🗞️ EU Regulation, monetisation and GenAI (again)

Source: Pixabay

I like the philosophy stating that writing is thinking and that to write clearly, one must think clearly. I do neither. I’m neither a good writer nor a good thinker. What I do, though, is think about the big picture and piece together seemingly unrelated threads into a reasonably cohesive structure that holds up to a bit of scrutiny. Maybe not a peer review, but that’s not why I write here. I write to process my thoughts and flesh those out, sometimes in real-time as I’m writing. It’s not the most scientific of methods, but it favours my type of neurological quirkiness, and, to be fair, the email newsletter format is not the best forum for that type of research. Without this outlet to write about the topics that frustrate me so much, I’d be pretty bored. Consequently, I try to make complex topics seem a little simpler without shying away from the details, with as many supporting links and examples as necessary. For the other stuff I like to write about, this year saw me start (restart?) a new personal blog where I can express other personal thoughts on things that are not on topic here.

On to this newsletter edition. It’s one about regulation (don’t run away yet —it might be interesting 😉), specifically regulation that affects the internet and the coming wave of regulation that we haven’t quite got to grips with yet. The Internet is about to change radically. For better or for worse, I have no idea, and I wish I had a crystal ball and a bit of spare cash to make a huge bet. But I don’t. However, what seems patently clear is that the Internet is about to be regulated by the world’s largest economies. Some have already done so. States like China and Russia have, in all but name, created a walled-off, splintered Internet for themselves and their citizens. The EU has regulated several major issues that have, again in all but name, forced the entire world to fall into line. The United States has continued to shy away from regulation, thereby creating an environment for innovation (or so it tells us). I wanted to discuss some real-world leanings and the aftermath of the GDPR, trying to provide some context and the basis of a discussion topic if you’d like to discuss it. Disclaimer: I’m not a GDPR expert nor legally trained. I’m piecing together various facts and observations from the work I’ve been doing in Internet Governance and my on-the-ground experience with MSMEs.

I hope you enjoy the read. Ping me @virek@mastodon.socail.

The GDPR is dead. Long live the GDPR

They said GDPR was the end for small businesses, at least those that used and dealt with personal information in the EU. They said it would overly burden them and make it difficult for them to function. They said it would further entrench the monopolies. It was bad, bad, bad, as far as the eye could see.

Some wrote about how the “moats” of the big companies would protect them, and hence, regulation would only ensure that those businesses would thrive, having been helped by the regulation from the path-clearing and summary executions of small businesses thanks to the EU. They still write this stuff. They still believe it.

The thing is, they were right, but for all the wrong reasons. So what actually happened?

From my perspective, observing MSMEs in an admittedly small economy, virtually nothing changed. Rien. Nada. Nichts. Zilch. Nothing. Small businesses carried on as before, with no discernable change. There wasn’t a sudden decline in the number of MSMEs worldwide, especially in the EU. It has been pretty constant, with the usual ups and downs since the legislation was implemented. Though not a source, Statista has a visualisation that shows this. There is some discussion on the adverse effects of innovation in the EU as a result of the legislation, but these papers are finding it challenging to determine if any observed fluctuations are a direct result of the legislation or other external factors. From an anecdotal perspective, Europe doesn’t appear to be any less “innovative” than before.

It’s evident that small businesses didn’t sweat it. They knew full well they’d carry on as before, changing things progressively over time. No rush. No panic. There was no immediate rush to entirely change their businesses at the operational level, aside from a bit of thinking about this new risk and what it might mean to them over the coming months and years. Basically, It was business as usual.

How do I know this? For one, I am on the ground next to these small businesses and have been for most of my working life. I’ve seen them shrug at this legislation and tell me point-blank, “… we’ll wait and see”. And I’ve seen them do absolutely nothing. Not even a small audit to attempt to reveal exposure to the risks the regulation inevitably brings. And I know why. They cannot afford it as a capital outlay and don’t have the time to waste. You think large enterprise bosses are busy. Spend some time with MSMEs, and you’ll understand what busy is.

Secondly, as the legislation was being debated and passed from discussion to vote to implementation, there were many thousands of consultants with no experience (and limited knowledge) rubbing their hands together, hoping to make a killing off consultancy fees to help businesses comply with this legislation. Twenty million Euros or 4 per cent of global turnover was a sweet, sweet incentive, or so they thought. Small consultancies, too, thought they’d get in on the gravy train before it left the station. I myself was tempted, but I decided against it, feeling that it would be a hard sell to the tiny enterprises that constitute the French West Indies (who were directly in the firing line) and those in the wider Caribbean caught in the net, so to speak. Something felt off for me, so I didn’t pursue it seriously. Hindsight proves I was right not to invest too much time and energy, and businesses didn’t employ the consultants.

This all begs the question, “Where are we today with regard to GDPR?”

Status Quo. Nothing has substantially changed. The consultants and consultancies specialised have largely crawled back under their rocks, awaiting the next grift cycle, and the small businesses have all magically become compliant (mostly) without doing much.

“Magically” is doing a lot of heavy lifting in that phrase.

Gradually and then suddenly1, all the software, the tools, and the processes that businesses rely on to operate all got updates, patches, and replacements and became compliant. Businesses updated, patched, and replaced software through natural attrition and good governance cycles. The whole value chain became compliant, and therefore, so did MSMEs.

And then everyone carried on as though nothing had happened.

It’s just like the Year 2000 Bug. It was the literal end of the world for some commentators. The banks would collapse, there’d be food shortages, riots, and all sorts of apocalyptic scenarios were being described and subscribed to. I know I was there. I personally certified all the software we used in the company I was working with at the time and worked with the developers to amend any inconsistencies and errors during a six-month test and implementation project. (TLDR: it all worked fine). But just like GDPR, nothing happened. It all just sort of fell into place without issue.

So how did big business entrench its holding on the market? If the legislation’s critics were right but for the wrong reasons, what conclusion can we get from the GPDR since its introduction in 2016?

Some consider GDPR to be a failure, agreeing with the above, but it is because of non-enforcement, not because of a failure of policy.

One can argue on the merits or not of the specifics, but to do so is to ignore the spirit and the overarching aim of the GDPR, thereby completely misunderstanding why the GDPR was introduced. There are two elements to understand when discussing the GDPR and the EU. The GDPR is a blunt instrument to coax businesses into doing the right thing concerning personally identifiable data on individuals. It is explicit in the types of data it covers, but it is a set of principles to guide businesses that collect, process, store, and share that data. Encouraging them to do those things reasonably. “Reasonable”, defined as “don’t abuse the person concerned with your access to that data”. The second element is that the EU is more concerned about defending individual EU citizen liberties than it is in defending state or business liberties. It is often mischaracterised as the middle ground between the free-for-all of the US regulatory environment and the all-controlling of the Chinese model. That’s just too reductive. The EU was set up post-WWII with the explicit aim of regional economic integration that would promote, protect and ensure peace in Europe. Peace through deeply integrated trade. In Europe. Not elsewhere.2

But back to enforcement.

For as long as the GDPR has been in force, companies like Meta, Google, and many others have been abusing our trust and ignoring the GDPR, and to boot (paraphrasing William Gibson), enforcement is already here —it’s just not evenly distributed yet. These companies have set themselves up in European jurisdictions that are not motivated to press for full enforcement for many reasons (Hint: Economic). This has allowed them to continue doing business on the backs of our data, freedoms, and privacy without regard to the idea of the GDPR. And what a lucrative business it has been. Occasionally, the odd slap on the wrist happens, but this is brushed off as the “cost of doing business”.

As I was writing this, the EU announced a 1.8B€ fine for Apple’s anticompetitive practices in the EU’s music streaming business. If I remember rightly, this is a result of an investigation that started in 2019 and has nothing to do with the highly discussed Digital Markets Act (DMA). Apple made 1.05B$ per day in the year ended 31/12/2023.

The Digital Markets Act and the Digital Services Act enforced this week will likely be enforced differently and more aggressively. Apple’s insistence on removing PWAs (Progressive Web Apps) and bleating about having to comply with the regulation, its subsequent U-turn and the 404 I get when trying to open the Apple Newsroom page that shamelessly tried to defend their indefensible position are signs of the way the wind is blowing.

To paraphrase Game of Thrones (shamelessly): Enforcement is coming.

And, to be clear, I’m not championing any and all regulation as a good thing, and I do think there are aspects of the way the EU regulates that could be a bit more inclusive and less subject to the (literally) thousands of lobbyists employed by states, organisations and businesses, to have a chance at creating better legislation.

Monetisation and the death of the Internet (as we know it)

This is a bit of a rant. My apologies upfront.

Rampant monetisation has completely trashed the internet and been a driving force for a divided, divisive, and less interesting Internet. Just look at how the homogenisation of the design language of all the “social” apps has made them all look the same, ensuring that monetisation mechanisms are simplified and broken down into base elements. If their branding weren’t so visible, most would be hard-pressed to identify if it was Instagram, Bluesky or Twitter (X if you’re that way inclined, but the URL is twitter.com).

When I think of monetisation of the internet, I’m talking about how we, as humans, have been reduced to functional blocks of content creation and content consumption. Nothing more. There is little room on “big-Internet” for the small weird projects of social good, the oddball things that used to exist, and the life-changing discoveries that were easily found previously. And, of course, when I say no room, I mean there is no attention available because attention is being sucked away by the 30-second video clips of abject nonsense and awful or outright dangerous “content”.

This dehumanising of the internet visitor is one of the factors that help explain why the internet has become so polarised and so violent. If we’re not human any more, then we’re not hurting anyone when we’re violently threatening each other. But it’s not reality, and we know it. We feel it. But we cannot control it. Tech, as currently deployed, is dehumanising us, making unpaid productivity modules slotted into the platform’s impossible endless growth targets. These modules have broken us down so much into the basic elements of creation/consumption that they (we) are as expendable as toilet paper.

This is not the Internet I want. This is why I’m getting involved in Internet governance. I’ll keep you up to date.

I’m not the only one thinking about this. Watch this video from Taylor Lorenz, a journalist who recently released a book called Extremely Online.

Generative AI (again!)

I wanted to write about generative AI again, but at over two thousand words once more, I think I’ll bump it to the next newsletter. I’ll give you a little teaser, though. The following was the working premise for discussion:

Generative AI is simultaneously the most significant opportunity for small businesses to get a helping hand and the biggest shit-show we’ve seen since the invention of the Internet (arguably equalling Social Media’s continued destruction).

Until next time.

The Future is Digital Newsletter is an ongoing discussion. Please feel free to share it with others who may be interested.

Thanks for being a supporter. I wish you an excellent day.


  1. https://www.wired.com/story/plaintext-hemingway-gradually-suddenly-zeitgeist/ ↩︎

  2. Read this post for more information: https://www.baldurbjarnason.com/2024/facing-reality-in-the-eu-and-tech/ ↩︎

Matthew Cowen @matthewcowen