The General Data Protection Regulation (GDPR), once hailed as one of the European Union’s greatest regulatory achievements seems to be among the laws targeted for reform in order to improve the competitiveness of the European economy. This move is part of a broader trend towards deregulation, following the publication of the Draghi report and amid increasing concerns about Europe lagging behind in the AI race. Based on media reports, it seems that the reform will focus on easing the reporting obligations of SMEs but there are fears that once the discussion on GDPR simplification opens it will be hard to keep it in check in the face of intense lobbying.
Regardless of the direction that the reform will eventually take, much of the discussion takes place on false premises and assumptions. First, innovation and competitiveness are often presented almost as end goals, or at least as something that needs to be traded off with privacy and data protection. However, the levels of innovation and competitiveness have little meaning by themselves. We could for example also increase these metrics by allowing unfettered environmental degradation or worsening working conditions but after some point the improvements in competitiveness and innovations would not be worth the sacrifices. Moreover, competitiveness and innovation only have instrumental value. To the degree that they do not achieve their end goals they are not worth pursuing.
It is telling that even under normative frameworks that are conducive to markets and which accept trading off human rights against economic gains, these arguments do not fare particularly well. A recent paper published by the Nobel in economics laureate Daron Acemoglu and others shows that the accumulation of data and their unfettered processing is inefficient, even under neoclassical economic standards. In fact, that paper argues that it would be more efficient to abolish data markets than to maintain the status quo. It is thus worth wondering how the proponents of deregulation could justify decreasing privacy for the benefit of innovation if it is not justifiable even under these generous criteria.
The second false assumption is that deregulation directly correlates with improved innovation or growth. The relationship between regulation and economic activity is complex and regulation can both facilitate and hinder it in many different respects. The use of technology platforms for example depends on users’ trust in them and a reduction in trust can hurt economic activity. Nor does competitiveness and innovation depend purely on the regulatory regime concerning data. Unless policymakers carefully consider these nuances, their efforts are likely to be unsuccessful or even backfire.
Finally, the dichotomy between regulation and de-regulation as a binary is false. The GDPR needs decreased regulation in some areas and increased regulation in others. The GDPR has a very wide scope that captures any automatic processing of data regardless of context. This has led to many absurd results. Following the decision of the Court of Justice of the EU (CJEU) in Google Spain there was a serious danger that a strict application of the law would outlaw search engines in Europe, which the Court avoided by —contra legem— creating a regime that reflects the characteristics of data controllers. In Fashion ID, the CJEU accorded the status of a (joint) data controller to a website owner that embedded a Facebook like button in its webpage. Under current law this website ower is jointly responsible for anything that happens in the processing and it is obliged to obtain the consent of visitors to its site while knowing nothing about how Facebook processes the data. These are only some of the numerous examples of excessive regulation.
At the same time, technology companies are using techniques such as Privacy Enhancing Technologies that can be harmful to people and society while evading the scope of data protection law because the data are conbsidered anonymous. Despite the efforts of regulators to stretch the law’s concepts to cover these practices, many of them seem to succeed in bypassing the law. At the same time the fast and loose application of these concepts increasingly runs the risk of making them incoherent or, even worse, meaningless. The same applies to other foundational concepts of the GDPR such as ‘sensitive data’ and ‘data subject’. Following the recent case-law of the CJEU, non-sensitive data that can enable the inference of sensitive data are also considered sensitive data. Yet, data analysis can make such inferences from any data rendering the distinction meaningless. Data analysis can also uncover information about other people from one person’s data. Under a strict interpretation of the law, these other people would also be data subjects vis-à-vis the same data. However, both the substance and the procedures of the GDPR cannot accommodate multiple data subjects.
To conclude, the GDPR is far from perfect. It is often ineffective and it regulates a very wide range of activities, often excessively, while failing to capture dangerous activities that can often be the cause of serious harm. Yet, these problems are far too complex and nuanced to be resolved by merely reducing regulation, especially in the narrow way that the Commission seems to consider. What is, in fact, needed is a foundational rethinking of data protection law that shifts the focus to the real problems that data processing entails while avoiding imposing excessive burdens on individuals and data controllers that do not engage in risky activities. Such a reform would not only avoid these excessive burdens, but it would also have the potential to curtail the dangerous activities that currently fly under the radars. This, perhaps surprisingly, is desirable both from a human right and an economic efficiency perspective. Academic research is making important headway in that direction; it is time that policymakers face the true dimensions of the problem instead of seeking easy solutions that are unlikely to work.
Manolis Bougiakiotis, LL.M. Oxford
