General Data Protection Regulation (GDPR)
December 2018
SUMMARY
The General Data Protection Regulation (“GDPR”), the European Union’s comprehensive data protection legislation, is an extraordinary accomplishment and a valuable model for other governments. Based on optimism that the EU is deeply committed to GDPR’s success, Data Catalyst scores GDPR 81/100, though this could change significantly if implementation challenges are not resolved over time. Several current concerns about GDPR flow from its status as a “general” regulation that applies to multiple industries and to enterprises of all sizes. Generalities create uncertainty, which leads to inconsistent compliance and enforcement (particularly when enforcement is both global and distributed across 28 governments). Uncertainty creates risk, which favors large companies that can fund compliance. Concerns over GDPR have motivated many smaller companies to withdraw from Europe, and investment in European startups has diminished since GDPR was enacted. In time, however, we anticipate that industry-specific compliance and enforcement will normalize, that risk will diminish, and that GDPR will fulfill its promise. But the first several years may be challenging, particularly for smaller enterprises.
CONCERNS
The GDPR, a product of Europe’s multi-year effort to modernize regulation of personal data use, is a formidable regulation with global reach. The law successfully increases individuals’ control over and transparency into how data about them is used. But there are concerns that compliance will be burdensome (especially for smaller enterprises), that enforcement will be both difficult and costly, and that uncertainty (and heightened business risk) will continue for many years.
Notice and recordkeeping obligations are admirably straightforward. However, the standards for “consent” (perhaps the most important issue for consumers) can be confusing. For consent to be valid, it must be “freely given, specific, informed and unambiguous” and must identify the “controllers” by name. This could require presenting consumers with painfully detailed information (perhaps many pages drafted by lawyers) and result in “consent fatigue,” where consumers absent-mindedly check every approval box presented to them. A more specific consent issue may be unfair to ad-supported media: GDPR appears to prohibit offering consumers a choice between paying for content by receiving behavioral advertising and paying a subscription fee. If this reading is correct, a great deal of “free” online content could disappear, and small media businesses in particular would be harmed.
Some compliance and enforcement challenges relate to the law’s use of balancing tests and subjective concepts, such as what is “fair” or “reasonably expected,” or if a company has taken “utmost account” of a particular issue. Until enforcement authorities and perhaps courts define these terms, this uncertainty gives lawyers a greater say in a business and regulators an enormous amount of enforcement discretion.
A more specific uncertainty for some companies that collect and manage enormous amounts of data is the basic question of whether they are the “controller” that determines the purposes and means of processing personal data or the “processor” that handles data only as directed by a controller. Sometimes, similarly situated companies are reaching opposite conclusions, which (until these issues are resolved) will create data-handling inconsistencies that could frustrate consumers and regulators.
For international businesses, including many small businesses that live online, GDPR makes it harder to export data from the EU to most other countries, and it appears to apply globally to non-EU companies that provide services to EU companies. These burdens may decrease over time as contracts are standardized, but at this point international agreements are being delayed and are more costly to conclude. When transaction costs are high, newer and smaller companies suffer.
Two GDPR enforcement concerns apply to governments. First, data authorities may find it very costly to manage extraordinarily technical and complex oversight of global activity that changes dynamically and instantaneously. Second, multiple data authorities and judicial systems will be overseeing and making enforcement decisions, and different enforcement thresholds and substantive standards will be frustrating to all GDPR stakeholders. There is also greater business risk when a single company, particularly a smaller company or startup, is subject to so many governments’ oversight and enforcement for the same activity.
Overall, GDPR promotes many important principles – transparency, choice and proper documentation. We will not know how successful the law is for several years, but we are optimistic that regulators will be flexible, coordinated, and appreciate the opportunities associated with innovation and data science.
Criteria
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 8/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 8/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 8/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 9/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 8/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 8/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 8/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 8/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 8/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 8/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1-2” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.