1. The global nature of the Internet means there is instant extra-territoriality of decrees such as this. Several websites I use are nagging me to read their Privacy Policy and Cookie Policy. One explains that, since we don’t know who is European and actually don’t care, we have to be on the safe side with all users.

    And, corporations being corporations, several are using the excuse of a Big New European Regulation to change their software so their websites don’t work unless I enable cookies, enable Javascript, and pay-per-megabyte for everything that all their Trusted Marketing Partners want to show me. For most websites, this means sending me to Google and Twitter and Facebook to run their scripts too.

    And an increasing number of websites are changing their supported protocols so that old browsers can’t connect to them at all. Blame it on Brussels! Both modern browsers and modern operating systems are on the automatic-updates model, so any protection from invasion of privacy we think we have depends on no new versions of anything being stuck on our computers as we sleep. Did we approve of any of this? What do you mean, it doesn’t matter, we consented by accepting free information and goods at “below-market” prices?

  2. There’s also a load of Arthur Daley types talking up the problems, emphasizing the maximum fines, and in some cases pretending they have nonexistent “certification”, in an attempt to con businesses out of money for consultancy fees. This has led some people to get the totally wrong end of the stick. I’ve seen one guy who runs a one man hobby operation thinking he was required to hire a full time employee as his DPO, rather than simply being responsible for the data himself . The actual GDPR regulations are pretty sensible and merely codify what you should be doing with personal data anyway. The only real change is that there’s now a big stick to hit the most egregious offenders.

  3. Hmm. It’s Saturday afternoon, 26th May, The Day After, and I shall make a prediction.

    The Commission will announce significant enforcement proceedings under GDPR before the year is out.

    At the moment, I think that their first victim will be an EU subsidiary of a US firm, most likely an Italian subsidiary. Possibly around late summer, early autumn. Their next target, no later than February 2019, will be a UK firm, politically exposed, with significant operations within the EU. I’m kinda thinking about the likes of BAe.

    It’s possible that they might take a swipe at the Russians as well. Gazprom fits the bill, especially with the World Cup taking place in Russia this summer, and Gazprom being sponsors of the Champions League. Although that might count as being beastly to the Hun.