GDPR Compliance: The Price of Privacy Protections

July 9, 2018

In preparation for a Federalist Society teleforum call that I participated in today about the compliance costs of the EU’s General Data Protection Regulation (GDPR), I gathered together some helpful recent articles on the topic and put together some talking points. I thought I would post them here and try to update this list in coming months as I find new material. (My thanks to Andrea O’Sullivan for a major assist on coming up with all this.)

Key Points:

  • GDPR is no free lunch; compliance is very costly
      • All regulation entails trade-offs, no matter how well-intentioned rules are
      • $7.8 billion estimated compliance cost for U.S. firms already
      • Fines can reach €20 million or 4 percent of a firm's global annual revenue, whichever is higher
      • Vagueness of language leads to considerable regulatory uncertainty — no one knows what “compliance” looks like
      • Even EU member states do not know what compliance looks like: 17 of 24 regulatory bodies polled by Reuters said they were unprepared for GDPR
  • GDPR will hurt competition & innovation; favors big players over small
      • Google, Facebook & others are beefing up their compliance departments. (EU official Vera Jourova: “They have the money, an army of lawyers, an army of technicians and so on.”)
      • Smaller firms exiting or dumping data that could be used to provide better, more tailored services
      • PwC survey found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million.
      • Before GDPR, half of all EU ad spend went to Google. The first day after it took effect, an astounding 95 percent went to Google.
      • In effect, the GDPR concedes that meaningful competition with the incumbents is no longer expected
      • The law will actually benefit the same big companies the EU has been pursuing on antitrust grounds, while smaller innovators and their innovations suffer.

  • GDPR likely to raise costs to consumers, or diminish choice/quality
      • Consumers care about privacy, but they also care about choice, convenience, and low-cost services
      • The modern data-driven economy has given consumers access to an unparalleled cornucopia of information and services and it is remarkable how much of that content and how many of those services are offered to the public at no charge to them. That’s a real benefit.  
      • But if you take all the data out of the Data Economy, you won’t have much of an economy left
      • “Many organizations will pass these costs on to consumers either by erecting paywalls or forcing users to view more ads.”
      • Websites blacked out for EU visitors post-GDPR: Instapaper; the Los Angeles Times, Chicago Tribune and other Tronc- and Lee Enterprises-owned news sites; A&E Networks websites.
      • “EU-only” web experience: NPR and USA Today served stripped-down versions of their sites, without illustrations or images.
      • The Washington Post introduced a more expensive, GDPR-compliant (ad- and tracking-free) subscription tier.
  • GDPR hurts global flow of information; worsens problem of data localization
    • Transfers outside the EU are permitted only to jurisdictions the Commission deems to offer an adequate level of protection, or under approved safeguards such as standard contractual clauses
    • Cloud computing? Cloud architects are building costly new infrastructure to isolate and inspect EU data so that it is not “sent” to the wrong jurisdiction.
    • Another step toward a more “bordered” Internet
    • Likely to just create more walled gardens
    • Max Schrems: “Unfortunately data localization is probably the best solution right now. It’s not really a solution that appeals to me a lot, but I think we need data localization for other reasons anyways, like load times and so on.”
    • A roundabout way to impose tariffs? The firms most affected are data-driven businesses largely based outside the EU.
  • GDPR doesn’t solve bigger problem of government access to data
    • EU Data Retention Directive: required providers to keep communications metadata available to law enforcement for six months to two years (passed after terrorist attacks; struck down by the EU Court of Justice in 2014, though several member states kept national retention laws).
    • EU member states often have no FISA-like body overseeing government wiretap requests. In France and the UK, surveillance has largely been authorized by administrative bodies rather than a court (the UK's 2016 Investigatory Powers Act added judicial commissioner review of warrants). In Germany, the federal police (BKA) can install “Federal Trojan” (Bundestrojaner) surveillance malware on targets' devices without the platform operators' knowledge.
  • GDPR doesn’t really move the needle much in terms of real privacy protection
    • Heavy-handed, top-down regulatory regimes don't always accomplish their goals when it comes to privacy
    • What consumers need are new competitive options and privacy innovations
    • Unfortunately, the world won't get those new choices if regulations like the GDPR punish would-be entrants with compliance costs that only the largest incumbents can absorb
Related Research & Articles: