Though GDPR’s multi-billion dollar costs keep escalating as companies bridge gaps in awareness and readiness, privacy advocates and EU regulators remain hopeful that first-moving compliers and digital users will derive some form of competitive advantage from complying with the new rule.
The requirement that companies check the lawful origin of the data they hold even when collected by third parties, the rationale goes, will spark a rush to compliance as companies seek to surpass competitors by appearing GDPR-ready for business.
A more far-fetched line of argument anticipates companies will proactively map out the data they store in order to better take stock of what parts of it they can monetize in the future – the very activity that GDPR is hell-bent on taming.
If both of those arguments hold as true as proponents posit, it is hard to see why 40 percent of surveyed companies told the International Association of Privacy Professionals (IAPP) in a poll back in April that they would not be in compliance before the May 25 deadline.
On top of the ever-growing compliance tabs surveyed in an earlier column - $18 million per FTSE500 company according to Ernst & Young and the IAPP - a few issues are likely to further debunk GDPR’s pretense of handing a competitive edge to digital customers and companies.
Given the rule’s vagueness, opacity, and the uncertainty over the degree of enforcement, full-fledged implementation is far from a foregone conclusion even inside the EU. Giovanni Buttarelli, the EU’s coordinator of enforcement efforts, warned in December 2017 that the staff of 2,500 at the European Data Protection Supervisor (EDPS) he leads was unready to oversee compliance with such a far-reaching rule.
Staff and budgets at the EDPS and the 27 member-state Data Protection Authorities (DPAs) in charge of locally enforcing GDPR have indeed been sluggish to catch up with the vast demands of implementing the rule.
At the 2017 International Conference of Data Protection and Privacy Commissioners, the annual gathering of the world’s privacy supervisory authorities, data turned in by attendees revealed the EU’s enforcement infrastructure to be woefully unprepared to implement GDPR, one year away from it coming into force.
Mexico’s DPA employs double the combined staff of EDPS and the 28 member-state DPAs per internet user and draws on a budget-per-user 1.5 times larger. In September last year, the head of the UK’s DPA complained to the Financial Times about the small staff she oversees and the dismal pay levels that make it hard to retain scarce privacy expertise.
There are also wide disparities in enforcement capabilities across member states, which seem to bear little relation to data-sharing activities on regulators’ plates. Although Romania has 40 times Malta’s population of internet users, the budget of its DPA is a third of that of Malta’s DPA.
With the EU’s infinitesimal budget - less than one percent of GDP - and a fixed pool of qualified privacy experts, strained budgets and staff shortages can be expected to grow worse in the near future. Even if personnel and funding kick into high gear in the early months of GDPR’s effective life, the threat of mammoth fines will likely stay unmatched by DPAs’ zeal to enforce them.
Furthermore, by leaving enforcement to locally-appointed and locally-accountable authorities, the EU has sowed incentives for laxness in jurisdictions looking to free-ride on GDPR’s hype without relinquishing the pull factor of lower tax rates and slimmer regulations on foreign tech. Bulgaria, Greece, Malta, Portugal and Romania have yet to issue specific enforcement guidelines to their DPAs.
In the UK, despite Secretary of State for Digital Matt Hancock’s assurances to the contrary, Brexit may present an opportunity for Westminster to pick up some slack by departing from the tough tone of GDPR.
As the EU’s enforcement apparatus is shown unable to fulfill even GDPR’s elementary promise of harmonizing the patchwork of member-state regulatory frameworks, much of the apparent benefit of early compliance for companies will begin to fade.
As explained by Michael Morgan, head of the privacy practice at law firm McDermott Will and Emery, “companies are taking a look at what makes the most sense for them given the range of considerations, including the scope of their global operations and customer base.”
Indeed, predictions of a worldwide rush to comply with GDPR generally underestimate tech companies’ ability to internally segment their customer base and eventually leave the tougher-to-reach EU market out on major innovations down the line.
The ad-tech industry, potentially the worst hit by GDPR’s requirement of unequivocal consent to collect and process personal data, shows worrying signs of what could await EU users of ad-supported free sites if advertisers choose to shut down EU operations.
Cross-device ad platform Drawbridge, for instance, was first to wind down its ad business in Europe back in March this year. EU users could soon wake up to the downsides of GDPR as they start hitting paywalls on previously free sites if more companies follow suit.
The consequences for long-term investment in innovative technologies could be even greater. The EU hopes that its long-haul efforts to harmonize its digital market, along with its almost 434 million internet users, will act as catalysts for seismic technological breakthroughs.
The reality, though, is that over half of the so-called “digital single market” is made up of US-based online services, and the EU has lagged far behind other hotspots of innovation through the past decade.
With nearly seven percent of the world’s population, the EU was home to far less than its share of patents granted between 2010 and 2016, per data by the World Intellectual Property Organization (WIPO). Namely, 4.3 percent in audio-visual technologies, 3 percent in computing and a dismal 1 percent in IT methods for management - all fields with much to lose from GDPR’s constraints on data collection.
In short, the EU’s privacy landscape will likely fall short of full-fledged harmonization as long as the enforcement infrastructure in place itself stays fragmented. Coupled with the lack of teeth of member-state DPAs, fines may turn out to be more bark than bite. As the crippling costs and burdens of GDPR keep coming to light along the sluggish road to compliance, the illusion of any first-mover advantages will likely vanish.
Jorge González-Gallarza is a policy associate at Economics21.