The issue is the collateral damage. The EU doesn't have a thriving web/tech sector to begin with when compared to the US or China. These kinds of things likely make it worse.
I see this argument every so often but I'm wondering, what did we actually lose?
Nasty social media that makes their money on outrage and exposing people to scam ads? That's about the only thing I can think of, and I don't think it's a big loss. The legal environment of the EU might actually pave the way for better social media, if the market wasn't already monopolized by the current incumbents.
As a counter-argument, Europe and especially the UK has a thriving fintech scene that produces solutions light-years ahead of what's currently in the US, despite the stronger consumer protection laws that we have.
> I see this argument every so often but I'm wondering, what did we actually lose?
As many of us pointed out two years ago: time and money.
The collateral damage aspect is all the businesses that weren't doing dodgy things in the first place but still had to spend that time and money, because documentation had to be rewritten according to new formats, and policies had to be expressed in terms of the new sets of acceptable X, Y and Z, and so on.
I was not happy back then to find that despite having run businesses that were scrupulously respectful of privacy and security, we still ended up wasting weeks just on figuring out what we had to change (spoiler: nothing of substance, it was all red tape) and for a small business that is a nasty blow.
If you assume, probably rather naively, that all small businesses here in the UK had a similar minimum cost to ours just to review everything and dot the i's and cross the t's to ensure compliance with the new letter of the law, that alone would represent a cost of billions of pounds for little if any benefit to anyone in many of those cases.
The fact that the typical response from many posters on HN was to dismiss that cost as being somehow necessary or justified, with no regard at all for the very direct effects it would have on many small, bootstrapped businesses, showed an astonishing lack of perspective. The number of people in various forums around that time who just straight-up accused me of lying about my businesses being privacy-conscious already, for no other reason than that I run tech businesses and they treated all tech businesses as the enemies of privacy, was also pretty disappointing. There was very little objectivity in the discussions then, the much-lauded benefits to individuals faced with privacy intrusions by certain big players have almost entirely failed to materialise, and the costs and legal ambiguities for everyone are still there two years later.
We didn't lose that much because I suspect big business in Europe is largely ignoring the more difficult parts of the GDPR. I work for a large bank that is totally non-compliant with GDPR and does not really even have a strategy for getting there. My impression is that we (the bank) looked at the draconian requirements of the bill, realized that, with the total mess that the IT of the bank is in, implementing GDPR would cost billions, and just sort of gave up. It looks like we wait for the regulators to fine us and hope that it won't be a nine figure fine.
Normally it's hard enough to ensure that you have retained an authoritative copy of data, but now it's even harder to ensure that you have destroyed every incidental copy throughout the org on short notice. Then there's the bureaucratic "prior consultation" that will delay launches by months …
1. Deletion/rectification of all copies (that includes backups!) of personal data on demand. We currently are not sure where (in which systems) we store all that data, not to mention adding features to delete/update all data on request in each of those systems.
2. The requirement for a complete description of all processes within the bank which touch personal data. That involves creating a fuckton of documentation, a lot of it for systems where required knowledge is missing (i.e. no one is quite sure how they actually work).
> Last I checked Facebook and friends still exist.
Last I checked there are studies that suggest the current social-media solutions have a negative effect on mental health, and those effects are likely because of the platforms' efforts to drive up "engagement" levels. Regarding the ads, I have first-hand experience of my non-technical friends falling for outright scams (requiring a chargeback), dubious snake-oil being advertised or malware on major online ad networks (not an issue anymore thanks to an ad blocker).
> Many Europeans lost access to various publishing sites (another win for the big guys)
This doesn't seem to significantly impact me or anyone in my network. If this was a big problem we'd notice it and/or an EU-based, compliant competitor will step in to fill the void.
> Collectively who knows how many millions went to lawyers to reverse engineer the vague GDPR standards
Somewhat agreed but this seems to be a side-effect of companies trying to lawyer their way out of the law, and the reason this works is because of the lack of enforcement. If it was enforced it would be a clear message that these efforts don't work and should be stopped.
> Somewhat agreed but this seems to be a side-effect of companies trying to lawyer their way out of the law
Not necessarily. One of the main criticisms of the GDPR was that it was vague and ambiguous on several very important points, and in theory deferred to more concrete guidance from the national regulators, which in turn was then either inconsistent or absent in some of the most important areas anyway.
The GDPR penalty regime was also heavily stacked against smaller businesses: for a large business, the costs are capped at the 4% level, but for any business earning less than half a billion each year, the absolute cap takes precedence and means that a regulator can literally threaten the very existence of any business earning less than probably 100M.
In that environment, you need proper legal advice on interpretation and possibly, as absurd as it seems, just to show that you have made a serious, good faith attempt at compliance, as a preemptive defence if a regulator does subsequently take a different view to yours.
The entire point of my Facebook comment is that GDPR gave us nothing, and people paid by losing news sites and lawyer salaries.
I don't care if you aren't personally affected by this. That isn't the argument you should be trying to make. How did GDPR improve your life? AFAICT Facebook may still have your shadow profile.
People are more aware of privacy violations and even though companies don't fully comply with the regulation, many are at least trying.
I've personally had success in getting multiple EU-based businesses to delete my data and/or fix issues with their marketing infrastructure sending me spam despite not opting into it.
Facebook still has a shadow profile for me but between Facebook having it or Facebook plus a hundred more bad actors having it too I'd still prefer if it was only Facebook.
> This doesn't seem to significantly impact me or anyone in my network. If this was a big problem we'd notice it and/or an EU-based, compliant competitor will step in to fill the void.
Access to fewer news sites is access to fewer news. The new site isn't going to replace the old. Also, we're not getting replacements for them in the EU because the business model for these sites doesn't work with GDPR. Making their life financially more difficult just pushes them more into clickbait and yellow journalism.
> Making their life financially more difficult just pushes them more into clickbait and yellow journalism.
Clickbait is explicitly caused by advertising - it's right there in the name, it's there to drive clicks, the content itself is secondary.
If advertising becomes unsustainable then other business models will take over. At the moment subscribing to news websites is too expensive because 1) we don't have an easy to use micropayment system and 2) they are greedy and charge way more than what they would get in ad revenue.