Why GDPR fails

4 April 2019 | By Dirk Volman

Or how the EU can create better digital legislation.

Viviane Reding on GDPR: “It will make life easier for business and strengthen the protection of our citizens.”

At the initiation of the General Data Protection Regulation, its architect, Viviane Reding, told the press:

“This reform is a necessity and now it is irreversible. It will make life easier for business and strengthen the protection of our citizens.”

Last year, GDPR became law. And ever since, I can’t help wondering what Viviane's expectations were when negotiating the law. How does the former Justice Commissioner feel now that she can experience her law in action? Does it really do what she intended? Does it make our lives easier? Does it protect us EU citizens?

I expect she is horrified by the outcome. Or at least she should be. Because now that GDPR has been introduced, half a billion EU citizens are bullied every time and everywhere they go online. And if you haven't noticed it yourself by now, then just have a quick browse through the GDPR hall of shame on Twitter, to give you an idea.

Imagine having to navigate all these settings every time Google updates its terms & conditions.

In short, corporations misinterpret or misuse the law, practically tricking or harassing people into waiving all sorts of privacy rights. At some point any mortal is simply going to give up and just click ‘accept’.

And the thing is, we have seen this before: digital laws that start from good intentions but miss the mark completely in practice. The prime example of this was the predecessor to GDPR, the infamous 'cookie legislation' — based upon the EU Data Protection Directive 95/46/EC — that was introduced in all EU countries earlier this decade. But we see the same problems with the more recent introduction of EU copyright laws, for example.

All these laws start with the best of intentions. And we Europeans can truly count ourselves lucky we have a government that is trying to take a stand for its citizens when it comes to data and privacy rights. Just look at the US, where net neutrality was virtually handed to lobbyists on a silver platter, no questions asked. We should be thankful for legislators like Viviane who fight for our rights. But if it isn't the intention, why then do these laws fail so horribly in practice?

Audi does not even let you manage your privacy settings. They blatantly refer you to your browser settings.

It is because the nature of politics and the nature of digital design are quite different. Hear me out.

Lawmakers have to go for compromise. And in politics, that is a good thing. (Need I remind anyone of the ridiculously polarized political situation in the US?) For digital technology, however, compromise equals inconsistent design requirements and consequently a crappy user experience. And that, as you can imagine, is a bad thing.

So what seems to be going wrong in the creation of digital legislation for the EU is not the intention. The intention of our EU legislators is more often than not of a very noble kind. It is that this intention is lost in translation. The intention is lost in the actual law, the design requirements if you will. Therefore the legislation is deprived of clarity and coherence when it eventually dictates the online user experience for EU citizens. In short: good intentions are lost in digital legislation because it tells companies what they should do, but not how.

Often visitors have to navigate through loads of screens to manually set their cookies.

So how can legislators like Viviane create better digital legislation in the future? They should separate intention and requirements. This means lawmakers should find compromise on the intention of a piece of legislation first (the politics part), and only then turn to the requirements. This can be done by prototyping the online experience and turning a successful prototype into clear and coherent design requirements for corporations, i.e. law.

Now I hear you asking: who will prototype the actual online experience? Well, here we can borrow from our friends across the pond.

In the US, Obama launched the US Digital Service in 2014, a governmental department that provides consultation and design services to federal agencies. We can simply create the European equivalent. The EU Digital Service could impartially prototype and test online experiences and their effectiveness. This way, legislators will learn what works and what doesn’t and can then decide to set, change or scrap requirements in a bill before it is voted into law.

Scotch & Soda offers a simple 'Agreed' or 'Not agreed'. What if this was the mandatory interaction?

For EU citizens such a process might very well have resulted in a simple, coherent, non-repetitive user experience. The same for every website; maybe centralised; or even invisible. GDPR would have given the EU citizen full control of their data and privacy, making sure we really are protected.

How would this have changed Viviane’s experience going online? I think she would feel proud of what she accomplished, for herself, and for half a billion of her fellow citizens.