May 25, 2018

Data Privacy at a Price: The GDPR Just Isn't Worth It

Anne Hobson

Program Manager, Academic & Student Programs

Alice Calder

MA Fellow

Lately, the internet is awash with emails and pop-up messages about privacy, data policies or subscriptions. These emails herald the long-dreaded arrival of the expansive new regulations under the EU’s General Data Protection Regulation (GDPR) that go into effect today. The GDPR is a wolf in sheep’s clothing. The obligations to comply with the numerous and vague rules are harming innovation and experimentation and are disproportionately burdensome to smaller businesses, while providing only minimal gains in privacy and control over your data.

The GDPR defines and aims to protect the rights of individuals with regards to their data. As well as keeping data safe, companies that hold individuals’ data are also obliged to keep data collection to a minimum and acquire clear affirmative consent to collect data. This last point is one of the trickiest parts of the GDPR and is why you may have received emails asking you to re-subscribe to certain mailing lists. The new regulations require valid, freely given, specific, informed and active consent, which is hard to determine in practice. The GDPR also gives individuals the right to erasure, the right to remove themselves from certain search engine results, and the right to access data which has been collected concerning them.

Although it is an EU rule, the global nature of the Internet means that it will affect both companies and individuals worldwide. One survey suggested that 52 percent of US companies possess data on EU citizens, which makes them liable for implementing the required privacy practices. It also applies to any company no matter the size or scope of their operation, including self-employed entrepreneurs, charities and research firms. Given that the fine for non-compliance is €20 million or 4% of global revenue, whichever is higher, businesses globally are scrambling to put plans in place that meet the guidelines.

Data protection is undeniably important, but the regulations introduced in the GDPR are so onerous, expansive and vague that the compliance costs far outweigh the potential gains to privacy. Those who are hardest hit are small businesses without the resources to ensure they meet the new rules. A recent PwC survey found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million. As well as the financial costs involved, small businesses face a myriad of other problems bigger companies can avoid.

Without trained legal teams, entrepreneurs struggle to even understand what they need to do to comply with GDPR, and must dedicate huge amounts of time to combing through the available information, which is confusing and contradictory. It is so confusing that members of the UK government, who were able to attend training sessions on the issues, remain unclear on their responsibilities. Add to this the fact that even the regulators in charge of ensuring compliance are not ready to fulfill their duties, and understanding the new rules seems like an impossible task.

Already, companies are responding negatively to the risk of operating under the guidelines, either because of the costs of compliance or out of fear that, despite their best efforts, they still might face the crippling fines. Many have chosen instead to shut down, withdraw from European markets, or block access to individuals in the EU. London-based website Streetlend, which permitted users to borrow and lend tools at no fee, shut down because of the added cost of GDPR compliance. For those sites that did not shut down, compliance costs are likely to come in the form of higher transaction fees for users.

Whilst small businesses are buckling under the pressure, large companies are able to mobilize company legal teams and come up with large-scale solutions. Facebook changed their terms of service and transferred 1.5 billion users from the jurisdiction of their Irish HQ to the U.S. so as to avoid changing data practices in line with GDPR.

Businesses exiting the market and the billions of dollars spent on compliance are the visible costs of the new regulation, but just as important are the unseen consequences. GDPR makes experimentation costly; companies in the cybersecurity industry have already expressed concerns that the obligations will make exploring new technologies, such as cloud-based apps, too risky. Unseen outcomes of the GDPR include the reduced ability of small businesses to compete with large firms, as well as potential innovations that are never realised because entrepreneurs are dissuaded from taking on the risk of compliance tasks and fines.

Data privacy comes at a price. The costs that the GDPR will bring upon both companies and individuals are substantial, and the regulatory environment it will generate will suppress innovation. For the internet, an industry characterized by growth and entrepreneurship, this is a bad omen.