General Data Protection Regulation (GDPR)December 2018
The General Data Protection Act (“GDPR”), the European Union’s comprehensive data protection legislation, is an extraordinary accomplishment and a valuable model for other governments. Based on optimism that the EU is deeply committed to GDPR’s success, Data Catalyst scores GDPR 81/100 – though this could change significantly if implementation challenges are not resolved over time. Several current concerns about GDPR flow from its status as a “general” regulation that applies to multiple industries and enterprises of all sizes. Generalities create uncertainty, which leads to inconsistent compliance and enforcement (particularly when enforcement is both global and distributed across 28 governments). Uncertainty creates risk, which favors large companies that can fund compliance. Concerns over GDPR have motivated many smaller companies to withdraw from Europe and negatively affected investment in European startups has diminished since GDPR was enacted. In time, however, we anticipate that industry-specific compliance and enforcement will normalize; that risk will diminish; and that GDPR will fulfill its promise. But the first several years may be challenging, particularly for smaller enterprises.
The GDPR, a product of Europe’s multi-year effort to modernize regulation of personal data use, is a formidable regulation with global reach. The law successfully increases individuals’ control over and transparency into how data about them is used. But there are concerns that compliance will be burdensome (especially for smaller enterprises), that enforcement will be both difficult and costly, and that uncertainty (and heightened business risk) will continue for many years.
Notice and recordkeeping obligations are admirably straightforward. However, standards for “consent” – perhaps the most important issue for consumers – can be confusing. For “consent” to be valid, it must be “specific, informed and unambiguous” and identify all “controllers” by name. This could require presentation to consumers of painfully detailed information (perhaps many pages drafted by lawyers) and result in “consent fatigue” – when consumers absent-mindedly check all approval boxes as presented. A more specific consent issue may be unfair to ad-supported media, which it seems are prohibited by GDPR from offering consumers a choice between paying for content by receiving behavioral advertising or paying a subscription fee. If this is the case, then a great deal of “free” online content could disappear, and particularly small media businesses would be harmed.
Some compliance and enforcement challenges relate to the law’s use of balancing tests and subjective concepts, such as what is “fair” or “reasonably expected,” or if a company has taken “utmost account” of a particular issue. Until enforcement authorities and perhaps courts define these terms, this uncertainty gives lawyers a greater say in a business and regulators an enormous amount of enforcement discretion.
A more specific uncertainty for some companies that collect and manage enormous amounts of data is the basic question of whether they are the “controller” that determines the purposes and means of processing personal data or the “processor” that handles data only as directed by a controller. Sometimes, similarly situated companies are reaching opposite conclusions, which (until these issues are resolved) will create data-handling inconsistencies that could frustrate consumers and regulators.
For international businesses, including many small businesses that live online, GDPR makes it harder to export data from the EU to most other countries, and seems to apply globally to non-EU companies that are service providers to EU companies. These burdens may decrease over time as contracts are standardized – but at this point international agreements are being delayed and they are more costly. When transaction costs are high, newer and smaller companies suffer.
Two GDPR enforcement concerns apply to governments. First, data authorities may find it very costly to manage extraordinarily technical and complex oversight of global activity that changes dynamically and instantaneously. Second, multiple data authorities and judicial systems will be overseeing and making enforcement decisions, and different enforcement thresholds and substantive standards will be frustrating to all GDPR stakeholders. There is also greater business risk when one company – particularly smaller companies and startups – are subject to so many governments’ oversight and enforcement for the same activity.
Overall, GDPR promotes many important principles – transparency, choice and proper documentation. We will not know how successful the law is for several years, but we are optimistic that regulators will be flexible, coordinated, and appreciate the opportunities associated with innovation and data science.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 8/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 8/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 8/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 9/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 8/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 8/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 8/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 8/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 8/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 8/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.