On May 25th, 2018, one of the most sweeping changes to the regulation of the internet, the European Union’s General Data Protection Regulation (GDPR), came into effect. While it has been only a few weeks since the new privacy policies have been enacted, there are already noticeable changes to the online lives of European citizens, which can only be expected to get more complicated as regulators begin to crackdown on non-compliant firms.
The over 261 page regulation, which contains 99 articles, presents significant compliance costs that have already impacted companies both domestically and internationally, as any company that carries data on EU users must be fully compliant. Technology and financial services firms have been the hardest hit, as their business models require access to and use of consumer data. Nonetheless, firms in other sectors, even those that have limited use of consumer data, were heavily affected. This is as a result of the GDPR increasing the scope of what is considered “personal data”. Anything identifiable, including email and IP addresses, as well as location data, now counts as personal data, which makes the compliance burden fall on smaller firms that engage in activities such as email marketing or who collect cookies. Given the high cost of non-compliance, with fines of up to €20m or 4 percent of a company’s global revenue, whichever is greater, even the smallest of organisations have dedicated significant resources into ensuring they were ready for the new rules.
Fortune 500 spent the most on average to comply with the new regulations, at an estimated $16 million per firm. The high compliance cost of serving EU-based users has understandably deterred some companies from operating in European markets altogether, reducing overall consumer choice. Ahead of the launch of GDPR, a new product was released, called GDPR Shield, a simple Javascript code which, when embedded into a site, would prevent its use by any user whose IP was EU-based. On launch day, numerous US news sites, including the LA Times and the Chicago Tribune, stopped their online service for European users. Companies such as the Washington Post have tried to offset the high cost of GDPR by raising subscription prices for EU users. Efforts such as these, rational from the perspective of companies, are however harmful to EU consumers and restrict the ease with which digital markets are effectively globalised.
The European Commission has justified the high costs associated with the GDPR on the grounds that they increase the privacy of users, by introducing “privacy by default” in addition to mandated “privacy by design” into the policies of companies. The new “digital rights” created by the GDPR, it is claimed, will increase user control over their data, giving them real ownership. These include the right to data portability, which ensures that all the data held by companies on a specific user can be provided to them in machine-readable format, as well as the right to erasure, which ensures that companies are able to delete all individual user data upon request. The arguments made by the Commission would be more defensible were it not for their own compliance hypocrisy.
A few days before the GDPR went into effect, it was discovered that the EU Parliament’s website was not compliant with the new privacy guidelines. Only a few days after May 25th, a data leak on the European Commission’s website compromised the personal data of European citizens. The response by the Commission was to claim that they are not subject to the new data protection law, in what signalled a clear double standard in the concern for user data.
The “digital rights” introduced also come into conflict with the concern for privacy that was meant to be the heart of the regulation. Data Portability, one of the most talked about provisions of the GDPR, while meant to increase user control, may in turn risk user privacy. By making companies ensure that data is available to users in machine readable format so that it may be transferred to competitors, the risk of breach significantly increases. In order to provide this data to users at a reasonable cost, user data would have to be stored in such a way that easy export was possible, which makes it much easier for hackers to interpret the data if it were stolen. This increases the incentive to attempt to steal that data, thereby increasing the magnitude of privacy risks to which users are exposed. The BBC has reported that identifying hackers has become more difficult as a result of GDPR, given that popular cybersecurity firms now have reduced access to information. This compounds the privacy risks that the regulation creates.
The right to erasure that the regulation introduced similarly reduces the privacy options of EU citizens as blockchain technology is currently in a state of limbo due to GDPR. Blockchain, a distributed ledger technology designed to have a high degree of transparency and immutability, is the foundation of cryptocurrencies such as Bitcoin and Ethereum, and has long been regarded as a cornerstone of increasing digital privacy. The immutability that acts as a selling point of blockchain, however, goes against the right to erasure, as blockchains, which necessarily contain user data, such as transaction records and digital wallet IDs, cannot be deleted. The operation of firms experimenting with this innovative technology in the EU is now at risk, despite their potential for increasing privacy, a supposed aim of the GDPR.
In the short period of time since the GDPR has come into effect, its negative consequences are already readily apparent. These harms, however, can only be expected to compound as enforcement penalises innovative companies and technologies, and further scares away foreign firms from operating in European markets. The double standards that the Commission has displayed with respect to compliance indicate that despite the high costs imposed, increased privacy cannot be expected, as they are unwilling to score the swathes of data that they themselves hold on EU citizens.