In March 2018, the European Union passed the General Data Protection Regulation (GDPR) that expanded data protection rights to the bloc's 446 million people, including the right to be forgotten. Since its passage, there have been increasingly vocal calls for the U.S. government to adopt its own GDPR-styled data protection standard.
While GDPR has provided essential data protections for Europeans, it has also imposed substantial compliance costs on American companies seeking to do business in the bloc and forced many companies to cease their European operations. The result has been increased prices for European and American consumers and reduced access to new products and services for Europeans. The consequences of GDPR should present a clear warning to lawmakers in D.C. and state capitols around the country about the dangers of imposing onerous data protection requirements.
In its 261 pages, GDPR outlined several data protection measures that must be enacted by companies wishing to do business in the EU. The measures outlined in GDPR range from requiring the use of two-factor authentication to requiring specific consent to use data and requiring certain companies to employ a data protection officer. GDPR also provides residents of the bloc certain rights, such as the right to erasure, the right to data portability, and the right to access information companies have stored on them.
Failure to comply with GDPR can result in substantial fines for companies, even if they are not based in the bloc. For example, in July 2021, Amazon was fined €746 million, “the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined.” However, as Wired reported, “little is really known about the details of what Amazon has been fined for.” In addition, in 2019, Google was fined $56 million for failing to provide sufficient information to consumers about the company’s use of personalized adverts.
Arguably the biggest flaw with GDPR is the compliance costs it has imposed on American companies that want to conduct business in the EU. Studies have found that American companies are spending an estimated $1.3 million on complying with GDPR, with many expecting to spend an additional $1.8 million on compliance in the future. Having to make these investments to comply with GDPR means that companies cannot invest in new products or hire new staff members, while little or no benefit is extended to American consumers.
Following GDPR, the State of California enacted the California Consumer Privacy Act (CCPA) that contained many of GDPR’s provisions. Even before the bill became law, state authorities fully understood the high compliance costs it would impose on businesses. In the impact assessment of the CCPA, the California Department of Justice and attorney general’s office outlined that small firms who employ fewer than twenty people “will incur $50,000 in initial costs,” while medium-sized firms employing between 20 and 100 people can expect to “incur an initial cost of $100,000.”
The state acknowledged the bill’s provisions would be particularly harmful to smaller businesses given “smaller firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises” as they have fewer capital resources than larger companies.
The onerous provisions of GDPR have also forced many American companies to abandon or reduce services in Europe, deeming compliance more expensive. Instapaper, a social media bookmarking service, was forced to temporarily suspend service because of GDPR, ultimately returning with a premium subscription option to ensure compliance. Uber Entertainment announced in 2018 that it was shutting down several of its multiplayer games because complying with GDPR would simply have been too expensive.
European consumers were denied access to popular services in both instances because parent companies could not comply with GDPR's provisions. The warning could not be more explicit for lawmakers across the country: onerous data protection regulations could force companies to deny consumers the ability to access their goods and services.
When GDPR became EU law in 2018, it was widely known that the consequences of the new rules would be felt across the globe. Yet, lawmakers in Europe proceeded, knowing it would impose substantial compliance costs on European and non-European businesses and force some companies out. In both instances, consumers lost out.
GDPR should provide lawmakers in Washington and in state capitols across the country with clear evidence of the dangers of crafting overly burdensome data protection rules and failing to balance the needs of consumers and businesses.
Rather than simply following Europe’s blueprint, Congress should chart its own path in the realm of data privacy.