“GDPR Day” (May 25th, 2018) has brought a flood of activity. For example, most of us have experienced an overload of updated privacy statements in our inboxes, which can induce privacy fatigue (call it “privapathy”) that ultimately results in ignored or deleted emails.
Meanwhile, law firms have already filed suit with multiple regulators in Austria, France, Belgium and Germany – Facebook and Google were hit with $8.8B in lawsuits on the first day. Why so many different regulators? While there is one European Data Protection Board (EDPB), it acts only as a coordinator of the independent EU member states “Supervisory Authorities” (SAs), which will each handle GDPR governance in their own countries. Multi-national companies are supposed to have a single “lead authority”, but the chance of multi-jurisdiction legal complications should be cause for concern.
Other companies have attempted to opt-out of compliance with the new regulations by blocking European Union (EU) internet addresses. The Los Angeles Times, the Chicago Tribune, and The New York Daily News are telling visitors that, “Unfortunately, our website is currently unavailable in most European countries.” Of course, if they do business with an EU citizen or company at all – accepting payment for advertising German cars for example – then they remain subject to the regulation.
GDPR is proving disruptive for European citizens who are no longer able to interact with services from outside the EU. And the compliance costs can be significant as well. But are there legitimate concerns of overreach?
Will GDPR do more harm than good?
The costs paid (and ongoing) are necessary for the “fundamental human right to privacy”, according to the architects of GDPR. But how extensive should that privacy really be?
On May 25th, Gartner analyst Dr. Anton Chuvakin published a blog post titled, “My GDPR-Inspired Rant: Privacy, WTF!!!” One of his points is that GDPR defines personal data or personally identifying information (PII) too broadly. Certain information such as name, email address, phone number and physical address have been public information for decades or even centuries. He also makes the case there is a social benefit to shared data, such as a pharmaceutical company that pools data from healthcare records to spot a cure for cancer. Having lived in Russia, he also equates “the right to be forgotten” with Stalin-level evil.
So what is the future of GDPR?
In observing this activity and conflict, GDPR will either become dead, diluted, detested or accepted, as other regulations before it.
Dr. Chuvakin’s final conclusion is that “GDPR will either die a slow bureaucratic death or will destroy Europe’s chance to be a part of the digital future.” This is the “dead” scenario, which we have seen historically in legislation such as the Glass-Steagall Act.
But more commonly, legislation is modified. GDPR itself is an evolution of the Data Protection Directive, superseding and extending it to companies outside of the EU who conduct business with EU residents or companies. In the case of GDPR, though, given the flood of activity and costs, it would seem unlikely that further strengthening is in the future. More likely, it would be diluted the way that the Dodd-Frank Act has been reformed.
Another scenario is also likely. Legislation like GDPR tends to get the greatest attention from those impacted the most by it. EU citizens who can’t access web sites they prefer, and businesses being fined, will eagerly provide negative news about the regulation. This may not rise to a significant enough level for a repeal or modification, but will the negative outweigh the positive aspects such that more people detest it than appreciate it?
Finally, many regulations that begin with similar levels of resistance fade into general acceptance. The Sarbanes-Oxley Act of 2002 (SOX) hardly gets mentioned anymore, as companies have adapted to the compliance routines and costs that it introduced. Will GDPR fade into the background in a similar way?
Whichever path that GDPR takes, what is clear is that it will impact the understanding and discussion of privacy worldwide among technology companies and consumer advocates. What isn’t clear is if the general public will really value their “right to be forgotten”, their “right to access” their own data, and the right to “data portability”, or if privapathy will lead to a sense that the regulation has overreached. The ultimate outcome will be determined by which group cares the most about it.