Once upon a time, I couldn’t even spell GDPR. Now I hear about it at least once a day. My life is whacky.
I’ve spilled a lot of ink on the topics of privacy and data protection. There is no arguing that the General Data Protection Regulation deserves full credit for the change in attitude around online privacy. We used to complain about targeted advertising and worry about what the internet knew about us. We now have a much deeper understanding of where our data lives and who has access to it. We have a much greater degree of control (though still imperfect) over our digital lives. These are all good things.
On the flip side, the GDPR’s reach outside of the EU has spawned a raging debate in the US. Who should regulate privacy on this side of the pond, and how? I’ve said from the beginning that US and EU law are incompatible around the edges. At least in its first year, GDPR provided an easy starting point for policymakers in DC. California, well, let’s hope that they can find something useful inside the tangled web they’ve woven.
So, what grades does the regulation earn after one year?
“A”, for raising awareness and focusing industry and public attention
“B-”, for an extra-territorial framework that imposes EU values on others
“B”, for improving industry practices, but ignoring cost/benefit tradeoffs
“A”, for positioning the EU front and center as a voice of reason on digital
“B”, for mixing data protection and competition law into a muddled package
The US has some catching up to do on privacy regulation. The time lag has allowed the EU experiment to run for a while, which can only be useful as policymakers seek to craft US-centric rules. Our hope is that they avoid the non-privacy-related excesses of the GDPR (while adopting the good stuff), then stick to regulating on their own shores (or at least harmonizing with laws elsewhere). Above all, we hope they provide a balance of early guidance and ongoing flexibility. But the biggest single lesson from the EU is that online privacy must be uniform across jurisdictions. Anything less and we’ll either fragment the market or operate under a franken-law that takes the strictest pieces of all the regional regulatory variants.
A final thought: how will we know if we go too far on privacy? It’s clear that there are forces out there that are trying to prohibit all data sharing. Why is that a bad idea?
One of our foundational beliefs at the Developers Alliance is that the flow of data drives profound benefits for consumers and society. Data enables us to spot patterns, predict outcomes, and model the future – without the risk of real-world consequences as we learn. Data provides us insights into the behavior of large and complex systems. It helps us build better services, and helps us know what customers want and need. We must avoid rules that prohibit data sharing, or that substitute paternalistic regulators for consumer control. In the meantime, we’ll fight to maintain a balance between indiscriminate data collection and informed sharing between digital economy participants.
So, happy birthday GDPR. Here’s hoping that you’ll have an American cousin to help blow out the candles in year two.