Two weeks back, two hearings in Congress were held about a possible forthcoming new federal data privacy law for the United States. Some of the testimony included fascinating insight.
It’s been nearly nine months since the European Union’s (EU) General Data Protection Regulation (GDPR) took effect — with its tentacle effects worldwide – and it is helpful to look at what has transcribed, and to avoid making GDPR’s mistakes. That’s what one of the witnesses, Roslyn Layton, visiting scholar, American Enterprise Institute, had to say to the House Committee on Energy and Commerce, Subcommittee on Consumer Protection and Commerce, in her statement titled “How the US Can Leapfrog the EU.”
GDPR’s Early Impacts Are Foreboding
From Dr. Layton’s testimony, I found these excerpts (footnotes removed) to be particularly insightful – and somewhat frightful, though some of it predictable. She examined GDPR’s early deleterious effects — which we, in the United States and elsewhere, would be wise to reject:
GDPR Is Not about Privacy — It’s About Data Flows
“A popular misconception about the GDPR is that it protects privacy; it does not. In fact, the word ‘privacy’ does not even appear in the final text of the GDPR, except in a footnote. Rather, the GDPR is about data protection or, more correctly, data governance. Data privacy is about the use of data by people who are allowed to have it. Data protection, on the other hand, refers to technical systems that keep data out of the hands of people who should not have it. By its very name, the GDPR regulates the processing of personal data, not privacy.”
GDPR Has Only Concentrated Big Digital Since Taking Effect
“To analyze a policy like the GDPR, we must set aside the political pronouncements and evaluate its real-world effects. Since the implementation of the GDPR, Google, Facebook and Amazon have increased their market share in the EU.”
GDPR Has Decimated Small- and Mid-Sized Ad Tech
“One study suggests that small- and medium-sized ad tech competitors have lost up to one-third of their market position since the GDPR took effect. The GDPR does not bode well for cutting-edge firms, as scientists describe it as fundamentally incompatible with artificial intelligence and big data. This is indeed a perverse outcome for a regulation that promised to level the playing field.”
GDPR Raises Costs, Prohibitively — Acting as a Trade Barrier
“To do business in the EU today, the average firm of 500 employees must spend about $3 million to comply with the GDPR. Thousands of US firms have decided it is not worthwhile and have exited. No longer visible in the EU are the Chicago Tribune and the hundreds of outlets from Tribune Publishing. This is concerning because the EU is the destination of about two-thirds of America’s exports of digital media, goods and services. Indeed, the GDPR can be examined as a trade barrier to keep small American firms out so that small European firms can get a foothold.”
GDPR Denies Valuable Content to European Citizens
“Of course, $3 million, or even $300 million, is nothing for Google, Facebook and Amazon (The Fortune 500 firms have reportedly earmarked $8 billion for GDPR upgrades.), but it would bankrupt many online enterprises in the US. Indeed, less than half of eligible firms are fully compliant with the GDPR; one-fifth say that full compliance is impossible. The direct welfare loss is estimated be about €260 per European citizen.”
What if the US Enacted GDPR Here … Oh, the Costs
“If a similar regulation were enacted in the US, total GDPR compliance costs for US firms alone would reach $150 billion; twice what the US spend on broadband network investment and one-third of annual e-commerce revenue in the US.”
Dr. Layton, in her testimony, also questioned the California Consumer Privacy Act, which may create even more enterprise requirements then GDPR. She suggested more pragmatic paths need to be forged.
A Better Way — Privacy by Design
“Ideally, we need a technologically neutral national framework with a consistent application across enterprises. It should support consumers’ expectations to have same protections on all online entities. The law should make distinctions between personally identifiable information which deserves protection, but not require same high standard for public data, de-identified, and anonymized data which do not carry the same risks. Unlike the GDPR, the US policy should not make it more expensive to do business, reduce consumer freedom or inhibit innovation.”
Data ‘Seat Belts and Air Bags’ for Privacy
In a second hearing, before the Senate Committee on Commerce, Science and Transportation, Interactive Advertising Bureau (IAB) CEO Randall Rothenberg provided a spirited statement of data’s role in the U.S. economy — and the benefits that continue to accrue. He, too, drew from an another industry’s history which he believes offers a helpful analogy and cooperative blueprint:
Internet’s Profound Communication Power
“The Internet is perhaps the most powerful and empowering mode of communication and commerce ever invented. It is built on the exchange of data between individuals’ browsers and devices, and myriad server computers operated by hundreds of millions of businesses, educational institutions, governments, NGOs, and other individuals around the world.”
Advertising’s Essential Role Online — Much of It Data-Driven
"Advertising has served an essential role in the growth and sustainability of the digital ecosystem, almost from the moment the first Internet browsers were released to the public in the 1990s. In the decades since, data-driven advertising has powered the growth of e-commerce, the digital news industry, digital entertainment, and a burgeoning consumer-brand revolution by funding innovative tools and services for consumers and businesses to connect, communicate and trade.
The Indispensable Ingredient: Trust
“Central to companies’ data-fueled growth is trust. As in any relationship, from love to commerce, trust underlies the willingness of parties to exchange information with each other; and thus, their ability to create greater value for each other. The equation is simple: The economy depends on the Internet; the Internet runs on data; data requires trust. IAB strongly believes that legislative and regulatory mechanisms can be deployed in ways that will reinforce and enhance trust in the Internet ecosystem.”
Universal Truth: Consumer Data Is Good
“We recommend Congress start with a premise that for most of American history was self-evident, but today seems almost revolutionary: consumer data is a good thing. It is the raw material of such essential activities as epidemiology, journalism, marketing, business development, and every social science you can name.
The Auto Industry Offers Us a Proactive Model
“We believe our goals align with the Congress’ decision to take a proactive position on data privacy, rather than the reactive approach that has been adopted by Europe and some states. We believe we can work together as partners in this effort with you to advance consumer privacy. Our model is the partnership between government and industry that created the modern concept of automotive safety in the 1960s. Yes, the partnership began as a shotgun wedding. Yes, the auto industry resisted at first. But an undeniable consumer right — to be safe on the highways — met well-researched solutions, which the Congress embedded in well-crafted laws that were supported by the states.
Auto Safety and Digital Wellness
“The result has been millions of lives and billions of dollars saved. We believe the analogy holds well here. Americans have a right to be secure on the information superhighway. Well-researched solutions and well-crafted laws can assure their ‘digital wellness.’ We should be thorough, practical and collaborative. Our goal should be to find the three or five or 10 practices and mechanisms — the seat belts and air bags of the Internet era — that companies can implement and consumers can easily adopt that will reinforce privacy, security and trust.”
Notice and Choice Bombardment — Or Predictable Rules of the Road
“Together, based on our members’ experience, we can achieve this new paradigm by developing a federal privacy law that, instead of bombarding consumers with notices and choices, comprehensively provides clear, even-handed, consistent and predictable rules of the road that consumers, businesses and law enforcers can rely upon.
One Federal Standard — in Harmony
“Without a consistent, preemptive federal privacy standard, the patchwork of state privacy laws will create consumer confusion, present significant challenges for businesses trying to comply with these laws, and ultimately fall short of consumers’ expectations about their digital privacy. We ask the Congress to harmonize privacy protections across the country through preemptive legislation that provides meaningful protections for consumers while allowing digital innovation to continue apace.”
It is worth reading the testimonies of the privacy advocates present at these two hearings, as well. These GDPR fans have many sympathetic voices in the media and Congress, and truly need to be part of any conversation where consensus ought to be built. It is my hope the right federal legislation will result. The early evidence from Europe — where advocates won over reason — portends the punitive risks of getting it wrong.