Issue link: https://cp.revolio.com/i/964464
4 | THE DATA CENTER JOURNAL www.datacenterjournal.com T he threat of regulations has come and (largely) gone in some areas: for instance, the possibility of a carbon tax or cap-and-trade scheme once loomed but later dissipated in the wake of the Great Recession. Such programs could have directly affected data center operators through higher costs, a greater compliance burden or both. Today, the chief regulatory concerns for data centers include the EU's General Data Protection Regula- tion (GDPR) and net neutrality, which intersect with the Internet and data privacy. Most individuals and organizations pay lip service to privacy. Few, however, live up to their words: just look at how many people advertise their lives on Facebook, and how many companies (such as Facebook) harvest user data for sale or trade with other companies. Moreover, the governments that supposedly want to remedy the situation are the biggest privacy violators, as Edward Snowden showed us half a decade ago. But the growing number of data breaches and privacy-related scandals begs for some kind of solution. On top of this convoluted situation is the net-neutrality debate. e loudest voices are clamoring for FCC-imposed regulations to maintain a "free and open Internet" despite the fact that the Internet started, grew and prospered into the mammoth technology it is now without any such regulation. So what can data center operators expect on the regulatory front? PRIVACY International schizophrenia over privacy has created a difficult situation. On the one hand, keeping data private from hackers and other cyber-miscreants is critical to protecting consumers from the, fraud, extortion and other nastiness. On the other hand, for many IT companies—including giants such as Facebook and Google—personal data is the currency of business. e main reason why so many popular online services are "free" (and why many devices are so inexpensive) is they give companies access to data that advertisers crave. e EU has attempted to address the situation by imposing the GDPR, a forthcoming regulation that affects organizations worldwide. e GDPR imposes penalties even on non-EU companies that fail to take certain precautions and meet certain standards with regard to protecting the personal data of EU citizens. Whether it will improve anything related to privacy remains uncertain; regulations almost invariably run headlong into the law of unintended consequences. What is certain, however, is that it will increase the work data center operators must do to offer their services and, as a natural result, increase costs to consumers of those services. And, in the process, it'll find the EU a new source of revenue to toss down the black hole of government spending. Companies in the U.S. and other non-EU nations have two options (assuming they want to avoid fines): comply with the GDPR or stop doing business with EU citizens. For large multinational companies, the former is the only option. A fair resolution, however, might be to charge EU consumers higher prices to cover the costs associated with their government's interference. For small companies, however, the cost and hassle of implementing such a system may be prohibitive. at difficulty, combined with the dubious idea of governments regulating and effectively taxing citizens of other nations with no physical presence, could accelerate fractioning of the Internet along national boundaries. Making the situation more irksome is that the GDPR isn't simply about protecting consumers from cybercrime. For example, it imposes the so-called right to be forgotten—which, in today's data- driven Internet economy, is the equivalent of demanding money back from the grocery store aer you've eaten the food. Apart from having no foundation whatsoever in any cogent theory of rights, the right to be forgotten is a fairytale in light of the way information spreads on the Internet. But one shouldn't expect rationality from government regulators, who operate in a world full of perverse incentives. But simply dumping EU customers is a lousy option for some companies; in such cases, the only alternative is GDPR compliance, however onerous. It may be the best option for others, though. And beyond the immediate consequences of this particular regulatory scheme is whether it sets a precedent for additional regulations effectively imposed by one nation on another. Moreover, the reliance on regula- tions rather than the court system to address privacy creates a number of secondary problems. First, it increases cost without necessarily increasing consumer protection—just ask (as if ) the tens of thousands of people who die each year from FDA-approved drugs. Second, it creates a kind of double jeopardy in which a company or individual is liable to the regulatory agency for administrative violations and then, potentially, liable to the aggrieved party or the state proper for civil and/or criminal violations. A common-law approach that avoids regulations would reduce both gov- ernment and compliance costs while keeping the focus on actual rights violations, not the sort of technical (and oen meaningless) violations as- sociated with regulations. So, beyond the immediate GDPR-compliance concerns that face data center operators are the precedents that this regulation cre- ates. Obeying the tens of thousands