Privacy law is a great idea. It can navigate nuances, like the fact that privacy is collective, not individual - for example, it can intervene when your family members give their (your) DNA to a scam like 23andme, or when a friend posts photos of you online:

jacobin.com/2021/05/cory-docto…

But privacy law gets a bad rap. In the EU, they've had the GDPR - a big, muscular privacy law - for nine years, and all it's really done is drown the continent in cookie-consent pop-ups.

20/

Novelist Cory Doctorow on the Problem With Intellectual Property

Patents were once seen as a temporary reward for inventors. Now, as novelist Cory Doctorow tells Jacobin, they've become supposedly inviolable "intellectual property" rights that simply enrich people like Bill Gates.

^jacobin.com

But that's not because the GDPR is flawed, it's because Ireland is a tax-haven that has lured in the world's worst corporate privacy-violators, and to keep them from moving to another tax haven (like Malta or Cyprus or Luxembourg), it has to turn itself into a crime-haven. So for the entire life of the GDPR, all the important privacy cases in Europe have gone to Ireland, and died there:

pluralistic.net/2025/12/01/eri…

21/

Again, this isn't a complicated technical question that is hard to resolve through regulation. It's just boring old corruption. I'm not saying that corruption is *easy* to solve, but I *am* saying that it's not *complicated*. Irish politicians made the country's economy dependent on the Irish state facilitating criminal activity by American firms. The EU doesn't want to provoke a constitutional crisis by forcing Ireland (and the EU's other crime-havens) to halt this behavior.

22/

That's a hard thing to do! It's just not a *complicated* thing to do. The routine violations of EU privacy law by American tech companies isn't the result of "tech racing ahead of the law." It's just corruption. You can't fix corruption by passing more laws; they'll just be corruptly enforced, too.

23/

But thanks to a mix of bad incentives - politicians wanting to be seen to do something without actually upsetting the apple-cart; AI critics wanting to inflate their importance by claiming that they're fighting something novel and complex, as opposed to something that's merely boring and hard - we get policy proposals that will likely *worsen* the problem.

Take Denmark's decision to fight deepfakes by creating a new copyright over your likeness:

theguardian.com/technology/202…

24/

Denmark to tackle deepfakes by giving people copyright to their own features

Amendment to law will strengthen protection against digital imitations of people’s identities, government says

^{Miranda Bryant (The Guardian)}

Copyright - a property right - is an incredibly bad way to deal with human rights like privacy. For one thing, it makes privacy into a luxury good that only the wealthy can afford (remember, a discount for clicking through a waiver of your privacy right is the same thing as an extra charge for *not* waiving your privacy rights). For another, property rights are *very* poorly suited to managing things that have joint ownership, such as private information.

25/

As soon as you turn private information into private property, you have to answer questions like, "Which twin owns the right to their face" and "Who owns the right to the fact that your abusive mother is your mother - you, or her? And if it's her, does she get to stop you from publishing a memoir about the abuse?"

Copyright - a state-backed transferable monopoly over expression - is really hard to get right.

26/

Legislatures and courts have struggled to balance free expression and copyright for centuries, and there's a complex web of "limitations and exceptions" to copyright. Privacy is *also* incredibly complex, and has its own limitations and exceptions, and they are *very different* from copyright's limits. I mean, they have to be: privacy rules defend your human right to a personal zone of autonomy; copyright is intended to create economic incentives to produce new creative works.

27/

It would be very weird if the same rules served both ends.

I can't believe that Denmark's legislators failed to consider privacy as the solution to deepfakes. If they did, they are very, very stupid. Rather, they decided that fighting the corruption that keeps privacy law from being enforced in the EU was too hard, so they just did something performative, creating a raft of new problems, without solving the old one.

28/

Here in the USA, there's lots of lawmakers who are falling into this trap. Take the response to chatbots that give harmful advice to children and teens. The answer that many American politicians (as well as lawmakers abroad, in Australia, Canada, the UK and elsewhere) have come up with is to force AI companies to identify who is and is not a child and treat them differently.

29/

This boils down to a requirement for AI companies to collect *much more* information on their users (to establish their age), which means that all the AI harms that stem from privacy violations (AI algorithms that steal wages, hike prices, discriminate in hiring and lending and policing, etc) are now even *harder* to stop.

30/

A simple alternative to this would be updating privacy law to limit how AI companies can gather and use *everyone's* data - which would mean that you could protect kids from privacy invasions without (paradoxically) requiring them (and you) to disclose all kinds of private information to determine how old they are.

31/

The insistence - by AI critics *and* AI boosters - that AI is *so different* from other technologies that you can't address it by limiting the collection, retention and processing of private information is a way in which AI critics and AI hucksters end up colluding to promote a view of AI as an exceptional technology. It's not. AI is a normal technology:

aisnakeoil.com/p/ai-as-normal-…

Sometimes this argument descends into grimly hilarious parody.

32/

AI as Normal Technology

A new paper that we will expand into our next book

^{Arvind Narayanan (AI as Normal Technology)}

Argue for limits on AI companies' collection, retention and processing of private information and AI boosters will tell you that this would require so much labor-intensive discernment about training data that it would make it impossible to continue training AI until it becomes intelligent enough to solve all our problems.

33/

But also, when you press they issue, they'll sometimes say that AI is *already* so "intelligent" that it can *derive* (that is, guess) private information about you without needing your data, so a new privacy law won't help.

In other words, applying privacy limitations to AI means we'll never get a "superintelligence,"; and also, we already *have* a superintelligence so there's no point in applying privacy limitations to AI.

34/

It's true that technology *can* give rise to novel regulatory challenges, but it's also true that claiming that a technology is so novel that existing regulation can't resolve its problems is just a way of buying time to commit more crimes before the regulators finally realize that your flashy new technology is just a boring old scam.

35/

I'm and the end of my tour for my new book, the international bestseller *Enshittification*!

My last two events are CCC in #Hamburg, Dec 27-30:
events.ccc.de/congress/2025/in…

and the Tattered Cover in #Denver, Jan 22:
eventbrite.com/e/cory-doctorow…

I hope you can make it!

eof/