Tweets like this one set me off:
Okay, hold on, dude. You just passed more regulation which startups have to comply with, making it harder and more costly to build and launch AI products in the EU, and now you call that a “launchpad for EU startups”?
Historic!
Let’s do a thought experiment and go back in time. Imagine the dude had posted something like this about GDPR in 2018:
Historic!
The EU becomes the very first continent to set clear rules for the use of personal data πͺπΊ
The #GDPR is much more than a rulebook β it’s a launchpad for EU startups and researchers to lead the global data race.
The best is yet to come! π
Because, remember, in 2018, GDPR came into effect.
So, let’s see.. what do we have now? Where are all the EU startups and researchers leading the global data race? Last I checked, the startups and especially researchers continued to go to the US (maybe increasingly so). Instead, we mostly got cookie banners.
While there certainly have been effects on actual data privacy, those are hard to measure. Let’s look at another one first: Lost productivity in the shape of time spent dealing with cookie banners.
You might think that there’d be quite a few studies on this topic by now. But I couldn’t find any at all! Crazy. Anyway, let’s do our own approximation:
- 450 million people in the EU
- 91% internet users
- We assume each person visits 20 websites per day on average (probably more)
- We assume 50% of websites trigger a cookie banner (probably more)
- We assume 5 seconds of time are spent on each cookie banner (probably more, not sure. non-tech-savvy people take forever, tech-savvy people have browser extensions)
So the estimation of total time spent each day with cookie banners equals:
450 million people * 0.91 * 20 * 0.5 * 5 seconds
β 649 person-years
Assuming the average EU life expectancy of around 80 years, those equal around 8 lifetimes lost dealing with cookie banners every day.
Per year, we’re looking at 8 * 365 = 2,920 lifetimes lost spending time with cookie banners.
That’s a lot of lives.
Let’s take this thought experiment one step further. Assuming we’re “losing” 2,920 lives wrestling with cookie banners every year – are we actually “saving” lives elsewhere which might offset these lives lost?
Let’s see. Here are some ideas:
Prevented suicides due to less data breaches. The historic data breach at Ashley Madison (yeah, that, um, “dating site”) supposedly lead to one suicide.
Less stress and less chronic diseases. In theory, receiving less annoying newsletters, text messages, etc., might contribute to better mental health and longer life expectancy. You might sleep better at night, knowing that your data is being treated with respect. Yeah, this sounds ridiculous, let’s forget it.
And that’s it. I’m out of ideas.
Let’s recap: Even the Ashley Madison breach which can be considered something of a worst case scenario lead to only one suicide. One!
I don’t want to downplay suicides here (seek help). On the contrary!
Because, well, we could bash in our heads and start a philosophical discussion on whether 2,920 lives spent wrestling with cookie banners might be worth it to save one “real” life. But instead, we could look at the more important point first: Would GDPR have prevented an Ashley Madison – style data breach in the first place?
If you’re a software person like I am, I guess you already know the answer: Nope.
Sigh.
The one thing which prevents data breaches is building good software.
It is very, very tricky to “force” software to be good. It’s so tricky that it’s an unsolved problem. Besides regulations, we have tools like agile development, test-driven development, pen testing, etc., all of which are merely pieces of a large puzzle towards good software. The reality is that we’re still surrounded by crappy software every day and that GDPR has done nothing to solve this.
It gets even worse, because the number of 2,920 lifetimes is only a lower bound of the total productivity lost. There’s more:
- Data privacy officers. This job didn’t exist beforehand. Many companies need one now. You don’t need any prior qualification besides a specific course which costs 3-5kβ¬ (shady – I did it). I’d say 99% of them don’t have technical experience. Imagine all the productive work these people could do instead of being data privacy officers: Collecting garbage, repairing houses, hair cuts, etc.
- Lawyers. Companies seemingly love to hire lawyers to write up an assessment on whether activity X is covered by the GDPR (spoiler: it mostly depends on who paid the lawyer’s bill). We could just funnel this money to people in need and probably solve world poverty, or a big part of it.
- Useless discussions. I’ve attended more useless discussions than I ever wanted inside and outside of companies. Many humans are bad at prioritising, and GDPR just pours fuel into this fire: Let’s discuss again whether our data is anonymised and whether we can process it under the GDPR, shall we?
Maybe GDPR has some good sides, too. I don’t know which ones though.
Regardless, a better solution would be an emphasis on making decisions in a data-driven way: How would we need to change the GDPR? How much productivity are we truly losing with it, and is it saving more than 2,920 lives per year?
What we get instead is is no data at all and bureaucrats who are completely disconnected from reality. They think new regulation represents a “launchpad for startups”. Instead, Apple decided to not launch Apple Intelligence in the EU. Ben Thompson might be right: “a launchpad without a rocket is just a burned out piece of concrete”.
The best is yet to come! π
Leave a Reply