Illustration: Jayachandran/Mint

Learning from Europe on data privacy

The European Union's General Data Protection Regulation (EU GDPR) provides a template for countries like India, but a flawed one

Brussels’ eurocrats are not in the business of effecting global change. This changed last week. The European Union’s (EU’s) General Data Protection Regulation (GDPR) has been looming on the horizon for two years. When it came into force on Friday, it became the most comprehensive data privacy regime going. The consequences go beyond companies that have been scrambling to become GDPR-compliant. The regulation provides a template for other countries—such as India, which is working on its own data protection law. That makes it particularly important to recognize the flaws in that template.

First, the good. GDPR, or something like it, was inevitable. The tension between privacy concerns and the data-fuelled digital economy has been growing for a while now. Governments letting markets resolve the tension is the stuff of libertarian utopias. Given this, the GDPR’s rights framework that affirms individuals’ ownership of their personal data is a good base to build on. In theory, the GDPR’s requirement that personal data be portable—transferable from one service to another—could allow upstart services to challenge incumbents, increasing competition, and, thus, user benefits. It could also eventually enable users to monetize their personal data.

The transparency mandated by GDPR is likewise welcome. Companies being upfront about their privacy policies and about how they store and use data means informed consumers—always good. Transparency has economic and security benefits as well. Take fund companies, which manage staggering amounts of money and customer data. Unsurprisingly, they have been opaque about cyber hacks—a cottage industry worth some $600 billion annually. That opacity serves companies trying to maintain reputation and investor trust well. By the same token, it does investors a disservice. And it allows companies to skate by with poor cyber risk management, as the US Securities and Exchange Commission found last year. By mandating disclosure of all breaches of personal data, GDPR pulls back the curtain.

But these potential benefits come at a cost. Part of it is literal. According to the International Association of Privacy Professionals and EY, Global 500 members will spend a combined $7.8 billion on GDPR compliance. The cavilling here from various quarters is largely theatre. A one-time hit of $16 million or thereabouts each will barely make a dent in the companies’ balance sheets. Smaller enterprises are a different matter. They don’t have similar logistical capabilities or reserves to burn. As the Financial Times notes, US companies, ranging from tech start-ups to advertising technology businesses, are already pulling out of the EU, unwilling to take on the burden of complying with a lengthy, complicated regulation—or, alternatively, pay hefty fines for running afoul of it. This gives larger companies an edge over scrappy contenders. The GDPR giveth when it comes to competition, but it also taketh away.

Part of the cost is to do with innovation. Michele Finck of Oxford University has pointed out in Blockchains And Data Protection In The European Union that blockchain data relating to a person that has been encrypted or hashed still qualifies as personal data under EU law. That makes it subject to the rights to access, amend or delete such data guaranteed by the GDPR. The very nature of blockchains makes this difficult to implement. Artificial Intelligence (AI) environments similarly present technical challenges. Machine learning is based on consuming vast amounts of data. In an increasing number of industries—such as health—that data is personal. How exactly users’ rights to manipulate their data will work in such contexts is a head-scratcher. Perhaps the challenge will prompt further innovation in areas that are already bleeding edge. But it could also throw up barriers that retard innovation in the EU and deprive EU citizens of services and benefits.

And then there is the question of implementation. Users’ rights regarding their data held by companies existed under EU law even before the GDPR. Exercising those rights was not easy. GDPR—far more comprehensive and complicated than preceding regulations—will be orders of magnitude more difficult to enforce. Without regulatory will and resources, it will remain so much hot air.

The extent to which the GDPR’s take on privacy and consent is applicable in other countries is also an open question. Take the “right to be forgotten”. It is tricky to begin with, butting up against free speech issues. It becomes more so in a country like India, where the scope for political misuse is greater. Likewise, consent has a different dimension in an Indian context. A quick look at the new terms of service that have been flooding inboxes and popping up in apps over the past few days shows that they are scarcely less confusing than the pre-GDPR versions. Given India’s development and literacy challenges, they are unlikely to bring about greater accountability.

Other countries would do well to watch how the EU responds—or fails to respond—to the challenges the GDPR faces. The Union is as much a canary in the mine as it is the flag-bearer for data privacy. They would also do well to remember an important fact: Regulation can do only so much. In the end, users must vote with their clicks. And so far, users have shown that if it comes down to a choice between retaining data privacy and accessing free services, they will choose the latter.

Should India’s data privacy law be as stringent as the GDPR? Tell us at