Almost a year ago, the European Union’s General Data Protection Regulation (GDPR) went into effect. In that year, the United States has been engaging in its own debate about what, if anything, should be done to bolster our data privacy protections. While some have suggested that the United States implement its own GDPR — a comprehensive reform to more tightly regulate the collection, use, and retention of data — we have the advantage of looking at the early consequences of Europe’s policy.
As debates about potential federal data privacy legislation continue, what can the first year of the GDPR teach us about what such a regime may do in America?
First, the cost of compliance with complicated data regulations is not cheap, and as a result, some companies may choose to leave the market rather than comply. According to a PwC survey, more than 40 percent of companies surveyed, including American companies with a data presence in the EU, spent over $10 million preparing to comply with GDPR.
From video game sellers to various news outlets including the Los Angeles Times, some companies found the costs too high to continue doing business in Europe, and removed themselves from the EU. For others that chose to remain, things remain uncertain. In some cases, courts and countries continue to work through interpretations, often with differing results.
Now, almost a year later, many of these companies still have not returned to Europe. Some might argue this is not necessarily a bad thing if new, more privacy-sensitive companies take their place. Yet, venture capital investment in startups in Europe post-GDPR is down by over $3 million, according to a National Bureau of Economic Research study. As a result, there were likely 3,000 to 30,000 fewer jobs.
Large companies are not immune from the effects of cumbersome regulatory schemes, but policies like the GDPR are more difficult on new entrants struggling to find footing in the market. In the immediate aftermath of GDPR, large players in the targeted advertising space were able to grow or maintain their market share. Newer and smaller players seemed to struggle.
While we shouldn’t assume big is bad, strict top-down regulations like the GDPR will make it more difficult for new companies and competitors to challenge existing players. In the long-term, we may get a static market in which the “next Google” fails to emerge and improve upon what more established tech giants are doing.
It may be worth it for consumers to have the extra privacy, but are European consumers actually safer than they were before GDPR?
GDPR’s requirement that companies respond quickly to user requests for large amounts of data (and harsh penalties for failing to comply), may not always be the silver bullet for portability or transparency. For example, in one incident, Amazon sent 1,700 Alexa recordings to the wrong user.
Laying out some of these consequences is not to say that we shouldn’t place a premium on internet privacy. Rather, it’s to point out that pursuing privacy is not without tradeoffs with other things that we value or benefit from. There are already a wide variety of options for individuals to make choices about their own privacy, and we hold a wide variety of individual privacy preferences in the first place.
As the United States debates whether or not to implement its own comprehensive, federal privacy law, we should pay attention to the recent lessons of the GDPR. A U.S. GDPR may sound comforting, but perhaps we should simply adapt the more permissionless notice-and-choice approach that has allowed us to lead the world in innovation — and reap tremendous benefits. As a result, we may be able to find more solutions with fewer negative consequences.