Friday, June 29, 2018

Nanny Super-State Blues

“We extricated ourselves from the British Empire only to accept unthinkingly the rule of the Roman Catholic Church and after that the EU.”
Irish Sunday Independent columnist Ruth Dudley Edwards, October 9, 2016

The other day my wife asked me to check whether a particular procedure was covered by our medical insurance. Finding the written policy overly complex and not very user-friendly, I decided to try the little chat window that always pops up on the insurance company’s web site. After waiting in a queue for several minutes, I was eventually informed that my wife would have to contact them directly. They could not converse with me about her coverage—even though we are married and it is all one policy—under Europe’s new General Data Protection Regulation (GDPR).

Unlike most policies/directives/edicts handed down by the crowd in Brussels, the GDPR is actually having a noticeable effect on my life. And I don’t just mean that my wife now has to get her own insurance-related questions answered. For instance, when I visit the web sites of many U.S. newspapers—including the one in Bakersfield which was the local daily paper I read growing up—all I get is a screen informing me that I cannot access the content because my IP address is in the European Union. Even more aggravatingly, one of the apps I use on multiple devices to save and read online articles (Instapaper) has stopped working for me. The web site explains that, in order to avoid any potential violation of European law, European users are being blocked until further notice while they study the law to see what they need to do in order to be in compliance. I suppose I could blame Instapaper. After all, anyone who was paying attention knew this was coming two years ago. On the other hand, I can understand why operators of a U.S.-based web site might put a low priority on something that, in theory, only affects users in other countries.

I mused on the possible effects of GDPR just as it was about to go into effect last month. To recap, this is a regulation handed down by the European Union which has the force of law in all EU countries even though no national parliament actually enacted it. It establishes very strict legal requirements for the storage and retention of individual citizens’ personal data as well as establishing sweeping legal rights for citizens to exert control over such data. In practice, as far as I have observed anyhow, the main practical effect is that for those of us in the EU there are many more legal agreements to review and agree to before we can do anything online. Of course, such agreements were common before GDPR, but now they are even longer and more complex and virtually ubiquitous. Past surveys have suggested that most people click on the “agree” button without bothering to read the agreement, and I have little reason to think it is any different now. As I understand it, I do now have the legal entitlement to contact any web site I have used and direct them to delete any or all of my data which they hold and/or to let me see it. Personally, I do not envision doing this, but who knows? Maybe a situation will arise in which I will be glad for this protection. In other words, I am not sure the benefit for me personally outweighs the inconvenience it has caused.

One U.S. publication that has not shut me out of its web site is The Wall Street Journal—probably because of the money I pay them. The paper’s tech columnist Joanna Stern notes that GDPR requires privacy policies to be “concise, easily accessible and easy to understand” and also written in “clear and plain language.” She adds, a bit mischievously, “Ironically, that’s found on page 11 of the 88-page official document.” As an example of the regulation’s effect, Twitter’s privacy policy has expanded from about 3,800 words to around 8,890.

According to two cybersecurity and privacy attorneys (Brian E. Finch and Steven P. Farmer of Washington and London, respectively) writing in The Journal last month, the main beneficiary of GDPR could well be cybercriminals. After all, the whole point of the regulation is to severely restrict sharing of individuals’ information. Apparently, this extends even to law enforcement.

“No government has ever before sought to impose such a sweeping privacy control,” observe Finch and Farmer, “perhaps because of the obviously deleterious effects on law enforcement.” Cybersecurity journalist Brian Krebs has written that European-based security companies have become “reluctant to share” internet-address information that could help identify cybercriminals.

Maybe you think it’s a good trade-off to make things easier for terrorists and criminals to communicate over the internet as long as it means that people won’t have Russian bots micro-targeting them to try to stir them up over populist issues. Me, I’m not only not sure it’s a good trade-off, I’m not sure that such internet mischief will be seriously curtailed.

Maybe I will be proved wrong, though, and I will see it differently over time. For now, however, this looks increasingly like what happens when you hand a problem to an army of bureaucrats who are not accountable to—indeed not even in the same country with most of—the vast swathes of people who will have to comply with their handiwork. To top it off, it may well actually make worse the problem they were supposed to solve.

Still, I will keep an open mind. In the meantime, if you come across any really interesting news from Bakersfield, please pass it on to me.