Should the US adopt the GDPR?

Last week, I had the honor of being a panelist at the Information Technology and Innovation Foundation’s event on the future of privacy regulation. The debate question was simple enough: Should the US copy the EU’s new privacy law?

When we started planning the event, California’s Consumer Privacy Act (CCPA) wasn’t a done deal. But now that it has passed and presents a deadline of 2020 for implementation, the terms of the privacy conversation have changed. Next year, 2019, Congress will have the opportunity to pass a law that could supersede the CCPA and some are looking to the EU’s General Data Protection Regulation (GDPR) for guidance. Here are some reasons for not taking that path.

GDPR imposes three kinds of costs on firms. First, the regulation forces firms to retool data processes to realign with the new demands. This is generally one time fixed cost that raises the cost of all information using entities. Second, the regime adds risk compliance costs, causing companies to staff up to ensure compliance. Finally, the law will change the dynamics of the industry, as companies adapt to the new requirements.

Right now, the retooling costs and the risk compliance costs are going hand in hand, so it is difficult to suss out the costs of each. Still, they are substantial. A McDermott-Ponemon survey on GDPR preparedness found that almost two-thirds of all companies say the regulation will “significantly change” their informational workflows. For the just over 50 percent of companies expecting to be ready for the changes, the average budget for getting to compliance tops ///$13 million, by this estimate. Among all the new requirements, this survey found that companies were struggling with the data-breach notification the most. The inability to comply with the notification requirement was cited by 68 percent of companies as posing the greatest risk because of the size of levied fines.

The International Association of Privacy Professionals (IAPP) estimated the regulation will cost Fortune 500 companies around ///$7.8 billion to get up to speed with the law. And these won’t be one time costs since, “Global 500 companies will be hiring on average five full-time privacy employees and filling five other roles with staff members handling compliance rules.” A PwC survey on the rule change found that 88% of companies surveyed spent more than ///$1 million on GDPR preparations, and 40% more than ///$10 million.

It might take some time to truly understand the impact of GDPR, but the law will surely change the dynamics of countless industries. For example, when the EU adopted the e-Privacy Directive in 2002, Goldfarb and Tucker found that advertising became far less effective. The impact seems to have reverberated throughout the ecosystem as venture capital investment in online news, online advertising, and cloud computing dropped by between 58 to 75 percent. Information restrictions shift consumer choices. In Chile, for example, credit bureaus were forced to stop reporting defaults in 2012, which was found to reduce the costs for most of the poorer defaulters, but raised the costs for non-defaulters. Overall the law lead to a 3.5 percent decrease in lending and reduced aggregate welfare.  

As the Chilean example suggests, some might benefit from a GDPR-like privacy regime. But as Daniel Castro, my co-panelist pointed out, strong privacy laws haven’t done much to sway public opinion. As he wrote with Alan McQuinn,

The biannual Eurobarometer survey, which interviews 100 individuals from each EU country on a variety of topics, has been tracking European trust in the Internet since 2009. Interestingly, European trust in the Internet remained flat from 2009 through 2017, despite the European Union strengthening its ePrivacy regulations in 2009 (implementation of which occurred over the subsequent few years) and significantly changing its privacy rules, such as the court decision that established the right to be forgotten in 2014. Similarly, European trust in social networks, which the Eurobarometer started measuring in 2014, has also remained flat, albeit low

In other words, it doesn’t seem as though strong regulations have done anything to make people feel as though they are getting a better deal with Internet companies.   

One of my top concerns with the GDPR that wasn’t really discussed relates to the consent requirement in the law. Now, people must affirmatively say that data processors can use their data. As I explained at the American Action Forum,

Affirmative consent is also known as an opt-in privacy regime. Opt-in is frequently described as giving consumers more privacy protection, but opt-out regimes give an individual the same option to exit data processing without the added burdens. Indeed, most of the large companies already provide a method of opting out of certain data processing and collection. Setting the default by regulation simply biases consumer choices in a particular direction.

Overall, I think I think there was general agreement among the panelists that the US should not adopt the GDPR. But, both Amie Stepanovich of Access Now and Justin Brookman of Consumer’s Union were generally in favor of implementing a couple of the fundamental elements of the GDPR, assuming they were adopted to the US legal system. Indeed, Access Now released a paper on exactly this topic. 

The big question is whether the GDPR or something similar is a set of optimal rules. For countless reasons, I’m skeptical they will really improve consumer experience without imposing substantial costs. 
For more on this topic, check out:

• Explaining The EU’s General Data Protection Regulation by Will Rinehart & Allison Edwards

• Why Stronger Privacy Regulations Do Not Spur Increased Internet Use by Alan McQuinn and Daniel Castro