The increasingly urgent scrambling sound you can hear in offices all over Europe is companies rushing to comply with the EU’s General Data Protection Regulation by the deadline of May next year.
The amount of money at stake is dramatic for companies if they fail to meet the standard. In one sense, this is just the cost of doing business in a digital age, where privacy and the protection of data have become among the most pressing issues in global governance.
But in the form that the new rules are taking, it also represents a missed opportunity for the EU. Brussels could have used the regulation to integrate the fragmented digital single market and make a constructive contribution to adding cross-border data flows into international trade deals. Instead, it is loading costs on to companies and threatening huge fines for breaking rules whose interpretation is unclear.
There is a sound case for updating the EU’s data protection regulations: the previous ones stretch back years to a very different internet landscape. In an era of data harvesting, the GDPR offers greater protection for individuals over how their data can be used and stored. But lobbying, particularly from France and Germany, has slowed down the process and made it hard for companies to transfer personal information under the new rules.
Although there are supposed to be carveouts for the information that individuals collect and share, it is not clear where the lines are drawn. Cyclists with helmet cameras, for example, may find themselves caught by the law, as may individuals who post on social media that is open to the public rather than shared privately.
The regulation does harmonise rules across member states. But it will not stop them introducing more data localisation rules requiring information held by companies to be held on servers in their home country, thus further Balkanising an already incomplete digital single market. The stiff penalties against mishandling data will simply raise the costs of compliance across the bloc. The potential fines for a breach of the GDPR are dramatic, the maximum penalty being a hefty 4 per cent of a company’s total global turnover.
Moreover, the EU has further confused the issue by proposing to bring in a separate “ePrivacy” regulation at the same time. Building on the rules introduced several years ago, obliging users to give permission for internet cookies to be placed on their computers, ePrivacy will add a whole series of requirements to grant permission to collect and use personal data. In practice this will hand the established tech companies like Google an advantage when it comes to harvesting information, because of their existing relationships with customers.
The GDPR will also have an international dimension. The regulation requires compliance from any company, even outside Europe, doing business with EU customers. Through the so-called Brussels effect, where companies gravitate towards implementing the toughest rules they face, this is likely to spread restrictive practices through the world economy.
The EU has also resisted attempts to protect cross-border data flows in any of the trade deals it is negotiating with individual countries and groups of governments. This is a constraint when trying to agree meaningful rules to govern the modern economy.
The GDPR aims to address genuine European public concerns with privacy and to constrain the US internet giants such as Google and Facebook. But the way it has been constructed is likely to load costs on to businesses and retard the growth of the EU digital economy.