You’re not the boss of me (GDPR edition)

I love so many things about the Euro­pean Union—the history, the people, the cheese, the capital Eszett. Also the EU’s commit­ment to protecting its citi­zens from the depre­da­tions of Big Tech. For instance, via mean­ingful antitrust inves­ti­ga­tions.

Or via the GDPR, the EU’s new data-privacy law. If you didn’t hear about it in 2016 when it was enacted, you surely have in the weeks before May 25, during which we all received a welter of messages announcing updated, GDPR-compliant privacy poli­cies.

​You won’t be getting one of these messages from me, however. (What follows is a summary of my thinking about the GDPR. But I am not your lawyer. This is not legal advice.)

As written, the GDPR claims enor­mous scope: it wants to regu­late “the processing of personal data” collected from EU citi­zens even when the processor of that data is “not estab­lished” in the EU. Much of the commen­tary about the GDPR has taken this claim at face value—e.g., the “GDPR applies to any site that collects user data”.

Oh really? Certainly, the EU can regu­late busi­nesses within its borders (or foreign busi­nesses with a pres­ence in the EU). But busi­nesses entirely outside the EU? I’m not persuaded. In general, inter­na­tional law doesn’t apply to people in the US absent an explicit treaty—for instance, the Geneva Conven­tions or NAFTA. There is no US / EU treaty covering the GDPR. Indeed, the GDPR itself concedes this is so, and there­fore contem­plates the creation of “inter­na­tional coop­er­a­tion mech­a­nisms” to enforce the GDPR. But as long as those mech­a­nisms are missing, so is the possi­bility of enforce­ment outside the EU.

To plug this hole, the GDPR demands that I, as a “data collector” outside the EU, “desig­nate ... a repre­sen­ta­tive” in the EU, thereby bringing myself under its juris­dic­tion. But what happens if I don’t? Osten­sibly, that refusal would itself become a GDPR viola­tion—except that the GDPR is still unen­force­able against me. So AFAICT, the cheapest & safest way for me to “comply” with the GDPR is to totally ignore it.

That doesn’t mean I don’t take data privacy seri­ously. On the contrary, unlike just about everyone else on the internet, my websites have never had any adver­tising, surveil­lance, or tracking (other than basic Google Analytics, which I use for tech­nical trou­bleshooting). I collect the minimum amount of personal infor­ma­tion for any sales trans­ac­tion. I’ve never shared or sold any customer infor­ma­tion, and never will.

I didn’t adopt these poli­cies because I had to. Rather, I sincerely—though maybe quixot­i­cally—believe that there’s still some future for the internet that isn’t entirely premised on surveil­lance and adver­tising. Of course, I’m always inter­ested in gener­ating more sales. Call me a Luddite, but I want to do it the old-fash­ioned way: a volun­tary exchange of money for goods & services. Regard­less of who you are or where you are.

Rise and Kill First by Ronen Bergman

I thought a 750-page book about Israel’s covert assas­si­na­tion programs would exceed my appetite for the subject. Or at best would be gener­ously padded.

Wrong on both counts. Jour­nalist Ronen Bergman’s book (trans­lated from the orig­inal Hebrew) is metic­u­lously researched and reported, in many cases based on his own inter­views with the orig­inal partic­i­pants. The pace of the action is relent­less—Bergman has collected so much good mate­rial that he can afford only three pages for the famous 1976 hostage rescue at Entebbe airport.

In one sense, the book is a history of Israel, as told through its targeted-killing programs. But it’s also a story of the costs and conse­quences of warfare conducted primarily via covert methods (including torture and drone strikes). Bergman depicts an Israeli govern­ment that, although largely successful in defending the nation, is increas­ingly corroded by its accu­mu­lated moral lapses. At turns exciting, heart­breaking, infu­ri­ating, and chilling. This is one of the best books I’ve read in a long time.

(The inte­rior typog­raphy is atro­cious, per the low type­set­ting stan­dards of Amer­ican publishers. But I can’t hold that against Bergman.)