For what it's worth, our numbers wouldn't support your theory. We do get decent returns on Facebook ads (and our Facebook metrics do support the theory that 18-24s don't spend much) but we also get decent returns running old-school untargeted ads or referral schemes through other websites or press relevant to our products and services. Facebook has the advantage of being huge and therefore scaling up where often websites for interests have well qualified but small audiences, but it's far from clear that all the profiling is making much of a difference to any metrics that actually matter compared to just advertising in places relevant to whatever interests you're catering for.
After all that’s where all of these companies derive their “value” from.
Interestingly, there seems to have been some evidence recently that running ads that are heavily personalised/targeted isn't necessarily much more effective than the traditional approach of running your ads in places where your target market are likely to be found. That is, do you really get better returns if you have $x to spend and run advertising on Facebook targeted by interest than if you just run ads on websites or other locations relevant to that interest?
I assume all of the big online companies would count that way. At least it's objective, and it's likely to give bigger numbers than any plausible alternatives I can think of.
I'm more interested in this:
While Reddit's value per user is much lower than its peers, it is betting its access to a valuable demographic will appeal to advertisers and potentially even draw their dollars from larger rivals like Facebook and Google. The company said half of its MAUs are between the ages of 18 and 24.
There is a reason that today's young adults are referred to as "Generation Me" in marketing circles and that the phrase "entitlement culture" is heard so often. As someone who has worked in this field, it's not particularly surprising to me that a business where so many of its users are young adults also has much lower revenue per user. If I were starting a new business today, the 18-24s would be literally the last age range I would want as my target market. They have little money, they tend to care more about experiences than possessions, and when they do spend they are heavily fashion-driven and quick to change. What is surprising is that Reddit reportedly thinks this is a valuable demographic.
Yes, that is essentially the concern here. The proposed way to avoid that responsibility in safe-harbour fashion is to implement various precautionary measures, which may or may not rely on technologies that do or do not exist and that may or may not be readily available to small organisations at viable cost or otherwise if they do. This, presumably, is what the politicians mean when they say they have been clear about things.
There is life outside the US, and there are more forms of useful insurance than US-style health insurance.
In the UK, for example, there is some controversy at the moment because travel insurance companies aren't very good at assessing the risk posed by a former cancer patient who has now fully recovered. Premiums can remain prohibitively high, or policies unavailable entirely, even when based on the best available scientific evidence and clinical judgement, someone is at no higher risk of future health problems due to that aspect of their medical history than anyone else.
Unfortunately, radical transparency is only a viable solution to the societal problems caused by reducing privacy if you live in a world where everyone who will ever make a decision that affects you is a reasonable, fair, trustworthy person.
Indeed. It is depressing how often European politicians comment, entirely unironically, about how the importance of boosting the tech sector here in Europe, in practically the next breath after introducing yet another measure that hammers all the small businesses. And then they wonder why the Googles and Facebooks and Apples of the world are all based somewhere else. As the saying goes, every successful large business was once a successful small business.
Are you sure you're considering the whole set of proposed reforms here? Any business that hosts a blog with visitor comments or a discussion forum and that has been online for more than three years would apparently be required to implement filtering technology that may or may not actually exist under the current proposals. These reforms aren't just about news sites extracting royalties from aggregators for reposting snippets (though any fledgling site with the popular news aggregator plus discussion format would potentially be caught by that aspect as well).
Oh, I agree the current proposals are still bad, particularly in that they will apply to small sites that have been going a while. Still, even those criteria are better than what was originally proposed, which had no such safeguards or exceptions at all.
I agree with the problem that the EU leadership just doesn't seem to get it when it comes to the tech and creative sectors.
Brexit is an interesting case. I have some businesses in those sectors that are based in the UK, and looking only from a professional standpoint and talking only about those specific businesses, Brexit is almost 100% win and the harder the better. The EU does almost nothing of direct value to any of those businesses, and many things such as these proposals that are/would be directly harmful.
The big problem here isn't killing off old media with obsolete business models. The problem is killing off new media with innovative business models as collateral damage.
(I assume you mean increased protections for small businesses rather than lowered them.)
This is a step in the right direction, but only if it makes it into the final version. This area is controversial, with a policy of having no exceptions still strongly backed by some of the parties, including big ones like France.
I'm not sure what you think I was saying, but I suspect you've completely misunderstood my previous comment. In particular, I wasn't defending anyone, and we should be worried about smaller businesses across the EU with this one as well.
OK, but what about the rest of the Internet? The proposals in question won't just affect Google. They also affect Slashdot, Reddit, and who knows how many other sites that follow a similar format of linking to some primary source with some sort of headline/caption/summary and then providing a forum for related discussion. And for the filtering part, they'll potentially affect any site with user-supplied content, whether or not based on any other primary source. At least there are now some moves to try to limit this to avoid wiping out smaller businesses, but even if those succeed, it's only a damage limitation exercise.
Google know full well how badly the news sites need them to drive traffic in their direction via search, so I fully expec them to just pull the plug as they did with Spain, wait for the publishers to start screaming and shouting about the lost traffic/revenue, and only then open negotiations on exemptions and workarounds. At that point they'll be doing so from a much stronger position and with an industry that's desperate for a quick solution, so a deal more favourable to Google is much more likely.
This seems an unwise strategy.
For comparison, it took the EU four years to do anything about the VAT mess on digital services. During that time some smaller businesses went under or stopped supplying the EU. That was a problem that was only recognised at a very late stage in the original legislative process, because by the admission of various senior officials involved, the EU basically didn't even realise that millions of very small businesses existed, so had made no effort to inform or consult with them earlier, when helpful changes might still have been possible. By the time the danger was starting to be understood, it was too late to stop the process or add extra safeguards. And being EU-based rules, the national governments who also recognised the danger too late couldn't then act at national level to mitigate the damage.
In this case, the potential damage has been clear from the start, and campaigners have been objecting to articles 11 and 13 throughout. If the EU passes them anyway, that's essentially game over. Adversely affected online businesses are going to be hurt, and there won't be much that either they or the sites that previously cited them can do about it.
This foolishness has to be stopped before it gets onto the EU statute books.
I could see that working in some places, sure. It's less practical if your Windows-only software involves high-end graphics of any kind, when you really need to be physically at the computer.
Even if you're still working on a PC on the desk in front of you, I consider the risk relatively low. It's not as if anyone's relying only on Windows updates or even those updates plus someone's antivirus software for IT security in almost any office environment. I'd be far more concerned about something like a browser or email software running out of updates than I would about the OS, as by their nature those typically expose a relatively large attack surface directly.
Except that Microsoft has always made most of its Windows revenues from volume licensing and preinstallation on new PCs anyway, and neither of those is particularly affected by the current version being stable because big organisations still want updates and new computers still need an OS. In my entire life, I think I've bought an off-the-shelf copy of Windows on physical media exactly once, and the staff looked at me all funny like.
We've been actively investigating alternatives since the point where you could no longer buy new machines with Windows 7 preinstalled. Running smaller businesses, you're typically on Pro rather than the enterprisey/volumey alternatives, so 10 doesn't look like a viable option and the paid ongoing support for 7 is of limited relevance. However, the need for everyone to run the exact same thing on every computer is also much less than organisations with hundreds or thousands of staff. Everything is customised to each user's needs anyway, so having people with newer machines running different software isn't necessarily a problem in this sort of environment.
Currently we're erring towards Linux but also keeping around some Windows 7 machines. We do use a few very expensive specialist packages that are either only available on Windows or expensive if we wanted to acquire further licences on other platforms, so retaining some Windows systems is important. However, based on watching what's happened in recent years, both in terms of actual behaviour of Windows and the strategy/attitude of the leadership at Microsoft, our judgement is that the risk of bad things happening to our businesses on Windows 7 even with no further security patches after this time next year is much lower than the risk due to Windows 10 compromising or breaking something.
Unless you're filming your own shows, whoever you're buying your entertainment from can, will, and must track what you're buying from them.
That's not an inevitability. Here in the UK, we get broadcast TV for the main channels, and we can buy DVDs or Blu-rays for movies, seasons of favourite shows that haven't been broadcast over here yet, etc.
It's not unreasonable to require by law that anything tracked by streaming services etc. is anonymised, so they can collect the kinds of usage metrics that are legitimately useful but without compromising the privacy of any given individual. It seems to me that this would be the modern equivalent of old laws that protected the privacy of people renting from a store.
I can only offer a similar principle to my earlier comments again here. In principle, it's fine to say organisations should be able to answer those questions. In practice, if you're dealing with a guy who does plumbing for a living but has a web site that was built for him three years ago by some freelancer or agency, it doesn't serve anyone's interests to provide a mechanism where someone who wasn't happy about something can legally tie that guy up in knots (or, realistically, cost him significant time and money getting professionals in again to deal with the issue). Even a small tech firm might need to take someone off real work for a few days and spend some money on a lawyer to figure out how to reply to a letter like that. If your startup only had two or three people doing everything in the first place, or maybe even just you working on your grand idea for the next Google out of your garage in your spare time, that's a disproportionate burden if you weren't actually doing anything shady in the first place and the request is vexatious.
I think it's worth remembering that almost all businesses are small businesses. Things that are merely a "cost of doing business" to a large firm with dedicated admin and IT and legal staff can be very expensive for the little guy. Indeed, the GDPR itself has a 4% cap on the fines in terms of global annual turnover for giants like Facebook and Google, yet if your business has annual turnover under €20M, the cap is effectively 100% of your revenue and the GDPR and regulators therefore pose an existential threat. Combined with the inherent ambiguities in the regulations themselves and the lack of binding requirements for due process, you can see why smaller businesses are wary here.
Ah, sorry, I misunderstood. One of the common arguments around the time of the GDPR's introduction was that because the European approach to these laws is to describe general principles and leave it to regulators and courts to resolve the finer details, businesses in doubt about whether they were going to be compliant could just ask whether their practices would be acceptable. But of course that was never going to scale, and so it proved in practice.
Naturally you can do almost anything you might reasonably want to with explicit consent, but relying on consent alone comes with additional obligations. Where you're doing processing that is legitimate and reasonably expected, the general advice was to try to avoid that particular minefield as much as possible.
That was partly because some of the record-keeping requirements were stricter under GDPR and would potentially disqualify even genuine consent freely given in the past. For example, maybe you didn't still have a copy of the exact wording from your web site a decade ago when someone signed up for your double opt-in mailing list.
To be fair, it was also partly a defence against troublemakers. For those of us in the UK, and possibly some other EU states, the GDPR removed the small but non-zero financial incentive not to make subject access requests as a legally-backed form of harassment of any organisation someone didn't like. There was even an infamous "nightmare letter" that someone wrote to demonstrate just how far someone wanting to disrupt a business could go by exploiting all of their new rights under the law for vexatious purposes. If you aren't relying on consent, some of the more onerous obligations disappear, and you don't end up wasting so much time doing things like telling fraudsters where to go when they're trying to get you to delete records that would show them up as such.
This is very different to recognising that the needle had moved too far and steps to protect individuals' privacy and provide reasonable rights accordingly were long overdue. As an individual, I totally respect that, and indeed I am a fierce advocate of better online privacy protections myself. But for much the same reason, my own businesses were never doing shady stuff with people's data anyway, and we still had to waste significant time and money on research and compliance even though we changed pretty much nothing about our actual data processing. Meanwhile, as you note yourself, the businesses these measures were really aimed at have not magically become perfect corporate citizens overnight.
That's a fair point, but I'm not sure it could be any other way because the law can't hope to enumerate every possible legitimate use of data.
Of course not. I'm just illustrating the problem, not claiming there was some sort of perfect alternative solution available. But if you're going to make laws, and those laws are going to cost a lot of organisations a lot of time and money, the laws you actually make matter a lot more than any noble intentions you might have had.
All they need to do to confirm that some use is legal is ask.
Again, that might be have been the intent, but unfortunately the reality was very different. I was there. So were many, many other people in my professional network. You could try to ask, but it was no guarantee of even getting a response, never mind a useful, definitive one. Of course, that was also inevitable, because if the law can't enumerate every possible legitimate use of data, it's hardly practical for understaffed regulators to review every organisation's operating procedures and business models for free and on demand and to give an official opinion on whether they are compliant or what needs fixing if not.
There were (and are) consultants charging £X,000 per day to fill this gap for larger organisations who could afford them, but as far as I can tell, those roles required no particular qualifications (e.g., they weren't necessarily legal experts) and had no particular authority (e.g., their opinions or interpretations were in no way binding on the regulators). They were just people who had tried to keep up with the often verbose and disorganised official guidance and listened for any informal remarks from regulators across the EU to search for any hint of how things would go. As with many external consultants, as much as anything they were probably there so senior management that did fall foul of the regulators later could point at spending significant money on professional advice and say "Well, we tried in good faith to be compliant".
OK, so one of the main uncertainties with GDPR is that you have to have a lawful basis for each type of processing you do. The acceptable bases are specifically enumerated, but one of them is the catch-all "legitimate interests". This is open to interpretation, and in practice that means organisations intending to perform data processing against their users' legitimate interests frequently continue to do so appealing to that basis for their legal authority. Perhaps in time the regulators will act on that more effectively, but their official guidance has generally been late and often quite unhelpful so far.
Meanwhile, the exact same provision creates significant uncertainty for better organisations that are trying to play by the rules and not interested in doing anything particularly unpleasant or risky in privacy terms, because it's not clear whether a lot of processing that many of us (including the affected data subjects) would probably consider fair and reasonable is actually covered.
This led to quasi-paradoxical behaviour like many organisations emailing people on their contact lists to ask them to re-confirm their consent. That one is ironic because those mails would themselves in many cases have fallen foul of even the previously existing rules had such consent not already been granted. But even that wasn't clear cut, because the new rules had more specific requirements for informed consent that weren't the common practice for a long time even among responsible organisations, which meant that for example even organisations sending only genuinely relevant emails to people who genuinely intended to receive them might not have been covered.
This is just one small example of the broader issue of uncertainty under the legitimate interests basis, and that basis in turn is just one example of the general problem with the GDPR of being well-intentioned but causing much uncertainty and overhead for organisations that weren't actually doing anything scummy in the first place while simultaneously leaving plenty of wriggle room for those that were. Given how many businesses that covers, not to mention all the charities, government departments, etc, it's likely that the UK economy alone has lost literally billions of pounds in productivity as a result of the GDPR, much of it spent on little more than legal fees, consultancy fees and compliance red tape by organisations that required little if anything to be changed about their actual data processing activities.
Slashdot Mirror
For what it's worth, our numbers wouldn't support your theory. We do get decent returns on Facebook ads (and our Facebook metrics do support the theory that 18-24s don't spend much) but we also get decent returns running old-school untargeted ads or referral schemes through other websites or press relevant to our products and services. Facebook has the advantage of being huge and therefore scaling up where often websites for interests have well qualified but small audiences, but it's far from clear that all the profiling is making much of a difference to any metrics that actually matter compared to just advertising in places relevant to whatever interests you're catering for.
You're confusing personal opinions with professional experience. That's another common trait of Generation Me.
After all that’s where all of these companies derive their “value” from.
Interestingly, there seems to have been some evidence recently that running ads that are heavily personalised/targeted isn't necessarily much more effective than the traditional approach of running your ads in places where your target market are likely to be found. That is, do you really get better returns if you have $x to spend and run advertising on Facebook targeted by interest than if you just run ads on websites or other locations relevant to that interest?
I assume all of the big online companies would count that way. At least it's objective, and it's likely to give bigger numbers than any plausible alternatives I can think of.
I'm more interested in this:
While Reddit's value per user is much lower than its peers, it is betting its access to a valuable demographic will appeal to advertisers and potentially even draw their dollars from larger rivals like Facebook and Google. The company said half of its MAUs are between the ages of 18 and 24.
There is a reason that today's young adults are referred to as "Generation Me" in marketing circles and that the phrase "entitlement culture" is heard so often. As someone who has worked in this field, it's not particularly surprising to me that a business where so many of its users are young adults also has much lower revenue per user. If I were starting a new business today, the 18-24s would be literally the last age range I would want as my target market. They have little money, they tend to care more about experiences than possessions, and when they do spend they are heavily fashion-driven and quick to change. What is surprising is that Reddit reportedly thinks this is a valuable demographic.
Yes, that is essentially the concern here. The proposed way to avoid that responsibility in safe-harbour fashion is to implement various precautionary measures, which may or may not rely on technologies that do or do not exist and that may or may not be readily available to small organisations at viable cost or otherwise if they do. This, presumably, is what the politicians mean when they say they have been clear about things.
There is life outside the US, and there are more forms of useful insurance than US-style health insurance.
In the UK, for example, there is some controversy at the moment because travel insurance companies aren't very good at assessing the risk posed by a former cancer patient who has now fully recovered. Premiums can remain prohibitively high, or policies unavailable entirely, even when based on the best available scientific evidence and clinical judgement, someone is at no higher risk of future health problems due to that aspect of their medical history than anyone else.
Unfortunately, radical transparency is only a viable solution to the societal problems caused by reducing privacy if you live in a world where everyone who will ever make a decision that affects you is a reasonable, fair, trustworthy person.
Indeed. It is depressing how often European politicians comment, entirely unironically, about how the importance of boosting the tech sector here in Europe, in practically the next breath after introducing yet another measure that hammers all the small businesses. And then they wonder why the Googles and Facebooks and Apples of the world are all based somewhere else. As the saying goes, every successful large business was once a successful small business.
Are you sure you're considering the whole set of proposed reforms here? Any business that hosts a blog with visitor comments or a discussion forum and that has been online for more than three years would apparently be required to implement filtering technology that may or may not actually exist under the current proposals. These reforms aren't just about news sites extracting royalties from aggregators for reposting snippets (though any fledgling site with the popular news aggregator plus discussion format would potentially be caught by that aspect as well).
Oh, I agree the current proposals are still bad, particularly in that they will apply to small sites that have been going a while. Still, even those criteria are better than what was originally proposed, which had no such safeguards or exceptions at all.
I agree with the problem that the EU leadership just doesn't seem to get it when it comes to the tech and creative sectors.
Brexit is an interesting case. I have some businesses in those sectors that are based in the UK, and looking only from a professional standpoint and talking only about those specific businesses, Brexit is almost 100% win and the harder the better. The EU does almost nothing of direct value to any of those businesses, and many things such as these proposals that are/would be directly harmful.
The big problem here isn't killing off old media with obsolete business models. The problem is killing off new media with innovative business models as collateral damage.
(I assume you mean increased protections for small businesses rather than lowered them.)
This is a step in the right direction, but only if it makes it into the final version. This area is controversial, with a policy of having no exceptions still strongly backed by some of the parties, including big ones like France.
I'm not sure what you think I was saying, but I suspect you've completely misunderstood my previous comment. In particular, I wasn't defending anyone, and we should be worried about smaller businesses across the EU with this one as well.
OK, but what about the rest of the Internet? The proposals in question won't just affect Google. They also affect Slashdot, Reddit, and who knows how many other sites that follow a similar format of linking to some primary source with some sort of headline/caption/summary and then providing a forum for related discussion. And for the filtering part, they'll potentially affect any site with user-supplied content, whether or not based on any other primary source. At least there are now some moves to try to limit this to avoid wiping out smaller businesses, but even if those succeed, it's only a damage limitation exercise.
Google know full well how badly the news sites need them to drive traffic in their direction via search, so I fully expec them to just pull the plug as they did with Spain, wait for the publishers to start screaming and shouting about the lost traffic/revenue, and only then open negotiations on exemptions and workarounds. At that point they'll be doing so from a much stronger position and with an industry that's desperate for a quick solution, so a deal more favourable to Google is much more likely.
This seems an unwise strategy.
For comparison, it took the EU four years to do anything about the VAT mess on digital services. During that time some smaller businesses went under or stopped supplying the EU. That was a problem that was only recognised at a very late stage in the original legislative process, because by the admission of various senior officials involved, the EU basically didn't even realise that millions of very small businesses existed, so had made no effort to inform or consult with them earlier, when helpful changes might still have been possible. By the time the danger was starting to be understood, it was too late to stop the process or add extra safeguards. And being EU-based rules, the national governments who also recognised the danger too late couldn't then act at national level to mitigate the damage.
In this case, the potential damage has been clear from the start, and campaigners have been objecting to articles 11 and 13 throughout. If the EU passes them anyway, that's essentially game over. Adversely affected online businesses are going to be hurt, and there won't be much that either they or the sites that previously cited them can do about it.
This foolishness has to be stopped before it gets onto the EU statute books.
I could see that working in some places, sure. It's less practical if your Windows-only software involves high-end graphics of any kind, when you really need to be physically at the computer.
Even if you're still working on a PC on the desk in front of you, I consider the risk relatively low. It's not as if anyone's relying only on Windows updates or even those updates plus someone's antivirus software for IT security in almost any office environment. I'd be far more concerned about something like a browser or email software running out of updates than I would about the OS, as by their nature those typically expose a relatively large attack surface directly.
Apparently leaving Windows world is considered a sin!
Except that Microsoft has always made most of its Windows revenues from volume licensing and preinstallation on new PCs anyway, and neither of those is particularly affected by the current version being stable because big organisations still want updates and new computers still need an OS. In my entire life, I think I've bought an off-the-shelf copy of Windows on physical media exactly once, and the staff looked at me all funny like.
We've been actively investigating alternatives since the point where you could no longer buy new machines with Windows 7 preinstalled. Running smaller businesses, you're typically on Pro rather than the enterprisey/volumey alternatives, so 10 doesn't look like a viable option and the paid ongoing support for 7 is of limited relevance. However, the need for everyone to run the exact same thing on every computer is also much less than organisations with hundreds or thousands of staff. Everything is customised to each user's needs anyway, so having people with newer machines running different software isn't necessarily a problem in this sort of environment.
Currently we're erring towards Linux but also keeping around some Windows 7 machines. We do use a few very expensive specialist packages that are either only available on Windows or expensive if we wanted to acquire further licences on other platforms, so retaining some Windows systems is important. However, based on watching what's happened in recent years, both in terms of actual behaviour of Windows and the strategy/attitude of the leadership at Microsoft, our judgement is that the risk of bad things happening to our businesses on Windows 7 even with no further security patches after this time next year is much lower than the risk due to Windows 10 compromising or breaking something.
Unless you're filming your own shows, whoever you're buying your entertainment from can, will, and must track what you're buying from them.
That's not an inevitability. Here in the UK, we get broadcast TV for the main channels, and we can buy DVDs or Blu-rays for movies, seasons of favourite shows that haven't been broadcast over here yet, etc.
It's not unreasonable to require by law that anything tracked by streaming services etc. is anonymised, so they can collect the kinds of usage metrics that are legitimately useful but without compromising the privacy of any given individual. It seems to me that this would be the modern equivalent of old laws that protected the privacy of people renting from a store.
I can only offer a similar principle to my earlier comments again here. In principle, it's fine to say organisations should be able to answer those questions. In practice, if you're dealing with a guy who does plumbing for a living but has a web site that was built for him three years ago by some freelancer or agency, it doesn't serve anyone's interests to provide a mechanism where someone who wasn't happy about something can legally tie that guy up in knots (or, realistically, cost him significant time and money getting professionals in again to deal with the issue). Even a small tech firm might need to take someone off real work for a few days and spend some money on a lawyer to figure out how to reply to a letter like that. If your startup only had two or three people doing everything in the first place, or maybe even just you working on your grand idea for the next Google out of your garage in your spare time, that's a disproportionate burden if you weren't actually doing anything shady in the first place and the request is vexatious.
I think it's worth remembering that almost all businesses are small businesses. Things that are merely a "cost of doing business" to a large firm with dedicated admin and IT and legal staff can be very expensive for the little guy. Indeed, the GDPR itself has a 4% cap on the fines in terms of global annual turnover for giants like Facebook and Google, yet if your business has annual turnover under €20M, the cap is effectively 100% of your revenue and the GDPR and regulators therefore pose an existential threat. Combined with the inherent ambiguities in the regulations themselves and the lack of binding requirements for due process, you can see why smaller businesses are wary here.
Ah, sorry, I misunderstood. One of the common arguments around the time of the GDPR's introduction was that because the European approach to these laws is to describe general principles and leave it to regulators and courts to resolve the finer details, businesses in doubt about whether they were going to be compliant could just ask whether their practices would be acceptable. But of course that was never going to scale, and so it proved in practice.
Naturally you can do almost anything you might reasonably want to with explicit consent, but relying on consent alone comes with additional obligations. Where you're doing processing that is legitimate and reasonably expected, the general advice was to try to avoid that particular minefield as much as possible.
That was partly because some of the record-keeping requirements were stricter under GDPR and would potentially disqualify even genuine consent freely given in the past. For example, maybe you didn't still have a copy of the exact wording from your web site a decade ago when someone signed up for your double opt-in mailing list.
To be fair, it was also partly a defence against troublemakers. For those of us in the UK, and possibly some other EU states, the GDPR removed the small but non-zero financial incentive not to make subject access requests as a legally-backed form of harassment of any organisation someone didn't like. There was even an infamous "nightmare letter" that someone wrote to demonstrate just how far someone wanting to disrupt a business could go by exploiting all of their new rights under the law for vexatious purposes. If you aren't relying on consent, some of the more onerous obligations disappear, and you don't end up wasting so much time doing things like telling fraudsters where to go when they're trying to get you to delete records that would show them up as such.
This is very different to recognising that the needle had moved too far and steps to protect individuals' privacy and provide reasonable rights accordingly were long overdue. As an individual, I totally respect that, and indeed I am a fierce advocate of better online privacy protections myself. But for much the same reason, my own businesses were never doing shady stuff with people's data anyway, and we still had to waste significant time and money on research and compliance even though we changed pretty much nothing about our actual data processing. Meanwhile, as you note yourself, the businesses these measures were really aimed at have not magically become perfect corporate citizens overnight.
That's a fair point, but I'm not sure it could be any other way because the law can't hope to enumerate every possible legitimate use of data.
Of course not. I'm just illustrating the problem, not claiming there was some sort of perfect alternative solution available. But if you're going to make laws, and those laws are going to cost a lot of organisations a lot of time and money, the laws you actually make matter a lot more than any noble intentions you might have had.
All they need to do to confirm that some use is legal is ask.
Again, that might be have been the intent, but unfortunately the reality was very different. I was there. So were many, many other people in my professional network. You could try to ask, but it was no guarantee of even getting a response, never mind a useful, definitive one. Of course, that was also inevitable, because if the law can't enumerate every possible legitimate use of data, it's hardly practical for understaffed regulators to review every organisation's operating procedures and business models for free and on demand and to give an official opinion on whether they are compliant or what needs fixing if not.
There were (and are) consultants charging £X,000 per day to fill this gap for larger organisations who could afford them, but as far as I can tell, those roles required no particular qualifications (e.g., they weren't necessarily legal experts) and had no particular authority (e.g., their opinions or interpretations were in no way binding on the regulators). They were just people who had tried to keep up with the often verbose and disorganised official guidance and listened for any informal remarks from regulators across the EU to search for any hint of how things would go. As with many external consultants, as much as anything they were probably there so senior management that did fall foul of the regulators later could point at spending significant money on professional advice and say "Well, we tried in good faith to be compliant".
OK, so one of the main uncertainties with GDPR is that you have to have a lawful basis for each type of processing you do. The acceptable bases are specifically enumerated, but one of them is the catch-all "legitimate interests". This is open to interpretation, and in practice that means organisations intending to perform data processing against their users' legitimate interests frequently continue to do so appealing to that basis for their legal authority. Perhaps in time the regulators will act on that more effectively, but their official guidance has generally been late and often quite unhelpful so far.
Meanwhile, the exact same provision creates significant uncertainty for better organisations that are trying to play by the rules and not interested in doing anything particularly unpleasant or risky in privacy terms, because it's not clear whether a lot of processing that many of us (including the affected data subjects) would probably consider fair and reasonable is actually covered.
This led to quasi-paradoxical behaviour like many organisations emailing people on their contact lists to ask them to re-confirm their consent. That one is ironic because those mails would themselves in many cases have fallen foul of even the previously existing rules had such consent not already been granted. But even that wasn't clear cut, because the new rules had more specific requirements for informed consent that weren't the common practice for a long time even among responsible organisations, which meant that for example even organisations sending only genuinely relevant emails to people who genuinely intended to receive them might not have been covered.
This is just one small example of the broader issue of uncertainty under the legitimate interests basis, and that basis in turn is just one example of the general problem with the GDPR of being well-intentioned but causing much uncertainty and overhead for organisations that weren't actually doing anything scummy in the first place while simultaneously leaving plenty of wriggle room for those that were. Given how many businesses that covers, not to mention all the charities, government departments, etc, it's likely that the UK economy alone has lost literally billions of pounds in productivity as a result of the GDPR, much of it spent on little more than legal fees, consultancy fees and compliance red tape by organisations that required little if anything to be changed about their actual data processing activities.