In a daring move, facing mortal peril and all sorts of tremendous adversity, my company will… send out a newsletter this week. (When you read this, it may already have happened.)
Judging from all the desperate e-mails I have received last week (and the swarm I am still receiving these days), sending newsletters seems the worst offense anyone can commit in the world of business. The hype was picked up by large corporations who also started asking for our consent to send e-mail, reinforcing the panic over love’s labour’s potential loss.
(I stand guilty as charged: my company had also sent exactly two of those e-mails.)
A law is best judged by its effect on society – rather than by the intention of its makers. Having spent over three months preparing my company for GDPR compliance, I can safely say that GDPR is harmful – it harms business, it damages public trust, and eventually it threatens democracy and the rule of law.
GDPR is the General Data Protection Regulation of the EU, originally intended to protect the personal data of the EU’s citizens and prevent the dishonest mining and processing of those data – but I have strong doubts if it will ever accomplish that. It has already accomplished other things, though.
GDPR has disrupted honest businesses that were forced to spend a lot of time and money to… set up obstacles to their own activities. In the most popular interpretation of the regulation, it will be (correction: it already is) all but illegal to collect contact details for businesses to communicate. As a result, smaller companies, who don’t have the complex infrastructure for that, will find it harder to grow and win new deals in general.
GDPR is threatening the rule of law because it makes everyone a potential offender. A lot of people I know – people who are anxious to abide by the law – feel as if they were violating GDPR, no matter how well they prepare. This is probably true: GDPR looks like a tax law in a corrupt country – in its present form, it ensures that everyone can get caught for something, so that authorities can make exceptions on a whim.
GDPR is threatening the rule of law indirectly because we can see no action or guidance from authorities. While the business world was in uproar, authorities – community and national – were mostly sitting silent… and so everyone was forced into massive guesswork about the interpretation of the law. In my country, there is not even local legislation yet. What happens next? Will governments come up with new interpretations next week or next month that force most companies to start preparing over again?
GDPR is threatening the equality before the law by applying the same measure to everyone, large and small, regardless of their respective power or their potential trespasses (with the exception of some nuances). Some data protection authorities (in the UK, for example) make half-hearted attempts at reassuring small enterprises that GDPR is not against or after them – but the actual law does not say that. And I don’t think that a newsletter sent by a small company is at the same level as the mass exploitation of sensitive data by a large corporation – or a government –, harvested from users’ contents without their knowledge.
GDPR is further damaging public trust and threatening the rule of law by exempting the government from the rules – yet I think our governments are the most potent entities to want and to abuse our sensitive data. Specifically, in paragraphs 6.(1) c) and e), GDPR makes any data processing lawful if it’s by “legal obligation” or by “official authority vested in the controller”. No checks, no balances. Not acceptable from a body that can install or change “legal obligations” or “official authorities”.
Less honest businesses in the meantime – well, they are still conducting business as if nothing happened. I still keep receiving e-mails from companies I have never contacted and who never provided me with value and never asked for my consent. Large corporations may have asked for my new consent to send e-mails, but they did not ask about using all the highly sensitive data they silently mine from my posts, messages, or uploaded content – often by some legal obligation that orders surveillance over us.
The only positive effect I see is that people are – perhaps, hopefully – becoming more conscious about sharing their data. That is, if the smokescreen of commercial e-mail does not hide other, potentially way more dangerous uses of data by entities far more powerful than the ones sending those poor e-mails. In that vein, last week I have refused to provide sensitive data about my son’s education to the government (no danger in that, it wasn’t mandatory – but I got to feel rebellious for a few minutes).
I think it still isn’t too late for authorities and governments to make a course correction about data protection and privacy – but will they have the wits and guts to do that?
Quo vadis, GDPR?