Have you returned to the office from your holiday weekend to find your email inbox flooded with privacy policy updates from every company you’ve ever crossed paths with? Well, you can thank an avalanche of new rules from the European Union for that. But the harms imposed by the EU’s new General Data Protection Regulation (GDPR) go far beyond annoying emails.

The Convenience of the Facebook Scandal

With the Cambridge Analytica "scandal" in the news, the EU would have you believe the GDPR is a reaction to public concerns over the use of personal data. However, the GDPR (regulation 2016/679) was initiated long before the current scandal broke. The fact that both events coincide accidentally is an advantage for EU lawmakers, who have managed to water down any criticism by citing "Facebook's irresponsible breach of trust."

The GDPR updates existing privacy rules from 1995 by expanding the definition of personal data to "any information relating to an identified or identifiable natural person." Moreover, the regulation applies to any person residing in the European Union, regardless of where the company or organization he or she interacts with is located. This means that the GDPR's changes extend beyond the European Union (and its associated European partners) and affect companies around the globe. If you have EU customers (and you likely do if you operate online), then these changes impact you, too.

For instance, the GDPR requires companies to "forget" customers by erasing their data on demand; to obtain the consent of users before handing data to third parties; and to export their data in a file whenever they desire. Furthermore, all consent agreements need to contain understandable language that describes how the data will be used.

This may sound reasonable, but its implementation is having sweeping negative consequences. The GDPR's nearly 100 articles have brought massive confusion all across the business landscape: nobody knows exactly how the rules will be implemented. Unsure whether or not consent given prior to the GDPR still applies post-GDPR, companies are sending out emails to consumers, asking for their renewed consent to receive newsletters, producing a wave of policy updates in people's inboxes: spam in the name of preventing spam.

Consumers Will Suffer

Unless you believe that advertising is evil (and some strange people do seem to believe that these days), it's hard to argue that there is much wrong with targeted ads on Facebook or an email newsletter from a company. Advertising can help you find things you were actually looking for, and nobody obligates you to buy the product. However, if data access becomes completely unpredictable—in part due to lack of customer data tracking consent—then data usage will decrease in value. This affects both your YouTube content creator who benefits from targeted ads and your local start-up trying to make a name for itself.

According to Forbes, the GDPR has already cost U.S. Fortune 500 companies $7.8 billion in compliance costs prior to its implementation. For mid-sized firms, the average of spending on compliance in those two years was $550,000. One specific group of people is therefore likely to tell you that the regulation is just wonderful: legal advisors and consulting firms.

Beyond this crony-like benefit, data policy is on its way to a drastic—and probably counter-productive—transformation: Facebook and Google alone have racked up $8.8 billion in lawsuits from just one day of GDPR. Those lawsuits will set new legal precedents, which will then again change the data policy landscape. The GDPR is a set-up for decades of data policy amendments by lawmakers.

If, as a business, you can't afford the hassle of going through with this legal gauntlet, you'll probably just turn your back on EU users, hence culling quite a cornerstone in many markets. This has already occurred on a number of U.S. websites, which simply exclude EU users. Since I am located in Europe, this is the message I receive when I try to access the website of the Chicago Tribune:

EU lawmakers are very good at protecting me from... information, it seems.

The Takeaway

With all the unnecessary emails, warnings and blocks, what are we supposed to take away from the GDPR experience? When reading left-wing broadsheets such as The Guardian, I'm told that this is a wonderful EU crackdown on predatory business behavior. Yet strangely enough, The Guardian's own message telling me that it updated its own privacy policy is taking up half my reading screen. I suppose the predators are just everywhere…

The GDPR is an attempt to make consumers feel more secure in the handling of their data. However, the fact that the regulation does not account for the problems of specific industries or for compliance costs, and the fact that users themselves have no idea how they are supposed to deal with cookies and user agreements, say a lot about the competence of lawmakers. The GDPR will reinforce market concentration because small businesses will face very high compliance costs they cannot handle, while consumers will actually get fewer choices in the marketplace.