A Year After GDPR, Google and Facebook Are Less Impacted Than Smaller Companies

Mark Scott, Laurens Cerulus, and Steven Overly, Politico:

Big fines and sweeping enforcement actions have been largely absent, as under-resourced European regulators struggle to define their mission — and take time to build investigations that will likely end up in court.

New forms of data collection, including Facebook’s reintroduction of its facial recognition technology in Europe and Google’s efforts to harvest information on third-party websites, have been given new leases on life under Europe’s General Data Protection Regulation, or GDPR.

Smaller firms — whose fortunes were of special concern to the framers of the region’s privacy revamp — also have suffered from the relatively high compliance costs and the perception, at least among some investors, that they can’t compete with Silicon Valley’s biggest names.

I’m not surprised by this, and I don’t view this as an indication that GDPR is unsuccessful. For one thing, establishing cases against larger and more complex tech firms is necessarily going to take more time. For another, it isn’t a bad thing that smaller companies are collecting less data as a result of compliance costs. Just because they’re not Google or Facebook, that doesn’t mean that a smaller company should be collecting huge data profiles on individuals. It is, of course, worrying that the side effect of this is to concentrate data collection with the biggest and most influential players; but, then, we circle back to the first point that it takes more time to build cases against bigger players.

The most alarming aspect of GDPR is, weirdly enough, the effect it’s having in the United States. Mark Scott on Twitter:

But what I find the most fascinating is what happened in Washington State. There, rules that specifically name-checked Europe’s [privacy] stance narrowly failed to pass in late April, despite heavy lobbying by industry (@microsoft, ahem) in favor of them.

US tech companies in favor of European-style privacy rules? I hear you ask. Well, yes. But it’s more complicated — and shows how Europe’s standards are both now global and the straw man used to hobble other privacy efforts.

Whereas in Europe, [people] are automatically opted out of their data being collected unless they give consent, the Washington State rules, by default, gave companies the right to collect such digital information — remember, these rules supposedly were copied from those of the EU.

This isn’t the fault of GDPR rules, but the way that they have been manipulated by tech companies wary of other governments mandating opt-in consent. By that metric, then, GDPR has been quite effective: the idea that it could be a worldwide model scares the shit out of big industry players, and they’re doing everything they can to combat opt-in requirements.