A License to Rewrite History

No doubt, GDPR has some well-intentioned if not entirely useful provisions

Senior Fellow and Director, Center for the Economics of the Internet

LONDON – Speak with a Londoner and the conversation is likely to devolve, after cautious glances to be sure no one is listening, into some garbled mutterings about GDPR, General Data Protection Regulation, a European Union regulation set for implementation on May 25, 2018. It replaces the much weaker 1995 European Data Protection Directive.

“GDPR?” you ask with betrayed ignorance. “Yes, GDPR” is the response in a hushed undertone, to be sure no one knows of the conversation.

No doubt, GDPR has some well-intentioned if not entirely useful provisions. For example, businesses are required to notify individuals of breaches of their personal data. That may slightly help individuals who have up-to-date contact information. It is of little solace to those who don’t.

But the real innovation of GDPR is the assignment by the European Union to individuals the property rights in any information about themselves. At first blush, giving individuals property rights has the making of more efficient markets. But there is a simple reason that giving individuals control of all information about themselves has never been done before: it does not work.

Throughout human history, if person A sees person B walking, that sight belongs to person A. By GDPR, any observation of person B belongs exclusively to B, and person B can deny that she ever walked or did anything within the observation of person A. Under GDPR, the right to have, to use, and to benefit from information about person B belongs exclusively to person B, no matter whether person A saw person B or not. GDPR is a license to rewrite history and deny reality.

GDPR creates certain “rights” for European residents:
* The right to be informed;
* The right to access;
* The right to rectification;
* The right to erasure;
* The right to restrict processing;
* The right to data portability;
* The right to object; and
* The right not to be subject to automated decision-making including profiling.

A European student who did not like receiving a “C” in high school math will have the right to “erase” the record and possibly even “rectify” the transcript. He can be sure that no one will ever know about the supposed “C.” It is part of an erased history.

Consider the doctor who says a patient needs to lose 40 pounds. The doctor, or says the patient, is wrong. The European patient insists he never weighed more than 150 pounds. The patient can insist on “erasing” the doctor’s inflated measurement. The patient may have difficulty “rectifying” the record to read “150 pounds,” but he can insist that the 200-pound measurement disappears.

There is little additional need for life, liberty, property, and the pursuit of happiness when equipped with these 21st century European GDPR “rights.” Thomas Jefferson and James Madison, the greatest minds of individual freedom, never dreamed of this set of “rights.”

These new “rights” are not paid for by individuals, but by the entities that store and process information. GDPR applies to practically every entity, except apparently parts of the government.

The real targets of GDPR are not small-time businesses and professionals, although they rightly worry about the enormous costs they will incur. The intended targets instead are large American companies such as Google, Amazon, and Facebook. A European can insist Google or any other company provide “access” to a complete catalog of all information about the individual held by Google and a catalog of every time part of that information has been processed or shared with others. A European can then insist on “erasing” unsatisfying information and “rectifying” mistakes and prohibiting any use of information except as specifically authorized by the person.

Of course, reasonable people would be troubled if Google or another company could, with the press of a button, produce such reports. Does Google or any one entity know how advertisers target individual customers, or what information advertisers glean from cookies or other interactions with individual customers? Certainly not.

It will take time and resources to produce reports required under GDPR, and the results will almost certainly be incomplete. But Google and other companies will be subject to penalties if they cannot, when requested, produce reports for Europeans. These companies will be subject to further penalties if they cannot comply with requests to erase and correct information, and with requests to limit distribution of information.

Never mind that most companies have little direct knowledge of whether an individual is a European resident or not. For example, hundreds of millions of people have g-mail accounts. Some are Europeans. Many are not. Businesses around the world will be put in an untenable situation of segregating between Europeans and non-Europeans for information policy. Can businesses, particularly based outside the European Union countries, have different information policies depending on the nationality of individuals?

GDPR strikes a blow against the traditional Internet business model in which consumer background information is used to provide consumers with targeted information for their benefit. Now the benefits of that business model will be substantially circumscribed at least for Europeans, and quite possibly for others if online businesses discover that they cannot meaningfully have different information policies for different individuals.

Worse, GDPR strikes a blow against those searching for truthful information. Since the beginning of recorded history, information has been recorded and used for various purposes. Some of that information has been truthful; some not. GDPR gives individuals the “rights” to review information and to change it as they see fit and to determine whether and how information will be used. Only certain government agencies are immune from the truth reviews. This is not a path to truth but to rewriting history.

Next year marks the 70th anniversary of George Orwell’s Nineteen Eighty-Four. Winston Smith, the protagonist, has a job of rewriting history by changing past newspaper articles. Smith’s job is difficult because he does not have the benefit of GDPR. Orwell did not write about a regulation like GDPR because it is so much worse than anything he could have imagined. This is the progress of seventy years, a lifetime.