The GDPR’s Impact on Innovation Should Not Be Overstated

Protecting individuals’ privacy is far too often pitted against innovation and economic interests. This concern is not totally unfounded. While companies face growing trust deficits, small businesses and startups worry that privacy laws disproportionately fall upon them. However, this doesn’t have to be the case: strong privacy laws can establish clearer ground rules that level the playing field for businesses large and small and protect individuals from unfair, surprising, and privacy-invading practices.

For the past year, there has been an ongoing debate as to whether the EU General Data Protection Regulation (GDPR) is that clear, strong privacy framework. Some have argued the GDPR may well spur innovation, but several companies have made headlines by blaming the GDPR for shuttering their EU businesses.

Earlier this month, CDT testified on this subject before the Senate Judiciary Committee. Our message: the evidence that GDPR itself has hurt small- and medium-sized businesses is anecdotal and ultimately inconclusive.

Many companies, large and small, have used the GDPR as an opportunity to improve their data handling practices and invest in privacy.

There have been a number of efforts to determine what the compliance costs of the GDPR are. The reality is that higher compliance costs appear to have fallen on certain business models, including data brokers, consumer scoring entities, and advertising companies. As the UK Information Commissioner has explained, there is “a dynamic tension” between the way these businesses operate and the underlying fair information practice principles in the GDPR. Rather than blame the complexity of GDPR, however, these industries ought to reflect on the reality that their existing practices may not have done enough to recognize the value of the information they hold.

Nor is every business closure in Europe the direct result of the GDPR. Some of the examples which have been suggested, like the marketing company that peddled “Klout” scores or the online game serving approximately two dozen active players, withdrew from the EU rather than continue moribund businesses.

Much has also been made of the fact that more than 1,000 U.S. news sites shut down service to European users after May 25, but most of these sites and services are owned by just a few companies that had small amounts of traffic in the EU. Rather than block European readers, USA Today instead removed some ad-related software that harvests information and tracks the online behaviors of its readers. This reveals an unexplored benefit of privacy rules to reduce the complexity of adtech: USA Today’s American website is 5.5 megabytes in size and includes more than 800 ad-related requests for information involving 188 different domains. In contrast, the EU-facing site is less than half a megabyte in size and contains no third-party content. This website not only does less surreptitious tracking, but it also loads faster.

Other publishers have taken even more creative approaches. After the GDPR went into effect, The New York Times cut off advertising exchanges in Europe and kept growing ad revenue for itself. The paper’s Vice President of Advertising Data called privacy laws that reduce reliance on third-party ad targeting a “win-win-win” for publishers, advertisers, and importantly, consumers. Earlier this year, the Washington Post committed to “go beyond cookie-based ad targeting and match ads to people without being ‘creepy’.” The Local Media Consortium currently is exploring consumer-friendly privacy policies and standards for smaller online publishers.

Investing in data protection ultimately offers competitive advantages and better protects individuals.

Focusing on companies whose business models and privacy-invasive offerings made GDPR compliance challenging also ignores the very real consumer benefits that have been derived as a result of the Regulation. As part of GDPR compliance, companies have been investing in new data security systems to protect data and ensure it is only accessed by appropriate staff. GDPR has been an opportunity for all organizations to engage in a sort of “spring cleaning” to look at the data they were holding, why they held it, and whether it was accurate.

A January 2019 survey from Cisco found numerous competitive advantages to entities that invested in privacy under the GDPR. That study also found that the two biggest challenges for companies under the GDPR were data security requirements and employee training. Data security requirements and employee training are basic and foundational privacy practices; the fact that these requirements have proven challenging is, itself, evidence of how cavalier companies have been with respect to data privacy.

Early GDPR enforcement has been measured, and regulators have looked to work with smaller businesses and startups.

The eye-popping fining authority — up to 4% of global revenue — given to EU Data Protection Authorities (DPAs) forced companies to pay attention to the GDPR. Nearly a year later, large companies have been subject to the most scrutiny, while DPAs have signaled a willingness to work with smaller businesses, including online advertisers and startups.

For example, the French Commission nationale de l’informatique et des libertés (CNIL) issued a warning against small advertising technology company Vectuary for failing to collect appropriate consent for obtaining geolocation data from scripts embedded in the mobile applications of its partners. While some argued this could be the end of online advertising, the probe was recently dropped after the company made changes to its disclosures. The CNIL also worked with several other location analytics companies. As the CNIL has explained, data protection regulators are not interested in “fin[ing] companies out of existence if there is any alternative” and “will be more gentle and take the time to first explain to companies how they have to do things.”

Some of the early fines under the GDPR reflect this. They are proportional and targeted at serious privacy problems. They range from a few thousand euros for a small business in Austria to a record-setting €50 million fine against Google in France.

Whatever complaints companies have about the GDPR, the lack of a U.S.-centric data protection regime is the worst of both worlds. Companies that intend to compete globally must contend with the GDPR and similar legal requirements in Brazil, Japan, and soon India, while at the same time Americans cannot be certain if big or small businesses are protecting their data. This state of affairs is bad for individuals’ privacy and business innovation. The U.S. should move quickly to pass comprehensive legislation to restore it’s national leadership on privacy. For more details on what we believe that law should look like please see our proposed legislation.