When the EU Updates Regulatory Preferences, US Tech May Unsubscribe
MADRID—With fewer than 20 days to go before the EU’s General Data Protection Regulation (GDPR) comes into force, hints of its many intricacies are arriving aplenty: inboxes jammed with opt-in requests for updated terms, a frenzied search for qualified privacy specialists, and corporate compliance plans being hastened at the boardroom level.
Arguably the knottiest and widest-reaching piece of legislation the EU has ever produced, GDPR, and the compliance fright it brings, is reaching across the pond, with nearly one in four US companies citing complexity as the nastiest compliance barrier during the rule’s official comment period. But how exactly will the EU’s new data privacy regime affect the US digital economy?
At its core, GDPR enforces a set of rights for all EU data subjects, whether the entities collecting and processing their data are based in the EU or not. The second they start offering goods or services online to EU residents, US companies will be just as liable for the GDPR’s privacy protections as their EU competitors.
These privacy protections are, namely:
- Right of access—the obligation to provide an electronic copy of all data held about a subject upon request, opening the door to exhausting cloud drilling when the data is not easily accessible;
- Right to be forgotten—the ban on continued use of private data beyond its original purpose or upon a request for erasure; and
- Data portability—the requirement for all data to be converted to a machine-readable format homogeneous across all competitors, with all the programming-language hurdles that entails.
The latter, perhaps most familiar to Americans in the context of Facebook’s response to the Cambridge Analytica scandal, seems only indirectly linked to the privacy motive GDPR posits and more akin to a pro-competition measure. Often seen as the Holy Grail of tech trustbusters, portable data is in fact an area where the market is far ahead of regulators, with many social networks and cloud providers treating portability already as a functional requirement.
GDPR will also step up existing privacy controls through tighter internal record-keeping requirements. All entities whose core activity includes regular and systematic monitoring of personal data will be obliged to appoint a Data Protection Officer (DPO) reporting to the CEO—regardless of whether or not they’ve got their data house in order already.
The heavy-handedness of forcing one-size-fits-all privacy monitoring into the boardroom may seem distortionary enough as it is. Moreover, the International Association of Privacy Professionals (IAPP)—the worldwide trade group for privacy professionals—estimates GDPR will create 75,000 new Data Protection Officer vacancies globally, a shortage that even advocates of stricter rules doubt can be filled in time for the May 25 EU deadline.
Though fewer than 40 percent of those jobs will go to the EU itself (9,000 are to be created in the United States and over 7,500 in China), Europe perhaps has the greatest shortage of privacy expertise of all advanced economies and is thus least ready to comply with a core aspect of its own rules.
But that is not the only way the EU will be shooting itself in the foot. Though arguably a world leader in artificial intelligence, the EU will see its digital market suffer as European innovators lose the ability to collect personal data at the scale needed to take part in developing the next generation of AI technologies.
Compliance burdens can prove crippling elsewhere, too. The few lawful grounds for collecting and processing personal data will be stiffened. Where the customer has not given explicit consent, the hazier, catch-all notion of “legitimate interest” will likely be aggressively litigated in the courts. Burdens will fall on both parties to every data transfer.
Ensuring that your company’s external e-mail marketer or database manager doesn’t unduly disseminate your customers’ data is already taxing, but verifying that every single piece of data you manage was obtained lawfully up the supply chain when you’re on the other side of the bargain may prove outright prohibitive to many smaller start-ups.
Combined with Europe’s reaction to the Equifax breach and the Cambridge Analytica scandal, the rollout of GDPR throws light on two fundamentally different approaches to data privacy. While the US regime affords companies leeway to utilize their customers’ data to innovate and offer ever-better services, Europe conceives the collection of data online as the granting of a license by the consumer without forfeiting property and with a set of stringent conditions, further tightened by GDPR.
GDPR will no doubt raise hefty obstacles for US tech to expand in the growing integrated EU digital market. But leaving aside the threat of arbitrary fines—$24 million or 4 percent of annual global turnover, whichever is greater—echoing those fines slapped on US tech giants in past antitrust cases, the prime losers from GDPR will be EU online consumers themselves.
For a whopping digital space looking ever more like a unified market across 27 member states, the raising of external barriers through bloated privacy rules will likely leave EU customers behind on the major future benefits of the digital economy.
Jorge González-Gallarza Hernández is a policy associate at Economics21. Follow him on Twitter here.