On June 13, the European Commission is hosting an event to take stock of the first year of the General Data Protection Regulation (GDPR) and its application in the EU and beyond. The program includes three panels aiming to discuss whether enforcement has been “effective,” the extent to which data protection is “a business opportunity,” and the ways in which individuals have been using their new rights. While the Commission may want to paint a rosy picture about the GDPR, reality reflects a bleaker picture.
First, there is little to suggest effective enforcement of the GDPR across member states. Indeed, not all member states are in compliance with the law. Moreover, the GDPR has led to a significant increase in privacy complaints and data breach notifications, which national authorities, constrained by their budgets, have struggled to address. The uptick is likely unsustainable. Ill-equipped and understaffed, DPAs are overwhelmed with companies’ questions, many of which remain unanswered. As a result, they cannot provide efficient guidance, and without quick responses, businesses moving through rapid development cycles cannot effectively collaborate with regulators.
Second, the GDPR has been a source of legal uncertainty, compliance costs, and obstacles to innovation for businesses in Europe. Justice Commissioner Jourová recently compared the regulation to “a one-year-old baby with an appetite“—and in fact it is European businesses that are being eaten alive. Preparing for the GDPR already meant that many companies had to redirect budgets and investment to set up compliance systems and hire dedicated staff—which delayed other data initiatives and limited their investments in innovation. According to a recent survey by Bitkom, Germany’s digital trade association, many businesses believe that data protection requirements put their business operations at a disadvantage. Three-quarters of respondents see these requirements as the main obstacle to the development of new technologies. Small and medium enterprises have been particularly impacted as they have fewer resources to cope with the additional administrative burdens. Legal ambiguities prevent them from assessing the extent to which the changes they made to their data policies are sufficient to comply, or if they have invested enough in upgrading their processes and systems. In addition, EU member states do not have uniform interpretations and applications of the GDPR, making the law difficult for companies with customers in more than one country to navigate.
Third, the GDPR has not made life easier to consumers either. The Commission claims that by giving new rights to consumers, the GDPR empowers people to “gain more control over their personal data.” If perception is all that matters, the GDPR might be a success as it has arguably created the illusion of control through a consent policy which leads fatigued users to mechanically click through and agree with lengthy terms and conditions. EU policymakers proudly declared that “more than two-thirds of Europeans have heard about the regulation.” Yet the Eurobarometer survey they refer to should give them no reason to rejoice. The results reflect the fragmentation and even isolation of a number of member states that are much less informed than others. For instance, in France, Italy, and Belgium, respectively 55, 50, and 47 percent of the population surveyed has simply never heard of the GDPR. The survey reveals that just 57 percent of Europeans know that there is a public authority in their country in charge of protecting personal data. This lack of awareness does not bode well with the official argument that the GDPR has provided citizens with tangible control over their data.
The GDPR has led to other unintended side effects for users. For example, users now have reduced access to information, since thousands of U.S. news websites are no longer available in Europe, including multiple Pulitzer prize-winning Chicago Tribune. In addition, by limiting the collection of personal data necessary to develop accurate algorithms, the GDPR will decrease the quality of many products and services that Europeans use, such as personal assistants or Internet search queries.
At the upcoming European Commission event, it’s unlikely participants will hear this side of the story. EU policy officials will probably sing the praises of the GDPR—wrong in the belief that the law is working as intended. In reality, many stakeholders are voicing concerns over the ill effects of the law. Unfortunately, these voices are overlooked in the Brussels bubble—which at times resembles a parallel universe beyond which EU policymakers rarely seem to look.
Thankfully, all is not lost. Brussels still has time to make needed adjustments to the law. As for other nations that are looking to implement similar data protection rules, they would be wise to not copy-and-paste the GDPR if they want to avoid replicating its pitfalls. Far from a “very agile” framework, the GDPR as it stands is a bureaucratic exercise that is failing to improve users’ trust and control, damaging the online environment, burdening public administrations and companies, and stalling innovation. Aside from that, the Commission can tout the law as a success.
Image credits: Flickr user European Parliament