As the one-year anniversary of the implementation of the General Data Protection Regulation (GDPR) in the European Union (EU) approaches, the transition year is coming to a close. Analysts, lawmakers, internet users, investors, researchers, and companies alike fear the blunt force of regulatory enforcement and heavy fines. For those in the United States, this is a unique opportunity to assess the consequences of the GDPR and learn from the mistakes of those abroad as we discuss the need for a federal law for privacy and data protection. Here is an overview of the GDPR’s ten biggest side-effects:
Consent fatigue and the tyranny of choice
Bombarding users with privacy pop-ups is creating a paradox of consent fatigue, making users discouraged and complacent with policies. Consumers value their data and interpret data usage differently, and the scale is broad and context-dependent. When companies are filling email inboxes with new terms and conditions updates as they attempt to err on the side of caution in their interpretation of GDPR regulations, it is becoming more difficult to determine consumer preferences.
Opt-in and opt-out requirements favor big businesses
For big businesses, opt-out policies have little effect on their data and marketing tactics, while small businesses with legitimate interest rely considerably on meaningful and personalized impressions with users. Ironically, users are more willing to allow companies and large platforms such as Facebook that have a “take it or leave it” approach to data privacy to harvest their data, but are typically unwilling to give access to unknown start-ups.
Decline in access to information and free services
Strict requirements could mean that users lose access to the free services that increase workflow and save money; for example, email, news sites, business intelligence platforms, social platforms, and more. These services rely on business models that are driven by user data. With limited or no access to these services, consumers and businesses lose profits, have less information, and struggle to find competitive advantages in the marketplace.
There exists a privacy paradox where the average user prefers a pragmatic approach to privacy and is open to sharing basic information for an enhanced experience. This is highlighted in a 2016 study in which, when asked if they would be willing to pay for data protection online, 65% of participants were unwilling to pay anything at all. As these policies hurt small businesses and platforms the most, big businesses and large platforms have the opportunity to offer low-quality and exploitative content without proper competition in the market.
Increased red tape and compliance costs
Companies, small and large, were unprepared to quickly comply with the demanding and costly new transparency and data use rules. A survey showed that 40% of respondent companies, including American companies with data presence in the EU, spent over $10 million budgeting for GDPR regulations. Companies are struggling to meet requirements such as hiring a data protection officer and resolving technical issues before the 72-hour notification deadline.
Stifled innovation and entrepreneurship
Small businesses cannot compete in a regulatory environment that provides no support apparatus to new or small companies, and businesses tend to migrate to more favorable markets. In just the past year, venture capital investment has decreased by $3 million. Small-to-medium businesses lack the capacity to cut spending, train employees, and hire data consultants. Many have voiced company concerns over the ability to fulfill GDPR requirements and to become compliant. The daunting message that the GDPR sends stifles innovation that entrepreneurs bring to the market and increases the dominance of large companies.
Slowdown of government operations
Companies have been so risk averse to GDPR regulations and large fines that they have overwhelmed regulatory agencies with any sort of suspected breach or data abuse. The U.K. Commissioner’s office issued a statement last September that their office was completely underprepared for and overoccupied with breach and non-compliance notifications.
Especially in the transition year, companies are more at risk from cyber threats that target their noncompliance in the form of ransomware. In this case, companies would be more willing to pay the hackers' fine than to face the larger GDPR fines and public scrutiny. Additionally, protecting user data has unintended consequences that limit the ability to track cyber criminals by removing access to web domain information through the WHOIS database.
Implications for emerging technologies
The GDPR greatly limits the functionality of technologies that rely on blockchain and cloud computing by interrupting algorithms. The GDPR gives users the right to view without delay, edit, and delete their data, which easily distorts and disrupts the efficiency of distributed ledger technologies. Such operational inefficiencies increase costs and decrease the accuracy of data, ultimately giving other countries such as the U.S. and China a competitive advantage.
Collateral damage unknown in scope
The full effects of the GDPR have yet to be analyzed as its tentacles extend deep into industries where the sharing of data is critical for development that yields societal benefit. Sectors such as healthcare, clinical trials, research, and even photography are subject to the extreme costs of compliance and face delays when it comes to sharing data for the benefit of the individual and society.
Reactions to the GDPR in the past year have signaled how unprepared businesses in the EU were for the heavy regulations. Now, with full enforcement and heavy fines on the horizon, the effects on small businesses could be financially devastating and create inefficiencies in companies trying to maneuver bureaucratic red tape.