An American Perspective: The Three Worst Things About the EU GDPR

EU businesses have resigned themselves to the fact that they will have to start complying with the long-awaited EU General Data Protection Regulation and are preparing themselves for 2018. How is the GDPR perceived from the outside looking in? Kitty Kolding, CEO and president, Infocore Inc. writes exclusively for ExchangeWire, to give her valuable insight into what American businesses think about the GDPR and how it will have an impact beyond the EU borders.

With the GDPR ready for implementation in mid-2018, data collectors, processors, brokers, and buyers are grappling with what this truly onerous legislation will mean to their businesses – and if they aren’t, they should be. The law is completely finalised, and there is no going back. There are no grace periods, no grandfathering, and no appeals to be made.

As an American company that assists US-based marketers to source data from more than 4,500 data collectors in over 90 countries – including every EU market – we’ve necessarily taken a very hard look at the more than 200 pages of the GDPR. We are nothing short of alarmed at what we see.

Let’s stipulate for a moment that sane business people agree that consumers’ privacy rights are critical, and that advertisers and their many partners absolutely must play by clear, fair, and specific rules regarding how they use this data. With that fundamental belief in place, we believe that this legislation will, ultimately, undermine the sanctity of consumers’ data privacy and security, not enhance it. We also believe it will hobble marketing and advertising worldwide, especially if the tenets included in this legislation start to spread to other markets, which is already starting to happen. Here are our top concerns:

The 'Right to Be Forgotten' provisions will in fact mandate precisely the opposite 

Under the GDPR, EU citizens must be given the easy ability to withdraw their consent, often called 'the right to be forgotten'. If consent is withdrawn, those data subjects have the right to have their personal data erased and no longer used for processing by the data collector, nor by any other entity who has ever used or purchased or rented that data legitimately in the past.

But, in order to do this, every company that has anything to do with the rental or sale of legitimately collected and fully opted-in data from EU data subjects will henceforth be required to retain extensive details on that same consumer data. In a single transaction, this might include seven or eight separate companies – e.g. the advertiser, its agency, two, or sometimes more, intermediaries, the data collector and a data processor. What the GDPR requires is that every one of those companies must retain every detail on every consumer in every transaction, so that, should the consumer decide to withdraw consent, that consumer can be provably deleted from every place it ever existed – including hard drives, on premise servers, backup datasets, cloud servers, and the like. Up until now, best practice typically mandated the total erasure of consumer data from all these parties’ storage when it was not in active use, to ensure that the data could not possibly fall into unintended (read: hackers’) hands.

But now? Now, we have increased the likelihood by at least 10x that this data will be hacked somehow, because companies cannot delete data that is no longer permitted to be used. Everyone involved must retain all records so that, three years after consent was given, a consumer can withdraw consent and the data handler can prove that the record was deleted. And, as we all know, everyone’s data storage is subject to hacking under the right conditions.

The long arm of the A29WP, soon to be known as the European Data Protection Board

Kitty Kolding | InfocoreThe brand new enforcement body for the GDPR, currently called the 'Article 29 Working Party', has a shocking amount of completely unfettered authority over companies everywhere in the world. All EU nations are automatically and wholly subject to the GDPR and its enforcement authority with no exceptions or option to modify by individual EU countries. Additionally, every company everywhere that handles data on EU citizens is also automatically subject to this group’s absolute power – though it’s anybody’s guess how the EU believes they can enforce such a broad mandate outside its own borders.

The A29WP also has the exclusive and unchallengeable right to search and seize records in question – from any company anywhere – and conduct their own independent, sovereign investigations, functioning as the only adjudicating body as to the outcome of the investigation. They are truly judge, jury, and executioner, with no oversight and no appeals. And, when they and they alone decide they have found infractions, they are able to levy two levels of harsh penalties:

– For operational infractions, such as insufficient or wrong contract clauses, the penalty is 2% of annual worldwide revenues, or €10m, whatever is greater.

– For infringement of privacy rights, noncompliance with an order from the supervisory authority, or other more serious violations, the penalty is 4% of annual worldwide revenues, or €20m, whatever is greater.

The data storage, consent tracking, and evidentiary requirements of the GDPR law are so extensive that very few, if any, companies will be able to confidently consider themselves as compliant. And that means that companies all over our increasingly interconnected world are truly at risk anytime the A29WP decides they’d like to have a go at them. It also means that the number of illegal data collectors and sellers will skyrocket – and that is nothing but bad for consumers.

The law helps the companies the EU most wants to hurt

It seems obvious to many that the EU fashioned this legislation to punish, or at least attempt to limit, the activities of the companies that the EU loves to hate: Facebook, Google, Uber, and the like. Ironically, it is these huge, technically sophisticated companies that will overcome the GDPR hurdles without missing a beat. They’ll simply divert a platoon from their army of lawyers and engineers to build all the needed compliance elements called for in this lugubrious legislation. And while they sail past the difficulties, virtually every other company that does business with EU citizens will suffer direct, immediate and, in many cases, life-threatening harm to their businesses. First these companies – most of them EU-based businesses – will spend years trying to properly architect solutions for all the requirements, causing them to ignore other critical parts of their businesses. And, finally, they’ll be hobbled trying to afford building and managing those same solutions.

Some industry experts in the UK predict a 50% loss of revenue for audience data collectors, brokers, ad platforms, and related services such as data cleansing and processing. There is no question that truly compliant, marketable audiences will become scarcer by the minute – we’re already seeing this across Europe and the law isn’t in force for two more years. And, like any free market, the more the supply dwindles, the higher the price will go for the supply that is considered compliant. Targeted, relevant marketing will become more difficult, less specific and will reach fewer consumers for a much higher price. All but the largest businesses and services will exit the market, while the remaining behemoths dominate the market and raise prices. The idea that this will hurt those big guys that the EU loves to hate is a fallacy. It will only help them by demolishing everyone not big and profitable enough to withstand these requirements while small and mid-sized companies are destroyed.

While we’ve only outlined these three areas, don’t let that fool you into thinking these are the only problems – quite the contrary. This legislation will hurt the global economy and EU businesses – owned by those same consumers the law says it wants to protect – for many years to come.