I have been watching the frenzy, confusion, and the millions of working hours wasted on GDPR-compliance and all I can think of is this quote:
Q: Do you admit that it is pretty difficult to guess the future practice 〈of the media law〉 because it’s very vague when and why the authority can issue fines?
Fellegi: “The media regulation, just like every kind of regulation, predominantly only gives us options. Options, that will be further defined in the – hitherto unknown – practice of enforcement. Let’s revisit this question in a year or so…”
— István Fellegi, minister under Orbán between 2010-11
What Fellegi meant to say is that the (then draft) Hungarian media law may look alarming, vague, and impossible to comply with, but don’t worry, enforcement will be selective. The authorities will have these ‘options’ to punish you, but they may look the other way…
And when do they look the other way, exactly? You would think that he meant to imply that they will look the other way when the regulation is clearly nonsensical. Many would no doubt be satisfied with this benevolent interpretation of his cryptic words – because it is soothing. It feels better to trust the powerful than to face the inconvenient fact that you cannot stop them from abusing their power.
But if you know the first thing about autocracies, you know that such a kind reassurance is not their kind of thing. It was a threat. And those in the crosshairs have heard it.
Selective enforcement is the definition of the abuse of power and the hotbed of corruption – whether it is positive or negative.
If I can just give to whomever I want, regardless of the law, I am a despot. If I can take whatever I want, regardless of the law, even a believer can see that I’m a despot. If I can issue fines, but I choose not to, that’s an abuse of power – just like its opposite, when I issue fines (take money) illegally. What if someone writes a regulation that breathing is now illegal – but promises to look the other way, don’t worry? That’s not a reassuring state of affairs. Selective enforcement is not a solution to a bad or unnecessary regulation.
I envy the first world minds who only have to worry about bureaucratic incompetence – not regulatory abuse. But selective enforcement, delayed fines, a probationary period are not an answer to a problem. And in the third world (coming to a country near you soon) it is willful abuse, never just incompetence.
The EU bureaucrats wanted to flex their muscles against Facebook – but kicked every single European enterprise in the face with the same regulatory maneuver (the GDPR). And now they try to soothe the victims promising selective enforcement, claiming we still need to sort out how to enforce this. And that’s not good enough.
- First of all, the burden of compliance is even heavier on small enterprises – Facebook will be fine, thank you very much, even after paying heavy fines.
- The giants that grew fat off the free and uncontrolled use of data (the new oil) will now never see competition growing out of nowhere. Starting a company with a data protection officer on board and navigating this regulatory minefield will put a lid on digital innovation for good.
- Enforcement will be left to local authorities (another national enforcement office, great) that will read and enforce the regulations differently – opening up an informal market of regulation-avoidance within the EU – and outside of it.
- Another layer of bureaucracy will be created. Not just in countries, but within companies, to fight back the regulatory attacks.
- A data commissar will come on top of the accountant, the lawyer, the health and safety commissar, and the union representative at every company – the Hungarian “christian” “democrats” even suggested a commissar to every company to send female employees home on time to get knocked up already. (Not a satire.)
- Data consulting “businesses” will grow out of the ground and
- …some dimwit economist will no doubt call it a GDP-booster.
For dodgy regimes that wield the law as an assault weapon against their own citizens – GDPR is a godsend.
Autocrats also use the law as a shield against criticism – and here they will have the perfect shield: The EU will not like GDPR when gleeful illiberals start using it against the opposition, targeted companies, and NGOs. Just like they use accounting and party financing laws selectively, or write regulations that just happen to drive foreign owners into bankruptcy.
Autocrats love rules that make everyone punishable, but don’t worry, they will practice discretion – if they like you. And if you preemptively align with their perceived will to try to secure protection during the practice of enforcement – that’s not dictatorship, is it? You align voluntarily. Internalized compliance, right? Or as the EU’s Data commissioner put it:
“…we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.”
— Elizabeth Denham, on GDPR and accountability
Orbán couldn’t put it more eloquently. Actually, he did. In 2010, he celebrated his victory by making public institutions (and voluntary private ones) hang out his economic manifesto on the “System of National Cooperation”, which states that we are now all moving in one direction, the national direction, and you will agree with it. He didn’t even have to add “or else”.
The goal of GDPR might be more noble than Orbán’s goal with that manifesto (to grab all economic power in his country), but the principle is the same. Internalized compliance is just another name for voluntary submission, and once you have practiced it on data protection, you will find it easier to fall into line on all sorts of upcoming regulations. And you will do so in your own interest – because you don’t want to be fined. That’s your interest, right?
So you may agree with the goals, but the tools can still be damaging. Data protection is important, but 1) vague rules and 2) huge fines are only good to 1) abuse regulatory power by selective enforcement and 2) revenue generation. Thank you, EU, for giving my government yet another excuse to fine dissenters out of their minds – if they so wish – and blame the GDPR for it. More responsible data management is necessary, but this will give you a lesson in the abuse of power, unwittingly enabled by naive central planners fixated on Facebook.
Because whenever a regulation generates revenue, it becomes a revenue device. And not just parking and speeding tickets.
“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.”
— Elizabeth Denham, on GDPR and accountability
At least she’s honest. I was worried they don’t have the courage to collect money but now my worries are all resolved.
As for the Hungarian media law, we didn’t have to wait for a year to find out how enforcement will spare the righteous. A few days after the minister’s soothing statement they used it to attack an independent radio station for reasons like not signing every page of the 20-thousand page paperwork they have to file to reapply for the usage of their frequency. In other words, the practice of enforcement started to define the law.