DATA PROTECTION POLICY ANALYSIS
General Data Protection Regulation (GDPR)
The GDPR, a product of Europe’s multi-year effort to modernize regulation of personal data use, is a formidable regulation with global reach. The law successfully increases individuals’ control over and transparency into how data about them is used. But there are concerns that compliance will be burdensome (especially for smaller enterprises), that enforcement will be both difficult and costly, and that uncertainty (and heightened business risk) will continue for many years.
Notice and recordkeeping obligations are admirably straightforward. However, standards for “consent” – perhaps the most important issue for consumers – can be confusing. For “consent” to be valid, it must be “freely given, specific, informed and unambiguous” and identify all “controllers” by name. This could require presenting consumers with painfully detailed information (perhaps many pages drafted by lawyers) and result in “consent fatigue,” in which consumers absent-mindedly check every approval box put in front of them. A more specific consent issue may be unfair to ad-supported media: GDPR appears to prohibit them from offering consumers a choice between paying for content by receiving behavioral advertising and paying a subscription fee. If this is the case, then a great deal of “free” online content could disappear, and small media businesses in particular would be harmed.
Some compliance and enforcement challenges relate to the law’s use of balancing tests and subjective concepts, such as what is “fair” or “reasonably expected,” or whether a company has taken “utmost account” of a particular issue. Until enforcement authorities and perhaps courts define these terms, this uncertainty gives lawyers a greater say in a business and regulators an enormous amount of enforcement discretion.
A more specific uncertainty for some companies that collect and manage enormous amounts of data is the basic question of whether they are the “controller” that determines the purposes and means of processing personal data or the “processor” that handles data only as directed by a controller. Sometimes, similarly situated companies are reaching opposite conclusions, which (until these issues are resolved) will create data-handling inconsistencies that could frustrate consumers and regulators.
For international businesses, including many small businesses that live online, GDPR makes it harder to export data from the EU to most other countries, and seems to apply globally to non-EU companies that are service providers to EU companies. These burdens may decrease over time as contracts are standardized, but for now international agreements are being delayed and made more costly. When transaction costs are high, newer and smaller companies suffer most.
Two GDPR enforcement concerns apply to governments. First, data authorities may find it very costly to manage extraordinarily technical and complex oversight of global activity that changes dynamically and instantaneously. Second, multiple data authorities and judicial systems will be overseeing and making enforcement decisions, and differing enforcement thresholds and substantive standards will be frustrating to all GDPR stakeholders. There is also greater business risk when a single company, particularly a smaller company or startup, is subject to so many governments’ oversight and enforcement for the same activity.
Overall, GDPR promotes many important principles – transparency, choice and proper documentation. We will not know how successful the law is for several years, but we are optimistic that regulators will be flexible, coordinated, and appreciate the opportunities associated with innovation and data science.