Fear and loathing in data protection

All eyes in the tech community in Europe and beyond are fixed on 25th May 2018 when the EU’s General Data Protection Agreement (GDPR) finally enters into force. But many are misunderstanding what is driving the agenda here - focusing on the apparent loathing of big tech in Brussels when, in truth, the European Commission is driven more by fear of failure.

The stakes are high for the Commission. The GDPR provides validation of the EU’s ability to act as a global standard setter, a role which has been threatened by the rise of competing economic powers, most notably China. This was demonstrated in the Commission’s communication published yesterday which immodestly declared the regulation as “a source of inspiration” globally. Just as importantly for the Commission’s self-confidence, the GDPR represents a potentially popular policy offer to European citizens, something the Commission has lacked since its abolition of mobile roaming charges.

[tableau]

However, the coming implementation is also prompting anxiety in the Berlaymont over whether businesses and public authorities will be ready in time. It is one thing to give big tech a warning shot, quite another to cause a compliance crisis in the European business community. 

The vast scope of the GDPR means that countless companies covering a range of different sizes and sectors will need to comply. The Commission’s problem is that it lacks the policy and implementation levers to help these businesses, which explains the communication it published yesterday. The Commission called on national governments and data protection authorities to get their act together in preparing for the GDPR and raised concerns over whether enforcement structures, e.g. the new European Data Protection Board, will be fully operational by the end of May. 

One group which may take comfort from this structural disorganisation is large software companies. As I heard in a roundtable with companies in Washington D.C. last week, there is anxiety that large American firms could be targeted for enforcement action, building on years on attritional relations with data protection authorities and the European Parliament. Indeed, it is no coincidence that this week Facebook’s Sheryl Sandberg chose to announce the company’s new privacy centre in Brussels as firms look to pre-empt the GDPR’s implementation and subsequent enforcement action.

For those with sleepless nights in Silicon Valley, the Commission’s public doubts over the preparedness of EU authorities should serve as a reminder that the enforcement risk is only as great as the capacity of regulators to prosecute their powers. Their greatest fears – fines up to 4% of annual turnover – are unlikely to be realised in the short term, at least since such enforcement cases could expose data protection authorities to significant legal risk and costs, something that will not be pursued lightly. With all the furore over the large fines for Apple, Google, Qualcomm and Amazon, it is easy to forget that the EU’s data enforcers are still some way off the confidence, resources and legal expertise of big tech’s nemesis, Commissioner Vestager and DG Competition.

How the GDPR’s implementation plays out has a greater significance than the specific issue of privacy enforcement. The Commission’s anxieties are rooted in the knowledge that the success or otherwise of the implementation will shape and potentially limit the ambition for the EU’s future digital reform agendas. As the Commission struggles to generate momentum in the rest of its Digital Single Market agenda, failure on the GDPR is not an option.