The European Union’s (EU) new General Data Protection Regulation (GDPR) was sold as critical motion to implement data privacyprotections for consumers. People are justifiably concerned about protecting their data in an age when it serves as a currency. And, as technology comes to permeate ever more aspects of our lives, those concerns will become more pressing. Unfortunately, the GDPR is ill-suited to protect people’s privacy and threatens to drown technological innovation in a morass of bureaucracy.
In fact, new data shows that the GDPR is helping strengthen the very tech platforms it was supposedly designed to reign in. This should not surprise anyone, especially on the heels of a decade of GDPR-like regulations. American lawmakers should study these outcomes and ensure that any future U.S. rules avoid similar pitfalls.
As my paper What the GDPR Really Does and How the U.S. Can Chart a Better Course describes, Europeans have long endured intrusive pop-ups and disclosures on every digital property they visit, yet they report no greater sense of trust online. As of 2017, only 32 percent of Europeans shop outside their own country, demonstrating that the European Commission’s Digital Single Market goals are still elusive. Moreover, only 20 percent of EU companies are highly digitized. These are primarily large firms. Small to medium sized companies invest little to modernize and market to other EU countries. A European company has not appeared on Mary Meeker’s list of top internet companies since 2013.
If the idea was that regulation would somehow tame big Silicon Valley platforms, the reality is that the opposite is happening. The GDPR, along with similarly heavy-handed solutions like California’s Consumer Privacy Act, emboldens established platforms that have the resources to comply. Studies confirm the rank and market share of small and medium sized ad tech companies have declined by 18 to 32 percent in the EU while these measures have increased for Google, Facebook and Amazon.
What’s more, the cost of compliance for regulations like these are so onerous that many firms have just stopped operating under them completely. The paper describes more than 1,000 American news media and websites that are no longer available in the EU, including The Chicago Tribune and The Los Angeles Times. If the U.S. adopted these stringent approaches, it would strengthen existing players at the detriment of startups.
The EU and California rules also require that every entity collecting data must disclose in advance the exact purpose for which it will be used. This is especially problematic for many entities, particularly universities and research institutes that do not know in advance which data points may be relevant to an important scientific inquiry in the future. Such rules threaten the creative, problem-solving approach that drives academic research and entrepreneurship in the U.S. This situation is better addressed with trust-based principles rather than prescriptive regulation.
All of these unintended consequences severely threaten competition and innovation in today’s digital marketplace. Yet, perhaps the most notable problem of the GDPR and California rules are their denial of individual freedom. If you don’t like the way that a company like Facebook uses your data, the answer is simple: don’t use their services. Indeed, one-third of Facebook users under 30 quit various social media platforms. But, data privacy and protection should focus on empowering people to make decisions, not empowering governments to influence which platforms people use.
Good regulation should embolden people to understand the tradeoffs they are making when they use these services and encourage innovation so that platforms compete on improving how they protect data. Neither the EU nor California regulations do these things. The U.S. must take serious note of these failures and move forward with crafting comprehensive legislation that protects privacy without harming prosperity. Ultimately, this is the solution that will drive future innovation and finally provide consumers with the online protections they deserve.
