The EU’s General Data Protection Regulation (GDPR) has been a mixed bag, but at its core is an exemplary and indisputable principle: you can’t give informed consent for activities you don’t understand.
Since the dawn of online commercial surveillance, the ad-tech sector has maintained the obvious fiction that we agreed to allow it to nonconsensually suck in our private information, either by clicking “I Agree” on a garbage novella of unreadable legalese, or just by using a service.
GDPR exposes this “consent theater” for a sham. It says, “Look, if you think users are cool with all this surveillance and data-processing, you’ve got to ask them. Lay out each use of data you want to make, one at a time, and get consent for it.”
That means that if you’re Google and you’re thinking of using the data you ingest in 800 different ways, you’ve got to show your users 800 yes/no questions, defaulting to “no,” to see if they consent to it, and you have to give them a “no to all” box to opt out of everything.
It won’t shock you to learn that virtually no one consents to this. It’s a lesson we learned again when Apple updated iOS to let users install apps but opt out of their data-collection – and to opt out of being asked whether they want any app to collect their data.
That said, there are some problems with the GDPR; some are structural (the “right to be forgotten” is a poorly thought-through dumpster fire that lets rich sociopaths erase the records of their crimes from the internet) and some are technical.
The principal technical problem with the GDPR is that EU prosecutors just haven’t enforced it vigorously enough. In particular, they lack the resources to take on the biggest names in ad-tech, Facebook and Google, who have them substantially outgunned.
However, the GDPR has a saving grace in this regard: it includes a “private right of action” that allows everyday Europeans to seek enforcement of the law, even if prosecutors are too timid to take up the case.
Private rights of action are key, but political conservatives hate them because they don’t want businesses to be held accountable by the public. The omission of a private right of action from the US ACCESS Act is its most significant flaw.
GDPR’s private right of action has allowed dedicated individuals to use the law to wage asymmetrical warfare against giant, seemingly all-powerful corporations. The pioneer here is Max Schrems, who made history with his private case against Facebook.
After Schrems brought cases against Google and Facebook over GDPR violations, the EU’s highest court ordered the companies to stop moving Europeans’ data to their US servers.
Facebook has (laughably) threatened to leave Europe over this. It was a hollow and idiotic threat and they never made good on it and I will bet you a testicle* that they never will.
*Not one of mine
Schrems isn’t the only individual who hopes to enforce the GDPR against Big Tech. Johnny Ryan and the Irish Council for Civil Liberties have lodged a case in a German court against the IAB, the ad-tech industry association that maintains its “audience taxonomy” codes.
When you land on a webpage, your identity is boiled down to a set of these codes, such as 383 (interested in hair-loss treatments) and 60 (household income of <$10k/year), and these are passed to dozens or hundreds of ad-tech bidders to see if they'll pay to show you an ad.
Ryan and the ICCL say that no one ever consented to this, and thus the entire ad-tech industry is in violation of the GDPR. By targeting the IAB and its taxonomy, they might be able to yank the foundation out from beneath the targeted advertising industry.
Ryan has filed similar complaints in many EU nations, including Ireland, the tax-haven where many tech giants have planted their flags of convenience. The Irish case has languished for three years now.
There are 27 EU nations, and the ad-tech industry violates the GDPR in every single one of them. Ryan is betting that he will eventually find a jurisdiction where the courts will actually enforce the law.
It's a neat illustration of the power and peril of a private right of action: on the one hand, it lets individuals take up cases that prosecutors ignore; on the other hand, these cases are subject to the whims of judges who might delay them indefinitely.
But with 27 courts to choose from, the odds of enforcement tilt towards the public interest.