GDPR Privacy Rules: The Other Shoe Drops

Four years after the implementation of the GDPR, we see the pillars of internet activity destroyed. In light of two new EU rulings affecting practical data management, all companies collecting consumer data in the EU are reassessing their business models and will soon consider sweeping changes.
On the one hand, the GDPR is creating the world its drafters envisioned – a world where personal data is less of a commodity exploited and traded by businesses. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to the localization of data in Europe and the substitution of government interference for consumer choice.
For years, we’ve watched courts and enforcement agencies across the EU apply GDPR text to real-life cases, wondering if legal enforcement would be more of a pinch-and-tap operation on e-commerce or something more bloody and brutal. In 2022, we have received our answer, and the bodies are falling.
In January, Austrian courts ruled that companies cannot use Google Analytics to study their own site’s web traffic. The same conclusion was drawn last week by French regulators. Although Google does not report statistics on product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5% of Quantcast’s top 10,000 sites, making it more than ten times as widely used as the second most popular option. A large number of companies operating in Europe will therefore have to change their platform analysis provider – if the Eurocrats allow them to use site analysis.
But those decisions weren’t based on the functionality of Google Analytics, a tool that doesn’t even capture personally identifiable information — no names, no home or work addresses, no phone numbers. Instead, these rulings that will harm thousands of businesses result from the Schrems II ruling, which found fault in the transfer of such non-identifiable data to a US-based company. The problem here for European policymakers is that US law enforcement may have access to this data if the courts allow it. I’ve written about this illogical conclusion before, and I won’t repeat the many arguments here, other than to say that EU law enforcement behaves the same way.
The effects of this decision will be felt far beyond Google Analytics’ huge customer base. The logic of this decision effectively means that companies that collect data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I predict huge cloud player Alibaba Cloud could face the same ban if Europe’s privacy panjandrums decide that China’s privacy is as threatening as that of the United States.
The Austrians argued that all the fancy steps Google took to encrypt analytics data meant nothing, because if Google could decipher it, so could the US government. By this logic, no US cloud provider – the world’s leading corporate data carrier network – could “safely” hold EU data. Which means the Eurocrats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, saying: “Ultimately, businesses can no longer use US cloud services in Europe.”
The move will ultimately support the Eurocrats’ data localization goal as companies attempt to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt towards data localization (e.g., here and here) and away from the open internet that European politicians once saw as the ideal. Eurocrats are taking serious steps to force localized data processing and exclude US companies from the e-commerce ecosystem. The Google Analytics decision will likely be seen as a turning point for years to come.
In a second major practical decision on online privacy, the Belgian Data Protection Authority decided earlier this month that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely used standard technique designed for publishers, advertisers and technology providers to obtain information about users’ consent to data processing, is not GDPR compliant. The TCF allows users to opt in or out of cookie-based advertising, relieving websites of the need to create their own costly technical solutions and creating a consistent experience for consumers. Now, TCF is considered illegal on its own under EU privacy rules, prompting thousands of companies to research or design their own alternatives and removing online choices for EU residents.
The Belgian privacy authority came to this conclusion by considering that the Interactive Advertising Bureau was a “controller” of all data managed under the proposed framework. As the Center for Data Innovation points out, this decision implies that “any good faith effort to implement a common data protection protocol by an umbrella organization that wishes to enforce GDPR makes that organization responsible for the data processing that takes place under this protocol.” No industry group will want to put themselves in this position, leaving businesses to fend for themselves and making e-commerce data collection much less consistent and much more expensive – even if that data collection is necessary to meet the demands of consumers.
For years, companies thought informed consumer consent would be a way to personalize messaging and reduce online costs for consumers, but the EU has challenged all online consent regimes. EU regulators have effectively ruled that people cannot make their own decisions about whether their data is collected. If the TCF – the consent system used by 80% of Europe’s internet and a system designed specifically to meet GDPR requirements – is now illegal, then, for the second time in a month, all consumer e-commerce is thrown into confusion. Thousands of people operated websites with TCF and Google Analytics, believing they were following the letter of the law. This trust has been broken.
We finally see the practical effects of the GDPR beyond its mere usefulness in imposing fines on American technology companies. These effects lead to an Internet with closed borders throughout Europe and to a more expensive and less customizable Internet for EU citizens. The EU is clearly hurting businesses around the world and making its internet cramped. I struggle to see the logic and benefits of these decisions, but GDPR was written to shake the system, and privacy benefits may emerge.
Copyright © 2022 Womble Bond Dickinson (US) LLP All rights reserved. National Law Review, Volume XII, Number 46