Ah, Europe. The continent of gothic cathedrals, classical music, fine pastries, and the General Data Protection Regulation. The GDPR, as it is affectionately abbreviated, is the European Union's main mechanism for protecting online privacy. In theory, the GDPR was created to protect "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
In practice, it means that nearly every website in Europe has a cookie notice at the bottom of its landing page. By continuing to view the site, you agree to accept its cookies. You don't have to click the "OK" button to accept the cookies. You don't have to actively opt in in any way. As long as you access the site, you get the cookie. And they don't mean chocolate chip.
The big news about GDPR was supposed to be the European "right to be forgotten," which in implementation was codified into a "right to erasure." If you want a European website to delete the tracking cookies that it placed on your computer, all you have to do is ask, and within one month it must process your request and inform you about its decision. Or to save all that trouble, it can just set all its cookies to expire in 28 days.
Understandably, most European websites have chosen the second option. So although most American cookies have shelf lives of one or two years (or longer), European cookies are restricted to four weeks. When you visit The National Interest or just about any other American news site, the basic user token that saves your preferences is good through the year 2266. When you visit a European news website, it's likely to expire next month.
I probably won't be around in 246 years to enjoy my last remaining TNI cookie, but it's nice that I don't have to reset my site preferences every month. Most of us don't even realize that we have site preferences, because we've long since forgotten that we set them. For more sophisticated sites, like Google services, we may only have expressed them through our user behavior.
The GDPR operates as a dead-weight drag on the entire European internet. Sites are wasting anywhere from a 5% bar at the bottom to (in some cases) their entire front pages on a privacy notice that no one notices. Of course, there are also baked-in compliance costs that benefit no one but lawyers and consultants. And the standard "if you continue, you agree" paradigm is a waste of just about everyone's time.
Unfortunately, many international sites have simply given in to the EU's regulatory overreach. The fact that the EU threatens fines of up to 4% of global revenue for serious GDPR infractions is enough to scare some websites into complying globally, even when they don't have to. Google has held out on this, but had to go to court to preserve its right to operate normally outside the EU. French prosecutors (of course) thought Google should be forced to comply with EU regulations even when a European used a virtual private network (VPN) to access the internet via an American server. In a rare burst of sanity, the European Court of Justice disagreed.
The proper approach to internet privacy is technology. Every browser on the market has an "incognito mode," "private mode," or "porn mode" that allows users to access the internet identity-free. Every browser has privacy settings that allow you to decline all cookies. And for a small fee, VPNs offer the near-total privacy of completely firewalled browsing.
Most of us don't use these tools, because the internet really does work much better when websites know who you are. Those who prefer the cloak of privacy to the convenience of cookies can just click a browser setting. It doesn't take a massive, continent-wide regulatory infrastructure to protect people's online data. All it takes is a little common sense.
Salvatore Babones is an adjunct scholar at the Centre for Independent Studies and an associate professor at the University of Sydney.