Is GDPR EU’s Frankenstein Monster?

Two hundred years ago, the world was introduced to Dr. Victor Frankenstein.

Mary Shelley’s book “Frankenstein” was published in January 1818 and told the story of a genius scientist, Victor Frankenstein, and his work to create the perfect creature from the flesh of corpses.

Frankenstein’s creation turned out to be not so perfect. His massive size and looks scared people to death, so he was forced into hiding. That wasn’t exactly the lifestyle this so-called perfect creature had in mind, so things deteriorated rather quickly.

The straw that broke the creature’s back, in this case, was Frankenstein’s refusal to create a female mate for him, out of fear of perpetuating a whole species of incredibly large, strong and not so very attractive-looking creatures who Frankenstein believed could bring great evil into the world.

In a fit of revenge, the creature killed Frankenstein’s wife on their wedding night and fled into the darkness. In a fit of rage, Frankenstein went after the creature with the intention to kill him, fell into the Arctic Ocean, got rescued, got sick and ultimately died. The creature, upon discovering the death of his creator, vowed to kill himself, before walking off into the darkness — leaving readers to presume that is what he did.

It was not what we might call a happy ending.

Tragic as it is, the story line is, I’m sure, quite familiar.

What may not be as familiar is its potential relevance to the regulations put in place by the European Union (EU), which forces its idea, from Brussels, of a perfect regulatory environment on the rest of the world.

The actions of the EU over the last several years — the European Commission through decisions and fines and via regulatory fiat in the form of GDPR last week, PSD2 next fall and ePrivacy waiting in the wings — are attempts to create the perfect set of operating rules for businesses, with ample punishments for those who don’t comply. This is all done under the guise of protecting consumers from the actions of companies the regulators have decided aren’t in the consumers’ best interests.

Thanks to the proliferation of mobile devices, internet connectivity and the platforms that make it easy for businesses and people to find each other regardless of where they live, that’s now every business on behalf of every consumer it interacts with anywhere in the world.

 

Only I Know What’s Best for Consumers — All of Them

Frankenstein was written by Shelley to make the point that it’s dangerous to have one person think they know what’s good for everyone and take action on those beliefs. Her message was those sorts of actions, driven by hubris, will ultimately destroy a person and many of the things they care about.

Frankenstein was motivated to create the world’s most perfect creature to improve the state of humankind. He believed that only he was gifted enough to know what perfect should look like and how to create it.

When he did, a chain reaction of unintended consequences was set in motion, and things spiraled out of control — all because the less-than-perfect creature to whom he had given life was suddenly forced to live a less-than-perfect life.

It wasn’t until Frankenstein personally felt the impact of the creature’s rage and revenge that he realized the serious — and deadly — consequences of his actions, driven by, in Frankenstein’s own words, a desire that “far exceeded moderation” and, later, filled his “heart with disgust.”

At that point, it was too late to save either the creature or its creator.

 

EU Regulators and a Backwards View of Who’s Being Harmed

EU regulators have long waved the “what’s best for the consumer” flag as part of their many actions against “Big Tech” to create the perfect business framework for the 28 countries operating within it — even if it wasn’t always clear that consumers had been harmed or were the ones complaining.

Take Google.

The saga that is Google versus the EU over these last eight years is well-documented, so I’ll spare you the lengthy narrative. The CliffsNotes version is that a bunch of tiny websites convinced the Commission that Google’s Shopping product put them at a disadvantage when consumers were searching for products. Google Shopping is that carousel of product images that consumers see at the top of Google’s search results page and for which marketers pay to be there.

In 2010, the tiny websites making those allegations had some big-time help through Microsoft.

The tiny websites, egged on by Microsoft, managed to convince the Commission in 2010 that Google was manipulating its search algorithms to provide favored placement via Google Shopping — all for the sake of making more money. Tiny merchants without the budget to pay for such a favored position on Google, the claim alleged, never had a shot at getting anyone’s attention — and that was a very bad thing for these small sites, since the only other option for search was an otherwise unpopular Bing.

Since European consumers weren’t using Bing to search for much of anything, Bing generated little traffic for these smaller sites. And since these smaller sites didn’t have enough of a consumer following to generate enough clicks to move up the ranks in Google search, nor the budget to buy ads to drive clicks, they claimed their business was more or less hosed.

That, in the eyes of the EU Commission, harmed consumers.

Arguments over many years to convince regulators that Google’s so-called “dominance” was the result of consumers using Google more because they found it to be a better option, and that Google’s practices were driven by giving consumers what they wanted, fell on deaf ears.

Arguments that limiting the search market to Google and Bing is like saying that grocery store competition is the domain of Kroger and Stop & Shop were also ignored. Consumers use Facebook and Amazon and vertical aggregators like Houzz and Expedia and others like them increasingly to search for what they need — and are among Google’s biggest threats.

In a decision that highlighted that the EU’s appreciation of the dynamics of platform businesses and commerce ecosystems is circa 1995, Google was fined $2.7 billion in 2017. EU Commissioner Margrethe Vestager said at the time that their actions were “illegal under EU antitrust rules” and harmed consumers by “denying them choice and the full benefits of innovation.”

Of course, it wasn’t the consumer that was egging on the Commission.

As they say, the beat goes on.

Yelp re-upped its antitrust complaint last week and took to “60 Minutes” to describe its version of Google’s alleged wrongdoings. The media is lapping it up, and everyone is piling on to the idea that Big Tech, especially Google, is doing bad things to hurt — well, you name it.

All this only further fuels the big-equals-bad narrative promulgated by EU regulators who believe that one firm getting big means others get smaller — which must mean consumers are getting hurt.

In most of the world, that’s considered a competitive, free market, where consumers have a lot of choices.

 

How 28 Countries Ended Up Regulating the World

The latest regulatory salvo to fix all of what Brussels believes is harmful to consumers is GDPR — General Data Protection Regulation — which took effect last Friday, May 25. GDPR now governs how every single business in the world interacts with consumers and uses their data, regardless of where those businesses are domiciled, so long as Europeans are interacting with them.

The regulation, which all of you know quite well from the privacy emails filling up your inboxes, requires companies to provide more transparency over how consumer data is used and protection to keep that data secure. Consumers must acknowledge they understand the new terms of service related to how their data is used, and companies must offer them the right to have their data removed from those databases upon request. Businesses have a month to acknowledge those requests and comply.

Noncompliance is not only expensive; it can destroy a business.

Fines range from $12 million, or 2 percent of annual gross revenue, whichever is greater, for lower-level infractions, to ~$24 million, or 4 percent of annual gross revenue, whichever is greater, for higher-level transgressions.

Surveys of businesses in the U.S. suggest many firms aren’t ready — and even those that are ready aren’t entirely sure they’re fully compliant. It’s been estimated that companies have spent millions on efforts to become compliant with a regulation that they claim is vague and overly broad.

For example, consumer requests to be forgotten are more complicated to execute than they may first seem, since consumer data stored in one place may also be stored downstream on multiple servers that were given access to that data to enhance their own. It’s not clear who’s responsible, who’s liable and what’s required to comply in a timely fashion.

Consumer requests to be forgotten can also be made by bad guys who have taken over the identity of a legitimate consumer after committing fraud. Merchants say they lack clarity about the rules associated with keeping consumer data on hand in the event of a chargeback. Both situations put consumers and relying parties at great risk of being harmed.

At the same time that Brussels is taking a no-nonsense approach to enforcement, many regulators say they lack the tools and the people to do the actual enforcing.

None of this has stopped activists from claiming violations, criticizing the methods businesses use to advise consumers of their rights and slapping big companies with deep pockets with lawsuits.

In what is likely to become a full-time job for lawyers everywhere, the same day GDPR went into effect, Google and Facebook were hit with lawsuits claiming $8.8 billion in damages, collectively.

That’s surely just the tip of the iceberg — we’ve not even gotten through the first week.

GDPR advocates say the regulation passed in 2016 was necessary to keep consumers from having their data stored, used, monetized and potentially put at risk by companies without their knowledge and consent. They cite the Equifax breach of nearly every adult’s personal data in the U.S. last year and Facebook’s data issues related to Cambridge Analytica as Exhibits A and B of what happens when companies play fast and loose with consumer data.

GDPR, they say, was prescient in its effort to anticipate and right the inevitable wrongs that can hurt consumers.

Of course, consumers should have the absolute right to expect that their data is kept secure, kept private and is used appropriately. And when it isn’t, there should be consequences.

There already are.

Depending on who you are in the ecosystem, those consequences are severe. Card networks write the rules for how business is done using their rails and enforce them. Acquirers can and do shut businesses down if they don’t comply, and card networks can and do prevent violators from connecting. A bevy of regulators take a dim view of companies that have proven to mislead consumers and enforce penalties. That’s on top of the dozens of regulations and regulators that financial institutions and payments players must comply with to even get and stay in business.

But there’s also a difference between a company like Equifax, which keeps data that consumers can’t control and that can be used to harm them, and platforms that ask consumers to complete a user profile in exchange for getting access to services they want from that platform.

In the case of Equifax, consumers don’t have any idea how credit bureau data is obtained nor how it is updated, nor how the black box formulas work that ultimately decide whether they are creditworthy.

They also have no say.

They know that it’s hard and time-consuming to correct inaccuracies and that credit bureau information can prevent them from getting a personal loan, a car or a mortgage and even a job. Since the breach, all of that now comes with the extra sting of having that data shared with criminals via the Dark Web and the looming threat that it will be used to harm them.

Consumers do, however, understand quite well the quid pro quo when asked to establish a profile in return for access to a platform or a website and the services they want to receive from them.

They not only willingly do this, they spend a lot of their time on those platforms getting content and services.

In 2016, it was estimated that consumers spent 437 billion hours consuming content from ad-supported media platforms. In exchange for that time, they received value — and continued to use those platforms for that reason.

These ad-supported business models also made it possible for those consumers to access that content free of charge and even to get other benefits, including discounts on purchases and advance access to special deals. Just like the publisher business models in the days of “Mad Men,” advertisers pay those platforms for access to those eyeballs. Today, instead of magazines and newspapers, they are digital platforms of all shapes and sizes.

Consumers also don’t seem to mind the trade-off that comes with the exchange of information for putting up with advertising and are fully aware of the choices they’re making. And consumers are smart enough all on their own to know when they don’t get value from those platforms and vote with their thumbs when they don’t.

Consumers were given the option to delete their Facebook profiles in the aftermath of the Cambridge Analytica incident, but only 9 percent did. Since then, 65 percent of people say they use the social media platform as much or more than they ever have.

Of course, businesses, especially platform businesses operating in a competitive market, know this too and understand the threat to their business if they lose consumers. They fully understand the dynamics of the platforms they have built and that the eyeballs and their revenue streams can easily move to other platforms if the balance of advertising versus content gets out of whack or too many ads interfere with the content consumers want to access.

Most platforms work hard to strike a healthy balance because they don’t want to lose those consumers to a competitor that delivers more value.

 

GDPR’s Unintended Consequences — and Harm to Consumers

The EU regulators weren’t wrong to take steps to ensure that citizens living in the 28 countries in the EU have the appropriate levels of control over the privacy and security of their data. Nor was it wrong to expect that all consumers should be afforded that right and for companies to work hard to make sure they do.

Where they went wrong is imposing their views on how that should happen and a set of regulations that reflect those beliefs on the entire world — in the absence of a clear understanding of how modern, global, digital markets work.

The world is much larger than the 28 countries that make up the EU.

Forcing compliance with their definition of what’s best for consumers absent that understanding will trigger a series of unintended consequences.

Some of which we are already seeing.

Some media sites have shut off access to people living in the EU. The risk of noncompliance and the huge fines associated with it aren’t worth it for the readership in those countries. Some gaming sites have shut off access to EU citizens too, citing a lack of clarity over acceptable terms and conditions.

So what, you might say, if people living in Germany can’t get The LA Times or those living in Spain can’t play video games? Big deal. But those consumers used to, and now they don’t and maybe they never will, depending. Regardless, the EU regulators have denied them that choice.

It’s also possible that larger companies are having some of the same conversations with their investors and boards.

The cost of doing business in the EU with any business model that uses data as a monetization strategy just rose by $10 million — at a minimum. That buys a lot of people and technology and expansion opportunities in economies with an appetite for innovators and platform innovation, market competition and expansion like India, Africa and LATAM.

Countries that understand that consumers willingly give up their data in exchange for value, which often includes access to services for free or highly discounted fees, will have an advantage.

Startups that use data to monetize and subsidize services to consumers — and many of them do — may think twice about setting up or expanding in the EU. Even if they don’t, investors may force their hand, weighing those opportunities with the $10 million overhang they might have to cough up in the event of the slightest infraction.

At the same time, the EU has announced it is seeking investors to fund tech startups to compete with the U.S. and China.

Good luck with that.

So far, GDPR has delivered the ultimate consumer “benefit”: friction. Friction in the form of more spam emails than anyone has ever seen flood their inboxes — ever. And friction in the form of the never-ending wave of pop-up boxes on websites requesting an acknowledgement of new terms that no one reads because all anyone wants to do is click the “X” in the corner and get on with what they planned to do on that website.

Yet, thanks to EU regulators, all consumers in the entire world are now subject to regulations made by a central government presiding over 28 different countries that collectively represent less than a quarter of the world’s purchasing power.

This could mean, in the end, one of two things.

One, that innovation comes to a screeching halt in the EU.

Companies may decide that risk of operating there will outweigh the returns of being there. Speaking out on ePrivacy — GDPR on steroids and potentially the next shoe to drop — a British member of the European Parliament warns that the EU “will become a digital backwater,” citing conversations with tech players with concerns about GDPR and outright opposition to the ePrivacy regulations.

If you were an ad-supported startup (like Spotify was when it began) and had to pick a place to commence operations, it’s hard to imagine you would pick the EU, where the regulations are oppressive. Almost anywhere else in the world would be better.

Or, second, that the EU is left with only the largest of global players to serve the needs of its citizens, which is precisely the type of company EU regulators seem to loathe.

Becoming compliant and staying compliant with vague regulations, plus paying an army of lawyers on standby to fight back against the lawsuits that are certain to pave the GDPR path, can only be supported by gigantic players with gigantic checkbooks. For as long as they are willing to stomach it.

It makes you wonder what would happen if Google and Facebook pulled a Howard Beale (the character in the movie “Network” who decried that he was “mad as hell and not going to take it anymore”) and shut off access to consumers in the EU?

Or how much further Big Tech can be pushed before they do.

Whether GDPR is, in fact, EU’s Frankenstein, will be determined by how willing regulators are to recognize that their view of perfection should reflect what consumers want by watching what consumers do.

Whether it’s already too late — only time will tell.