Ironic, isn’t it. The GDPR, the legislation that was supposed to give us control of our personal data so that people wouldn’t spam us indiscriminately, has resulted in our inboxes being swamped with privacy notices and resubscription requests. My personal GDPR statistics look something like this: number of emails received: 200, number deleted without opening: 180, number of privacy policies actually read: zero. I imagine others have had similar experiences.
Why, you might ask, has this miasma been dumped onto us? Who thought it was a good idea? Trust me, by the way: having to deal with compliance for Bachtrack has been anything but a picnic – legal fees plus four weeks of my time so far, with more to come. I shudder to think of the total compliance costs for every business across the world who deals with or in Europe.
The problem, it seems to me, is this: legislation is drafted by lawyers (duh) and lawyers have a, shall we say, tilted view of the value of the verbiage that is their output. In the fantasy world of the people drafting the GDPR, here is what I imagine happened: businesses would read the GDPR. They would change their ways to impose self-restraint in the use of personal data, ensuring that it was used only where essential and protected with the utmost vigilance, and they would draft clear, straightforward notices, which their customers would read and be appreciative of how virtuous they had been.
What actually happened was this: when businesses became aware of the GDPR, they phoned their lawyers to ask the following question: how can we become compliant with this horrendous thing and achieve the minimum risk of being sued or prosecuted with the minimum of effort, cost and disruption to our business? The good ones might have modified that last bit to “disruption to our business and our customers”.
And the lawyers’ response goes like this: take every provision of the law and produce documentary evidence that you have made the required efforts to obey it. And since a lot of the GDPR is about giving information to the people whose data you hold, make absolutely sure that they cannot legitimately claim that you have used their data in ways they didn’t know about. If you’re not involved in compliance, the first part of that answer won’t have been visible to you. But everyone has now seen the second part in action, with its flood of multi-thousand word privacy policies and the emails that accompany them. (At Bachtrack, by the way, we didn’t go for the emails, preferring a cookie-suppressable warning in prime position on the website: still annoying, but less so, in our judgement).
Part of the problem is that lawyers survive on a diet of case law: that’s what tells them what works in practice. Since the GDPR is new, there isn’t any case law. Without that sustenance, in order to be reasonably sure of keeping their clients out of trouble, the lawyers go for triple-strength kevlar when creating their clients’ arse-covering trousers, which, translates into thousands of words of legal wording…
...which no-one will read. Except, of course, other lawyers and whatever unfortunates get lumbered with compliance in businesses like Bachtrack – businesses, that is, who are too professional to just ignore the law and too small to be able to afford to farm out the process to specialists.
And here’s the real problem: legislators, I presume, believe that people actually read this stuff. And we’ve been here before. Let me ask you a question: how many thousand words of contract terms have you agreed to without reading them, because you were forced to tick an “I agree to the terms and conditions” box in order to be permitted to use your shiny new phone, computer or app? Did you know, for example, that if you use Apple News on an iPhone, you’re not allowed to share a screenshot, according to section 5c of the iOS 11.2 Licence Agreement? And some of these terms matter: for example, when you bought CDs or vinyl in the past, you could sell them or give them away as presents. Can you do the same for downloads? If they're from iTunes, you have to look half way down the 6,800 word “Apple Media Services Terms and Conditions” to discover the answer in the words “nontransferable license”.
The problem gets worse when you get into the tangled subject of financial services. We recently fell foul of section 4.8.3 of HSBC’s Business Banking Terms and Conditions (a snip at 24,700 words), when someone forged our signatures to withdraw money at a branch and HSBC refused to refund the money until they had completed a full investigation. I seriously question what percentage of the population is remotely equipped to understand the average set of terms and conditions of a pension plan, and of those, how many actually take the time to go through them. The rich have lawyers, accountants and financial advisers to do this kind of thing for them; the rest of the world shuts its eyes, signs and hopes that nothing bad will happen.
So here’s my suggestion, lawmakers:
(1) When you make laws giving consumers rights, make those rights inviolable, regardless of anything they sign.
(2) When a document is published by a business (or other large organisation) to apply to a consumer, make it invalid either if it is above a certain length (let’s say 800 words) or if a reasonable person would deem that a typical 16 year old would not be able to understand it. And by the way, judges, when you adjudicate this, remember that the education level of a typical 16 year old is a lot lower than yours was at 16.
(3) And while you’re there, once the sales transaction has taken place for a product, make all further agreements required by the vendor invalid.
It’s a lot more complex than that, of course. We need a whole bunch of model agreements as defaults for complicated transactions – a step in the right direction is the standardisation of terms and conditions for house purchases, so that individual transactions only need to specify the variations from the norm. But it really is time to give up the fantasy that the problems of the world can be solved by giving consumers thousands of words of legal verbiage to read.
