On May 25th, the GDPR regulation comes into force, and from then on you may be fined up to 20 million Euros or 5% of your global turnover (whichever is higher) for not being compliant. This affects almost every one of us, even those not located in Europe. If you provide any kind of service to European citizens, you are potentially at risk of being fined.
GDPR requires you to follow these main principles:
- Right to be forgotten. You must completely wipe out all personally identifiable data that you have collected on a user from everywhere, including backups, when they request it.
- You need consent to store and process personally identifiable user data.
- You have to explain how you are using all that data.
- You must not transfer any data of EU citizens outside of EU countries and countries approved by the EU.
- Users must be able to download all the data you are storing on them in a machine-readable format, like JSON.
- You can’t use AI to make any serious decisions about your users without being able to explain the decision.
- You must notify EU authorities about data breaches within 72 hours.
This is just the tip of the iceberg. There are special provisions about underage users, a requirement to appoint a data protection officer if you are a big company, and the list goes on. Even if you simply run a tiny website as a private person and collect email addresses or allow users to log in, you need to go through the long and gruesome procedure of becoming fully compliant. This may sound ridiculous, but even a random kid who creates a simple website with a registration form as a school project needs to go through formal procedures and do a large amount of work to become compliant.
I am not going to discuss here whether these regulations are good or bad for the industry or consumers. Some of them make sense to me, some don’t. But, as most of us know too well, the road to hell is paved with good intentions, and the consequences can be dire. This is just my humble prediction about what is going to happen if these regulations are enforced on a large scale.
Most companies in the world are blissfully unaware of the upcoming regulations, or have learned about them only recently and are not ready. Even ICANN, the organization that keeps the DNS system functioning, is currently not yet compliant.
I did my best to educate myself and become GDPR compliant with my own projects, but I am just one person with little previous knowledge of how international laws work, so I could have missed something. And there is still so much vagueness and uncertainty, and the regulations are so broad, that it will probably cause me many more sleepless nights worrying about it and re-reading the laws for the 100th time.
What happens if the EU gets serious about enforcing this regulation?
This regulation will be a serious hit to a lot of blockchain-based services. Since blockchains are immutable, it will be illegal to use those that store any personal data to serve EU citizens. The EU can’t impose a fine on a blockchain, but it sure can fine the companies that use one.
Are you using any kind of “black box” AI to make important decisions about users? Well, you can’t do that anymore. You must be able to explain exactly how you arrived at the decision.
After life-ruining fines are imposed on hundreds of companies (or private people running small websites), the world that is currently ignorant of the regulation will surely learn all about it.
There will be widespread panic among website owners and online service providers. Some of them will try to become compliant, but most will simply pull the plug and ban all European IP addresses. This will likely become a hot and widely advertised feature on all major hosting services. The European market is big, but not big enough to justify constant fear of your life being destroyed and spending weeks or even months educating yourself on the regulation and working on becoming compliant.
It will be used by corporations to hurt and destroy smaller competitors, and there will probably be a lot of blackmailers roaming the internet looking for victims. They will demand huge ransoms for not reporting website owners to the authorities, even when there is no actual violation, abusing the ignorance and fear of website owners and further exacerbating the impact on small and medium businesses.
Don’t think that you are safe if you don’t live in the EU: international law and legal cooperation between the EU and most of the developed world is strong. You may be extradited and delivered to an EU court of law if you are fined and avoid paying the fine.
As companies and services pull out of the EU one by one, more and more European citizens will begin to use VPN services to access them. There will be a thriving market of VPN providers in countries geographically close to the EU, such as Switzerland, Ukraine, Russia, Serbia, Turkey, etc. Online payment systems that offer indirect money transfers, which do not reveal the real country of purchase and give plausible deniability to service providers, will be booming and will become almost universally integrated. If the EU manages to chase some major tech giants out of Europe, we can be sure that the number of real European IPs accessing their websites will rapidly drop to a tiny fraction of the real number of EU users. I will not stop watching YouTube; I will stop using a European IP address.
Will the EU crack down on the internet, and what approach will they use?
If the cookie law, which resulted in thousands of annoying and useless popups for every European user over the last few years but almost no fines, is anything to go by, then the brutal nature of this law will probably be compensated for by a lack of enforcement. It is entirely possible that the EU will only enforce this regulation reactively, following up media scandals with fines. If the whole thing results in nothing much except occasional legal battles between European bureaucrats and tech giants like Google and Facebook, and a few smashed small guys who were in the wrong place at the wrong time, we can consider ourselves lucky, and the internet will remain safe and united for now. But after several recent major scandals involving leaked personal data, public demand for blood will be high, so we should expect something more serious.
EU regulators could take a soft approach and act more as a consultant than a punisher for those who didn’t know about the GDPR regulation or have misinterpreted some of its aspects. If they can contact website owners and provide simple, actionable instructions, informing and working with those who are willing to cooperate rather than destroying unsuspecting businesses, the collapse of the European internet and tech industry can be avoided. But I doubt that the regulators have enough people with online entrepreneurship and software development experience on staff to offer any practical help.
Many other countries are also looking to follow the EU example and enact similar regulations. There is a very real possibility that EU regulators could insidiously wait and hold off the full assault on the internet until regulations in other countries come into force, so that businesses have nowhere to run. That would result in a bleak future where only multi-million dollar corporations can afford to hire enough lawyers to comply and launch a new project, and the international, open internet we have today, where anyone can create something useful and put it online for the whole world to use and enjoy, will likely no longer exist. But if I have learned anything about the internet, it is that where there is a will, there is a way, and the internet as we know it could survive by moving underground, for example into the Tor network. It is anonymous and hides your real country, offering plausible deniability to online businesses. Together with cryptocurrencies and services that hide the real country of delivery for physical goods, this might be the future of the online economy.
From now on, almost anyone with a website has to know some international law and go through corporate-scale audits, or risk being financially destroyed. I am not that worried about myself. In fact, as someone who now has experience working with these regulations, I am at a huge advantage compared to those who don’t, and this can only mean positive things for me. But it makes me sad to think that if this regulation had been written 10 years ago, I would probably not have bothered to start any of my projects in the face of the overwhelming challenge of making sense of it all, without (then) even understanding English that well and with no practical access to most interpretations and advice. The “going your own way” road will close almost entirely for future generations of software developers, offering a choice between working as a cog in a corporate machine or being unemployed.
Either way, I will be monitoring the news and paying close attention to what kinds of infractions are punished and what kinds of companies are targeted. I will probably be slowly adjusting the implementation of the regulations on my services as case law develops, but if the bureaucrats go all out and start destroying businesses for technicalities and non-obvious reasons on a large scale, I, and undoubtedly almost everyone else, will be pulling the ripcord and quitting offering services to the EU.