Compared to the alternatives, the GDPR is a good piece of legislation. It defines the ‘who’, ‘what’, and ‘why’ far more comprehensively than say, the Data Protection Directive that came before it, or 90% of the other data protection laws around the world. It offers some actual rights and importantly, imposes actual obligations. If you don’t believe me, go read a few privacy notices or 10-K filings and count up the times that the GDPR is mentioned relative to almost any other law, bar the CCPA.
Is it perfect? No. Does it make things far more complicated than they need to be? Absolutely. Is it frequently Goodharted to hell by the worst offenders? Yep! But, that makes it a flawed piece of legislation, not inherently bad or worthless. The failure modes of the GDPR come down to problems with the ‘how’:
1) still-unresolved ambiguities in interpretation (‘risk-based approach’ sounds lovely to a legislator, but having little guidance on the details make consistency hard. Everything in Chapter V, which covers cross-border transfers is a dogs’ breakfast of inconsistency);
2) poor, usually inconsistent guidance from regulatory bodies, or worse, ‘guidance’ that has no mandate, coherence, or enforcement teeth;
3) complete enforcement failures—the One Stop Shop is a failed experiment, and it should be abandoned. Let each member state sue for non-compliance, as the states already do in the US;
4) disproportionate impact: the law treats all-comers identically, whether you’re a small eCommerce company or Meta. The problem is compliance costs and knowledge and time needed to comply. In my ideal world, regulators would be more realistic about defining ‘risk’ for organizations. For example: if you’re selling medical devices that include lots of features that will phone home and share sensitive personal data broadly, yes, you should absolutely need to have your house in order. Ditto for other traditionally regulated industries.
But it’s less realistic to expect the same standard be met (documentation, policies, data transfer obligations, quick turn-arounds for DSRs, DPIAs, etc) by a tiny, low-risk provider. And enforcement should be aligned accordingly, instead of just going after the low-hanging fruit.
Sue the absolute **** out of Meta, X, Google, Microsoft, Palantir, OpenAI, Clearview—the folks that are in the news for being the worst offenders. Force them to disgorge data, or cease trading in Europe, or actually recouping the fines. Stop faffing about with wrist-slaps and hedgy BS. Concurrently, build out the tools and standards that will make compliance easy for everyone—think HTTPs, or the gradual improvement to payment card processing that has come through PCI-DSS standarization.
Attack the structure, don’t hang on the procedure. But that’s hard, and most regulators don’t have the political support or resources to do that. So, they go for the easy, stupid compliance-theatre stuff, and it makes the law look worthless.
Compared to the alternatives, the GDPR is a good piece of legislation. It defines the ‘who’, ‘what’, and ‘why’ far more comprehensively than say, the Data Protection Directive that came before it, or 90% of the other data protection laws around the world. It offers some actual rights and importantly, imposes actual obligations. If you don’t believe me, go read a few privacy notices or 10-K filings and count up the times that the GDPR is mentioned relative to almost any other law, bar the CCPA.
Is it perfect? No. Does it make things far more complicated than they need to be? Absolutely. Is it frequently Goodharted to hell by the worst offenders? Yep! But, that makes it a flawed piece of legislation, not inherently bad or worthless. The failure modes of the GDPR come down to problems with the ‘how’:
1) still-unresolved ambiguities in interpretation (‘risk-based approach’ sounds lovely to a legislator, but having little guidance on the details make consistency hard. Everything in Chapter V, which covers cross-border transfers is a dogs’ breakfast of inconsistency);
2) poor, usually inconsistent guidance from regulatory bodies, or worse, ‘guidance’ that has no mandate, coherence, or enforcement teeth;
3) complete enforcement failures—the One Stop Shop is a failed experiment, and it should be abandoned. Let each member state sue for non-compliance, as the states already do in the US;
4) disproportionate impact: the law treats all-comers identically, whether you’re a small eCommerce company or Meta. The problem is compliance costs and knowledge and time needed to comply. In my ideal world, regulators would be more realistic about defining ‘risk’ for organizations. For example: if you’re selling medical devices that include lots of features that will phone home and share sensitive personal data broadly, yes, you should absolutely need to have your house in order. Ditto for other traditionally regulated industries.
But it’s less realistic to expect the same standard be met (documentation, policies, data transfer obligations, quick turn-arounds for DSRs, DPIAs, etc) by a tiny, low-risk provider. And enforcement should be aligned accordingly, instead of just going after the low-hanging fruit.
Sue the absolute **** out of Meta, X, Google, Microsoft, Palantir, OpenAI, Clearview—the folks that are in the news for being the worst offenders. Force them to disgorge data, or cease trading in Europe, or actually recouping the fines. Stop faffing about with wrist-slaps and hedgy BS. Concurrently, build out the tools and standards that will make compliance easy for everyone—think HTTPs, or the gradual improvement to payment card processing that has come through PCI-DSS standarization.
Attack the structure, don’t hang on the procedure. But that’s hard, and most regulators don’t have the political support or resources to do that. So, they go for the easy, stupid compliance-theatre stuff, and it makes the law look worthless.