The EU’s GDPR: Lessons for U.S. Policymakers
Over the last couple of months, your inbox has undoubtedly been inundated with notices from websites and apps informing you of their updated terms of service, privacy policies, and user agreements. Think of them as unsolicited invitations to a big party in Brussels taking place today, May 25—a party to celebrate the European Union’s General Data Protection Regulation (GDPR) going into effect.
The GDPR is an expansive European law meant to protect the personal data and privacy of individuals in the EU through a single set of rules that applies across Europe. It applies to any company that processes personal data about individuals in the EU, regardless of where in the world the company is based. “Processing” is defined broadly to cover essentially any operation performed on personal data, including collecting, storing, using, transferring and deleting it.
At the heart of GDPR are three legal and business principles which any company seeking to gain or retain user trust should embrace—if it has not already done so: transparency (say what you do), user control (empower your customers), and accountability (do what you say). But how the law translates these common sense principles into specific legal obligations will determine its success.
While many of the GDPR’s principles build on prior EU data protection rules, the GDPR has a broader scope, more prescriptive standards, and substantial enforcement bite. For example, it requires a higher standard of consent for using some types of data, enumerates a limited set of legal bases under which data may be processed at all, broadens the rights individuals have to access and transfer their information, and gives users the ability to request rectification and erasure of records. Failure to comply with the GDPR can result in significant fines—for the most serious violations, up to €20 million or 4% of global annual turnover, whichever is greater.
The GDPR will have a significant impact on all companies that use data, large and small, with some positive consequences. Data controllers of all stripes (not just Internet companies) are having to develop, evaluate, and implement new privacy policies and user controls, because big data analysis and the Internet of Things have spread data-intensive products and services into industries not traditionally known for them, and for whom data protection is a new consideration. Encouraging companies to be thoughtful about why they collect, use, retain, process, transfer, and delete data can reduce liability and increase user trust.
However, turning the GDPR’s rights and recitals into new user controls and compliance processes comes with legal and financial costs that will not be borne equally by all industry stakeholders. Larger, more data-savvy Internet and technology companies have generally been able, and will continue to be able, to fold GDPR compliance into expanded versions of their existing privacy programs, consulting outside counsel as necessary. Smaller companies and startups may not have the means to conduct the internal reviews and the shifts in business and product planning required to satisfy Europe’s new data protection rules.
These disparate burdens could have implications for innovation in Europe. Studies have shown that while all companies experience some costs from privacy regulations, small and new firms suffer the most, especially in ad-supported industries. Regulatory burdens can also reduce market entry by startups and innovators. Professor Anja Lambrecht of the London Business School found that earlier privacy laws in the EU depressed relative venture capital investment, compared to the United States, by 58 to 75 percent annually in the years after the 2002 e-Privacy Directive. This trade-off between regulation and growth and investment might be acceptable in some countries but not in others.
That’s not to say that the GDPR is guaranteed to suppress innovation. It could encourage business models that are less dependent on data than the ad-supported apps and websites popular today. And at least one savvy company has found a way to profit from startups’ concerns about serving the European market under the GDPR: GDPR Shield offers its customers a tool that simply blocks European users from accessing their websites and services (a step that major U.S. news outlets have also taken today). No European users means no European personal data, and therefore no GDPR compliance burden—at least for a company that does not otherwise target or monitor people in the EU.
The GDPR is poised to shift how companies and users think about how data is collected and used online, with some positive consequences in terms of practice and transparency. But it could also have adverse impacts on innovation in online services and privacy controls, and lead to stark choices by small and new firms. As policymakers in the U.S. consider if, and how, privacy and data security should be regulated at the federal level, they ought to weigh the overall results of GDPR and other international data protection rules before importing similar requirements to the United States.