The unintended consequences of Europe’s GDPR

The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018, and its extraterritorial reach means that entities worldwide that offer goods or services to, or monitor the behaviour of, people in the EU must comply with it. While the regulation has stringent requirements for consent and high penalties for non-compliance, it may have unintended consequences. Large platforms can easily adapt, but smaller entities and start-ups may struggle with the complexity and cost of compliance, potentially leading to a consolidation towards large data platforms and a chilling effect on new ventures.

This article was first published in The Mint.

On 25 May, the General Data Protection Regulation (GDPR) became enforceable in Europe and the entire world was forced to reboot its privacy settings. Even though the regulation is a piece of EU law, its territorial-scope provisions (Article 3) mean that every entity that offers goods or services to, or monitors the behaviour of, people located in the EU is now obliged to comply with it, regardless of those people's citizenship and regardless of where the entity itself is established.

That we now have a new global privacy standard could hardly have escaped anyone’s attention. In the run-up to 25 May, my inbox was bombarded with emails from entities of every nationality asking—sometimes begging—me to consent to the terms of their privacy policies so that they could continue to mail me. When I first noticed the rising tide of emails, my instant reaction was: why is this happening now? Surely existing data protection laws already obliged all these companies to ensure that they didn’t spam my mailbox without my prior consent. Why this sudden rush to refresh consents?

For one thing, the new GDPR requirements for consent are considerably more stringent than any that preceded them. Anyone who relies on consent to process the data of a person in the EU can now only do so if that consent meets the GDPR standard—freely given, specific, informed and unambiguous, signalled by a clear affirmative act rather than a pre-ticked box or mere inactivity—and if they can adequately document that they obtained it. More importantly, the penalty for failing to comply with GDPR obligations can now be as high as €20 million or 4% of global annual turnover, whichever is higher, a fact that seems to have significantly increased the incentive to comply.

To be sure, consent is just one of six legal grounds under which information can be processed. Anyone who can demonstrate that their use of personal information was justified under one of the other grounds would still be in compliance with GDPR even if the consent they had on record was insufficient. That said, there are very few mailing lists that can justify their need to send me regular updates on the grounds of their contractual relationship with me, their legal obligation or a vital, public or legitimate interest to do so.

The fact of the matter is despite the other options, most entities rely on consent to process data. Even if they had originally obtained my consent before emailing me, few, if any, of them can be sure that the terms to which I had consented meet the high standards of GDPR. Some might even struggle to produce a record of this consent since the mailing lists they used to maintain before GDPR were little more than a database of contact information whose primary privacy safeguard was the option to unsubscribe if you no longer wanted to hear from them. Now that GDPR is in force, this approach is not nearly enough and rather than risk stringent penalties, most organizations have resorted to refreshing their privacy policies.

I did respond to some of the emails asking to continue to “stay in touch”, but as the volume increased I just didn’t have the energy to process them all. I can’t be bothered to evaluate each one to identify those I really want to continue to hear from. That said, I didn’t think twice before accepting the revised privacy terms of the applications I use on a daily basis—the various social media ecosystems I have invested in over the years, the large platforms that I shop on, the services that have hosted my emails and on which I have gigabytes worth of images. I am hugely dependent on each of these services on a day-to-day basis, and I literally cannot afford to not sign up to whatever it was that they ask me to agree to.

It is here that the unintended consequences of the GDPR regime will start to play out. All the large platforms on which we are heavily dependent will have no problem getting us to accept the new rules of the game. Wherever the regulation requires them to seek explicit consent for some of the more intrusive features of their service, they just need to ask and most of us will quietly provide them the permission they need. If there is an additional cost to complying with these regulations, it will make no difference to them, as they have deep enough pockets to do whatever it takes to stay compliant. Most, if not all, of them have already committed to making GDPR their new global standard operating procedure.

Every other entity—from those that are looking to retain us on their mailing lists to the small start-ups and indie application developers that are looking to enrol us as new customers—will now face an uphill battle. They will have to deal with apathy and inertia from users like me, so numbed by consent fatigue that the effort of clicking through yet another consent request is a burden. Young start-ups will find the cost of compliance very hard to meet. Those that are slightly better funded will make half-hearted attempts to meet the new requirements, but might still be forced into taking the commercial call to cut corners wherever they can, potentially resulting in an even weaker privacy framework than before.

Post-GDPR, I can see us consolidating even more in the direction of the large data platforms. It is perhaps too early to say whether this will have a chilling effect on start-ups, but given the complexity and additional cost that this new data-protection regime demands, it is clear that the table stakes have just been raised. Many will argue that this is a necessary price and that we should all be willing to bear it for the sake of our personal privacy.

I wonder whether there might be a better way.