Understanding the GDPR and Its Unintended Consequences

While the EU had preeminence in mobile for a time, it failed to create the companies that powered the Internet and is already behind the curve on 5G. Now the EU hopes to recapture its former glory, not by making anything new or innovative, but by wielding the most draconian data protection regulation the world has ever seen. In so doing, it projects geopolitical leadership, empowers European regulatory institutions, and forces the nations and companies of the world to bend to its wishes. The General Data Protection Regulation (GDPR) claims to regulate data processing for “mankind”, but make no mistake, the goal is to carve out one global domain in which the EU is not the loser. For a region that claims to want to be a competitive destination for innovative technologies and exit the lingering financial crisis, the GDPR is not what the doctor ordered.

The GDPR applies to any entity processing data of a European resident, regardless of where it is located. This applies to corporations (Google, AT&T, Alibaba), non-profits (UNICEF, Doctors Without Borders), and even individuals and households if they are engaged in data processing for commercial purposes. The regulation still applies even if the entity has no presence in the EU. EU government entities are exempt, as is data processing conducted for national security purposes. The GDPR has 47 specific provisions including consent, data portability, right to erasure, right to object to profiling, breach notification, data protection assessments, and data protection officers. Penalties for non-compliance and/or violation can be up to 4% of turnover or €20 million, whichever is greater.

The free GDPR report from Strand Consult
Strand Consult has expanded its library of strategic research and information to privacy and data protection. Its report “Understanding the GDPR and Its Unintended Consequences” is available for free. Like Strand Consult’s other reports, it investigates the topic from the operators’ perspective and explains how it will impact the industry in the short, medium, and long term. The report also examines the assumptions and underpinnings of the GDPR. The GDPR is not based on an objective, scientific, evidenced, or even “best practice” standard, but rather a “satisficing” of many stakeholders’ preferences. No regulatory impact assessment or cost-benefit analysis is publicly available.

Get Strand Consult’s new and free report “Understanding the GDPR and Its Unintended Consequences”. The report covers:

• An explanation of the GDPR and its provisions
• Data Protection Actors in the EU
• Compliance costs of GDPR
• The expansive data protection bureaucracy of the GDPR
• Problems and deficiencies with the GDPR: No attention to user education; no safe harbor for privacy enhancing technology development; no obligation for governments to protect data
• Institutionalization of class action lawsuits by the GDPR: How non-profits can game the GDPR like patent trolls
• Regulatory scenarios for US tech companies under GDPR: Dumb platforms and platform neutrality; essential facilities doctrine; nationalization of platforms; breaking up Big Tech
• Government failure and moral hazard: Empowering bureaucrats and litigants
• How to make privacy and data protection regulation that empowers users and innovators

This report is helpful to understand the GDPR and EU policymakers in a geopolitical context. Many will find value in this report including tech and telecom companies, law firms, journalists, academics, regulators, policymakers, and others.

The missing pieces of the GDPR
Trust, the sense of confidence in and reliance on the integrity, strength, and security of technologies, is an essential element in the digital economy. The EU desires to increase Europeans’ trust in online services, but it neglected the best practices recommended by its own scientific agencies in favor of advocates’ wish lists. To improve trust, policymakers should work to increase users’ education and awareness about privacy, promote trust building technologies, and strengthen institutions. But the GDPR focuses on regulatory compliance and punishment of providers. This amounts to the buildup of a vast bureaucratic edifice on the premise of protecting personal data.

The new regime will surely enrich government coffers (and activist organizations empowered to bring class action lawsuits) by preying on companies, but it will do little to stimulate the European research community to develop much needed technologies such as data protection solutions in access control, authentication, intrusion detection/prevention, antivirus, firewalls, communication anonymizers, limited disclosure technologies, virtual identities, anonymizing credentials, and data access management.

Moreover, the GDPR does little to empower users through greater knowledge and learned behaviors. Naturally, if users took more steps to protect themselves, they would need less of the vast bureaucracy the EU wants to create. In the eyes of the EU, users are helpless wards of the state, beholden to its protection.

The GDPR institutionalizes the class action lawsuit business model, similar to how patent trolls abuse the intellectual property rights regime. Privacy activists incorporated in non-profit organizations are empowered to sue companies and collect fines on behalf of their constituents. This represents an important revenue generation opportunity for activist groups, which are not only compensated by their funders (notably corporations, foundations, and other special interests) but can also collect winnings from lawsuits.

Countries considering data protection and privacy regulation should not make the EU’s mistakes, but instead empower users with education, transparency, and choice. Innovators need safe harbors to test privacy enhancing technologies, and the EU has none. The GDPR is notable because it is market-based rather than industry-based, meaning that it applies to all firms equally. This removes the problem of regulatory arbitrage, in which some companies use policies to regulate their competitors; for example, in the US, Silicon Valley platforms want tougher obligations on mobile operators to deter them from entering the advertising business. Moreover, as a federal solution, the GDPR avoids the problem of each member state making its own rules, creating a patchwork that deters the rollout of pan-European products and services.

Contact us to get your free copy of the report “Understanding the GDPR and Its Unintended Consequences”. Strand Consult wants to share its knowledge with you.