The General Data Protection Regulation (GDPR) was finally introduced the 25th of May this year and in general it was a welcomed move - also by data centric companies like Unacast. But are there secondary delayed negative effects to GDPR? Perhaps.
This description of GDPR is helpful and accurate: “GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU”.
In layman terms, it means that end users now get better insight into their data and its usage data, as well as across-the-board access to control measures like opt-outs, right to be forgotten, and data portability. It’s hard to argue that this isn’t for the greater good. On the surface at least. I'll get back to what could lie lurking beneath the surface later in the piece.
Although we have yet to see how the EU will react to and sanction against GDPR violations, it is already clear that the industry is forming better data relationships between end users and themselves, where there might be slightly less data available but that data will be of much higher quality (and by quality I mean improved richness and accuracy). A win-win from a Unacast perspective.
All good then, right? Well, the potential problem is that the EU is not the whole wide world. Far from it. I argue that GDPR has the potential to put European companies behind their global competitors when it comes to innovation.
In the EU, GDPR was generally greeted as a welcomed move, by consumers and most data-centric companies. It is already clear that the GDPR will have a deep and profound effect, as less serious players will vacate Europe or simply close up shop altogether, while the remaining, as mentioned, will position themselves as "friendly" and transparent data companies.
Things are different in the rest of the world. Aside from certain state-specific legislation, there are few signs that the US will migrate to a nation-wide system similar to GDPR, especially with Trump as president. Region-wise in Asia, this is even more unlikely, and some data-driven products and services are pushing far into the personal realm.
While some companies will introduce GDPR compliance functions outside the EU, it is unlikely that the majority of companies collecting or processing consumer data will add potential cost-increasing and revenue-decreasing measures if they are not needed to.
The immediate conclusion would be that European consumers are therefore better off than their brothers and sisters around the globe. I’d argue that things are not really that clear cut.
The secondary effect of this newly created imbalance in global privacy regulations is that data-centric companies will have different growth possibilities and growth rates around the globe. Without taking into account that, for example, an individual Chinese company may or may not follow “good” privacy principles, it can be argued that, in total, Chinese data-driven companies will be able to launch, test and iterate products faster than European companies. Yes, Europe will be ahead of any other region in terms of innovation within privacy itself, but the applications and value of that will be limited compared to a general increased rate of innovation.
This effect is multiplied with the advancements offered by AI and machine learning, which require vast amounts of data to improve their algorithms and decision making accuracy. Put very simply, access to 10 times the data might mean 100 times the value creation.
So, while most agree that GDPR is a good thing, and that end consumers should be protected, GDPR could create bigger privacy problems down the line than the EU set out to fix, due to the fact that it is not a global standard. Therein is the paradox.
Vital services such as finance, government, and health all rely on the use and protection of data. As technology advances, these services adopt and adapt in order to stay up to date. With GDPR, future advancements designed for these services is more likely to come from non-GDPR countries. This is simply because companies in other parts of the world will have the ability to build vast and complex platforms quicker than European companies can under GDPR rule.
Time will tell if this prediction holds through, but it could be that by 2050, our health data is cared for by a Chinese company. The EU would have little insight into the company, and little recourse to protect against data leakage. In the end, the legislation that set out to protect EU consumers will have ended up putting them more at risk.
Any company operating in Europe in 2050 will still have to comply with GDPR legislation of course, but issues can arise when countries intermix state-driven and private-driven strategies. Chinese companies have a complicated relationship with the Chinese government, making it hard to determine how much influence the government has over private businesses. If Chinese companies end up working with EU data, then that EU data (and the citizens behind the data) suddenly could have an indirect exposure to the Chinese government.
The best remedy to this is global privacy legislation to create a level innovation playing field. But this is not a realistic goal. The second best remedy is for the EU to invest capital into European data-driven companies so that future finance, government, and health platforms are safe and in line with the ambitions GDPR set out to deliver on.
Companies based in countries with fewer regulations, such as China, will be able to grow quicker through their increased access to data, resulting in strong products. Without access to data, European companies will grow at a slower rate, resulting in weaker products. Even though technology products built outside the continent will have to comply with GDPR within Europe, the slower rate of innovation will make EU companies less competitive internationally and likely force them to cede the domestic marketplace to international competitors.
But lack of data isn’t a problem if companies have the same ability to survive over time. By making strategic investments in data-driven companies early on, the EU can help accelerate the rate at which a company develops a cutting-edge product, simultaneously spurring growth while maintaining GDPR compliance. The EU already has such a mechanism in place in Horizon 2020, an investment vehicle that is strategically involved in several companies. By adding an investment vertical focused on companies that build products on top of consumer data, this creates a vehicle to support growth across several verticals while complying with GDPR.
With this financial backbone in place, EU companies can, in theory, innovate at the same rate as companies in China and around the world - with less data. The end result is a model that continues to protect European end-users and also protects an EU economy that needs to embrace innovation to grow.
Let's call this GDPR setup with regulation and financing for GDPR 2.0.