It’s a premise of arguments for privacy legislation that such legislation would protect hapless consumers against the depredations of “Big Tech.” There’s more to the story. In Europe, often characterized as “ahead” of the United States thanks to the General Data Protection Regulation (GDPR), privacy enforcements fall with notable regularity on the little guy. In a recent law review article, University of Washington School of Law Professor Mary D. Fan highlights the consistency with which privacy enforcement actions are directed at relatively weak parties, particularly minority small businesspeople.
It’s not an unstated premise that privacy regulation is for the little guy. It’s stated all the dang time. When the House Commerce Committee reported legislation to the floor at midyear, a bipartisan press release sang out, “This will rein in Big Tech’s power and establish clear, robust protections for people, especially children.”
Personal information is all over the place, and it’s used for all kinds of things. That makes legislatures’ path of least resistance even wider: Write something vague, and let the regulators and enforcers figure out the details.
In Europe, the details under GDPR include a high rate of enforcement actions brought against individuals and small businesses, apparently with vindictiveness as a routine motivation. “The most prevalent complaining party who launched a privacy penalty proceeding against an individual was a neighbor (35.29%),” writes Fan in “The Hidden Harms of Privacy Penalties.” “More than half of all privacy penalty cases against individuals were launched by another individual or neighbor (55.88%).”
Fan enlisted a multilingual team to collect privacy penalty decisions from 20 European Union member states. The team could read decisions in the original English, French, German, and Spanish, and they sought translations of other decisions. The team coded the decisions for a number of variables, including the identity or role of the complainant (neighbor, customer, police, or government inspector), the defendant type (individual, small business, or large business), who brought actions against whom, and other variables.
The results show that, with remarkable regularity, GDPR enforcements go against Davids, not Goliaths. “In the more than three years since the GDPR has taken full effect,” Fan writes,
small businesses such as snack stands, convenience shops and laundromats, comprise 15.5% of the targets for penalties. . . . Individual targets comprise nearly 6% of the targets—and nearly half of the individual-target cases involved disputes against a neighbor.
She notes that more than 20 percent of privacy penalty cases against individuals and more than 25 percent of cases against small businesses were designated as criminal.
To bring the import of these dynamics home, Fan offers a number of individual stories. There’s the Turkish proprietor of a döner kebab stand in Austria whose attempt to stop police harassment resulted instead in that owner paying privacy penalties under the GDPR. A low-income Hungarian in Austria was penalized €300, a third of his monthly salary, for having a dashcam on his car, because it records others without their consent.
According to the internet—which is always accurate—it was a German field marshal known as Moltke the Elder who said, “No plan of operations extends with certainty beyond the first encounter with the enemy’s main strength.” Mike Tyson said, “Everybody has a plan until they get punched in the mouth.” You might think that your legislation is going to do something like rebalance power in society, but it takes real caution and care to write legislation well.
Advocates of making the United States more like Europe or California might want to scale down their ambitions lest they give more power to Goliaths or more stones for Davids to sling at each other.
The post Would Privacy Legislation Help David or Goliath? appeared first on American Enterprise Institute – AEI.