Overwhelmed by a deluge of GDPR-inspired privacy notices
I'm a big fan of the EU's strict electronic privacy laws, and while I haven't read the General Data Protection Regulation (GDPR) in detail, it's good that at least one of the major political entities in the world is trying to codify strong protections for the rights and dignity of individuals.
Contrast this to here in the US, where business has much more freedom to do what they want and little worry about penalties when things go wrong, as evidenced by scant punishment or negative effects of data breaches (even massive ones like Equifax's careless handling of our data) or outright abuse of people's trust (such as Facebook happily sharing all your info in ways a normal person wouldn't expect, and asserting it wasn't their fault partner companies didn't do the right thing). Even worse, contrast it to China's Social Credit System, a real-world manifestation of the dystopian ideas behind so much science fiction (from an episode of Black Mirror to uncountable numbers of novels and movies).
The GDPR has some lofty goals:
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
And as the deadline for compliance approaches, companies are starting to change their systems and send out updates to their policies. Some are going so far as to write up how they changed their systems to comply (MailerLite has a nice writeup on their blog, for example).
However, I write this with some irony. Even as someone who is willing to put in effort to be proactive in managing their online privacy, I'm getting exhausted with trying to keep up with all these emails and the work implicit in them. The (perhaps expected) side effect of the deadline is a deluge of email from many companies (I can't count the number I've received from Google alone!) with summaries of their new policies, links to updates in their systems, and instructions to go and update accounts and preferences to take advantage of these new options.
It's great that so many companies are updating their systems and policies to comply, and it's even better that the net result will be more openness and control of our data: hopefully many companies will change their systems to give GDPR-like control to everyone, not just EU residents, just to be safe (or, perhaps that's naive, who knows). But I'm starting to look forward to June, when my inbox returns to just being cluttered with the usual junk mail.
There should be a universal choice one can make to receive an abbreviated email saying "Company XYZ is now complying with the GDPR regulations." Even better, there could be a single alphabetized text file on the Web listing all organizations that claim to be compliant, with NO more emails sent. Since that file would be unreasonably long, it could be wrapped in a database--one would query it to find out if XYZ claims to be compliant. The burden should be borne by those who care to know, not by all customers of all companies in the world.