The Great Experiment

On May 25th, only 30 days away, the European Union will launch the greatest privacy experiment in history. On that date, the General Data Protection Regulation (GDPR) goes into effect. It will immediately impact the more than 508 million people who populate the EU and multi-millions more throughout the world who collect personally identifiable information about EU citizens. Despite the hopes and claims for these highly complex proposals, no one knows the true impacts of these stringent regulations.

The stakes riding on this experiment could not be higher. My blog post last week noted that the digital revolution already has generated the fastest growth in media (Internet and mobile) ever recorded. It created the first truly 24/7 international competitive marketplace with low-cost ease of entry and worldwide reach. It funded and promoted access to the largest amount of information to everyone via the Internet or a mobile device regardless of income level. Finally, it has been and continues to be an enormous economic driver with U.S. companies clearly taking the lead in launching and propelling this digital explosive growth.

Now we will find out if the GDPR proposals sustain this momentum or seriously retard it. We need to take a deep breath and acknowledge a key GDPR reality: nobody knows, even at this late date, the effects of the many GDPR key requirements, or how they will be implemented and enforced since EU regulators are still formulating many of these fundamental policies.

Here are just a few of the numerous key questions still to be answered:  

•     Will GDPR opt-in requirements help the Internet to run smoothly, or will they lead to a bombardment of opt-in requests that will “overload the system” and seriously annoy and frustrate consumers?
•     Will regulators be overwhelmed by the challenges of defining, enforcing and digesting the vast amount of information companies must provide them on a constant basis to comply with GDPR requirements; and how will they meet these demands?
•     Will the GDPR’s complex legal and regulatory obligations lock in already well-positioned incumbent market leaders and become steep barriers to entry for new, innovative (albeit smaller) online participants?
•     How will the GDPR’s requirements impact the Privacy Shield agreements that presently allow for ease of transfer of international data, and will these agreements be sustainable?
•     Will the GDPR’s regulations be enforced in a fair and even-handed manner or be differentially used to target non-EU companies primarily?
•     Finally, how will these policies impact economic growth, innovation and employment in the EU and beyond?

For the U.S. and other non-EU countries presently considering next steps in regard to developing enhanced privacy regimes, the GDPR experiment provides us a rare and vital opportunity. If we are prudent, in the very near future the GDPR will yield vastly more information about how highly proscriptive comprehensive opt-in and rapid data breach notice regimes operate in the real world. We will move from prognosticating or merely guessing to having substantial data to analyze. There is no reason to step on unseen privacy landmines, when the EU is about to provide a far clearer map of the actual real world contours of the privacy landscape. With this information in hand we can all hold a far more meaningful and productive discussion and debate as to the best steps forward to provide consumers the needed privacy protection they deserve, while preserving the economic benefits of a competitive and efficient marketplace which also strongly benefits us all.