This month, the European Union will embark on an expansive effort to give people more control over their data online. Known as the General Data Protection Regulation, it’s ambitious, well-intentioned and largely wrongheaded. As it comes into force, Europe should be mindful of unintended consequences — and open to change when things go wrong.
No one could say the GDPR lacks purpose. At more than 260 pages, it articulates dozens of goals in the service of “a strong and more coherent data protection framework”.
Meeting these ambitions will be the job of companies — wherever they’re located — that process the data of European citizens. Among other things, they’ll need to obtain consent from users; explain how their data will be used; allow people to see what’s been swooped up; and permit them, at any moment, to withdraw their consent or demand that their data be deleted.
Given the public backlash against data collection — and support for the GDPR’s stated goals — this approach might seem reasonable. But look more closely and the drawbacks are glaring.
Most obvious are the costs. By one estimate, big multinationals will spend US$7.8bn simply preparing for the GDPR. They’ll need to hire compliance staff, compile voluminous documentation, handsomely pay lawyers and consultants, and in many cases rethink their business models and retool their technologies. Failure to comply could result in fines of up to 4% of global revenue.
Surely Facebook and Google can afford such costs, you might say. Yet this, too, is a problem: the GDPR is likely to advantage big tech companies at the expense of smaller ones. Few small businesses will be able to fully comply with these rules, while many of them will suffer from having less effective advertising. Europe’s dearth of notable start-ups will hardly improve.
Worse, the rules could impede innovation. Many blockchain companies could be shut out entirely. Cloud computing may become substantially more complicated. Systems that rely on artificial intelligence could in many cases be incompatible with the GDPR’s mandates. It’s an ominous sign that Facebook has already started pulling some data projects from Europe.
Unintended consequences
Yet all this is more or less by design; there will also be unintended consequences. Although the GDPR aims to improve data security, for instance, its privacy rules may compromise a crucial tool used by security researchers, thereby increasing spam, phishing attacks and malware. Its compliance costs could inhibit cybersecurity investment. Its emphasis on obtaining consent for data collection is, in practice, likely to mean endless “click to proceed” boxes that leave customers little more informed — and significantly more irritated — than before.
For all these drawbacks, the EU deserves credit for illuminating — and attempting to resolve — a very real problem. European law enshrines a right to privacy. Yet the digital economy depends on invasive data collection. In forcing matters, the GDPR makes plain a worldwide tension: People have come to expect free online services as well as unencumbered privacy. Unfortunately, they can’t have both.
There are many ways to approach this dilemma, and no solution will be universal. But in general, the goals should be transparent pricing and more competition. The GDPR’s requirement that personal information be “portable” — that a user can take her data from one service to another that treats it more responsibly — is on the right track. It would be even better to encourage companies to explicitly charge for privacy, which would give users a better sense of what their data is worth and ensure that their consent is more informed.
As Europe leaps into the unknown on this issue, it must be alert to the many downsides of its approach, and prepared to rethink things that aren’t working. If it is, it could help the rest of the world think more clearly about a defining problem of the information age. — (c) 2018 Bloomberg LP