This week, France’s data protection regulator demanded that Google pay a record fine for violating Europe’s expansive new privacy rules. The tab? About US$57-million. The purpose? Hmm.
In its ruling, the regulator alleged that Google fails to adequately explain how it collects data to offer personalised advertising. Some information is “excessively disseminated” across different documents. Some requires more than one click to find. Some consent boxes are pre-ticked, thereby discouraging careful study. In sum, a user’s consent — even when freely given — is insufficiently “specific” and “unambiguous”.
If all this sounds ridiculous, welcome to the General Data Protection Regulation, or GDPR. Put aside for now that these rules are all but impossible to fully comply with. Ignore, too, that they’re impeding innovation, harming small businesses, inhibiting growth, imposing needless costs, annoying consumers and accomplishing nothing. Instead, ask what the regulators are actually trying to do. There are two plausible answers.
One is that they merely want to make an example of Google, as opposed to announcing that crushing fines are on the way for every company that can’t adequately comply with the GDPR. That might minimise the damage. But it would also suggest that Europe intends to wield these rules — as it does so many others — to punish Silicon Valley giants and protect local rivals.
Another possibility is that the ruling portends a broader crackdown on digital advertising. Companies collect so much personal information not out of prurience but to reach the customers most likely to buy their products. To do so, firms constantly mix and match data to find correlations and make inferences. Demanding that they stop at each step to once again get users’ consent — as this ruling implies they must — could make their services difficult or impossible to use.
And whose interests would that serve? In Europe, the digital advertising market reached almost $55-billion in 2017. Fully a quarter of all EU businesses market themselves online, and 78% of those use “contextual ads” that require data collection. Making this model more expensive and less effective would burden companies and reduce growth, while leaving users with worse services and unending aggravation.
More to the point, if consumers object to data collection, they’ve shown little inclination to change their behaviour. Perhaps that’s because they aren’t given enough boxes to tick or privacy policies to reflect on, as Europe’s officials suspect. Or perhaps consumers think all the free and easily accessed services they get are a fair exchange for their anonymised data. In any event, few are clamouring to cede the choice to bureaucrats.
A better approach would be a certification regime, on the model of the “information fiduciary” standard that has gained adherents in the US. Companies would agree to a set of best practices — using data for limited purposes, vetting third parties, and so on — in return for a regulatory stamp of approval or other incentives. Consumers would know when their data is in good hands without being expected to peruse opaque privacy statements or offer meaningless assertions of consent. If they wanted to take their chances with less scrupulous services, their choice would be informed.
Such a system would obviate the GDPR’s endless rules and arbitrary enforcement. It would respect the choices of users who may have very different preferences about the data-for-services trade-off. It would allow new businesses to grow unencumbered by rules they could never hope to comply with. And regulators would have less to do — which is usually a good thing. — (c) 2019 Bloomberg LP