Just over two years ago, the European Union’s landmark General Data Protection Regulation (GDPR) came into force. Because the legislation applies to firms that interact or do business with EU citizens, it is global in scope impacting Chinese, US and any other non-EU company that does business with one of the 445 million EU citizens.
The EU’s main goal for the legislation was to increase accountability and innovation by ensuring that the sharing of personal data was based on trust and consent. Its objectives were three-fold: 1) protecting consumer’s rights to their data, 2) ensuring that data privacy laws keep up with the rapid advance of digital technology, and 3) harmonizing data laws across the EU with a unified and consistent law. It aimed to do this by requiring that companies that collect or process data must:
- Obtain the specific, active and affirmative consent from the individual
- Maintain detailed records of their stored data, including what data is being held, where it came from, how it was accessed, how it’s being processed and the purpose of holding the data
- Provide a clear and detailed record of the personal data it is holding on an individual within 30 days of request
- Delete or remove an individual’s data upon request and
- Correct inaccurate data upon request
After two years, the results and reviews have been decidedly mixed. On the one hand, the GDPR has changed the data landscape by underscoring that individuals have the right to govern their own personal data. By shining a spotlight on data protection, the GDPR has also prompted many countries and industries to address the issue. For example, California, home to the largest of the tech giants, enacted its own data protection act: the California Consumer Privacy Act (CCPA). While there are many differences with GDPR, the CCPA also begins with the proposition that personal data belongs to the individual, and its use requires consent. Today, most everyone agrees that these are steps in the right direction for data privacy and security.
On the other hand, the GDPR has not lived up to its promise of creating a free flow of data among the EU member states, nor has it adequately addressed the challenges to protecting personal data created by giant IT companies. Two years later, surveys indicate that a majority of EU citizens are still concerned about their data security. This could be because, by the EU’s own reckoning, only 28 percent of firms are in compliance with GDPR. By contrast, 62 percent of respondents in the UK, which has the highest rate of compliance, feel secure sharing their data.
For startups, there is a dividing line between those that started before GDPR came in effect, and those that started after. For those that came before, GDPR compliance has proved to be highly complex and expensive. One unintended consequence of the GDPR is the booming market for Data Protection Officers, who now earn on average about $120,000 per year, a jump of about 50 percent pre GDPR. Since 2018, the number of DPO job postings has risen by about 700 percent. But, for those startups that were established after GDPR came in effect, they are able to build a privacy by design foundation for compliance at the onset.
The Center for Data Innovation (CDI) takes that position that the GDPR has not produced its intended outcomes. Not only that, the Center believes that the law has resulted in a number of unintended consequences (in addition to creating a robust market for DPOs). Its 2019 study found that the GDPR is not being implemented consistently across the EU. A number of member countries (e.g., Greece and Portugal) have not even enacted required enabling legislation. As a result, it has not provided the uniformity the EU desired. The Center also found that it is also straining the resources of regulators. In France and the UK, officials reported being overwhelmed by companies reporting potential data breaches throughout 2019 because the companies feared the high penalties for failing to notify the data protection authority (DPA) within 72-hour reporting deadline.
In addition, the law is not well understood by consumers and so it has not yet increased trust among users. An EC survey that found that nearly two-thirds of Europeans do not know how the GDPR operates. Significantly, in Estonia, a country with high digital literacy, 71 percent of the population do not even know what the GDPR does. Because the GDPR is so complicated, only half of the companies surveyed believed they were in substantial compliance, and fully 20 percent believed that full compliance was impossible. Most reported that the GDPR has been an unnecessary drain on resources. The Global Fortune 500, according to Forbes, is likely to have spent an estimated US $8 billion in GDPR compliance costs. Of those companies that have appointed a DPO, 52 percent reported that the role is for compliance only and does not serve a valuable business function. More worrisome are the reports that GDPR is being weaponized against companies through online tools that overload businesses with GDPR-authorized data requests, which must be addressed within 30 days.
The GDPR has reduced the amount of investment in European tech startups. A study by Jian Jia, Ginger Zhe Jin, and Liad Wagner, found that the number of deals for EU ventures whose business activities are “more data-related” decreased by 30.7 percent between May 2018 and April 2019, and the monthly amount invested per member country decreased by US $4.3 million, whereas for “less data-related” firms the number of deals decreased by 15.5 percent, with no significant effect on their total dollar amount per month.
In a recent hearing by the U.S. Congress on competition within the tech sector, some lawmakers, such as Rep. Kelly Armstrong (R-North Dakota), noted that the GDPR, which was designed to rein in large European and transnational high-tech firms has ended up hurting their smaller competitors the most.
Most experts believe the GDPR has negatively affected the EU’s economy and its businesses. There is evidence to support this. The Merrill Corporation surveyed 500+ merger and acquisition professionals from Europe, Africa and the Middle East and found that 55 percent reported working on transactions that did not go through due to concerns about a companies’ GDPR compliance. In addition, 74 percent of respondents to the 2019 annual survey by Bitkom, the German digital trade association, said that data protection requirements are the main obstacle to the development of new technologies (compared to 63 percent in 2018, and 45 percent in 2017).
Although the GDPR has made a huge impact on IT businesses and organizations that collect user data (including non-profits that coordinate global networks), there remain many unanswered questions. As other countries and U.S. states (such as Massachusetts, Texas and Washington) grapple with the data protection laws of their own, policymakers, and those who advise them, must determine whether or data privacy laws are a good idea, and if so how should they should operate.
Secondly, because the GDPR has not been widely or thoroughly implemented, the first two years have been something of a grace period. If this changes, a crackdown on non-compliance is likely to affect big, medium and small companies and will require government agencies to increase staffing. A result is that companies will channel funds into data security sectors, fueling demand for data protection and data security officers, but also diverting funds away from other business units.
Lastly, marketers, who during the past 20 years have mined personal data from our internet practices will face new barriers gaining the permission they now need. Traditional marketing may be making a comeback. Connected to this is that many digital companies do not charge users to use their website. The business model of these freemium sites is based on selling the data they collect about their uses to advertisers. (A famous saying about Facebook is that its product is you.) But, if new data protection regimes prevent or disrupt this model, we are likely to see an increase in membership or subscription charges so that such companies can maintain their sites without the reams of free data.