Alec Stapp on GDPR

Here is just one segment of an excellent piece:

Compliance costs are astronomical

  • Prior to GDPR going into effect, it was estimated that total GDPR compliance costs for US firms with more than 500 employees “could reach $150 billion.” (Fortune)
  • Another estimate from the same time said 75,000 Data Protection Officers would need to be hired for compliance. (IAPP)
  • As of March 20, 2019, 1,129 US news sites are still unavailable in the EU due to GDPR. (Joseph O’Connor)
  • Microsoft had 1,600 engineers working on compliance. (Microsoft)
  • During a Senate hearing, Keith Enright, Google’s chief privacy officer, estimated that the company spent “hundreds of years of human time” to comply with the new privacy rules. (Quartz)
    • However, French authorities ultimately decided Google’s compliance efforts were insufficient: “France fines Google nearly $57 million for first major violation of new European privacy regime” (The Washington Post)
  • “About 220,000 name tags will be removed in Vienna by the end of [2018], the city’s housing authority said. Officials fear that they could otherwise be fined up to $23 million, or about $1,150 per name.” (The Washington Post)

And another part:

Unseen costs of foregone investment & research

  • Startups: One study estimated that venture capital invested in EU startups fell by as much as 50 percent due to GDPR implementation. (NBER)
  • Mergers and acquisitions: “55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR” (WSJ)
  • Scientific research: “[B]iomedical researchers fear that the EU’s new General Data Protection Regulation (GDPR) will make it harder to share information across borders or outside their original research context.” (POLITICO)

Do read the whole thing.


It would be interesting to see the costs for the equivalent in China with their even more restrictive Great Firewall. Facebook and Google might complain about the GDPR but at least they are in the EU market. Can't say the same for China.

Naive question: what is the means of enforcement, given that EU does not have a Great Firewall? For example, if Google's servers were all outside the EU, then how would EU have jurisdiction or what could EU/France do if Google just refused to pay fine?

Google has both a legal and a physical presence all over Europe. If they refused to pay their fines, they can start by increasing fines, if that doesn't work then move to confiscating property, if the charges are serious enough they can move to imprison executives.

I don't think prison is in the cards, unfortunately. But massive fines, yes. And given how the GAFA use Europe to avoid US taxes, I'm sure they have plenty of money in EU-based bank accounts...

Not naive at all. This is of the essence. Despite all the predictable objections and dire predictions of grisly human suffering and general gnashing of teeth, if a company wants in to a market bad enough, they seem to find a way to meet the requirements and make it work.

A big difference is that China has had that in place all the time. If GDPR existed for the past 20 years it would not cost an insane amount to retrofit it onto businesses built on the idea "we absorb all the data we can."

It would be fair to describe those costs as deferred maintenance. GDPR may be a bureaucratic mess, but tech companies are making an effort every to convince people that heavy regulation is needed.

In what way would that be fair?

We should be happy because tech titans have captured the regulators and now will have a regulatory monopoly?

+1 to Freddo, stating the obvious. The GDPR, which sounds obscene, is damn good PR for do-gooders who think they are doing good, and Big Companies love it for the same reason they loved the RCOT, it keeps out new entrants. (Wikipedia on RCOT: "The Railroad Commission of Texas (RRC; also sometimes called the Texas Railroad Commission, TRC) is the state agency that regulates the oil and gas industry, gas utilities, pipeline safety, safety in the liquefied petroleum gas industry, and surface coal and uranium mining. Despite its name, it ceased regulating railroads in 2005. Established by the Texas Legislature in 1891, it is the state's oldest regulatory agency and began as part of the Efficiency Movement of the Progressive Era.")

Bonus trivia: Conrad Black's kiss-and-tell-all book "A Matter of Principle" is amazingly good. I like his name dropping, it gives a window on how the 0.01% live.

How is this piece "excellent"? Random examples, questionable numbers, ignoring the benefits? I don't hear many EU consumers complaining about GDPR.

Speaking as a manager in a tech company, GDPR has forced us to think more clearly about what data we need to collect and what we tell customers. And that is a good thing.

I am an EU consumer, and I'm complaining. I think it's very, very stupid. If more consumers aren't complaining, it's probably because the compliance costs are hidden and the impacts are not obvious.

Here are some things that I am unhappy about.

Having a new click through on every single website, which makes no difference because nobody reads it.

Onerous data handling regulations that apply even when personally identifiable data is not being collected, so that any website that just uses basic cookies has huge compliance costs, and therefore many websites just block EU consumers rather than comply.

Restrictions on what sort of consent I as a consumer am allowed to give. I can't give general consent or perpetual consent even if I want to. I must consent to specific uses of my data for limited periods of time. This is quite harmful for research.

Are you blaming the right culprits? Those sound more like explicit decisions of the companies, not GDPR.

Many companies try to make indicating preferences as onerous and annoying as possible, in the hope you give up and click accept. Fair enough then: If they make the commercial calculation to be annoying, I simply don't visit them any more.

Likewise there is nothing stopping companies from asking your consent in better ways. I am surprised so few do this well. For instance, I have lost count of the number of ecommerce sites whose email marketing has just two settings: "as often as we like" and "unsubscribe". If they don't have an option like "once a week is fine", I hit "unsubscribe". And that's another customer lost.

I am an EU consumer, and I'm not complaining in the least. For example, this is an exceedingly desirable effect from my perspective - 'As of March 20, 2019, 1,129 US news sites are still unavailable in the EU due to GDPR.' That means 1,129 sites that cannot apparently function in a way that does not break the same laws that all EU news sites have no problems with.

'Having a new click through on every single website'

Odd how little I normally notice that - but then, I don't use javascript normally.

'so that any website that just uses basic cookies has huge compliance costs'

Not for the well designed ones.

'and therefore many websites just block EU consumers rather than comply'

Ah, you mean that because some companies are not competent in terms of data privacy, they should get a pass? Instead of actually bringing their infrastructure up to an acceptable level? After all, the next major data breach involving millions of users is as predictable as the sunrise.

"Ah, you mean that because some companies are not competent in terms of data privacy, they should get a pass? Instead of actually bringing their infrastructure up to an acceptable level? "

Shouldn't that be on me as a customer? Btw, if most sites leak my information, what would be the damage? On most

To address your points:
1) The click through is a validation of your consent. It absolutely makes a difference. An alternative is that consent is given when you load the site but that might be perhaps too soon or too optimistic. Websites could be more creative here but that is up to them, not the GDPR.
2) You might want to look into digital fingerprinting. Even without personally identifying information, you leave a trail of clues that leak your privacy bit by bit. Without disabling cookies or javascript, you can be tracked rather easily across the web. I do agree that websites blocking EU origins can be very inconvenient. I imagine those sites will at some point want to comply when the benefits of opening their viewership to a market of 500 million EU citizens outweighs the cost of compliance.
3) There are no time limited restrictions on consent. This is on the websites to update what options they can present to you.

'Without disabling cookies or javascript, you can be tracked rather easily across the web.'

Flash is equally important to disable, being a parallel method to cookies/javascript in terms of effectively tracking a user.

The other thing to do is ensure that http_referer is inactive. Oddly enough, that is not exactly easy to do in most browsers, though these days, it appears to be at least something handled individually through things like incognito mode (don't really care/know about other browsers - Seamonkey works fine in this area for me).

A basic introduction - Basically, this is the function that google used to create its ad network, though it is no longer as central to web tracking as 20 years ago.

'outweighs the cost of compliance'

Well, probably not any time soon, as apparently a part of their online revenue stream is dependent on the sort of privacy breaching behavior that the GDPR has made illegal.

There are ways to show ads without breaking privacy. It seems we need to relearn what used to be common and very possible.

I am an EU-consumer and I think the law has been a disaster. Just the time spent clicking that I give consent is a major annoyance.

Web designers should make it easier to give consent rather than just clicking. Good UI might be a competitive advantage to get right.

"Swat away an accept box as quickly as you can" sounds like the easiest it could ever be. Surely you don't have a passive pop-up to determine consent.

'Just the time spent clicking that I give consent is a major annoyance.'

Maybe you just need to find better places to visit? does not require extra clicking to use, for example. Neither does the web presence of SWR, the regional public broadcaster.

Almost as if some companies are throwing a tantrum, and blaming the meanies that make them act like 2 year olds, instead of adults interested in making a profit without invading user privacy.

Seems like EU consumers don't care about GDPR either way, because they don't interact with it, though they hate the separate Article 13 regulation (because it would affect what they could do). I don't personally care that much other than it seems like regulation that should not lie in EU competency (but then I think that of virtually everything - harmonized rules and regulations no bueno, let a million flowers bloom).

What do you believe the benefits are for consumers from GDPR relative to preceding data regulation? What are the meaningful additional "protections"?

>Seems like EU consumers don't care about GDPR either way, because they don't interact with it,

+1. Consumers don't care much because someone else is paying the (direct) cost. If they had to pay a GDPR fee on every website, I suspect things would be different.

same - as an admin in a uni/scientific institute it was of course a bit annoying to document the data flow/processing - but as we had already been careful with user data before and were not blasting them into the open, it was merely reviewing and documenting the processes.

And as documentation is often lacking but gets at some point terribly missed, it was a good exercise - even when it was enforced.

Agreed. I am COO at a 25 person US startup and GDPR means we actually think about securing the privacy of our half a million users. The work to do it has fallen mostly on me so it’s a proper pain, but the mindset shift within the company has been really really positive.

You seem quite confident that you fully understand the requirements for compliance and have no company-threatening exposure to violations. I'm pleased for you.

Are you from the US? The European approach to assessing fines for non-compliance is very different from America's. No European company I know is remotely concerned about punitive fines.

Cheers! Between PrivacyShield compliance for user data disputes (all our data is stored in the US) and a proper ability to fully purge data when requested it's not exactly rocket science. Our pre-GDPR lack of data security awareness was a far larger company threat (data breach at our size would cost us all our fortune100 clients) than this regulation. Again, I don't love reviewing DPAs every quarter, but as a data company it's the same as coal plants following basic toxin regulations, it's an acceptable cost of doing business.

It is striking how much of the listed facts are America centric. I wonder what the burden for 1&1 to comply with GDPR was (probably fairly minimal), or how much they whined about it (probably not a lot).

If the law leads to the collapse of the internet this will be a massive benefit.

Google and Facebook are deliberately withholding privacy technology from the user, they are to blame. No one gets any information from me unless my mouse reads my thumbprint and verifies my release conditions. My actions take a millisec, my mouse will protect me according to my security rules.

Simple technology, unavailable except in the lab. Withheld technology because Facebook and Google want my information. They have themselves to blame.

Good. Maybe this will motivate tech firms to adopt a business model that doesn't rely on surveillance of the firms' product.

Europe is a continent full of Elizabeth Warrens. A million Warrens might equal a full blooded native American.

Tyler thinks that the costs imposed on these companies is bad, but I think it's good. If these regulations drive these companies out of business that would be a net positive, if they cause the collapse of the internet that might just save humanity.

"foregone" should be forgone.

I love the spin that the problem is Google's "effort", rather than the decisions they willingly and knowingly made.

re "Unseen costs of foregone investment & research" in English would read, "Unseen costs of forgone investment & research."

Perhaps if so many firms were not sociopathic by design, by incentives, alleged legal duty, and track record, then we wouldn't need quite so many regulations.

Listening to them gripe about compliance is like listening to teenage boys whine about taking out the trash.

I know this is tacky to say in a blog that's devoted to writing love letters to Monsanto, Volkswagen, Union Carbide, Wells Fargo, and Mark the Zuck, but the only mystery is why there aren't more CEOs swinging from lampposts.

Perhaps the cost of GDPR and so many other regulations is a feature not a bug.

Every year, millions of young people graduate college expecting to get a white collar job that pays more than average. Many wind up being "under-employed". But "compliance officer" and similar jobs fit the bill. "A vote for more regulation is a vote for my son-in-law's income."

Well, if we want to talk self-licking ice cream cones, let's talk academic research....

Reality: Some existing staff member gets the compliance job, and it is not clear that the supposed $150 billion can be actually observed.

Let's be real, compliance jobs are for idiot sons in law and for annoying diversity hires that you will promptly send off to their desk in the boiler room and hope they quit.

Sure, there's a certain amount of paperwork and policies pushed around, but that's priced in immediately. These are yeronor jobs.

Yes, Your Honor, we do have a compliance department.

"Stop doing business in the EU" makes compliance a lot cheaper.

And yet, many many companies choose to do it anyway.

Almost makes one wonder if it's not as bad as they whine that it is....

But if it weren't for European data privacy laws, how would we know which web sites use cookies?

Any evidence that market cap for tech companies fell by $150B? I haven't seen endless ads for "certification to be a data privacy officer". Where's the boom in hiring? Biomedical researchers are worried about sharing data across borders? Which data specifically? Are we talking about clinical trial data? That would be for some pretty late stage drug development and health information already had a lot more extreme privacy concerns than other types of information. If you're talking pre-clinical research, errr, well what would be the data concerns then?