Likely Unintended Repercussions of GDPR

(Disclaimer – this is an observational opinion and does not constitute legal advice)

Unless you have been living under a rock in the last few weeks (May 2018), you have heard of GDPR in the IT sector, or as I am going to call it, “GDPRmageddon”. When faced with other major forced internet changes like mobilegeddon (caused by Google declaring it will not show non-mobile friendly websites in search results on certain phones and devices), the internet largely complied and adapted. I see no reason why GDPR will not have mostly the same result; however, there will likely be other consequences that may not have been intentional.

As of the time of this post, the US Government, ICANN, the FCC and other oversight organizations have made no statements, even when prodded for one, about any potential shielding from GDPR fines and lawsuits related to privacy concerns from the EU, or from other countries for that matter. The result will be one of several possibilities:

  • Different websites for different territories –
    • So far we are already seeing this result. Major companies already had some of this in place due to currency or product offerings varying by region and territory.
    • This is likely to spread as companies that do not want to deal with GDPR make a simplistic website based on IP that collects no data, and then force EU users to either use the US-based website (with its own custom compliance agreement, in which they have to opt out of any legal rights to use it)
    • Other examples of note include a US based Privacy Agreement and a separate EU based privacy agreement.
  • Non-compliance –
    • In the USA, California tried to pass the (Do Not Track) law to prevent cookies or websites from tracking user browsing history and movements. Most company websites simply updated their privacy policy to read (Does not comply with the Do Not Track signal) and ignored the law.
    • The likelihood of broad acceptance and change to years of industry standards in the IT world is low, though some major companies' early adoption of these changes is a good indicator that some, if not all, are taking it seriously. These larger companies are Google, Microsoft and Facebook, since they have been hit with lawsuits in the past. (Google Lawsuit Link)
  • Blocking EU and other countries –
    • This is what I fear will be the option most adopted by US companies that are small to medium in size and simply do not want to deal with the issue, or want to prevent potential lawsuits from a country they are not an active part of or do not trade with.
      • It should be an option with most web hosting companies to simply block countries that are not targeted by a company.
      • A mom and pop shop in a local neighborhood that has local food delivery on a small website that Jr. put together for a class project unfortunately has the very real potential to be a target for the EU law and non-compliance. We have no laws in the US to protect them, or prevent them from being sued for breach of GDPR by individuals. Private lawsuits were filed the moment GDPR became EU law, so the potential is real there for misuse in the private and public sector for companies and individuals to sue based on the law. How those turn out remains to be seen.
      • The internet is Global, but a broad law such as this may start isolating companies from even trying to broaden their reach.
    • The internet should be international – but this law may cause a great deal of issue with this ideal.

Software updates in major OS and server packages will make that last item easier. cPanel has recently updated their software, and one of the basic updates is a major request from many years ago: the ability to block certain countries. (cPanel link)

WordPress and GeoIP functionality also make these possible and will likely result in more websites simply blocking EU visitors to prevent future issues.
A small business that targets the US market primarily but that would be happy to grow internationally may hesitate due to new restrictions and laws such as these. Doing business and paying taxes where needed is one issue, needing to hire an international firm for legal advice on how to draft a privacy policy to prevent lawsuits is a new issue completely. (WordPress article link to block countries)

Privacy laws that vary by territory are going to be an issue in the coming days. Who has the right to sue for violations? The country or the individual?
In some cases both do.

Anyone that has used the common practice of using a throw-away email address to sign up for something or download something, with no intention of ever wanting legitimate email from that website, knows this. Personally I use a very old AOL email address for this purpose. myoldemail@aol.com is the target for tons and tons of spam that get through AOL.com's extreme filter. Sign up for one download – get spammed for the rest of eternity. It has happened and no one is happy about it but the spammers. Change was needed. However, what was standard practice to harvest potential sales targets is now getting the brunt of the attack and backlash for the legal issues now faced.

Change was needed but the GDPR seems broad sweeping and targeted at everyone everywhere. The US needs to protect US interests in these areas to prevent abuse on small to medium companies and organizations. There is nothing in place to do so. (Forbes Article – US will be affected with GDPR)

Organizations or companies that abuse privacy data should have been the target for such legal changes, but there is little to no discrimination or flexibility expressed in these terms.

Granted, some websites are in certain languages already and some separation occurs as a result. However, at the moment, living in Texas, I can access the website for the cell phone company in India and ask them to sell me a phone and chip because I may be traveling there soon. That is the nature of the internet. That all may be about to change.

Popups, spam emails, and our privacy policy terms and conditions have changed – Oh my!
The last few weeks have seen an uptick in spammy emails AND legit emails spamming their users with “please agree and resubscribe” emails. Panic to a certain extent has set in and as most feel, rightly so. It is a bit like facing down a shotgun barrel and being threatened if you so much as blink.

Data is big business and has been for years, a bit like how banks like debt more than money. Facebook does not charge for the bulk of their service. You are the product. Data mining and sales of your personal data, habits and conversations have been their money making source since they started. This is one of the main reasons why the “there is no such thing as a free lunch” rule still applies today.

Will we see sweeping changes to the internet as a result of the GDPR? No. Spammers will still spam, big companies will still get sued, and the little guy has to work harder to keep from being hit by the broad sweeping sword of legal changes on a government side and private litigation side. The only winners here are the law firms and the abusers.
We will likely see isolation, blocking and separate sites for territories increase, and as I fear… a less international internet. 

Our advice? Get your website GDPR compliant and write a detailed GDPR compliant privacy policy, and do not wait to be the target of someone trying to make a quick buck off this new law, no matter what country you are based in. Contact Sneaker today on how we can help you get started on GDPR compliance.

 

Image used (public domain photo archive) 

Joseph Dispensa
Joseph has been working in Internet Technology in various aspects since 1994. He has traveled in Europe helping many organizations improve their technical reach and ability and still believes that technology can benefit any company when applied correctly.
