The EU’s Online-Privacy Boondoggle

By Ryan Hagemann & Alec Stapp

Wednesday, June 27, 2018

‘We’ve updated our privacy policy.” If you’ve been online in the last two months, it’s likely that you’ve been inundated with notifications like this, whether through your email inbox, mobile apps, or social-media platforms. The deluge may have seemingly come out of nowhere, but in fact it was the direct result of a new European Union rule that went into effect last month: the General Data Protection Regulation (GDPR). The new rules’ purported goals are to protect the privacy and personal data rights of EU citizens — a laudable aim, and no doubt inspired by the best of intentions.

Unfortunately, the road to bureaucratic hell is paved with well-intentioned laws, and GDPR has already left a trail of not-so-creative destruction in its wake. A mere month into its existence, it has been nothing short of a disaster for the EU’s digital economy. Worst of all, the economic ruination now unfolding was entirely predictable.

In the weeks and days prior to GDPR’s effective date of implementation, the privacy notices became a running joke. Aaron Levie, the CEO of Box, dryly tweeted that “the future of email is just receiving GDPR privacy notices until your inbox fills up and you no longer have the will to use mail anymore.” Fred Wilson, a partner at Union Square Ventures, pointed out the irony “that GDPR, a regulation to protect our privacy, has resulted in the greatest deluge of spam into my inbox that i can recall.” Elsewhere on Twitter, one user did a particularly memorable job characterizing this new digital zeitgeist, expressing sardonic amazement that we’re not finding privacy-policy updates in every new box of breakfast cereal we open.

Meanwhile, across the Atlantic, the new rules were already beginning to wreak havoc. European online service providers, anticipating the coming GDPR storm, had already begun shuttering their doors in droves. In just the first few days after the new rules went into effect, Axios described the unfolding carnage with headers such as “News outlets have gone dark in Europe,” “New paywalls are launching in Europe,” and “Programmatic ad buying has plummeted.” Since then, things have only gotten worse for the European digital economy.

For example, digital publishers and advertisers are hemorrhaging revenue because the rules make it difficult and legally risky for the latter to target users with ads based on their previous online behavior. Since GDPR went into effect, European ad demand has plummeted — in some cases by as much as 25 to 40 percent. Many publishers aren’t entirely certain of how best to respond. In a desperate bid to stabilize revenue streams in the face of the data-protection mandate’s high compliance costs and vague requirements, many online publishers are still loading the third-party trackers that enable targeted advertising — even though such actions may run afoul of the new rules. Newspapers and magazines, which have been kept afloat by digital advertising and subscriptions since the Internet demolished their previous business model, may now face an existential crisis.

The root problem is GDPR itself. The rules are complicated and contradictory, while also managing to be consistently vague and occasionally technically infeasible. Indeed, the confusion is so pronounced that even the EU Parliament’s own website may not be in total compliance. If that weren’t bad enough, the ambiguity of the rules affords regulators a broad scope of discretionary authority that could be applied capriciously and arbitrarily.

That broad enforcement authority, coupled with vague statutory language and potentially crippling fines — up to 2 percent of an infringing company’s total worldwide revenue — suggests it may be easier for some online service providers to simply block Internet traffic to and from the EU entirely. A market for blocking tools is already blooming.

Perhaps most regrettably, these rules significantly diminish the continent’s prospects for a thriving innovation economy. Unclearly defined provisions such as the “right to erasure” and “right to explanation,” even if interpreted reasonably, are regulatory deathblows for investments in many emerging technologies. The potential commercial applications of technologies such as blockchain and artificial intelligence are fundamentally incompatible with the new rules, and serve only to cement the EU’s position as the technological backwater of the industrial world.

While ongoing implementation of GDPR is shaping up to be a nightmare for online service providers in the EU, there is a silver lining. As Alan McQuinn, a senior research analyst at the Information Technology and Innovation Foundation, aptly noted in recent commentary, the fiasco serves as “an opportunity for policymakers to discover the consequences of laws demanding privacy at any cost.”

Policymakers in the United States and elsewhere should take heed of the unfolding disaster in Europe. Otherwise, they’re likely to find themselves standing next to the EU looking into the economic abyss.