Skip to content

GDPR and the End of the Internet’s Grand Bargain

The following is an excerpt of an article published by Harvard Business Review on April 9, 2018.

“For now, GDPR, which replaces previous EU mandates on data collection and use, differs significantly from U.S. law, pushing the two regions further apart in their approaches to regulating the digital economy.

“The EU’s General Data Protection Regulation will take effect on May 25 and create new rules around how users consent to provide their data online and how that data is stored.

“Data collection for European users, for example will require frequent and explicit consent (‘opt-in’), which can be withdrawn at any time ‘without detriment.’ Consumers have been granted a new right to take with them data deemed personal, with the costs borne by the entity that collected it. Security breaches, broadly defined, must be immediately disclosed, even if the entity is unaware the breach has occurred.

“The new rules also include an extended version of the so-called right to be forgotten (or ‘right to erasure,’ as it’s now being called). The person to whom any information refers can demand removal of that data under a variety of conditions, including that the subject ‘objects’ to further processing. It’s possible this could lead to even more search results and news stories reporting true facts being effectively unwritten when they disappear from search and other platforms.

“Europe’s expanded privacy regime has already been the subject of a great deal of criticism, including from privacy advocates. GDPR’s definitions are broad and vague (personal data means ‘any information relating to an individual, whether it relates to his or her private, professional or public life’); its penalties are astronomic (€20 million or 4% of annual revenue, whichever is greater, for violations of most provisions). Data collectors can be held responsible for violations by third-party users.

“In Europe, and perhaps soon in the U.S., industry self-regulation appears to be ending. While GDPR is certain to improve choice, control, and transparency for EU consumers, these new powers come with new responsibilities and new costs for users, not least of which are ballooning budgets for government data management and enforcement bureaucracies worldwide.

“And governments are hardly the experts on data security. There have been even bigger breaches of sensitive data controlled by U.S. and EU governments themselves. Yet many government violations of GDPR are notably exempted from the regulation.

“More directly, users will be barraged with interruptions to the flow of their online lives, forced to review, decide, and reconsider each element of information they enter. In economic terms, every new mandatory disclosure, user control, and privacy ‘dashboard’ introduces transaction costs into interactions that previously didn’t have them.

“Transaction costs are already abundant in our digital lives. The increasingly granular and configurable privacy controls offered by large internet platforms including Google and Facebook, for example, are already impenetrable for most consumers.

“At some point, perhaps very quickly, disclosed information becomes TMI — too much information. As anyone who has ever bought a home can appreciate, the transparency that comes with hundreds of pages of mandatory disclosures from lenders, sellers, and government agencies often means that the important information — the questions that actually matter — get lost.

“With even more transparency and mandatory choices, online users may just accept, or reject, everything — the opposite result of what advocates claim to be promoting.

“The age of the free and open internet may come to an end, and quickly. That may have been the true goal of many calling for ‘regulation’ of tech companies in the first place. If so, the unintended impact on average consumers will be severe and, perhaps for many, decidedly worse than today’s admittedly messy and often leaky online experience.

“For those who can afford it, the EU’s new deal for data will make interactions feel more private and less, well, creepy. The question EU regulators and their supporters abroad never seem to ask, however, is this: What about the rest of us?”

Learn more about GDPR and sign up to receive updates at

Image by Wil Stewart via Unsplash (CC BY 2.0)