No, GDPR Can’t Be Blamed For Everything

For the past few months I’ve had an article opened on my phone that claims how detrimental GDPR has been to businesses and consumers alike.

And I wanted to debunk most of what’s inside. But I couldn’t go and debunk the individual facts —they are mostly correct. However, they are either not a consequence of GDPR, or a consequence of data privacy rights, or a consequence of companies not caring about personal data for years.

I won’t claim that GDPR has been a smooth sail, as it has been pushed rather optimistically without a push for a wider understanding of data protection in general. It was as if suddenly (and 3–4 years is “suddenly” in EU-wide legislative context) there was a regulation that every citizen should bombproof their house, and the legislation used bomb expert slang. It was inevitable that following the letter of the law will turn into a high cost task, often meaningless for smaller organizations. And I’ve written about that sin of GDPR before. I’ve also been highly critical of how consent evolved to be a useless mechanism.

So I’m not the ardent GDPR defender that one might assume. But I want it properly criticized, rather than collecting stories and blaming them all no GDPR. Because they won’t help things get better — legislators need to know where the actual weaknesses are in order to fix them.

But let’s get to the point. You’ve probably already opened the original article so I’ll just list the mentioned issues and explain why it’s not a GDPR problem per se.

• “Amazon sent 1,700 Alexa voice recordings to the wrong user following data request” — the allusion here is that GDPR is bad because it forced a company to make a mistake. But the right to access your own data is something that there’s consensus about — it is your data, and you have the right to see it. To blame GDPR for implementation bugs or process errors is too far fetched. This feature could easily exist without GDPR (and it did exist for many companies).
• If they hack your account, they can access your data. Well, yeah. Again, the claim here is that GDPR is bad for giving consumer rights which companies can’t implement properly (because hacking an account where collected data is sensitive is primarily the company’s fault). And that’s a hard argument to make —that we should not give people rights because things might go wrong when they use them. An extreme and probably not so relevant example would be to say that women’s suffrage was bad because a husband could coerce his wife to vote a certain way. I’m sure it was an argument back then, but it’s a bad argument.
• “Since 2016, newspapers in Belgium and Italy have removed articles from their archives under [GDPR]. Google was also ordered last year to stop listing some search results, including information from 2014 about a Dutch doctor who The Guardian reported was suspended for poor care of a patient”. Then there are more stories about scammers having news articles deleted thanks to GDPR — the right to be forgotten with regard to media publication is indeed a hard issue. GDPR is at fault here for leaving it to member states to put the boundary, but I wold say that these examples are rare and the newspapers don’t have to comply with all such request. In some cases it is not so obvious, though. A person who committed a crime and served his time in prison, is considered rehabilitated, especially in Western Europe. The point of criminal justice is to twofold — make an example, and reeducate the wrongdoer. And if you are not going to commit crimes, don’t you have the right to not be followed by your criminal record for the rest of your life, because on the internet nothing is deleted? Do we want all people who served time in jail to be Jean Valjeans who need to present their criminal record to every employer and get rejected again and again? My point is — the right to be forgotten is well thought and balanced and quoting random example without going in depth is no argument against GDPR.
• Right to portability presents additional attack surface, and the Cambridge Analytica scandal was an example of that. Well, no. This point has two parts — the first one we already discussed in “the right to access” (which, in my view, should have been the same as right to portability, as portability of data is just an edge case of being able to access your data). The second one, about Cambridge Analytica, is just wrong. No, it was not an issue with data portability, it was an issue with horrendous implementation of API access control. GDPR gives you the right to export your data, not the data of all of your unsuspecting friends.
• Data portability benefits the big players — this argument is made twice. And may seem like legitimate concern. But competitor social networks don’t appear not because you can freely move off them — they don’t appear because of the lack of sufficient network effect. For other types of services it is functionality, not data, that would be a competitive advantage. Did Facebook destroy MySpace because you could easily move your data? Of course not. I’m rather unconvinced that the right to portability will have any positive effect on Facebook — and we’ll easily see that in a few years, when literally no data will be imported in Facebook (or other tech incumbent). And once again, this is the argument that we shouldn’t give consumers the right to something because of some hypothetical consequences.
• “By restricting companies from limiting services or increasing prices for consumers who opt-out of sharing personal data, these frameworks enable free riders — individuals that opt out but still expect the same services and price — and undercut access to free content and services”. That is probably the hardest things to argue about. It is about how companies currently use your data in a rather opaque way to make profit, and GDPR could, in theory, destroy those models. It then boils down to the question, which I think giants will eventually have to pose —does a personal-data driven service need personal data in order to operate, and thus can it use the data as its legitimate interest, rather than based on consent. I don’t have an answer, but I’d like to point out that consent is just one legal ground for processing data. And it’s the least preferred, as it should be used only about uses of the data that are not required to provide the service. The fact that consent is overused and overrepresented doesn’t mean it’s needed. But are freeriders those who don’t want their entire online behaviour to be collected in order to have ads targeted at them, I don’t know.
• Compliance costs are astronomical —if for decades you have totally neglected personal data and data governance in general, then yes, the cost can be big. Whether you have to care about personal data if the market allows you not to care is a good question. If you are a libertarian, no, you should not. If you are not, then yes. I’ll use an extreme example again — the market didn’t force companies not to use child labor. Legislation did. Whether disregarding personal data is on the same level of negative effects to society as child labor is another question. I won’t argue about it, as it needs a separate article, but I’ll get to the point of compliance costs — if you’ve had sensible security and data protection policies in the first place, compliance would have been quite cheap (I am a GDPR consultant and I’ve had (small) customers where instead of doing a long project, we had a 1.5h meeting where I un-scared them and recommended a few simple steps for compliance)
• 500,000 data protection officers were appointed, which is costly. First, appointing a DPO does not mean a new person was hired. In some cases it can be another employee promoted to DPO. And the rest of this argument goes to the previous point — if you are a data-heavy company with 1000 people and process personal data, and so far you didn’t have a person to oversee data processing, then something was probably wrong. More extreme and semi-relevant examples coming: it’s like operating a nuclear power plant without a nuclear physicist, and complaining that the law made you hire one.
• Consolidation of the ad space — yes, that’s an issue. I blame regulators for that. Facebook and Google are not GDPR compliant, and I’m regularly pinging regulators on doing something about it. They may be perceived as more compliant than their competitors, which could lead to them getting more ad revenue, as customers fear that competitors are less compliant, but that doesn’t make them better. And if regulators applied GDPR as it was intended (and what it was created for in the first place), Facebook and Google’s ad business would suffer.
• Startup investments and M&As dropped in the EU due to GDPR. Yes, that’s an issue, and that’s exactly the issue that I have addressed in the “GDPR sin” article. You can’t expect everyone on the market to be a GDPR expert on day one, and making it so threatening without properly preparing for it certainly scared many people, including investors and acquirers. But we have to look in more detail here — did GDPR kill entire business models, or was it just perceived increase in risk that lead to dropped investments? Were M&As cancelled because the acquired company had too poor data protection practices, or was it again just limiting risk and exposure due to the scary fines?
• Product graveyard — many projects were allegedly killed because of GDPR. From that few that I’ve analyzed, GDPR was just an excuse. Compliance was next to trivial and was not the actual reason. Take Klout, for example. It was a strategic decision to shut it down, and as one spokesperson said “the upcoming deadline for GDPR implementation simply expedited our plans to sunset Klout”. There is indeed no point in doing any compliance work on a service you plan to kill anyway. Take unroll.me — it gains access to your email inbox to handle your subscriptions. Allegedly, it anonymizes data and doesn’t just read your entire email. Allegedly. Shutting down in the EU makes you doubt that. If they were truly anonymizing data and not reading your entire email, they were already GDPR compliant. So, I wouldn’t blame GDPR for most of the projects declared dead because of GDPR. They are dead either because of strategic business decisions or because they were not being honest about their model; yes, GDPR exposed that, but better informed customers is good for the market, right?

Overall, I agree GDPR did lead to changes, and it did have a negative effect in some areas. Whether that’s bad, I’m not sure we can say now. It introduced consumer rights and that’s not bad. It drove huge and often unnecessary spending, which is bad. What’s the net effect requires a deeper analysis.

But just throwing random examples and quotes around and blaming it all on GDPR is not helping. I’ll join any criticism that addresses core issues of GDPR and its implementation and messaging. And I’ll even try to propose solutions to the consent crisis, and to better communication of further data protection legislation. GDPR is a bit of an overregulation, yes. But we all made it a bigger issue than it actually is. And the European Commission didn’t do anything to stop the growing concerns.