To all appearances, the folks in charge of privacy regulation within the European Union are unfamiliar with that old cliché, “If it ain’t broke, don’t fix it.” Last week, the EU parliament passed a long-anticipated and much-dreaded privacy law known as the General Data Protection Regulation (GDPR), a lengthy and convoluted document that is replete with vague substantive commands accompanied by hefty penalties for violation. The implicit assumption behind the regulation is that all individuals are entitled to control data about themselves, so that various firms that acquire this information not only have to hold it secure against outsiders, but are also limited in how they can use the data, while granting individual users extensive rights to access, control, and remove their personal data. The GDPR regime is not content to let these important issues be resolved by private contract. But the new regulation fails a simple test: It does not identify any breakdown in the current institutional arrangements to justify its massive oversight in the way in which individual data is managed by all sorts of organizations and firms.
No fair-minded person thinks it’s appropriate to allow strangers to hack into databases, public or private, or to deliver hacked data to others who can then use that data to defraud or defame innocent people. Right now, a robust, multi-layered regime of legal, political, economic, and social enforcement within the EU targets firms who are perceived to violate these norms. Yet there is scant justification for piling an additional massive regulatory scheme on top of the current mix of public and private remedies. Consider the fate of Cambridge Analytica, a firm that misused for political purposes data that it had acquired under false pretenses from Facebook during the 2016 presidential campaign. Cambridge Analytica recently shut down, undone by a “siege of media coverage.” Facebook’s Mark Zuckerberg, meanwhile, has been hauled over the coals repeatedly in both the United States and in Europe because the systems Facebook had in place were insufficient to protect against misuse. Zuckerberg responded with more robust solutions to satisfy its huge customer base, lest Facebook lose its dominant market position and the billions in revenue its users generate.More