2019-05-30

LONDON — The European General Data Protection Regulation (GDPR) has its first birthday this month, and according to the European Commission, it has changed the landscape in Europe and beyond.

In fact, it is probably the most well-known piece of legislation in the European Union. Everybody with online accounts will have encountered the GDPR in the subject lines of countless emails with privacy notices and requests for consent renewals.

Whatever search phrases people used to learn about the GDPR remain a secret; spam filters were tempted to block any message with the word GDPR in it.

What is known is that the law is an achievement for the EU in many respects. What also is known is that the privacy law’s bold promises are facing a reality check that may serve as a lesson for countries outside of Europe.

The Law Has Sparked a Jobs Boom

A data protection framework had already existed since 1995 and it was easy to claim that it was outdated due to advancements in technology. However, the European Commission — the arm of the EU responsible for proposing legislation and managing the day-to-day business of the bloc — had great difficulty deciding on how a new legal framework could be applicable to new and future technologies.

The stakeholders had to be persuaded of the priority of the reform. The legislative debate around the GDPR was hugely controversial and all in all, it was a miracle that the European Commission passed the law.

However, as loud as the celebrations at the European Commission may be, most independent reports assessing the first year of the GDPR voice substantive criticism. Those criticisms fall into two general categories: either that the GDPR has not shown much practical impact on how companies process personal data, or that it has caused an enormous bureaucratic burden.

The European Commission promoted the reform with a bold claim: “A strong, clear and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation.”

Admittedly, the GDPR has created jobs. Every company caught by it, as well as every data protection supervisory authority in the EU, had to increase staff to ensure compliance with the law. It is clear now that this job creation was not only temporary during the initial GDPR implementation projects, but a long-term development. Approximately 500,000 organizations have registered a data protection officer. Most of them work part-time in this role, but in larger companies they are full-time and some have additional staff.

Additionally, complying with the GDPR has created additional work in departments such as human resources, IT, legal and marketing. All supervisory authorities have at least doubled their staff and most of them ask for more, because they are clogged with case work. For example, the Irish Information Commission increased its employees from 27 in 2014 to 137 today, and is currently discussing additional positions with the government.

No Evidence of Promised Efficiency, Savings

However, there is no evidence that the GDPR has fostered economic growth. Compliance work, as necessary as it is, does not produce products or provide services. It mainly creates additional costs.

It seems unlikely that customers are willing to pay more for GDPR-compliant products or services. The most successful online business models offer free services financed by advertising. Users are more willing to attend to advertising and accept data use for interest-based targeting than to register with a service and pay a fee for it. This has not changed.

One claim by GDPR proponents was that the law would increase efficiency because it would provide a uniform legal framework across the EU. In order to achieve this, the original proposal gave the European Commission substantive power to set detailed rules with limited political scrutiny.

This unprecedented attempt to gain power was quickly and unsurprisingly wiped out by the EU’s member states. EU members insisted on more flexibility to implement the GDPR in their respective countries. As a result, the GDPR did not create the promised level of uniformity.

The European Commission advertised savings of over 2.3 billion euros (about $2.6 billion) a year due to the introduction of the GDPR. There is no sign of such administrative savings. The only question is how expensive the law has become. When the European Commission prepares its first evaluation of the GDPR next year, all eyes will be on how far the GDPR has fallen short of its promised savings.

Breach Notifications Undercut Attempts to Build Public Confidence

The European Commission hoped that the GDPR would enhance trust in digital services and, therefore, unleash the potential of the digital market. Such an effect would require users to trust that providers comply with the new regulatory framework.

However, the high number of complaints to supervisory authorities and the obligatory data breach notifications do not help develop trust.

Widely publicized reports about fines served by data protection authorities will further erode trust. This is unfortunate, because most companies have made enormous investments in GDPR compliance and consumers should appreciate it.

If the supervisory authorities are frequently complaining about non-compliance, the dividend will not emerge for those who have made the effort.

Should the U.S. Take the GDPR As a Blueprint?

The European Commission praises the GDPR as game-changing rules that have “become a global reference point.” As examples, they refer to developments in Chile, Japan, Brazil, South Korea, Argentina and Kenya. One can also see that the new California Consumer Privacy Act (CCPA) might be partly inspired by the GDPR.

However, a close examination shows that legislators around the world may have considered the GDPR when drafting their own privacy laws but they have parted from its approach as much as they took it on board. None of these laws can be regarded as being based on the GDPR.

The United States Congress has flirted for decades with the idea of a Federal privacy law applicable to businesses, but the idea never gained momentum. This may change, because the CCPA and other potential state laws prompt the question of whether a federal law would be more effective.

Furthermore, the extra-territorial scope of the GDPR forces many U.S. companies to comply with it. This makes a similar framework for the U.S. appealing to them. However, the odds for a federal privacy law for business in the U.S. are still low, at least in the near future. If the idea gains momentum, the legislator would be well advised to examine the European GDPR experiment, but not necessarily to copy it.

Case For a U.S. Law Still Needs to be Made

There is one major motivation for non-EU countries to stay close to the GDPR. It increases the likelihood that the European Commission will consider the protection provided in these countries as “adequate.” The advantage of such a finding would be that data transfers to such a country are not restricted under the third-country rules of the GDPR. However, the European Commission has in past decisions never required a country to copy the European law.

Many U.S. businesses with EU customers have already undergone GDPR compliance requirements and have signed up to the so-called “privacy shield,” which has been recognized by the European Commission as a method to provide adequate protection. For the time being, the concept works, but it might not be a long-term solution.

The Court of Justice of the European Union has set a high bar for compliance and will probably look in more detail at the privacy shield. In the U.S., a federal privacy law for businesses could be the basis for a separate adequacy decision and make the privacy shield redundant. However, this might not be enough of an advantage to justify the introduction of GDPR-style obligations for all businesses in the country.

The political case for a U.S. federal privacy law for businesses must be more convincing and will depend largely on voters’ demands.

