The General Data Protection Regulation (GDPR) is the world’s most comprehensive and intrusive data privacy law. It applies to all enterprises in the European Union (EU) that handle consumer data from EU residents, regardless of their size, industry, or place of origin. This legislation has been included in all local privacy laws throughout the EU and the European Economic Area (EEA).
The GDPR entered into force in 2016 after passing the European Parliament, and in May 2018, the European Union began enforcing it. Its rules cover practically all data a business may gather from any online platform that could be used to identify a person. This includes information frequently requested by websites, such as IP addresses, email addresses, and physical device information. Fines for non-compliance or privacy breaches could range from 20 million euros to 4% of a firm’s turnover, depending on criteria such as the size of the company and whether the regulatory body believes the company made a good faith effort to secure its data.
The top-down regulation approach to data privacy is gaining ground around the world. Today, 17 countries outside the EU, such as China, India, Japan, and Brazil, have drawn inspiration from the GDPR when enacting their own digital privacy rules.
Regardless of one’s stance on digital privacy, there are reasons to question whether top-down regulation is the best solution to perceived privacy issues.
The unintended consequences of top-down regulation
Data protection is clearly vital, but the GDPR’s standards are so burdensome, complex, and ambiguous that the costs of compliance considerably outweigh the privacy benefits and have multiple unintended consequences. Because GDPR compliance was too expensive, many businesses from different sectors have shut down their operations in the EU.
The GDPR has reinforced the largest players, with Google, Facebook, and Amazon increasing their market share in the EU since its adoption. Small and medium-sized enterprises (SMEs) suffered the most. According to one survey, since the implementation of GDPR, SMEs and tech companies have lost up to one-third of their market share.
This comes as no surprise to those who examine the practical effects of top-down regulation. Larger companies love government regulation and may even embrace the GDPR since it will protect them from competition.
Furthermore, the GDPR has effectively stifled free speech and expression. Over 1,000 news sites in the EU have gone offline since its implementation.
The greater privacy may be worth it for customers, but are European consumers genuinely safer with the GDPR?
They aren’t, in fact. The GDPR creates risks for identity theft and online fraud. It claims to give people control over their data by streamlining user requests. However, because there is no provision for user identification, these requests give hackers and identity thieves the chance to steal data. The GDPR has also made it more challenging to monitor and catch cybercriminals. Details from web domain registrations, such as the domain owner’s name, address, and phone number, have been crucial in linking malicious sites to hackers. Unfortunately, this was unanticipated because the regulation focused more on protecting consumer data than on addressing criminal activities online. Companies are now required to establish data pools to respond to customer requests, creating a target-rich environment for cybercriminals.
A bottom-up approach: the role of privacy-enhancing technologies and education in promoting online privacy
Data protection regulation aims to shape the market to produce preset outcomes and necessitates government intervention to ensure compliance. On the other hand, innovation can create better techniques that never jeopardize customer privacy. According to a growing body of evidence, a flexible, innovation-based strategy delivers better-designed software and systems that safeguard data and privacy and empower businesses to utilize data protection as a competitive parameter. According to a survey of 800 companies conducted by the International Association of Privacy Professionals, traditionally less-regulated industries have more developed privacy policies than highly regulated companies that solely follow legislative requirements.
Regulating software technology has the disadvantage of freezing the status quo rather than encouraging innovation that can lead to better, more consumer-centric solutions.
Moreover, digital privacy should not be primarily the responsibility of tech corporations. Users control their online presence in the same way they control their physical presence in reality. Any reasonable data collection solution must take this into account. Unfortunately, the same people who complain about digital corporations gathering and utilizing their data are the ones who click the ‘accept’ button without thinking. In various parts of the world, people have begun seeking regulation to ban data gathering rather than making an effort to examine the services they use.
For example, in the Cambridge Analytica case, Facebook argued that Cambridge Analytica had only taken information that users had authorized Facebook to provide by signing its user agreement. That was a classic case of citizens and legislators attempting to penalize a private corporation whose terms and conditions they had failed to read.
Education, rather than regulation, must play a central role in assisting users in protecting their data. Although it has become almost integral to our society, a digital presence is not mandatory. However, by mindlessly accepting the terms and conditions, users state that the benefits of a digital tool outweigh the potential loss of privacy. Before blindly agreeing to the collection of their data, users skeptical about data mining should consider the role they have to play in protecting their information. People shouldn’t complain if they voluntarily choose to put their privacy at risk. Consumer education, such as health education and financial literacy, can help people consume products and services safely and intelligently. We require the same level of commitment for our online lives.
The GDPR fails to consider the importance of privacy-enhancing innovation and customer education in data protection. Without substantial provisions to foster education or innovation, the GDPR maintains the status quo: it rewards the largest players, harms SMEs and deceives people into believing they have more privacy when they actually have less. To sum up, the bureaucratization of data protection does not create a natural right to privacy. Increasing the number of authorities and regulations governing data does not make a person safer.
Photo: Fabian Kurz.
Mark Scott, Laurens Cerulus, and Laura Kayali, “Six Months in, Europe’s Privacy Revolution Favors Google, Facebook,” Politico, November 27, 2018, https://www.politico.eu/article/gdpr-facebook-google-privacy-data-6-months-in-europes-privacy-revolution-favors-google-facebook/.
Björn Greif, “Study: Google Is the Biggest Beneficiary of the GDPR,” Cliqz, October 10, 2018, https://cliqz.com/en/magazine/study-google-is-the-biggest-beneficiary-of-the-gdpr.
Jeff South, “More Than 1,000 U.S. News Sites Are Still Unavailable in Europe, Two Months After GDPR Took Effect,” Nieman Lab, August 7, 2018, http://www.niemanlab.org/2018/08/more-than-1000-u-s-news-sites-are-still-unavailable-in-europe-two-months-after-gdpr-took-effect/.
Kenneth A. Bamberger and Deirdre K. Mulligan, “Privacy on the Ground: Driving Corporate Behavior in the United States and Europe,” 2015.
International Association of Privacy Professionals, “IAPP-EY Annual Privacy Governance Report 2015,” 2015, https://iapp.org/resources/article/iapp-ey-annual-privacy-governance-report-2015-2/.
Roslyn Layton, “The 10 Problems of the GDPR: The US Can Learn from the EU’s Mistakes and Leapfrog Its Policy,” American Enterprise Institute, March 2019, https://www.judiciary.senate.gov/imo/media/doc/Layton%20Testimony1.pdf.