The GDPR is why Brexit must happen

The EU’s General Data Protection Regulation (GDPR), which comes into force today, has managed to irritate the entire British population. Companies have had to change their data practices and the rest of us have been bombarded with newsletters from publications, companies and retailers, begging us to stay on their lists. Since the Beast from the East slung its Siberian hook, the GDPR has taken its place as the ubiquitous pub moan of Britain, uniting everyone from Land’s End to Llandudno in their rage at its arcane demands. Not bad for a supposedly divided nation.

My own hope is that this anti-GDPR feeling might persuade a few more people (particularly those Remain-voting young professionals currently sulking their way through their umpteenth data-protection seminar) to direct their anger at the thing which put us here in the first place: the European Union. For if there’s one piece of legislation which embodies the worst of Brussels policymaking – legalistic, moralising and shamelessly impractical – it has to be the GDPR.

The GDPR is the quintessential EU law. For years, EU mandarins have championed it as a flagship policy for the European Commission, the overpaid and underworked civil service which churns out the majority of Brussels’ ceaseless regulations. Earlier this year, the Commission called the legislation ‘a major step forward’ in a press release signed by Vĕra Jourová, otherwise known as the EU’s commissioner for justice, consumers and gender equality. So remember that when you’re deleting two dozen emails from that coffee shop you tapped for free wifi in Lisbon five years ago.

Like many of the most beastly regulations, the GDPR has its roots in moral outrage and that dangerous decree that something must be done. In this case, the catalyst was the 2013 Snowden leaks which revealed that European citizens may have been caught up in the illiberal data-harvesting activities of US intelligence services. While many were rightly horrified at the US authorities’ invasion of web-users’ privacy, there was something typically absurd in the EU’s response: the answer to government overreach wasn’t to limit government – it was to hand officials and regulators a whole new suite of powers.

All of this was, of course, packaged in typically progressive and humanitarian language, with promises to protect citizens’ freedoms and privacy. Interesting, isn’t it, that use of freedom. In the words of Ann Dowd’s villainous matriarch in The Handmaid’s Tale, there is freedom to and freedom from. Brussels – in case you hadn’t guessed – tends to prefer the latter.

None of this would be so bad if the rules mandated by the GDPR weren’t so absolutely bloody terrible. The GDPR doesn’t just tighten existing data-protection rules (which have been perfectly sufficient for, say, compensating HIV patients whose details were carelessly leaked when a clinic administrator included all of their names in a round-robin email); it takes them to absurd extremes.

From this Friday, companies have to maintain lists of all the different types of data (such as blood-type, age, sexuality) they process. Consumers will have the power to request a copy of all data that a company holds on them (the administrative burden from which will do wonders for the UK’s anemic productivity levels). In the university department where I’m currently temping, we’ve been told that we can no longer contact anyone unless we have a record that they once gave explicit consent to receive our emails.

It’s a common principle of British commercial law that smaller companies and charities receive extra leeway when complying with burdensome rules. But the GDPR extends its reach over any organisation or entity – hence why small charities are being diverted from providing essential services in order to attend to painstaking administrative hurdles.

Of course, the really big dogs won’t mind too much. With their armies of lawyers and corporate bureaucrats, the likes of Microsoft and Amazon will have spent years preparing for this. Others – like Facebook – will have the resources and political muscle to take advantage of crafty loopholes to escape the regulators’ net. It will be small and medium enterprises (the same firms that the UK government assures us are crucial to our economic success) that have to swallow the bitter pill.

GDPR shows us why Brexit (and a good, solid, clean Brexit at that) can’t come soon enough. Once the UK has freed its legal system from the tentacles of EU regulation, we can revert to sensible data-protection laws – ones which safeguard individual freedom, enable British companies to stay competitive, and ensure that church groups and disability charities aren’t threatened with whopping fines for failing to produce tea-stained sign-up lists from a raffle four years ago.

Henry Jacobson is a writer.

Picture by: Pixabay