The European Union’s consumer data privacy regulation just turned one. As Congress and 14 legislatures across the United States consider how to regulate consumer privacy, there are valuable lessons to be learned about what works and what does not as we look back at Europe’s first year under the General Data Protection Regulation (GDPR).
Certain aspects of GDPR are worth replicating, such as empowering the consumer, the enactment timeline, and one uniform standard for privacy, but we have also seen the shortcomings and consequences of the regulation, especially for innovation and small businesses. First, let’s look at what works.
GDPR enhances the portability of consumers’ personal data while enabling them to correct and delete their data. These measures empower consumers and are worthy of broad support. However, in pursuing this goal, federal and state policymakers should take great care to avoid unintended consequences. For example, the California privacy law passed in 2018 was written and approved so hastily that many potential scenarios were not addressed and could allow an employee who was fired for sexual harassment, fraud, or theft to request that a company delete the records with evidence of their misconduct. To their credit, California lawmakers are actively working to correct these types of errors before the law takes effect in 2020, but the goal should be to avoid them in the first place.
Another lesson learned from GDPR is that patience can be a virtue. The two-year window between GDPR’s final approval and the regulation taking effect gave EU member states time to confirm that GDPR was workable in their own countries. By contrast, California's privacy law can still be amended until mid-October of this year. The law also sets the timeline for the Attorney General's rulemaking: enforcement begins six months after final regulations are issued or in July 2020, whichever comes first, meaning businesses could have as little as one month between seeing the final rules and facing enforcement. U.S. lawmakers should consider a path similar to the EU’s when drafting and implementing their own privacy regulations. Having more, not less, time is critical for businesses to understand a new regulation and prepare to comply with it.
We must also be clear-eyed about what is not working with GDPR. One recent report shows that GDPR has already had a chilling effect on innovation related to artificial intelligence (AI). The report says GDPR “inhibits the development and use of AI in Europe,” which puts companies in the EU “at a competitive disadvantage against their global competitors.” The race is on to lead the world on AI, and we should be careful not to stifle American innovators who are hard at work in this area and other emerging technologies.
GDPR’s impact on Europe’s startup economy offers more cautionary tales. Academic research estimates that since the regulation took effect, venture investment in European startups has dropped 40 percent. U.S. policymakers charged with drafting privacy legislation should ensure that the complexity of privacy requirements in any law does not effectively become a barrier to entry for new or potential innovators.
While many policymakers craft privacy legislation with some of the biggest companies in the world in mind, the reality is that startups and small businesses have limited resources to comply with complex regulations. New businesses in the U.S. already spend an average of $83,000 navigating regulations in their first year of operation, but that pales in comparison to the $3 million the average firm of 500 employees must spend to ensure it is compliant with GDPR. A federal privacy law should set baseline requirements, but also provide flexibility for smaller companies and startups with resource constraints.
In 2015, the 414,000 startup firms here in the U.S. created 2.5 million jobs, and in 2018 there were nearly 60 million small business employees. These businesses are truly the backbone of the American economy, and we should not enact legislation that would stifle their growth and ability to create jobs. That is why a key goal in guiding the U.S. data economy going forward should be one clear privacy law.
In adopting GDPR, the EU established one continent-wide standard that recognizes cross-border data flows are a critical part of the modern economy and should be seamless across national boundaries. Similarly, a federal privacy law in the U.S. that promotes digital commerce across state boundaries is essential. The goal for Congress this year should be to pass legislation that ensures consumers’ privacy and security are protected while enabling businesses to continue providing consumers with the online experience they expect.
Individual state laws could result in a fragmented internet that provides different experiences for consumers depending on where they live. A consumer in California should know they will have the same online experience and options as a consumer across the country in Pennsylvania. One national standard also makes sense for businesses. A patchwork of state and local laws would create a complex and incoherent regulatory environment that is bad for economic growth and innovation.
A privacy law can protect consumers’ privacy and allow businesses of all sizes to continue to innovate. The U.S. should use what works and heed the lessons learned from GDPR. Doing so will be good for both consumers and businesses.