(This article is also available in German)
Summary: The „General Data Protection Regulation“ (GDPR) goes into effect on May 25th 2018 and creates many obligations for any organisation handling data of EU citizens. The GDPR is sketchy, complex and bureaucratic, and it remains completely unclear how it will be interpreted. Therefore Purplemoon has no choice but to abandon the EU, because as a small organisation we cannot afford the associated risks.
Background about GDPR
On the 25th of May 2018 the new European Union law „General Data Protection Regulation“ (GDPR) goes into effect, which entails many new obligations for anyone who handles personal data. Not only companies are affected: any organisation or private person who in any way handles or processes data of people residing in the EU can be subject to it, if the reason for processing has to do with trade or services which are available to people residing in the EU. Having just one person from the EU use your shop or services is usually enough for the GDPR to apply.
Personal data according to the rulings in the EU is defined in a very broad way. IP addresses, a handle, a nickname, an email address – all of these are seen as personal data according to the GDPR, as they might narrow down who you are.
In the media the GDPR has already been described as „Privacy with teeth“ because huge financial penalties are possible (up to 20 million euro or 4% of the annual global sales, whichever is higher) and the hope seems to be that companies will be forced to adopt better privacy measures – or suffer heavy penalties if they do not.
The GDPR itself is a long and complex legal document (over 250 A4 pages) which is not easy to understand and contains many bureaucratic rules.
The problem from my perspective is that the GDPR is sketchy and generic in terms of its requirements and obligations, and it creates a massive bureaucratic workload. It is entirely unclear how to adopt these rules in practice. Rules already differ within the European Union, as every member state can specify how it adopts the GDPR, and there is no consensus between them (Austria, for example, has passed its own laws abolishing most penalties of the GDPR). Every interest group currently interprets the GDPR in its own way, which makes the statement „We follow the GDPR“ have hardly any meaning.
Both the high bureaucratic complexity and the tremendous legal risk are especially worrisome for small companies and organisations. Implementing all the bureaucratic rules is a very high burden, and the high financial penalties and possible trial costs can easily threaten their existence.
Every website with any kind of service can be affected by the GDPR – because the law applies to the whole world, not just the EU, and the EU did not clarify what constitutes a „service“. Is a blog a service? Is Wikipedia a service? This remains completely unclear, and if you define „service“ in the broadest sense it applies to almost every website that currently exists in the whole world. It could also mean that many private citizens with a website or blog are affected. Online shops that do not cater to EU residents seem to be the safest, while every other website could be affected – or not, depending on who decides how the GDPR is interpreted.
It is not quite understandable to me why a sports club with 50 members has the exact same rules as a company with 50’000 employees. Almost all other laws are designed in a way that more sales, more employees and more data leads to more responsibility and a higher public interest in supervision. Yet the GDPR has no such distinguishing factors – everything applies to everybody.
When talking about the GDPR it is often seen as a weapon against large companies (like Facebook), to make them accountable. Yet in my personal opinion nobody profits more from the introduction of the GDPR than large companies. They can much more easily afford the ongoing bureaucratic overhead of adapting to the GDPR, they can select the EU country which enforces the GDPR least and acts most friendly towards them (Austria would currently be a good choice), and if they get a fine or are involved in a lawsuit they can weather that storm, prolong any court cases and afford any costs involved. Small companies lack all of these options, have fewer resources and can easily be worn down by ever-changing rules and overburdening bureaucratic regulations.
Idealistic projects like Purplemoon are especially in danger – as soon as a project has limited financial resources and is not planning on making a lot of money, the risks and costs involved can be prohibitive. Purplemoon has one part-time employee and a few volunteers, does not even cover its costs, and is mainly continued because we believe in Purplemoon as a positive project for its users. New bureaucratic rules with very unclear boundaries are therefore a serious problem for us.
Consequences for Purplemoon
Purplemoon has always tried to have an exemplary privacy record. Our privacy policy is easy to understand, short and consumer-friendly. We do not appropriate the rights to our users' content, as almost all social media platforms do. We have never shared our users' data with other companies. We do not profile our users or try to accumulate additional data – we just use the data our users provide, and they decide what to share, when, and for how long. We have a secure infrastructure and follow best practices. One of our stated goals has always been to offer the best privacy options possible and to act in the interests of our users.
Yet none of that helps with the GDPR, because it is all about broad bureaucratic rules and not about the details of real-life good privacy. No company can be certain it is GDPR compliant, as nobody knows how to interpret the GDPR. For a small company the GDPR is like a ticking time bomb: anyone can get a fine or a lawsuit no matter how they prepare or what they do, in addition to the nightmare of having a ton of bureaucratic regulations which seem nonsensical in many situations.
The fact that the company behind Purplemoon is situated in Switzerland (and all data is saved/processed in Switzerland) does not help us either – just the opposite, it creates even more legal uncertainty as it remains unclear which EU government agency would come after us or how they would operate. The different government agencies in the EU will clearly have different opinions about how an organisation can be GDPR compliant, and nobody knows what rules will prevail or how the GDPR will be enforced internationally.
The consequences for us, after much thought, are simple: we cannot continue to offer any services to people residing in the EU. This seems to be the only safe option for us to avoid the incalculable risk created by the GDPR. We will therefore start blocking the European Union from May 25th. It will still be possible to open the Purplemoon website, but when users within the EU try to log in we will show a message that, because of the GDPR, no services are available to anybody within the European Union. We will only block the EU – Purplemoon will remain accessible from every other country in the world.
We are not the only ones who plan to abandon or block the EU. There are already multiple examples of organisations in many different sectors that will start to block any requests from the EU. We suspect these numbers will only increase and that many organisations will pull out of the EU – especially hobby projects, idealistic projects and small companies which cannot afford the immense bureaucratic effort and the legal (and financial) risk, as every government agency in the EU will have the power to destroy an organisation and/or interpret the GDPR in a way which creates insurmountable bureaucratic obstacles and huge expenses. Some projects might block the EU, while others might just close down completely if they are mainly based in the EU.
Addendum on May 25th: Blocking the EU has also affected users who are not within the European Union – it seems it is difficult to tell from the IP address alone whether somebody is actually in the EU or not. Therefore it is now possible to skip the block if you confirm that you are not within the EU. We have also made it clear in our terms of service that we provide no services to anybody in the EU, and we will adjust these technical measures if necessary.
Looking to the future
Personally I am disappointed by the European Union. The GDPR would have been a chance to define clear rules which anyone can understand and implement, and go after big companies and data intensive sectors first.
If the GDPR only targeted companies with at least 100 employees (and maybe some sectors which do a lot of profiling/tracking) the EU would have still been swamped with the effort of supervision and enforcement. In addition, these larger companies are in a better situation to handle the bureaucratic effort and legal uncertainty. Less than 2% of companies have more than 100 employees, yet they still number in the tens of thousands just in the EU, and hundreds of thousands world-wide – plenty to enforce and improve before small companies, clubs and private citizens become part of this experiment.
As it stands now we will see who gets to feel the consequences of the GDPR – and if the government agencies will go after big companies, or rather look at small organisations who can defend themselves a lot less. Small organisations are already the clear losers of this legislation because of the immense workload all these new regulations create.
All the new rules might even be bad for EU citizens, as they will likely be confronted with many more consent forms, more legal texts to agree to and more complex agreements – because many companies will just try to protect themselves legally no matter how nonsensical it might become, and the GDPR contains so many bureaucratic rules that just being exposed to them as a citizen might become a nightmare.
The EU is already known for overburdening bureaucratic regulations which negatively affect everyone. A good example is the cookie legislation of 2009: it led to many websites showing a banner to inform users that they are using cookies, leading to an additional „accept“ click on any website you might visit. There was no upside to this – it was just a hassle for users and more work for website operators.
If legal certainty about the GDPR is established we might make Purplemoon available again within the EU. Yet the amount of clarifications and the court cases which will determine legal precedence will probably take years or even decades. We will keep an eye on what happens next and react accordingly.