"GDPR Is an Enormous Regulatory Own Goal"

During the summer I was on Twitter when I saw a tweet from Benedict Evans. He is an Englishman (yeah!) who Andreessen-Horowitz (usually just called a16z) brought over to the US to be a partner. The tweet said that "it was a gift to Google and Facebook" and is an "enormous regulatory own goal".

So let's unpack that a little.

First, if you don't play football (what Americans call soccer), then you might not even know what an own goal is. It is when a member of the defending side puts the ball into the back of his (or her) own net. This counts as a goal for the attacking side. It can happen for all sorts of reasons. In the benign case, it is that the ball is going into the net anyway, and the defender tries to get a foot to the ball to kick it away, but merely kicks it into the goal instead. In the bad cases, the goalkeeper was going to catch the ball without any problem, but the defender manages to kick it around him. In really bad cases, a defender kicks the ball back to the goalkeeper so incompetently that the goalkeeper cannot reach it and it ends up in the net. If you want to see some own goals, then here is a collection from the World Cup earlier this year.

GDPR

The next question is what GDPR is. It stands for the General Data Protection Regulation. Despite the generic name, it is actually a European Union regulation and came into effect on May 25 of this year. For more details, see my post from that day GDPR Starts Today. Since GDPR is extra-territorial, covering all data held on Europeans even if it is in the USA (or anywhere else), most international companies have chosen to use GDPR rules globally, rather than having different rules for different regions. Other countries, such as Canada and Switzerland (which is in Europe geographically, but not in the EU) have introduced very similar regulations.

The ostensible reason for GDPR is that the European Union is cuddly and cares a lot about your privacy. Undoubtedly there is some of that. Europeans do seem to care more about privacy. Since, during the Second World War, some people were rounded up based on their identity cards, in Britain for one, there was strong resistance to having identity cards at all. There still are none today. Indeed, until 1998, driving licenses didn't even have a photograph, to stop them becoming an identity card by the backdoor, as they have in the US.

However, it is official (or at least semi-official) policy to reduce the dominance of Facebook, Amazon, and Google (and perhaps Netflix, Apple, and others). Defang the FANG. The EU even funded a "European" search engine called Qaero in 2008. It was about as successful as you would expect and was shut down at the end of 2013. It is hard to argue with the statement in IEEE Spectrum that:

Going head-to-head with Google with a project involving well-funded, energetic entrepreneurs would be foolish. Attempting the same with a multigovernment collaboration is beyond description.

Another comically bad attempt by Europe to regulate Google was changing the law so that Google News linking to news stories on European newspaper websites was a copyright violation and Google should pay. In fact, newspapers that didn't want Google "stealing" their headlines were already able to do so. They simply needed to edit their robots.txt file to tell Google not to index their site. The politicians thought that this was a great idea, but the newspapers realized what would happen. Google would simply stop linking, and their traffic would evaporate. That is what had happened in Germany, which had earlier introduced a similar law.

The reason it is an own goal is that Google and Facebook can get you to accept whatever terms they want. "Let us do whatever we want with your data, or leave Facebook" is going to cause very few people to leave Facebook. If you are a small European internet company then "Let us do whatever we want with your data" is more likely to produce "no way" as a response.

Regulation

All regulation tends to be relatively positive for large companies. The cost of compliance with a regulation is often a fixed cost, largely independent of the size of the company, so penalizes the small company as a percentage of revenue a lot more. Sarbanes-Oxley accounting requirements pretty much killed off the IPO market for small companies. For Amazon to keep track of the nearly 10,000 sales tax jurisdictions in the US is a minor irritant, it needs a team of a few people to do it. It is a huge barrier to a small retail company, which would need roughly the same-sized team, or have to outsource it to a third-party service and pay whatever their rate is. GDPR has little effect on big companies, but compliance is a headache for smaller companies. For an obvious starting point, they have to invest effort to find out what GDPR is and what they need to do about it, even before they actually do anything.

The latest Europe attempt to hobble the big internet companies is a proposed copyright directive:

The most important parts of this are Articles 11 and 13. Article 11 is intended to give publishers and papers a way to make money when companies like Google link to their stories, allowing them to demand paid licenses. Article 13 requires certain platforms like YouTube and Facebook stop users sharing unlicensed copyrighted material.

The first, known as the "link tax", worked so well last time that they seem to be trying again, and I don't see any way it will turn out well. As to the copyright issues, you would think that YouTube would be able to take it in its stride. But the scale of the challenge is enormous. There are over 2 weeks' worth of running time of video uploaded to YouTube every minute. The penalties for offending are draconian (as in GDPR, by the way).

Susan Wojcicki, the CEO of YouTube, in a blog post (which also appeared in the Financial Times) said:

The parliament’s approach is unrealistic in many cases because copyright owners often disagree over who owns what rights. If the owners cannot agree, it is impossible to expect the open platforms that host this content to make the correct rights decisions. Take the global music hit “Despacito”. This video contains multiple copyrights, ranging from sound recording to publishing rights. Although YouTube has agreements with multiple entities to license and pay for the video, some of the rights holders remain unknown. That uncertainty means we might have to block videos like this to avoid liability under article 13. Multiply that risk with the scale of YouTube, where more than 400 hours of video are uploaded every minute, and the potential liabilities could be so large that no company could take on such a financial risk.

The big risk is that the internet gets Balkanized. An excellent essay on this is Cory Doctorow's Not just Europe: EU Copyright Directive Will Censor the World's Internet. Here's the summary paragraph:

The result will either be a balkanized internet where services host special versions of their conversations for European consumption (much like the censored search engine Google wants to sell to China) or an internet where we race to the bottom, as defined by European copyright extremists.

No Penalty for Overcompliance

To my mind, the big risk with regulations like this (the US DMCA is the same) is that there is no penalty for over-enthusiastically taking legal content down. With DMCA, if someone complains, the easiest thing to do is to take the material down without bothering to investigate if it is offending. Of course, this also provides a sort of "heckler's veto": by complaining anyone can get something taken down. It doesn't always work as expected, of course. Ask Barbra Streisand who tried to restrict photos of her house on an aerial photographer's website—as a result, 420,000 visited the photographer's site in the following weeks despite only six having done so before she complained (the Streisand Effect even has its own Wikipedia page).

More recently, there have been occasions where social media have semi-automatically (unclear if it is algorithmic or a human) removed posts which contained quotes from the bill of rights or from federal laws, on the basis that they are insufficiently woke. If you think this is something that only affects extremists of some sort, and would never affect you, then this is a paragraph from this week's post by a guy leaving Facebook:

Black people are finding that their attempts to create "safe spaces" on Facebook for conversation among themselves are being derailed by the platform itself. Non-black people are reporting what are meant to be positive efforts as hate speech, despite them often not violating Facebook’s terms of service. Their content is removed without notice. Accounts are suspended indefinitely.

Of course, running something on the scale of Facebook is almost impossible. They are not regarded as a common carrier (AT&T has to put your call through no matter how obnoxious you are). Facebook is expected to magically remove "offending" material without a definition of offending. I think the modern definition that some people think appropriate, if anyone is offended it is offensive, is very dangerous. Of course, no matter how smart Facebook is, that is not something that can be automated. But this is how extracts from the bill of rights get deemed "offensive" and removed.

And those European rules. Don't think they won't affect you if you live elsewhere. One paragraph from Cory Doctorow's piece I referenced above:

To make this all the scarier, the EU rules provide for massive damages if a platform lets a copyrighted work slip through the cracks —so in the event that a platform isn't sure if a work is going to be shown to a European user, they'd be nuts to take a chance on it.

Investment Climate

The other problem with this attempt to tilt the European playing field is that it seems to have the opposite effect. GDPR makes small internet companies harder to get off the ground in Europe (compared to the US) and makes the returns from them smaller, and thus makes them less attractive investments. Exactly that effect is found in the recent (November 5) paper The Short-Run Effects of GDPR on Technology Venture Investment. The money quote in the abstract:

Our findings indicate negative post-GDPR effects on EU ventures, relative to their US counterparts. The negative effects manifest in the overall dollar amounts raised across funding deals, the number of deals, and the dollar amount raised per individual deal.

"Own goal" sounds like a good description.

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.