Europe’s smart take on the fourth industrial revolution: the GDPR

Jerome G
PersonalData.IO
Aug 10, 2017

Hi, welcome to the blog of PersonalData.IO! This story reflects on new data protection regulations, going a little further than the mere compliance angle. We hope you’ll enjoy it!

“By pursuing his own interest [an individual] frequently promotes that of the society more effectually than when he really intends to promote it.”

This hypothesis, originally proposed by Adam Smith as the “invisible hand”, was used only three times in his 1000+ page book (The Wealth of Nations), and Smith in fact never talked about market concepts. Yet it was largely misused to ground neoliberal economic theories arguing that government regulations should be removed to let markets freely drive social benefits.

Aha! After years of market deregulation, everyone now recognizes that the theory just doesn’t work. Free markets do not systematically promote social benefits. The pharmaceutical industry is a striking example: many life-saving drugs have become unaffordable for an outrageous number of people in the US. This is happening in a highly profitable industry, in the richest nation in modern human history, and in a relatively unregulated environment compared to the EU healthcare system.

Regulations are necessary to realign markets with the general interest when they fail to “self-regulate”.

What regulations do is simple: they distribute negotiation power to ensure an actor (or a group of them) does not extract too much value to the detriment of others in a given context (market). “Others” can be society in general but also specific consumer groups, segments of the population, competitors, etc.

Scientific American, 25/02/2017

The data market also requires regulations. The decisions we take today on how to regulate it are critical because data is about to change the fabric of our society. Data will profoundly change how we build connections and interact as citizens, consumers, workers, beings. Such important changes require that democratic checks and balances are in place, as a digital tsunami is progressively swallowing every aspect of our society. This is what the General Data Protection Regulation (GDPR) will bring in the EU. That’s how I think we should look at it first and foremost.

I am writing this because a now common rant about the GDPR is that it’s a really bad thing.

“it will increase costs; it will impact competitiveness; it will kill innovation; it will favour large corporates; etc.”

If you think so… think again. Or read what follows as a starter to check some of those ideas.

Consumers had rights already…

They had a lot of rights in the “pre-GDPR” world but little means to exercise them. The data access right or the right to be forgotten, for example, are often misrepresented as GDPR innovations but in fact they existed already in law or at least jurisprudence.

What GDPR does is mainly to streamline those rights across the EU market (which is more useful for businesses than consumers) and to provide consumers with clearer recourse mechanisms and stronger negotiation power.

As fines for non-compliance will be (much) higher, corporations (data controllers and processors) are now incentivized to care about consumers’ (data subjects’) rights in terms of data protection and privacy. Many companies therefore are (only) now realizing that individuals had rights with regard to their personal data.

The GDPR provides consumers with the additional rights to (i) be represented by a third party and (ii) conduct class actions. Those two elements are key in my view: both allow consumers to act as a group when it comes to data protection, which increases their collective negotiation power. A balancing act that is important to preserve democratic power in market economies.

We can now look at some of the usual counter-arguments. Let’s check if those concerns are really justified or if they are not rather arguments spread by angry lobbyists who largely failed to oppose the essence of the regulation in Brussels despite a record 4000+ amendments (my hypothesis after watching this great documentary).

“It will favor large businesses”

There is an amount of fixed costs in adapting to the GDPR and, indeed, large companies theoretically will have more opportunities to “absorb” those costs within existing capabilities. Smaller operations may comparatively incur more incremental costs such as those for additional employees or the hiring of service providers to align with the regulation. This argument is however largely exaggerated and here is why I think so:

1/ Many components of the GDPR take the business size into account. The requirement to have a “data protection officer” (DPO), for example, is effective only when the core activities of the company consist of operations which require processing of data on a large scale. The GDPR correlates large scale to factors such as the number of data subjects, the quantity of data being processed, the duration of the process, and the geographical extent of those operations. Proportionality is also ensured in the penalty system that works primarily as a % of turnover, meaning the consequences of a breach will be relative to business size. The idea that tomorrow the bakery at the corner of the street or a small entrepreneur may go bankrupt because it mismanaged an 800-person mailing list is a myth.

Of course, if an SME’s core business is to process personal data of billions of people, the GDPR may challenge its business model. But if that’s the case, is the issue not more in the business model itself rather than in a regulation that protects consumers? Take the company 23andMe. It offers cheap DNA analysis services to consumers and their privacy policy certainly leaves many doors open on the reuse of this data by third parties for advertising purposes. Quite a frightening prospect. It may not be the case (they deny having such an intention), but I feel reassured as an EU citizen that the GDPR makes such a prospect impossible without my informed consent (not just with a privacy policy and terms & conditions written in font size 3).

2/ Regulators have a fixed amount of resources they can dedicate to enforcement. That’s why I believe regulators will apply an implicit 80/20% rule when putting their limited resources into one or another inquiry. The same will apply to consumer organizations, which will try to take on cases to set jurisprudence. They will look at places that create exposure to many EU citizens, especially foreign companies using worldwide server infrastructures. Follow my eyes…

3/ Technology will evolve and rapidly bring solutions to conduct data operations in compliance with new regulations. Once adopted at scale, the cost of that automation will be negligible for those using it. The cost for small businesses will be minimal, but it will take some management brain time to think through those issues responsibly. Is it really so bad?

“It will hinder EU competitiveness”

This argument is based on the following logical steps: (i) regulations are bad for businesses, (ii) we have more regulations in the EU than in other countries, (iii) as a result our companies will be less competitive. Almost trivial, right? Well, we can disagree again:

1/ The argument disregards a key feature of GDPR: its extraterritorial effect means any company (even located outside the EU market) willing to sell goods or services to EU citizens will have to be compliant. There won’t be any way to “escape” the regulation and to access the EU profit pool at the same time. If it makes companies less competitive, then it will be all of them and not only those operating in the EU.

2/ The regulation has, on the contrary, potential to increase EU competitiveness: with the EU being the first market to have such a modern data protection regulation, companies operating in the EU will be readier than others when foreign markets enforce similar regulations. In that respect, it is critical to note that the EU is pushing other countries such as Japan, Canada or Korea to raise their standards in terms of data protection as a precondition to allow data outflows from the EU. This means that, as long as other countries are operating “below EU standards”, the only solution for their companies willing to exploit EU citizens’ data will be to have it located and processed in the EU. Could this not rather lead to job creation in the EU?

“It will kill innovation”

This is the idea that (i) companies will use less data as a result of the regulation because it creates a compliance risk and (ii) data is an important source of innovation. The second part is true, but the first one is again very hypothetical.

Before looking at how the GDPR may in fact generate innovations, let us remember one thing: companies used to have tons of data that they did not really use. The consequence of having less data (if they decide so) will be minimal for them. And if companies have less data that they don’t use for their primary business objectives, there will be less temptation, as we see currently, to do “anything” with it such as resell it to obscure data brokers without caring about how such data will be reused.

So, how can the GDPR trigger innovations?

1/ As mentioned, technologies will be created to allow data to be transferred and used compliantly in the EU. We can expect those innovations to happen in the EU first, and be exported later when other markets modernize their data protection regulations. The GDPR will trigger a whole range of “Reg Tech” innovations in the EU. A new center of expertise to be exported. Isn’t that rather something we need?

2/ Adblock technologies are one of the biggest consumer boycotts ever seen, costing the industry more than USD 20 billion every year. This is the price of misalignment with a huge consumer base willing to regain control over their internet experience, which goes beyond advertising. As the industry is about to roll out IoT technologies, it is urgent to restore consumers’ trust if we want to see adoption of those new technologies. The GDPR will allow more transparency and control from users’ perspective. If data controllers and processors embrace GDPR’s philosophy rather than try to minimize it, there is a good chance that they will be allowed to use more data than they would have been previously. Contributing to a more trusted environment, the GDPR may create more space for data-driven innovation than some are trying to argue.

3/ Data portability reinforces that innovation potential even further. This new right for consumers brought by the GDPR means that, to some extent, some data ownership remains with users. It allows them to move a copy of their personal data from one controller to another without hindrance. For example, users should soon be able to collect their Facebook or Google data and give it directly to health research funds without Facebook or Google intermediating the transaction.

This is perhaps the single most important innovation embedded in the GDPR: it could considerably reduce the power of intermediation that platformists like Facebook have acquired over time, a significant industrial threat that I wrote about here if you’re interested. Monopolistic markets tend to be much less innovative than those with strong competition dynamics. If the GDPR reduces the supremacy of a few actors over the data market, it is very likely to have positive effects on data-driven innovation across the EU.

The list could continue but the objective is not to draw up an exhaustive repository of GDPR pros and cons. The hope here is rather to indicate through a few examples that we should use our critical sense, as entrepreneurs, managers, citizens, when we hear or read those GDPR-related complaints.

As an actor / entrepreneur in this context, I spend quite some time observing and reading about opinions and debates around the GDPR. My concern right now is that the attention of the business community is almost exclusively drawn to mitigation, risks, and other “negative” assumptions about the GDPR. Very few actors of the business community debate the social changes that are envisioned in the regulation. It always boils down to the following dominant question:

“how can we do the same and still be compliant?”

I wish people would spend more of their time thinking (and innovating) around the following question instead: “Which data-driven society do we want to design over the next five years and how can we collectively contribute to such change positively?” This requires going one step further than paying expensive lawyers to find loopholes in the regulation and buying an additional “GDPR add-on” package to complement a list of compliance software.

Companies that are courageous enough to embrace such a mindset will develop strong competitive advantages. GDPR is not a mere compliance issue. It’s a long-term strategic trend driven by consumers’ needs. Leaders don’t mitigate issues. They transform them into opportunities.

Thanks for reading! If you liked the article, don’t hesitate to “heart” it, follow us, and share it around you. My name is Jerome Groetenbriel, co-founder of PersonalData.IO, a startup helping individuals regain control over their personal data, through innovative products built around the GDPR. We also offer business innovation and consulting services to companies, as well as expert advice to educators, regulators and journalists. Don’t hesitate to contact us if you think we could help.
