In the last several weeks, you likely received a slew of emails from U.S. internet companies updating privacy policies in response to the Europe’s General Data Protection Regulation privacy rules coming into effect.
Seeing these updates has left me with a nagging question: Why are all these U.S.-domiciled companies choosing to update their services to comply with laws that might not even apply to them from a jurisdictional perspective?
The seemingly obvious answer is that with global reach—or at least global ambitions—most of these companies feel compelled to default to the globally lowest common denominator—the most restrictive terms—when it comes to following data regulation.
But what is going on is actually far more complicated, and frankly more problematic.
Trust in American internet companies is at a low point, and the most complete answer to why they are choosing to comply with GDPR is that there is no competing U.S. framework for companies to stand behind.
This wouldn’t necessarily be a bad thing if the GDPR framework were a good set of laws; however, I worry that many of the ideas that underpin the framework are extremely dangerous to the long-term health and security of democracy, and against American ideals.
It would have been nice if the internet had been able to stay free and open, but as it has become more powerful, it was only a matter of time before regulation started to come into play.
The reality is that if we need to deal with a fractured and regionalized internet, the U.S. needs to assert a version of internet data law, rather than allow the Europeans to become America’s de facto regulator through a strange quirk of history.
Why The U.S. Shouldn’t Accept the European Way of Privacy
Creating a competing U.S. privacy framework wouldn’t perhaps be so pressing if the GDPR represented a set of good regulations. But sadly, there are several deeply questionable elements of the European regulation. Here are four of the key issues:
1. Bad Laws
First among the challenges with the GDPR is that it contains some simply bad laws. Chief among the bad ideas is the “Right to Be Forgotten.”
The right to remember is, in many ways, even more fundamental than the right to free speech. I should have a fundamental right to save and use the correspondence, photos and data to which I have been granted access, just as I have the right to remember anything I have seen or learned in the real world. The only reason that the right to free memory isn’t in the Constitution is that it would have never occurred to the Founding Fathers that the right to memory was a possibly practical issue.
The European way implies that I as an individual have some sort of ownership or claim over all the information about me in the world.
This isn’t how reality works. We interact with other people and businesses who build memories, opinions and perspectives about us, and who use that to make informed decisions about how they would like to interact with us in the future.
Even beyond philosophy it is worth considering the human side of memory. Most of my memories of myself are rooted in conversations and interactions with others. It is impossible for me as an individual to “forget” someone else without simultaneously losing a part of myself.
Thus, the right to remember, or the right to memory, is perhaps the most deeply critical human right if you want to have a functioning society where we can trust and interact with each other well over time.
I respect and understand how Europeans came to believe in something like the Right to Be Forgotten. In Europe, the memory of the Holocaust is strong and visceral, and it seems to lead people to a different place in terms of things like Freedom of Speech and Freedom of Memory.
But their approach isn’t in keeping with the American perspective.
I am convinced that the Right to Be Forgotten, along with related GDPR articles including the Right to Rectification (based on whose truth?), and Right to Data Portability (define “your” data?) are going to be very dangerous when you look at a historical scale.
2. Unenforceability
The second among many challenges with GDPR is that it is impossible to enforce technically. Take, for instance, blockchain technologies. As I have written about before, they are fundamentally incompatible with GDPR. The whole idea of a blockchain is that it is a platform for permanent irrevocable memory. When you contrast that with a legal regime that asks for data to be delete-able, you quickly reach an impasse.
This isn’t just a future-looking issue. There also are massive issues with GDPR in terms of how auditing and enforcement can work today.
When you make assertions about what I can and can’t store on a hard drive or remember, you have to be able to then validate what I as an individual or service do or don’t know. Those types of requirements pose interesting questions about what powers we want to give over to governments to monitor our activities and our privacy from the government.
I would argue that the implications of GDPR run up against American concepts like the Fourth Amendment, which prohibits unreasonable searches and seizures.
3. Complexity
The third issue I would call out about the GDPR is simply its complexity. The regulation alone is 88 pages. The interpretations by various parties run orders of magnitude longer.
To deal with all the complexity, ironically, data services are already cropping up to mediate between data warehouses and end-user services, allowing the end-user services to comply with GDPR by offloading the legal and policy complexity of warehousing data to other firms.
So, there is a world where, ironically, what GDPR actually ends up doing is empowering certain data custodians and warehouses more, not less, as firms that used to manage data on their own are forced to outsource to third parties for compliance reasons.
Good laws are simple laws that are meaningful and enforceable. With GDPR, we instead have a series of weak and confusing guidelines that will be hard for any company to reasonably keep up with from a principles-first perspective.
4. Regulatory Capture and Competitive Calcification
It should be lost on no one that GDPR is great for the large internet companies. They are best able to comply and have had open regulations and road to grow on for years, if not decades.
In fact, it has been quite interesting to watch companies like Apple and Facebook taking this moment and using it to further extend how they limit and lock down data in and around their platforms. Apple changed its terms of service to prevent many scenarios in which user data used to be central to how developers used their APIs. Facebook just added new agreements around the use of custom audiences. This is all happening as the companies look to build on the moment to their advantage.
Throwing up new barriers and making managing user data more expensive and harder simply entrenches large internet companies more and makes it harder for newer companies to compete.
So, ironically, GDPR makes data that providers already have used more valuable.
This is classic regulatory capture. As with environmental discussions in which smaller countries like to point out how many years the now-developed world had free rein to pollute the world as they grew, only to now block developing nations from following the same course, GDPR entrenches large internet companies and makes life more difficult for the next player coming up.
The American Way
Of course, it is easy to criticize other people’s law or rules, and far more difficult to come up with better counter-proposals. That said, let me try to outline a few things I think could underpin a U.S. privacy framework.
1. The Right to Remember
All individuals and companies should have the right to remember their interactions with others and their history.
There is an argument that, in the digital age, the right to remember needs to be further enforced than it once was, granting extra protection to individuals over their private photos, videos and writing. That might mean personal papers should get new levels of freedom and protection, so that they couldn’t be used to incriminate their authors, for example, in a world where everything is written down and recorded.
Your personal records—which are extensions of your own mind—should be your property, and they shouldn’t be able to be used against you.
2. The Right to Know Your Audience
In the real world, you say things in the context of physical and social spaces. We have as humans thousands of years of experience choosing what we want to say and how we want to present ourselves in different situations to different people.
One of the real challenges of the internet is that it is very difficult to think of it as a “space” and to think about whom you are speaking to and what spaces you are occupying when you post on a social network, fill out a form on a website, etc.
Many internet services have benefitted from this for a long time, making people feel comfortable broadcasting to large audiences from their homes in seemingly intimate digital spaces.
I think that internet service providers should be forced to tell users when they post to whom the post will be visible. It also is reasonable that web services should disclose in plain language what data they, and their agents, are collecting from you as you use their systems.
3. The Right to Message Delivery
One of the most innovative ideas during the formation of the U.S. government was the postal system. In order to foster a healthy society, the idea was developed that the post office would deliver a message from anyone to anyone else, and you could have complete faith that the transmission wouldn’t be tampered with or halted.
This used to be the model of the internet as well. You couldn’t stop an email from being delivered if sent, and clients could sort the mail they received into what they viewed as important and what they considered “junk.”
Over the last 20 years, as the number of internet service providers has consolidated, that open nature of the web and messaging is evaporating. There are now layers of service providers sitting in the middle of all messaging mediums and deciding which messages to pass through and which to block.
This comes from a good place—an attempt to limit spam and scams. But the ability to block certain people from sending messages to other people leaves the world in a dangerous place.
A good internet framework should focus on the unimpeded transmission of messages, so that internet messaging can maintain the same fundamental trust as the U.S. Postal Service over the long term.
4. The Right to Anonymous Access
One of the most famous early internet cartoons was the New Yorker’s iconic picture of dogs using the internet, where one dog says to the other, “On the internet, no one knows you’re a dog.”
This has dramatically changed over the last 20 years. Now, everyone not only knows what dog you are, but exactly which breed.
To protect privacy, we need a law in the U.S. that guarantees that you can sign up for any service using a simple username and password, versus being forced to choose a more data-rich login option like Google or Facebook open authorization.
This doesn’t mean that the service needs to provide the same degree of access for users who haven’t connected other services or are “less trusted” users in the system. It is clear that companies should be able to encourage or require certain types of validations or information in order to access certain features.
But services shouldn’t be able to unduly discriminate against my usage if I refuse to log in with a data-rich profile. Any functionality that can be reasonably provided without connecting a third-party service should be accessible without that access.
5. The Right of Records of Agreements
When you use the internet, you agree to all sorts of terms and conditions. I propose we establish some sort of right to make sure these agreements are transparent and simple. Put simply, you have a right to know exactly what you signed.
You as a user should always have the right to all agreements you consent to in order to use the internet in an auditable way.
In practical terms, this would mean that with every agreement you click “OK” to or agree to in order to use a website, you should receive an email with the exact copy so that it can be audited at a later date.
6. The Right to One-Click Cancellation
As the world moves more toward subscription services, there is more of an incentive to make it difficult to try to unsubscribe from services you are paying for.
For instance, I dare you to try to figure out how to unsubscribe from the New York Times online.
At the extreme, some internet services even make you call a physical phone line to cancel their service and stop being billed. This is clearly bad.
I would be in favor of regulation requiring that you as an individual need to be able to unsubscribe from any service online in no more than three clicks, though one would be ideal. If you make it easy for me to pay, you need to make it easy for me to stop paying.
The Path Forward
At Fin, the AI-powered digital assistant company I co-founded, we for years have had in our terms of service that Europeans aren’t allowed to register for our services, in anticipation of GDPR.
More recently, we have blocked European IP addresses, and made it clear in all communications that we only ever offer services in the U.S. to Americans.
We aren’t alone in this approach. Several newspapers, retailers and other organizations have made the same decision. Europeans are now simply too high risk and too high complexity to serve.
Intellectually, I find it fascinating. I can’t wait for an American company not operating in Europe but serving people in Europe to be fined, and for the world to have to sort out the associated jurisdictional issues (my bet is that the Europeans won’t ever be able to collect).
Practically, I find it a bit sad. I wish we could keep the internet open, and I wish that Europe weren’t cutting itself off from so much innovation.
Optimistically, I hope that this is the opening for the U.S. to outline a real set of rules and values for U.S. companies that would update and clarify some much-needed points of law for the digital age.