GDPR has been in effect in the EU for one year, and regulators, consumers and businesses are facing its unintended consequences. Other countries can take those outcomes and do better with their own data protections.
On May 25, 2018, a new data privacy law went into effect in the European Union. This law — the General Data Protection Regulation (GDPR) — has been held up as a global standard for consumer data protection. It has also created momentum for lawmakers in the United States to introduce their own proposals for regulating data privacy. Yet one year later, consumers, businesses and regulators are all dealing with a variety of unintended consequences. Given that GDPR has fallen short of expectations, policymakers in other countries have an opportunity to do better, rather than repeat Europe’s mistakes.
One of the primary rationales for GDPR was to create “one continent, one law” so that companies could more easily do business in Europe. Yet in trying to copy the EU, many U.S. states are considering, or have already passed, their own privacy laws, which would create a fragmented market in the United States. Notably, some countries in the EU are still not compliant with GDPR. The U.S. should pursue a single federal data protection law to avoid re-creating these issues.
European consumers were worse off by many metrics after GDPR went into effect. Not only were consumers inundated with online cookie notifications, new corporate privacy policies and requests to re-join email lists, but they were also cut off from some websites. For example, one analysis found that more than 1,000 U.S. news sites blocked access in the EU to avoid compliance challenges. And to add insult to injury, according to a survey in March from the European Commission, nearly two-thirds of Europeans (63 percent) do not know exactly what GDPR is — not surprising given that the law is over 250 pages long. U.S. policymakers should remember that data protection laws have significant impact across businesses, large and small, in every sector, and should aim to create simple rules that consumers can understand.
GDPR makes it too difficult for businesses to collect and use data, particularly by requiring organizations to specify how they will use data at the outset and to minimize what they collect. This means that they cannot collect data without knowing specifically how it will be used, and they cannot reuse data for novel purposes. In addition, GDPR limits automated decision-making by requiring companies to provide human review of significant decisions and information on the logic involved in those decisions. Combined, these restrictions make it particularly difficult for EU companies to use artificial intelligence. As the United States is attempting to remain a leader in AI, it should not create a regulatory environment that unnecessarily hampers its ambitions.
Implementing GDPR has been an expensive undertaking. The 500 largest global companies have so far spent more than $7.8 billion on initial compliance. For example, GDPR requires companies to appoint a data protection officer. Yet a recent survey found that for a majority of companies (52 percent), this position serves no valuable business function and instead is only for compliance. U.S. data protection efforts should avoid rules that force companies to focus on check-the-box compliance and instead encourage them to concentrate on investing in areas of their business that could meaningfully reduce the risk of consumer harm.
GDPR sets a high bar for reporting data breaches, with organizations obligated to report incidents within 72 hours of discovery. This tight timeline, coupled with fears about severe fines for non-compliance, has resulted in organizations over-reporting in an effort to be transparent. The multinational law firm DLA Piper has noted that “regulators are stretched and have a large backlog of notified breaches in their inboxes.”
Given the problems with GDPR, the United States should avoid repeating these mistakes and instead strive to create a national privacy framework that streamlines regulation, pre-empts state laws, establishes basic consumer data rights and minimizes the impact on innovation.