One year after EU’s groundbreaking General Data Protection Regulation took effect, evidence is mounting that the law has shortcomings and unintended consequences that are hurting businesses, consumers and innovation.
Brussels has set out to make the bloc a leader in the digital economy, and policymakers are actively seeking to make GDPR the global standard for privacy and data use. Proponents argue that the regulation, which limits how companies can use information that touches on someone’s ethnicity, political opinions, religious beliefs or sexual orientation, is key to building user trust.
But a closer look shows that GDPR is holding European businesses back. For example, the law requires organisations to explain how they use personal data in artificial intelligence systems and other automated decision-making that has a significant impact on individuals, such as whether to offer a mortgage.
This is far easier said than done. The complexity of AI systems makes them more accurate, but it also makes their decisions harder to explain. Businesses that are unable to comply with this “explainability” requirement will end up eschewing advanced AI systems altogether. In a recent survey by Bitkom, Germany’s digital trade association, 74 per cent of respondents said data protection requirements are the main obstacle to developing new technologies — up from 45 per cent in 2017.
The rollout of GDPR has also coincided with a sharp drop in venture funding for EU tech companies, which raised on average 33 per cent less per deal than in the 12 months before GDPR rolled out.
The regulation has also failed to convince users that they have more control over their data. Six months after it went into effect, EU consumers’ trust in the internet was at its lowest in a decade.
According to a Eurobarometer survey published in May, internet users in nine EU countries are now less likely to feel they have at least some control over their personal information than they did in 2015, compared with five where they are more likely to feel they have partial control. (The rest are unchanged.)
Moreover, nearly two-thirds of Europeans (63 per cent) either have not heard of GDPR or do not know exactly what it is. Concerns about the regulation have led more than 1,000 US news sites to block users coming from Europe.
Instead of taking a victory lap, EU policymakers should make targeted reforms to GDPR. They should help the bloc to adapt better to the use of algorithms throughout the economy by expanding authorised uses of AI in the public interest and allowing the repurposing of data that poses minimal risk.
They should also facilitate the use of automated decision-making by allowing companies to provide basic explanations of how the process works and make fines proportional to harm. These changes would make GDPR more suitable for the algorithmic economy without undermining the original goals of the regulation.
In addition, reforms could help support companies that are trying to comply with the regulation. The European Commission vowed to do so, but the UK and French data protection authorities have admitted they are overwhelmed by a flood of companies reporting themselves for violations.
The EU should ensure national authorities have sufficient resources to offer better guidance and address the growing number of breaches. Furthermore, Brussels should improve co-ordination to avoid diverging national interpretations that add to the legal uncertainty.
We need a GDPR reality check. Ignoring the regulation’s shortcomings will hold Europe back as it struggles to remain competitive in the digital economy. As EU policymakers start their new term, they should make the necessary reforms and ensure its second anniversary is more successful than its first.
The writer is a senior policy analyst for the Center for Data Innovation
