One Year Into The GDPR: Can We Declare It A Total Failure Yet?

from the click-here-to-pretend-we-respect-your-privacy dept

Tomorrow will represent a full year since the GDPR went into effect. In the run-up to the GDPR, we called out many of the problems with the regulation which, while well-intended, did not seem to deal well with the nature of the internet, speech, or what privacy actually means. In the year since, we've posted numerous stories highlighting the negative consequences of this poorly considered law.

Whenever we do that, however, many of the law's defenders insist that these unintended consequences are a small price to pay for either protecting our privacy or reining in the internet giants. So, it does seem worth investigating whether or not the GDPR has done either of those things. And, so far, the evidence is sorely lacking. Indeed, on the question of dominance, we pointed out late last year that the early returns suggested that the GDPR had only made Google more dominant, which hardly seems like a way to punish the company.

And now that we have more results, it seems more and more people are realizing that the GDPR has been an utter failure. As CNBC notes in its evaluation of the law, it's hard to see how the GDPR has resulted in any benefits to the public. Instead, it's just created a big mess:

...one year later, GDPR hasn’t lived up to its potential.

Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.

In short, from the user side especially, all the GDPR has done is made people constantly need to click on annoying privacy and cookie notices that they don't read and don't find useful at all. This shouldn't have been a surprise. We've pointed out for many years that the entire concept of a privacy policy is backwards. It creates a situation where no one actually reads it, and it doesn't do much to protect anyone's privacy. I heard someone recently note that they should really be called "data exploitation policies," and that, at least, would be a bit more accurate. But still wouldn't get anyone to read them or better protect anyone's privacy.

And, as Politico has pointed out, it appears that not only has the GDPR made the big tech companies more dominant, it's now laid out the rules of the road by which they can introduce even more privacy-destroying offerings:

New forms of data collection, including Facebook’s reintroduction of its facial recognition technology in Europe and Google’s efforts to harvest information on third-party websites, have been given new leases on life under Europe’s General Data Protection Regulation, or GDPR.

Smaller firms — whose fortunes were of special concern to the framers of the region’s privacy revamp — also have suffered from the relatively high compliance costs and the perception, at least among some investors, that they can’t compete with Silicon Valley’s biggest names.

“Big companies like Facebook are 10 steps ahead of everyone else, and 100 steps ahead of regulators,” declared Paul-Olivier Dehaye, a privacy expert who helped uncover Facebook’s Cambridge Analytica scandal. “There are very big questions about what they’re doing.”

This entire approach is backwards and silly. If we want to have better control over our privacy we're not going to do it through demanding better privacy policies, or confusing data protection laws. We need to create the incentives to put the actual control of the data back into the hands of the users. And that doesn't just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That's not the world we have today, and nothing in the GDPR gets us any closer to it.

And the answer is not "more enforcement." That just locks in the big companies even more and continues to present the roadmap to "follow" the rules, or to work the refs. Instead, if we moved to a system of protocols instead of platforms we could decouple the data from the service, putting real control of the data back in the hands of end users. Then things like privacy policies and GDPR enforcement wouldn't matter so much, because we'd have direct control over our data.

Instead, all we have is a massive law that has harmed startups, entrenched big companies, failed to protect privacy and just served to annoy most users.

The reality is that many people, in order to save time, simply click “OK” on the never-ending stream of pop-ups and most everyone I spoke to confess that they just move on when unable to access the desired website. Or, as one Twitter user told expressed, “I read a lot fewer articles in US papers/magazines.”

And, sure, there have been a few fines of internet companies, but as recent GDPR complaints show, there does not appear to be any way to actually fully comply with the GDPR, which makes it a particularly useless law. If you can't actually comply, if it's not actually protecting privacy, and it's just annoying users and creating more bureaucracy, what good is it?

Meanwhile, Alec Stapp has collected a ton of stories and examples of the GDPR's negative impact. It notes much of the stuff above, but also highlights just how damaging it's been to innovation on the whole:

  • Startups: One study estimated that venture capital invested in EU startups fell by as much as 50 percent due to GDPR implementation. (NBER)
  • Mergers and acquisitions: “55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR” (WSJ)
  • Scientific research: “[B]iomedical researchers fear that the EU’s new General Data Protection Regulation (GDPR) will make it harder to share information across borders or outside their original research context.” (POLITICO)

So now that we've had a year, can we admit that the GDPR has been a total failure by almost every possible measure? Supporters of the law will say to give it more time, or to say we need to "improve" the rules, but it should be obvious by now that the entire approach is the problem, not the implementation.

    Filed Under: censorship, competition, compliance, data protection, dominance, eu, free speech, gdpr, privacy, tech


    Reader Comments

    • renato, 24 May 2019 @ 8:36pm

      The reality is that many people, in order to save time, simply click “OK” on the never-ending stream of pop-ups and most everyone I spoke to confess that they just move on when unable to access the desired website. Or, as one Twitter user told expressed, “I read a lot fewer articles in US papers/magazines.”

      I just realized that I only saw those for a short time, and my adblock has been hiding them.
      I thought the websites were not required to continue warning users, but I was wrong.

      But, if I never clicked on those "OK" buttons consenting to be tracked, does it mean that those sites accessed using an adblock are violating GDPR?
      Where can I report them?

    • Bobvious, 24 May 2019 @ 9:09pm

      GDPR

      Google's Dominance? Pyrrhic Result!

      • frank87, 26 May 2019 @ 7:47am

        Re: GDPR

        I believe it's the law of Kamphuis: If the lawmakers keep failing, it's not because they are stupid, but because they have other goals.

        • Anonymous Coward, 27 May 2019 @ 6:18pm

          Re: Re: GDPR

          Thank you for saving us tinhatters time with your general consensus about lawmakers' other goals. I concur.

    • TKnarr, 24 May 2019 @ 9:22pm

      Eyeballs, not products

      The big problem is that the Internet platform companies aren't offering products to users, they're offering eyeballs (users) to advertisers either directly or indirectly. As long as that's the case, their incentives will always favor working around any privacy regulations strongly enough to offset any incentives to behave otherwise.

      If the carrot doesn't work, use the stick. Make it the law that personal information and data is owned by the user who generates it and the default is that no other entity has the right to collect or distribute it. Make statutory damages and legal costs and fees mandatory if a violation is proven. Then spike the guns of "privacy policies" and "terms of service" by setting a requirement that any collection or distribution of personal information requires the express consent of the user for that specific use, after having been clearly informed of the nature and extent of the data collected and its use, and that any agreement that does not conform to this requirement is expressly contrary to public policy and not just void but flatly illegal.

      I don't see the politicians going along with that though, there's too much money involved.

      • Anonymous Coward, 24 May 2019 @ 9:45pm

        Re: Eyeballs, not products

        Supporters of the law will say to give it more time, or to say we need to "improve" the rules, but it should be obvious by now that the entire approach is the problem, not the implementation.

        Way to be that guy...

      • Anonymous Coward, 27 May 2019 @ 6:28pm

        Re: Eyeballs, not products

        You take the privacy out of the hands of those seedy schmucks who sell it to much shadier billionaire bum corporations and there will be no incentive because advertising money will become disinterested. Seedy governments get our privacy for free and it's funny how they never become disinterested in it.

    • This comment has been flagged by the community.
      Linda Rompe -- now there's a palindrome for ya, 24 May 2019 @ 9:55pm

      You always set up straw-men goals so you're "right".

      First sentence of good technical writing should state your premise. I can't skip over 3rd word. You go into your own "Red Queen" world in which words mean what you want them to:

      Tomorrow will represent a full year since the GDPR went into effect.

      Oy. In the real world, "represent" is academese for perhaps "make" or "mark", and is wrong usage.

      Similarly, rest of text is written to support your notions, particularly to blame "those" and "some", who are always wrong when you write.

      Now, let's look at results.

      1) Overall, it's not the meltdown that you predicted. So you're wrong on "the sky is falling". You have your usual three anecdotal data points. Even here, when's the last time anyone complained?

      2) Your premises and beliefs never admit of the possibility that GDPR actually is written to lock in the giants, because the EU is only a globalist front for the new soft fascism. That's clearly so. As a trained "economist" your duty is to flatter The Rich and their corporations; always write for two audiences, one of which doesn't understand that they're the suckers, so again has the celebratory HA, HA tone.

      3) The one area we might agree is your notion that GDPR is wrong-headed on its "opt out" basis... Since only "opt IN" can work and it'd wreck GOOGLE's whole "business model", I'm sure you don't go along on the obvious solution.

      4) "So now that we've had a year, can we admit that the GDPR has been a total failure by almost every possible measure?" -- No, you're still not right on #1 and tacitly excluding #2 for which it's adequate incrementalism and so a "success".

      5) And as always, for "solution" you have a yet more complex magic to suggest, which only academics grasp and to implement at all would take another decade, to REALLY allow the big criminals to entrench without any interference:

      Instead, if we moved to a system of protocols instead of platforms we could decouple the data from the service, putting real control of the data back in the hands of end users. Then things like privacy policies and GDPR enforces wouldn't matter so much, because we'd have direct control over our data.

      It's a false position because pure fantasy: "a system of protocols" is just academese meaning STALL FOR TIME.

      In sum, 1) you're WRONG that caused a collapse, 2) as always you're actually protecting Facebook / GOOGLE'S surveillance capitalism, and 3) claim that your fictional notion was way to go, making you "right all along", as ever.

      My way: take a meat ax to anything big, break up into tiny pieces and TAX at over 100 percent if necessary. Only valid theory and only way ever proven to work.

      • Anonymous Coward, 24 May 2019 @ 10:20pm

        Re: You always set up straw-men goals so you're "right".

        Isn't GDPR protecting Facebook and Google? They're the only ones who can truly afford to comply with the law, right?

      • Anonymous Coward, 24 May 2019 @ 11:38pm

        Re:

        My way: take a meat ax to anything big, break up into tiny pieces and TAX at over 100 percent if necessary.

        I'll anticipate you using this approach for the RIAA.

        Just to spoiler a little, I won't be holding my breath for this.

        Also just because, Shiva Ayyadurai didn't invent email.

      • Bobvious, 25 May 2019 @ 12:30am

        Re: You always set up straw-men goals so you're "right"

        Linda Rompe -- now there's an anagram of palindrome for ya

      • tex2us, 25 May 2019 @ 1:17am

        Re: You always set up straw-men goals so you're "right".

        It's a false position because pure fantasy: "a system of protocols" is just academese meaning STALL FOR TIME.

        So instead of stalling for time, trying to reach a solution to this problem, we should just go with a (at best) useless law, just because it does something.

    • This comment has been flagged by the community.
      Anonymous Coward, 25 May 2019 @ 2:42am

      FUD

      Sorry guys; speaking as someone who actually had (and has) to do this; a year on the positive column more than outweighs the negative. In my business the road to compliance has vastly improved not just the direct management of personal data but also business processes as a whole and greatly improved security awareness.

      Looking at a number of the so-called negative points above clearly many of them are 'as expected' or actually good news. M&As failing with businesses over concerns of GDPR practices? Seems a sign that it's working well, not badly. Some people seem to have forgotten that in market economies some businesses need to fail; this is a good thing!

      I also like the take-away that “There are very big questions about what they’re doing.” Indeed. Clear proof that it IS working.

      • Billly, 25 May 2019 @ 1:41pm

        Re: FUD

        As a (reluctant and unwilling) privacy professional who doesn't need the work, you are spot on. The state of personal data management in almost every enterprise before GDPR was abysmal. Certainly firms that had to comply with COPPA had some practices in place, but there's a reason everyone who could ran screaming from COPPA compliance for the last decade.

        The very fact that businesses now have the procedures in place to even know what data they have and where it is going is a fundamental sea change and GDPR is responsible. I'll be the first one to say that it's horribly drafted, overbroad, and relies on a number of terrible premises and assumptions, but a total failure? It's doing exactly what it was intended to do (among many other things).

      • Anonymous Coward, 26 May 2019 @ 6:06pm

        Re: FUD

        It's also causing problems. Last year the main forum boards for Minecraft were sold to a larger company, and nearly 30% of the threads/posts had to be deleted. Why? Because GDPR requires that users opt-in to the transfer of their data when a company is sold, and between inactive users, people running adblock, and not responding to emails from the forums, a very large chunk of game history has been flushed down the tubes.

        I'm not saying that there aren't good side effects of GDPR, because there are. And in some cases the direct effects are good too. But IMHO the regulations painted with far too broad of a brush, and we're only just beginning to see the unintended consequences of what many feel is a very poorly written set of regulations.

        • ryuugami, 26 May 2019 @ 8:17pm

          Re: Re: FUD

          I'm pretty sure that in the case you state it would have been perfectly fine to simply "anonymize" the posts.

          • Anonymous Coward, 27 May 2019 @ 7:25pm

            Re: Re: Re: FUD

            Even if you didn't, the posts were no more revealing of the person behind the keyboard than they are right here. Nobody posted their names, addresses, etc on those forums.

            This isn't a case of the GDPR going too far. It's a case of misunderstanding the GDPR.

      • Anonymous Coward, 28 May 2019 @ 9:49am

        Re: FUD

        ..greatly improved security awareness..

        That ain't the same thing as 'greatly improved security.'

    • ryuugami, 25 May 2019 @ 2:49am

      we pointed out late last year that the early returns suggested that the GDPR had only made Google more dominant, which hardly seems like a way to punish the company.

      *facepalm*
      Why do you Americans insist that all the EU wants is to punish the US companies because they're more successful than European ones? Again, the point is NOT to "punish Google". The point is to allow us to have privacy. If it makes Google weaker, so be it. If it makes Google stronger, so fucking be it. As long as I get my privacy, any impact on Google's dominance is utterly irrelevant.

      all the GDPR has done is made people constantly need to click on annoying privacy and cookie notices that they don't read and don't find useful at all

      Like with the previous "cookie law" and "cookie notices", that's not a consequence of GDPR, that's a consequence of not following GDPR. GDPR has not done that to people, sites breaking the law have done it to people. Eventually, either those sites will get fined and stop doing that, or there will be a new law, with even more teeth and less leeway.

      We've pointed out for many years that the entire concept of a privacy policy is backwards. It creates a situation where no one actually reads it, and it doesn't do much to protect anyone's privacy.

      FFS, Mike. https://gdpr-info.eu/recitals/no-32/ (emphasis mine):

      Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

      Oh my, that looks like if you blindly click through, you're protected by GDPR. It's literally the opposite of what you're complaining about!

      And that doesn't just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That's not the world we have today, and nothing in the GDPR gets us any closer to it.

      https://gdpr-info.eu/art-7-gdpr/ :

      If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

      The data subject shall have the right to withdraw his or her consent at any time. [..] It shall be as easy to withdraw as to give consent.

      And so on, and so forth. You do make a few good points, but it seems to me that most of your arguments are inconsistent, and not based on what the law does but on what you think it does.

      You complain that potential fines could destroy companies, and you complain that no companies were destroyed for breaking the rules. The entire point was for fines to start small, then if companies don't clean up their act, gradually ramp them up until they really start to hurt. In fact, I believe I read an article or two where you pointed out the uselessness of "slap on the wrist" fines (of course, you weren't talking about GDPR).

      You see companies doing things "to comply with GDPR", and you complain that GDPR is wrong and there is a better way. However, those companies are actually not in compliance and GDPR is really close to what you want.

      You're arguing about short-term negative economic impact without any attempt at looking for a positive impact. You could do a very similar analysis about, say, environmental regulations.

      You're arguing that since the entire Internet didn't become a privacy haven in one year, it means the GDPR failed. Aren't you underestimating both the inertia of 3+ decades of Internet free-for-all, as well as the molasses-like slowness of federal bureaucracy?

      I agree with a lot of your positions. On those I disagree with, I can usually at least see where you're coming from. But your reaction to GDPR has completely mystified me. Must be one of those European<>American cultural differences...

      • Anonymous Coward, 25 May 2019 @ 7:44am

        Re:

        I have to agree with [almost all of] this. The one point that seems a bit hyperbolic is this:

        Oh my, that looks like if you blindly click through, you're protected by GDPR. It's literally the opposite of what you're complaining about!

        If you scroll through a document without reading it and then click the "Accept" button at the bottom that is still an affirmative action declaring consent. The GDPR does not describe that act as non-consent.

        I'm an American but I work for an international company making software products for international companies and governments all over the world. Because our software is public-facing we had to implement GDPR in our products. I was the lead of the team responsible for doing so and, as such, have read the GDPR docs more times than I care to recount in order to ensure our updates would allow our customers to be compliant with the regulation. The whole way-too-long document can be boiled down to just a few points and the cost of this improvement in the products was really rather minimal. All of the changes even make sense for non-GDPR nations because why wouldn't you want to be able to choose how your data is used?

        Sure, the GDPR can be abused but what can't? With a little creativity you can abuse literally anything. I believe this regulation has done more good than harm, overall, and has forced the world to start thinking about protection for personal data in ways and at scale that other laws, such as HIPAA, have not. If that has some costs for implementation (which naturally hit startups harder than moneyed, established corporations) then so be it. This is known as progress and is a natural consequence of new technology becoming established technology.

        • Anonymous Coward, 26 May 2019 @ 6:33pm

          Re: Re:

          Regarding this: how would a registry (like Robinson List) where you set out what and what not can be done with your data in general terms (tick a few boxes or even write a text), some kind of "Privacy Will" that would override anything you have clicked on a site/service?

          In the end, the point is that nobody reads those notices because you don't feel like reading legalese every time.

          What about only reading legalese once (with maybe counselors to guide you through that) where you set in stone your privacy settings?

          Of course, you can change them later on, but instead of having to tick every time, you tick once and it's now the service operator's job to check that registry and decide whether he wants to have you as his customer/visitor or not.

          And yes, if this makes startups harder or Google stronger, so-fucking-be-it. I want full control of my privacy and personal data, and if I say that you can't use my phone number for commercial purposes, you can't.

          No buts, ifs or whats.

          And of course, the effect is retroactive. If I realize that I don't want my phone for that, any previously given consent is null and void.

          Oh, and btw, I'm fine with destroying businesses for failing to protect my privacy or selling me out.

          Privacy is a fundamental right. If my data, choices or opinions end up in wrong hands, it might cost my job.

          Or worse, my life at a later date if the political situation in my country turns dire.

          I think we are mistaken if we think that protecting our privacy is only about not having ads or spam calls.

      • Thad, 28 May 2019 @ 8:23am

        Re:

        The point is to allow us to have privacy.

        And has the GDPR succeeded at this goal?

        You're arguing about short-term negative economic impact without any attempt at looking for a positive impact.

        Have you made an attempt at looking for a positive impact? Because I don't see any examples in your post.

    • Bloof, 25 May 2019 @ 3:57am

      Ah, something isn't a flawless panacea, therefore it should be written off as a failure. Good to know.

      Meanwhile I'll be over here enjoying the countless sites and services, big and small that have had no problem complying with the law.

    • Anonymous Coward, 25 May 2019 @ 4:25am

      GDPR failure or success

      Dear Mike,

      As a European citizen, I consider the GDPR a success:

      1. There is much more awareness -- worldwide -- about privacy. Partly because of the GDPR and its 25-year-old predecessor.

      2. Your remark that no companies have gone bankrupt has been debunked by your article [1] on the French regulator requiring Vectuary, a Real-Time bidding company to delete its complete database. Now the Irish DPA is starting an investigation into Google's RTB practises. [2]

      3. Some tinpot dictator silencing a journalist using the GDPR [3], although bad, is to be preferred over silencing with a gun. It's not a failure of the GDPR that a corrupt country abuses it against criticism.

      4. This article [4] makes the case that targeting advertising is bad for both the people as well as the advertisers. Returning to a topical model would bring back profitable advertising revenues to sites, publishers, etc, away from the data tracker. Perhaps that would have made a compelling argument against article 13 of the new copyright directive.

      5. Perhaps the biggest question: Who are the advertisers behind RTB? A broker has an impression to sell, provides data about the eyeball to the bidders who all receive the data, whether they win the bid or not. Who are the advertisers? Are they companies that want to enrich their data and purposefully bid low so they do receive data but don't win the bid?

      1: https://www.techdirt.com/articles/20181123/09014141092/new-gdpr-ruling-france-could-dramatically-re-shape-online-advertising.shtml
      2: https://brave.com/dpc-google/
      3: https://www.techdirt.com/articles/20181114/01491541047/yet-another-gdpr-disaster-journalists-ordered-to-hand-over-secret-sources-under-data-protection-law.shtml
      4: https://zgp.org/targeted-advertising-considered-harmful/

      • MathFox, 25 May 2019 @ 7:22am

        Re: GDPR failure or success

        Another small but significant example: the Dutch "Credit registration bureau" (BKR) was forced to offer free registration reports to all citizens.

        Companies are even more careful sharing data.

        And remember that the GDPR is just the next instance of EU privacy law, with many regulations that were already in effect (in a similar form) for decades.

    • Max, 25 May 2019 @ 5:24am

      Let me turn this around - what do you think would happen if, one year into someone's presidency, you would authoritatively declare it a failure...? You'd be laughed out of the room, because everyone is aware that whether or not one likes the direction he's taking, it would be ridiculous to assess anyone's true achievements one miserable year after taking office. And that's only even more true whenever litigation or legal matters are involved in any way. Yes, you can look at what GDPR did so far and not be terribly impressed - saying this is all it can/will ever do is laughable.

      And that companies are trying to dodge having to actually comply with it (which most of those pop-ups really do, instead of doing it properly) is hardly GDPR's failing; if anything, we need a handful of large booms going off to remind the smaller critters that this will not fly - but that will take some more time; NOYB filed complaints the minute GDPR went into effect (and continued to do so after); but those wheels turn hella slow, even though they're definitely turning.

      And finally things like "oh but actually asking is hard, I don't wanna do it" or "but that destroys my business case" are not actually valid excuses. I should be happy actually to see you go under, if your business model involved gobbling up my privacy not because I agreed with that but just because you could. Legitimate businesses will continue to be able to secure that consent just fine - in fact, GDPR is still siding WITH THEM AGAINST ME as soon as I had any actual dealing with anyone: once a financial transaction happened they are allowed to retain my data even if I would very much want them to no longer have it later for whatever other reason.

      So no, sorry. Whatever the reason for that chip on your shoulder about GDPR is, I'm not buying it. And neither do a number of others apparently, which tends to happen whenever a chip is speaking instead of the voice of reason.

      • Anonymous Coward, 25 May 2019 @ 11:02am

        Re:

        How about after three years?

      • Thad, 28 May 2019 @ 8:25am

        Re:

        Let me turn this around - what do you think would happen if, one year into someone's presidency, you would authoritatively declare it a failure...?

        ...that's the analogy you decided to go with?

        You do know who the current president is, right?

    • KJ, 25 May 2019 @ 5:58am

      "If we want to have better control over our privacy we're not going to do it through demanding better privacy policies, or confusing data protection laws. We need to create the incentives to put the actual control of the data back into the hands of the users. And that doesn't just mean a right to download your info. It means that you have full control over your data and get to control what apps and services can access it and for what reasons. That's not the world we have today, and nothing in the GDPR gets us any closer to it."

      The GDPR absolutely gets us closer to that. The main objective of GDPR is to put control over data in the hands of the consumer, instead of the companies.

      I'm sorry, Mike, but you have completely missed the mark on GDPR, and I say that as a European citizen and consumer.

    • JoeCool, 25 May 2019 @ 6:27am

      Shill Harder

      The shills are really out in swarms on this one. :)

      Anywho, back to some real discussion.

      If you can't actually comply, if it's not actually protecting privacy, and it's just annoying users and creating more bureaucracy, what good is it?

      You just answered the question inside the question. The purpose was more government jobs for otherwise useless toadies. Got some worthless nephew who needs a "job" (tongue firmly in cheek), get him a position in "handling" the GDPR. He can play minesweeper all day while pretending to process GDPR complaints, and draw a sweet government check.

      • ryuugami, 25 May 2019 @ 8:26am

        Re: Shill Harder

        The shills are really out in swarms on this one. :)

        Is it that strange to you that some Europeans actually wanted GDPR and like it (so far at least)?

        Anywho, back to some real discussion.

        Yup, that's a great way to have a discussion -- first dismiss everyone who disagrees :/

        The word you're looking for is "circle-jerk".

        • JoeCool, 25 May 2019 @ 10:34am

          Re: Re: Shill Harder

          Why shouldn't I dismiss you? You dismissed all the bad that's been shown since the passage of the law. If you can dismiss all the negatives, I can safely dismiss your opinions on the matter.

          • ryuugami, 25 May 2019 @ 10:53am

            Re: Re: Re: Shill Harder

            I didn't dismiss anything. I argued that, in my opinion, positives outweigh the negatives. I even provided citations from the actual law that clearly refute parts of the article. Others also stated their opinions and experiences.

            You called everyone who disagrees with you "shills", and then had the gall to call the resulting echo-chamber "real discussion".

            • Anonymous Coward, 25 May 2019 @ 11:05am

              Re: Re: Re: Re: Shill Harder

              It is interesting to note that the positives outweigh the negatives ... for some people while the complete opposite is possible for others and yet it is proclaimed that, for you anyways, things are peachy keen.

              • Bro beans, 25 May 2019 @ 8:20pm

                Re: Re: Re: Re: Re: Shill Harder

                It’s almost as if...people somehow have their own gasp opinions. Crazy.

          • Anonymous Coward, 26 May 2019 @ 5:49pm

            Re: Re: Re: Shill Harder

            You dismissed all the bad that's been shown since the passage of the law.

            What "bad"? Can you be specific?

            If not then you're just trolling.

    • Anonymous Coward, 25 May 2019 @ 7:27am

      People want to use websites and apps; they do not read user privacy notices, they just click OK. GDPR is a waste of time. They would be better off having rules re: how websites share data: do they sell it, do they give it to advertisers and third parties, is it well protected, are databases encrypted and well protected from hackers? Even Facebook did not have users' info on Instagram fully protected. There should be basic standards for protecting user data from hackers and how it is stored and encrypted. GDPR makes big websites like Facebook stronger, and makes it hard for small startups to grow.

      • Anonymous Coward, 25 May 2019 @ 7:48am

        Re:

        Go read the GDPR or any of the countless crib notes for the regulation. It does not say what you think it does and it does say what you think it doesn't.

        • Billly, 25 May 2019 @ 1:45pm

          Re: Re:

          Seriously, it's like the OP went through GDPR, picked up the primary requirements already in the law, and then said "we should have something like that instead of GDPR."

    • Sok Puppette, 25 May 2019 @ 9:52am

      "Numerous articles", my ass

      Even most of the things you honestly think are "problems" don't seem to be real problems. It's not that we should accept them to get the good parts, it's that they are good parts. And that ignores the other stuff you tried to sneak in.

      1. Good outcome. Paparazzi add no value and knowing where Prince Whatzisname lives or vacations is of no public interest. Guy has ZERO power over the UK government.
      2. Good outcome. Trash should've been being shredded all along.
      3. OK, not actually a good outcome. The "right to be forgotten" actually predates the GDPR, but the GDPR does codify it. The GDPR should probably be fixed to stay out of the public sphere more.
      4. How is that not an INCREDIBLY GOOD outcome? You claim the GDPR is bad because it conflicts with a TOTALLY INSANE copyright rule? Obviously you didn't think anybody'd bother to check your links, and thought you could get away with using this to pad the list.
      5. Does not appear to be related to the GDPR at all. More weaksauce list inflation.
      6. Getting parental consent = good outcome. Returns issue = obvious misapplication of the regulations. In fact almost certainly an intentional and self-interested misapplication on the part of the retailers.
      7. Amazon shouldn't have 1700 audio recordings of anybody to begin with, and that goes double if Amazon is so fucked up it can't tell whose data are which. I don't know why anybody'd care about Spotify history, but if anybody does care, then Spotify shouldn't have the data either.
        The obvious solution here is not to collect the data to begin with. Which is what the GDPR is supposed to incent. OK, yes, the "platforms" are trying to evade the whole point of the rule, and that results in paradoxical outcomes. Looks like the GDPR should be tightened to prevent them from possessing the information at all.
        And if that means Amazon can't train Alexa, then tough... Alexa is not important.

    • Anonymous Coward, 25 May 2019 @ 4:38pm

      Masnick, your continued rage against the GDPR reminds me of when Elon Musk continually flew off the handle trying to claim that his mini-sub was the best way to save the kids in the cave all while the professionals were doing the real work and succeeding.

      GDPR is producing tangible positive developments in the realm of privacy, but you’re too busy saying “No, it’ll never work! We should be using my ideas instead!” and then trot out your prized “protocols, not platforms” concept again for everyone to see. This narcissistic downplaying of real accomplishments is very unbecoming of you.

    • Anonymous Coward, 26 May 2019 @ 12:09am

      Wow, look at all the dissenting opinions. I thought Techdirt was supposed to be an echo chamber or something...

      You mean blue was lying when he said that?

      I'm shocked, I tell you. Shocked!

      • Anonymous Coward, 26 May 2019 @ 5:51pm

        Re:

        Even blue agreed with the dissenters. The sky is truly falling.

        • Anonymous Coward, 27 May 2019 @ 6:35am

          Re: Re:

          blue will agree with anyone who disagrees with Mike, even if it's someone just "agreeing" that breathing is bad for you. That's not exactly mind-blowing.

          • Anonymous Coward, 27 May 2019 @ 5:50pm

            Re: Re: Re:

            Can Mike publish an article on the benefits of breathing, please?

    • Coyne Tibbets, 26 May 2019 @ 12:39am

      Mean to total failures

      I suppose I can see why you would want to call GDPR a total failure. But frankly I think that is unfair to total failures.

    • David, 26 May 2019 @ 8:52am

      Uh what?

      As CNBC notes in its evaluation of the law, it's hard to see how the GDPR has resulted in any benefits to the public.

      What do benefits to the public have to do with it? It's like imagining the purpose of elections to be giving politicians a chance at turning their election promises into reality.

      The election promises are the means to get elected, not the purpose. Confusing the justification of some law with its purpose is going to make politics look like absurd theatre.

    • toi hell with twitter, 26 May 2019 @ 9:14am

      WRONG mikey

      one example on youtube where the guy actually got guildwars 2 to bend over , and he got them using the gdpr and now there is a nice video showing everyone a COMPLETE HOWTO USE IT RIGHT

      and if you do this then you have a system that actually works now if the company pulls an epic games it is also liable

      but that wont happen too often we can hope.

      • Anonymous Coward, 26 May 2019 @ 2:51pm

        Re: Punctuation, not just for PUNKS

        You’re supposed to use capitalisation at the beginning of a sentence. Not count up how many you should have used and make an entire sentence of them.

    • Shel10, 26 May 2019 @ 10:17am

      GDPR

      Has anyone created a way to turn off the GDPR?

      • ryuugami, 26 May 2019 @ 8:21pm

        Re: GDPR

        Yup, many websites (strangely, particularly news websites) are doing it. It's called "not doing business in the EU", or, in the extreme, "block the EU".

        And if you are in the EU, the only way to turn GDPR off is to... move :)

    • DerekCurrie, 26 May 2019 @ 10:14pm

      As expected, the big catastrophe of the GDPR is WHOIS. Whoever thought that was a good idea is a fool. Now every evil Internet IP address is ANONYMOUS. Idiocracy in the EU.

      • Anonymous Coward, 27 May 2019 @ 7:34pm

        Re:

        IP addresses don't have anything to do with WHOIS. I presume you meant to say "domain registrations" which are affected by WHOIS since WHOIS is a public tool for reporting the registrant of a domain name.

        Certainly the registrant information wasn't deleted. If it's no longer available on the net it will still be available to law enforcement, etc. Still, registration of a domain name has always included explicit consent to publishing your registrant details and should not have been affected by the GDPR. Registrants have always had the option of paying extra for domain privacy (which itself has always been somewhat questionable).

        • DerekCurrie, 28 May 2019 @ 10:33am

          Re: Re:

          You are quite wrong. Why the ignorant post? Do I have to teach you how to use WHOIS? You don't need any domain name and I most frequently end up using WHOIS without any access to a domain name. This happens when some process is attempting to access an Internet IP address, that call out is caught by a 'reverse firewall' such as Little Snitch on Mac, and I'm not going to allow the call out to occur until I know exactly WHOIS that IP address. Do you comprehend now?

          IASSOTS. Think before you post please.

          Equally obvious: Before GDPR, any friendly, helpful, kind, useful IP owner published who they are along with their IP address / Domain name. That meant that anyone could verify that the data being sent from their computer was going to an acceptable place.

          EXAMPLE: Via WHOIS anyone used to be able to learn that an IP address of 17.x.x.x meant an Apple owned IP address. On a Mac, of course it is fine for a process to send data to Apple.

          But when some entirely unknown IP address shows up, and there is nothing via WHOIS or anything else to tell the user who owns that IP address, of course you don't want your data being sent there!

          Thankfully, this detrimental nonsense, inflicted by the stupid GDPR, can be overcome in an application such as LittleSnitch by way of the application having created its own WHOIS listing of IP addresses willing to allow the world to know exactly who they are.

          And obviously my point is that ALL (every) IP address should have an identity associated with it, no opt-out, no GDPR nonsensical obfuscation over every IP address ever assigned.

          Do you get that as well, yet? Do stop being obtuse, please.

    • Anonymous Coward, 26 May 2019 @ 11:12pm

      Hello Mike,

      sorry for being late. To answer your question "One Year Into The GDPR: Can We Declare It A Total Failure Yet?": The short answer is "No". The long answer is: "Why should we?".

      What I find "funny" most of the time is your irrational "logic".

      • "made people constantly need to click on annoying privacy and cookie notices": not the GDPR makes it, it's web "designer" using cookies to sell my information to Google, Facebook, ... you name it.

      • "has the GDPR made the big tech companies more dominant": was it meant to decrease their dominance?

      • "if we moved to a system of protocols instead of platforms": move, Mike.

      • "Or, as one Twitter user told expressed, 'I read a lot fewer articles in US papers/magazines.'": the GDPR is not here to promote reading newspapers.

      • "Alec Stapp has collected a ton of stories and examples": you might want to check the linked page. I guess you mean something else.

      What I understand is that the GDPR is shit because it introduces compliance cost, hinders startups, makes companies go out of the EU, etc. The point is that the GDPR is not here to lower compliance cost, enable startups, make companies enter the EU. These things are fully out of scope of the GDPR.

      If you really want to argue that the GDPR is bad then bring some example where it does not protect personal information.

      Thank you for reading,
      Your favourite GDPR troll.

    • Glenn, 27 May 2019 @ 3:41pm

      I still contend that the law was not "well-intended" to begin with. As with most laws the motive was to control others for the benefit of some (sometimes called "minority rule").

    • Peter, 27 May 2019 @ 4:03pm

      One good thing GDPR does

      When I get confronted by the "not allowed in your area" I now know that particular website wants to do dodgy things with my data.

    • Anonymous Coward, 28 May 2019 @ 3:51pm

      The strings attached to your back become more visible with every one of these posts, Mike.

    • Biba, 27 Jan 2020 @ 10:12pm

      GDPR is only hypocrisy turned into idiocracy

      The situation is pretty bad as they pretend they care about us. It's all fake as always, they care only about their agenda. The truth is all this thing (and not only one that happens in the world today) is a brain-wash procedure for idiocracy to be. DHL for instance does not show in their database the address and phone number for parcels beneficiary - for their own protection :))) I used to work with DHL and I gave up, because the 1-2 days transit time of my parcels turned into a weeks, because I had to call DHL EVERY TIME to give them my info once again beside the sender did. Can you believe this? Why people refuse to wake up ?? Idiocracy is here and it's filled with terror :)))
