Why Privacy Regulations Don’t Always Do What They’re Meant To

First, California passed major privacy legislation in June. Then in late September, the Trump administration published official principles for a single national privacy standard. Not to be left out, House Democrats previewed their own Internet “Bill of Rights” earlier this month.

Sweeping privacy regulations, in short, are likely coming to the United States. That should be welcome news, given the sad, arguably nonexistent state of our modern right to privacy. But there are serious dangers in any new move to regulate data. Such regulations could backfire — for example, by entrenching already dominant technology companies or by failing to help consumers actually control the data we generate (presumably the major goal of any new legislation).

That’s where Brent Ozar comes in.

Ozar runs a small technology consulting company in California that provides training and troubleshooting for a database management system called Microsoft SQL Server. With a team of four people, Ozar’s company is by any measure modest in scope, but it has a small international client base. Or at least it did, until European regulators in May began to enforce a privacy law called the General Data Protection Regulation (GDPR), which can carry fines of up to 4% of global revenue.

A few months before the GDPR began to be enforced, Ozar announced that it had forced his company to, in his words, “stop selling stuff to Europe.” As a consumer, Ozar wrote, he loved the regulations; but as a business, he simply couldn’t afford the costs of compliance or the risks of getting it wrong.

And Ozar wasn’t alone. Even larger international organizations like the Los Angeles Times and the Chicago Tribune — along with over 1,000 other news outlets — simply blocked any user accessing their sites with a European IP address rather than confront the costs of the GDPR.

So why should this story play a central role in the push to enact new privacy regulations here in the United States?