc online.

Before the rules took effect on May 25, commentators had warned that the GDPR would consolidate power in the hands of market titans while confusing businesses about what exactly the regulations require. Indeed, early signs show that Facebook and Google, despite the threat of fines, are the big regulatory market winners. And EU bureaucrats themselves don't seem to know what "compliance" really looks like.

But the GDPR has caused chaos in more unexpected ways also. Here are just a few of the head-scratching unintended consequences that the GDPR has wrought across the globe.

Email-a-palooza: Most people's familiarity with the GDPR begins and ends with the avalanche of consent emails they received in the weeks before the regulations took hold. Services that you may not have heard from for years were suddenly quite eager to extol their "updated privacy policies" and cajole you for your approval.

For some of us, this was good opportunity to de-list ourselves from long-forgotten apps and web sites with which we'd sooner not share our data. But for a lot of people, it was merely another exercise in clicking "agree" without reading a word of the fine print. This doesn't do a lot for improving data privacy, but it might protect some services from hefty GDPR fines.

Or not. Ironically, companies that sent out GDPR emails on good faith to ensure compliance may have ended up actually violating the GDPR. In a Kafkaesque kind of Eurocratic catch-22, some EU watchers argue that a company that lacks the consent for their current data practices could also lack the consent to email people to gain their consent. Have a headache yet? This is just one small sliver of the GDPR red tape nightmare.

Another irony unfolds in how consent practices have largely ended up helping the tech titans that EU regulators wished to rein in. A household name like Facebook or Google will have a much easier time getting consent from users than an unknown competing platform or ad vendor. The big guys effortlessly check the box, but the upstarts get lost among the piles of consent emails—all for nothing.

The Google Data Protection Regulation: While we're on the subject of Google, the publishing industry has taken to calling the GDPR the "Google Data Protection Regulation" for its market consolidating effect. Google already dominates the ad market, accounting for some 44% of online advertising revenues in 2017 (Facebook snags another 18%). In the EU, Google accounted for 50% of all ad spends before the GDPR. The first day after the rules took effect, Google vacuumed up an astounding 95% of EU ad money.

Google benefits in second-order ways as well. Any policies that Google sets for its vendors yields dramatic impacts. Ad tech vendors have reported dramatic drops in business following the GDPR, and Google had limited the number of approved vendors that can participate on its platform until recently. If the EU wanted to tame Google's online dominance, they have a funny way of showing it!

Now you see it, now EU don't: The GDPR is long and complicated. It is so dry and ambiguous and monotonous that a meditation app called "Calm" offers a soothing bedtime reading of the 88-page regulation to help the listener "lie back, wind down, and drift off to the sound of a new legal regulation."

Not everyone has the time to read and internalize such a dry and complicated document. Some U.S.-based websites and services opted to put off dealing with the GDPR altogether.

Instapaper, a bookmarking service owned by Pinterest, announced on May 24 that it would be unavailable to EU members because of GDPR uncertainty, adding that it intended to "restore access as soon as possible."

News-minded EU citizens found themselves locked out of American media platforms on the day that the GDPR took effect. European fans of the Los Angeles Times, Chicago Tribune, and other Tronc- and Lee Enterprises-owned news services were greeted with a message that the websites were unavailable until the publishers found a way to deal with GDPR compliance. A&E Networks, which includes A&E, Lifetime, and the History Channel, simply decided to pull down their websites from EU access. Needless to say, this cut off European audiences from significant sources of American news, all because some random regulator decided it was not in their best interest to access it.

Others took a segregating approach. The Gannett-owned USA Today directing those with an EU IP address to a stripped-down platform known as "the EU experience." NPR similarly directed readers who opted out of its cookie and tracking policy to a text-only website. The Washington Post charges for its version of a GDPR-compliant subscription package, which costs 50 percent more than a normal subscription.

Who knows? Maybe some platforms will decide that dealing with European users just isn't worth the hassle. EU citizens will have their own regulators to thank.

It's about data in gaming: Will gamers rise up against the GDPR? Some gaming platforms have been forced to close servers or shut down altogether over costs wrought by the EU regulations.

Some of the affected games include Loadout, Super Monday Night Combat, and Ragnarok Online. The CEO of Loadout, Rob Cohen, was pretty blunt in an interview with Motherboard about the changes: "There is a pretty lengthy list of changes required by GDPR. We'd have to update our client, server, database, and more. It's a pretty big amount of development work for a game that is no longer in development." Loadout fans enjoyed their last sad gaming session on May 24, the day before the rules took effect.

The situation was similar for Super Monday Night Combat, another online game. This long-running platform has struggled to keep its servers up in the past. Add in the major regulatory liability of the GDPR, and you've got a basically unworkable situation. SMNC's CEO Jeremy Ables told Engadget that they just couldn't afford to make the changes that the GDPR required. So the game shuttered its doors instead. Ragnarok Online, on the other hand, decided to simply shut off access to EU players. Only time will tell if this evasive maneuver is enough to keep the potential €20 million in GDPR fines at bay.

Photo Credit: M-sur / Dreamstime.com

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Incomprehensible Bitching||

    Fuck the GDPR. Back from Argentina. Terrorizing the populace with fear.

    Have we learned nothing from history?

  • Rat on a train||

    Euro Wars: Return of the Stasi.

  • Shirley Knott||

    Yes. We've learned to carefully control and craft the bits of history we teach.
    It's almost as if those who control the past control the future.

  • Nuwanda||

    Well said.

  • ||

    Given how much of an impact just losing WHOIS support will have on online security and the ability for the internet to inter-operate, a strong case can be made for simply cutting the EU off from the rest of the internet.

  • Cynical Asshole||

    a strong case can be made for simply cutting the EU off from the rest of the internet.

    Maybe France can provide Minatel to the rest of the continent.

  • BYODB||

    Or, hell, maybe China will let them use their intranet.

  • hello.||

    Thank god Reason is always here to stick up for the interests of the poor downtrodden left-wing tech billionaire. Truly the forgotten minority.

  • gormadoc||

    Those are the people who are benefiting most from GDPR and Reason is criticizing it. If you can't be arsed to read the article why are you arse enough to comment on it?

  • Cynical Asshole||

    If you can't be arsed to read the article why are you arse enough to comment on it?

    REEDING IZ 4 FAGGITS N CUCKZ!

  • Illocust||

    Mm, I ned to make sure to go on Google, and see if I can strip them off anyway to make money off me.

  • chemjeff radical individualist||

    In a Kafkaesque kind of Eurocratic catch-22, some EU watchers argue that a company that lacks the consent for their current data practices could also lack the consent to email people to gain their consent.

    Good Lord. This is absurd. People sending me letters in the mail don't need my consent first. Same with email.

  • Rockabilly||

    Gosh - I'm like shocked man.

    Call Central Committee!!!

  • gormadoc||

    "NPR similarly directed readers who opted out of its cookie and tracking policy to a text-only website."

    Please please please tell me it had a shitty font with tacky color on a tacky background and extremely obtrusive banner ads.

  • albo||

    It's hosted on Angelfire.

  • Diane Reynolds (Paul.)||

    What's GeoCities, chopped liver?

  • BYODB||

    Ah, that brings back memories. I loved GeoCities, it's where I first learned HTML.

  • Mark22||

    Cutting off foreign news sources, benefiting large corporations, and making data more easily accessible to European government spy agencies are the primary reasons for GDPR. Helping Europeans? Not an objective.

  • Diane Reynolds (Paul.)||

    I wish someone would figure this fucking GDPR thing out and explain it to my boss, because he won't listen to me and I have more important things to do.

  • Longtobefree||

    Dear Diane's boss:
    Shut up and do what Diane says. It's the law now.
    Besides, she needs more time to comment on Reason articles - - - - - -

  • Diane Reynolds (Paul.)||

    This rule is problematic enough on its own, but because of the vague way that the regulations are written, it is causing online platforms to react in odd ways.

    Feature, not bug.

    This has inadvertently caught random companies and brands in the snare of Twitter's wide net, who listed the "birthday" of the account as the day that the company was founded. It's annoying, and a little nonsensical, but this is the kind of contortions that online platforms are pushed to in a post-GDPR world.

    Remember when the internet became a thing and people thought it wasn't possible to regulate because it "didn't have borders, maaaan".

    Anyhoo, I happen to be in Europe this week on business and every fucking site makes me click 'accept' on their page before I can use it. Fun times, and it's the future. I strongly doubt this law will go away.

  • BYODB||


    Remember when the internet became a thing and people thought it wasn't possible to regulate because it "didn't have borders, maaaan".


    I 'member, and additionally I figured what would happen is that regulation would go to the country that regulates the most. It's basically the California Rule except now it's the EU Rule, I guess. Geo-fencing is possible, but plenty of content providers find it easier to just adopt the rules of whatever nation has the most regulations since it's often not technically against the rules anywhere else.

  • Lowdog||

    I guess the Europeans need to have tariffs to prop up the businesses that they cripple with regulations.

  • MJBinAL||

    LOL!

  • Rich||

    Ragnarok Online, on the other hand, decided to simply shut off access to EU players. Only time will tell if this evasive maneuver is enough to keep the potential €20 million in GDPR fines at bay.

    Oh, I expect *those* fines will be actualized.

    Only time will tell if this evasive maneuver will result in *additional* GDPR fines.

  • albo||

    Face it: If you have data online it's never going to be protected. No regulation can protect it. No security policy can. Act accordingly

  • Diane Reynolds (Paul.)||

    We can sure fine you if you fail to comply though.

  • Curt2004||

    On the plus side, EU data should sell at a premium on the dark web...

  • Cynical Asshole||

    It is so dry and ambiguous and monotonous that a meditation app called "Calm" offers a soothing bedtime reading of the 88-page regulation to help the listener "lie back, wind down, and drift off to the sound of a new legal regulation."

    Nice trolling. Doubt it will do any good as far as shaming the EU bureaucrats who came up with this turd, but still.

  • Cynical Asshole||

    Only time will tell if this evasive maneuver is enough to keep the potential €20 million in GDPR fines at bay.

    Not likely. The only thing the EU loves more than regulations are the fines they can levy on anyone who they can claim are in violation, even if they're really not.

  • MJBinAL||

    Don't be silly.

    This is aimed at the non-EU content and will be enforced in that way. This is just another trade barrier riding under an assumed name.

  • Magnitogorsk||

    The Internet, and computing in general, was one of the last refuges of freedom from overbearing government meddling. It was nice while it lasted I suppose

  • Scarecrow Repair & Chippering||

    What would happen is non-EU businesses with no corporate presence inside the EU simply ignore the GDPR and don't block visits from the EU or black sales to the EU? Is the EU going to block shipments from the companies?

    If I have a business in Fargo selling garden gnomes with "Keep ON the grass" signs, and someone from Paris buys one with a credit card and I ship it, and my web site has no GDPR compliance whatsoever, what can the EU do about it?

  • Rossami||

    The EU regulators assert that they have jurisdiction to try you (in absentia if necessary) and to fine you. And given the wording of the GDPR, they'll win easily and assess mind-boggling fines.

    The interesting question comes when they attempt to enforce that decision. Since your hypothetical includes no EU presence (facilities, employees, etc), there are no assets that they can attach. They can try to come to the US to enforce their decision but now you'd have to get a US court to agree that their decision in enforceable.

    In a just world, the US court would throw the case out on any of several grounds including First Amendment, consent to jurisdiction and contrary to public policy. In the real world, that would probably happen in most courts but you might get unlucky and draw a judge who believes in "data privacy" (without understanding what that really is) and wants to use your case to impose EU-style regulations on evil US companies.

    So in my opinion, there is some risk but probably not much. Keep your garden gnome business going. But country-level filtering isn't that hard to set up and could help make the case to your Parisian customers that they need to do something about their own government.

  • Scarecrow Repair & Chippering||

    There are laws forbidding enforcement of foreign judgments if those foreign courts do not enforce US sensibilities, but I do not know the details.

  • Slocum||

    Even if they couldn't enforce the judgement here, you'd have to hope you had no interest in traveling to Europe (or anywhere else with stronger enforcement agreements with the EU). You could end up like on of those online poker execs who made the mistake of traveling to the US.

    So I expect most small, non-European online vendors will simply cut off access to EU users.

  • Brandybuck||

    Just pull of stakes and leave Europe. Problem solved.

  • Diane Reynolds (Paul.)||

    Who's going to cover the pensions?

  • Diane Reynolds (Paul.)||

    Oh, shit, refugees. It's like I don't even watch the news.

  • BYODB||


    Needless to say, this cut off European audiences from significant sources of American news, all because some random regulator decided it was not in their best interest to access it.


    Well, obviously. Can't have people in the EU reading relatively unfiltered opinions! It might be hate speech!


    I think the author inadvertently discovered one of the actual intents of this massive bit of legislation, not to mention that running everything through Google makes surveillance and identification of government targets a snap!

  • BYODB||


    Exhibit A is Twitter's retroactive banning of users who they believe signed up when they were 13 or younger.


    I have it on good authority that this is illegal since these youths may one day visit Trump's twitter feed, and twitter banning these users is infringing on their ability to participate in a public government forum.


    I wish to god this was sarcasm, but it is the determination of the U.S. justice system.

  • Longtobefree||

    Cassius belli. USA .vs EU.
    And we can bet on it now - - - - - -

  • Longtobefree||

    So in a vein similar to the article, but focused on the US, I notice that the internet is still here.
    So much for the massive federal takeover of the internet called net neutrality.
    Take that, Al Gore!

  • Gary Trieste||

    What is Reason.com gonna do?

  • Longtobefree||

    Now is the time for international corporations to flex their muscle and show those politicians who is boss.

    Just shut down in the EU. Display a page saying you will be back after the voters turn out the evil mean nasty people who passed those unreasonable laws and vote in new guys who will repeal the law.
    And while you are at it, suspend all EU government accounts because you can't be sure who is really logged on. Without social media to monitor, they will have to do stuff like help their citizens and all that governing thing.

    Welcome to the revolution.

  • Wishes Magazine||

    It's important,we can't avoid this policy.
    Wishes Magazine

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online