There’s another reason for the regulation’s complexity and ambiguity: What are often framed as legal and technical questions are also questions of values. The European Union’s 28 member states have different historical experiences and contemporary attitudes about data collection. Germans, recalling the Nazis’ deadly efficient use of information, are suspicious of government or corporate collection of personal data; people in Nordic countries, on the other hand, link the collection and organization of data to the functioning of strong social welfare systems.
Thus, the regulation is intentionally ambiguous, representing a series of compromises. It promises to ease restrictions on data flows while allowing citizens to control their personal data, and to spur European economic growth while protecting the right to privacy. It skirts over possible differences between current and future technologies by using broad principles.
But those broad principles don’t always accord with current data practices. The regulation requires those who process personal data to demonstrate accountability in part by limiting data collection and processing to what is necessary for a specific purpose, forbidding other uses. That may sound good, but machine learning, for example — one of the most active areas of research in artificial intelligence, used for targeted advertising, self-driving cars and more — uses data to train computer systems to make decisions that cannot be specified in advance, derived from the original data or explained after the fact.
In 2017, the year after the regulation was approved, I interviewed scientists, data managers, legal scholars, lawyers, ethicists and activists in Sweden. I learned that many scientists and data managers who will be subject to the law find it incomprehensible. They doubted that absolute compliance was even possible.
One expert at Sweden’s national bioinformatics platform said: “We often wonder, like, what does the law say about this? Nobody knows.” Or as a scientist in charge of computing and storage facilities at a major university put it, the G.D.P.R. says, more or less, “that adequate safety should be in place, and so on. Right — what does that mean?”