If Your Privacy Is in the Hands of Others Alone, You Don’t Have Any

privacy

If you think regulations are going to protect your privacy, you’re wrong. In fact they can make things worse, especially if they start with the assumption that your privacy is provided only by other parties, most of whom are incentivized to violate it.

Exhibit A for how much worse things can get is the EU’s GDPR (General Data Protection Regulation). As soon as the GDPR went into full effect last May, damn near every corporate entity on the Web put up a “cookie notice” requiring acceptance of terms and privacy policies that allow them to continue with business as usual, harvesting and sharing your personal data, and data about you.

For websites and services in that harvesting business (a population that rounds to the whole commercial web), these notices provide a one-click way to adhere to the letter of the GDPR while violating its spirit.

There’s also big business in the friction that produces. To see how big, look up GDPR+compliance on Google. You’ll get 190 million results (give or take a few dozen million).

None of those results are for you, even though you are who the GDPR is supposed to protect. See, to the GDPR, you are a mere “data subject” and not an independent and fully functional participant in the technical, social and economic ecosystem the internet supports by design. All privacy protections around your data are the burden of other parties.

Or at least that’s the interpretation that nearly every lawmaker, regulatory bureaucrat, lawyer and service provider goes by. (One exception is Elizabeth Renieris @hackylawyer. Her collection of Medium postings are required reading on the GDPR and much else.)  Same goes for those selling GDPR compliance services, comprising most of those 190 million GDPR+compliance search results.

The clients of those services include nearly every website and service on Earth that harvests personal data. These entities have no economic incentive to stop harvesting, sharing and selling personal data the usual ways, beyond fear that the GDPR might actually be enforced, which so far (with few exceptions), it hasn’t been. (See Without enforcement, the GDPR is a fail.)