The EU’s GDPR: A Balancing Act Between Privacy And Prosperity
European Union rules aimed to protect personal data and force companies to increase online privacy measures — known as the General Data Protection Regulation (GDPR) — are already affecting those based beyond its jurisdiction, as most websites operate with those around the world in mind.
The set of regulations, described by many as lengthy but also ambiguous, are engulfing companies based in the U.S. and elsewhere. Initial costs to prepare and eventually comply with GDPR, which officially took effect May 25, are already significant, or at least projected to be.
Some studies estimate Fortune 500 companies will end up spending a combined $7.8 billion to avoid triggering the ire of European regulators, equaling an average cost of almost $16 million each.
“EU privacy laws have a history of being costly to the economy as a whole,” said Will Rinehart and Allison Edwards of the American Action Forum. “When the E.U. adopted the e-Privacy Directive in 2002, venture capital investment in online news, online advertising, and cloud computing dropped by between 58 to 75 percent.”
The increased expenses are at least partially due to hiring extra staff to legally decipher all the stipulations and to ensure they are being followed to the best of their ability.
While 82 percent of 302 C-level security executives surveyed by Netsparker, a web application security firm, said their respective companies have a data privacy officer (DPO), 77 percent expect to hire a new one to help with corporate GDPR compliance. Roughly 19 percent have felt the need to hire at least 10 DPOs.
But is complete compliance even possible?
“No. Full stop,” Ryan Hagemann, director of public policy at the Niskanen Center, told The Daily Caller News Foundation. “It also is not possible to be in compliance with GDPR given the competing and contradicting statutes at member-state levels within the EU, to say nothing of compliance with the laws of non-EU countries.”
Hagemann said counsels at big tech firms are probably really confused, like “everyone else,” and that “the only winners from GDPR are going to be the privacy lawyers.”
Several others TheDCNF spoke to agree, such as Ryan Radia of the conservative Competitive Enterprise Institute.
“GDPR is the latest example of an overbearing, unnecessary regulation from the European Union,” he said. “Even if GDPR modestly increases consumers’ perception of privacy by restricting innocuous forms of information sharing, consumers may still end up with less privacy if they respond to GDPR by sharing more sensitive data online based on the false notion that new regulations will meaningfully protect that data.”
Not everyone is so pessimistic. Both the Center for Democracy Technology (CDT) and the Electronic Frontier Foundation (EFF) — which tend to be allies in the policy arena — are fairly supportive, with the latter less so.
“It’s a thoughtful, detailed
While the EFF has a somewhat mixed assessment with an overall positive outlook and some caveats, the CDT’s leader describes it as “an important advance in privacy.”
Hagemann, like O’Brien, said it was concocted in good faith, but he substantially differs on his general viewpoint, particularly that unwitting consequences will surely be the result.
“I think it’s a well-intentioned proposal that will utterly fail to achieve any of its intended outcomes. The rules are vague and unworkable, implementation is basically impossible, and enforcement mechanisms are difficult to imagine,” said Hagemann. “The Europeans have long-prided themselves as leaders in promoting strong privacy protections for their citizens, but GDPR imposes such an extraordinary set of costs on online service providers, that one wonders if their valuation of privacy is so high as to completely ignore the benefits of economic growth stemming from innovation.”
As noted by Rinehart and Edwards, one study shows that GDPR “will have a negative impact on the development and use of artificial intelligence in Europe” — highly important technology that will increasingly have considerable influence on economic output both individually and collectively.
Harming the bottom line of those affected — both nation states and companies — is just part of the potential GDPR saga. Google is pulling even more digital advertising dollars — an area of revenue so fast growing that it already dominates — since GDPR officially took effect, according to The Wall Street Journal. Because of the tech giant’s apparent attempts to stringently conform to the regulations, Google is reportedly pushing itself to purchase more ad inventory through its own sponsorship exchange, rather than with others where gaining users’ consent is not as certain.
Adam Thierer, senior research fellow at the Mercatus Center and author of “Permissionless Innovation,” essentially saw this situation coming.
He recounted an excerpt from another WSJ article in which during a visit to California, the EU’s justice commissioner became pleasantly surprised that Google and Facebook weren’t too upset about the regulations because they “have the money, an army of lawyers, an army of technicians and so on,” in a blog post titled “How Well-Intentioned Privacy Regulation Could Boost Market Power of Facebook & Google.”
Both the WSJ authors (as well as ones for The New York Times) and Thierer appear prescient, but perhaps not in a totally impressive way since so many have argued the notion over the years that “growth in regulation has also played into the hands of powerful incumbents.”
“That means that they [Google, Facebook, large corporations] are better positioned to absorb the significant costs of compliance that will be associated with the new GDPR rules, which are somewhat ambiguous and will require a great deal of ongoing interpretation and legal wrangling,” said Thierer. “Ask yourself how many other smaller existing or new firms would be in a position to do the same thing.”
Microsoft proudly announced in May that it hired 1,600 engineers to work on “GDPR projects.”
Companies are only willing to comply, or at least try to, because they must if they want to cater to EU users, which make up a huge portion of internet users, said Radia.
Privacy in general is an ideal that Americans have cherished for decades. Encoded in the nation’s Bill of Rights, the overall right to be left alone is fundamental. But since the advent of the internet, more and more people have become willing to give up some information about their traits and digital tendencies to content providers in return for free services.
“In practice, I think consumers are much happier to read news online, use social media, and download all sorts of different applications for free, simply in exchange for sharing some personal data and/or viewing some targeted advertising,” Thomas Struble, technology policy manager with R Street, told TheDCNF. “Europeans have already been blocked from several prominent U.S. news sites because the costs of complying with GDPR outweigh the benefits those sites get from serving European users.” (RELATED: Europe Vs. Silicon Valley: How The Continent Is Responding To Big Tech’s Growing Power)
Facebook, Google and even startups have been able to achieve success technically free of charge by monetizing users’ information, but GDPR may upend that agreement, at least as it’s been known.
If firms don’t abide by the GDPR rules — some of which include giving people a chance to see their data and specify how it is used — they could face steep fines up to 4 percent of their annual global revenue or 20 million euros, whichever is greater.
But if American users aren’t encompassed in the application of these regulations, and American companies are, then it could just undermine U.S. businesses who are trying to serve both domestically and abroad.
“GDPR will give stronger privacy protections to European users at the expense of added compliance costs to industry,” Struble said. “It will be particularly burdensome for the tech sector and Internet ecosystem. I think both of those predictions are fair, but whether the privacy benefits will outweigh the economic harms is unclear — it depends on how much value one places on privacy.”
Send tips to firstname.lastname@example.org.