Europe’s privacy rules hurt small firms, not tech giants

The European Commission is largely hap-py with the first year of its sweeping digital privacy rules. Evidence moun-ts, however, that the General Data Protection Directive, or GDPR, as applied today hur-ts smaller firms and has no effect on tech giants, which are the least interested in preserving user privacy.
The directive went into effect in May 2018, demanding companies provide privacy by design and by def- ault on all digital platforms and websites. It laid down rules for collecting and processing private data, including cases in which consent is necessary for their harvesting. This week, the commission put out an optimistic progress report, describing GDPR’s first year as “overall positive” and suggesting a number of mild improvements in applying it.
The report said, among other things, that the national privacy watchdogs tasked with enforcing the GDPR had “focussed on dialogue rather than sanctions, in particular for the smallest operators which do not process personal data as a core activity.” This explains why there are few examples of anyone being fined for noncompliance, though, according to the directive, sanctions can be quite severe — up to 4 percent of global annual sales.
The fines that actually have been imposed range from 5,000 euros ($5,558) on a sports-betting cafe in Austria for illegal video surveillance to 50 million euros on Google in France for the opaque process of signing in for a Google account, all but necessary to use an Android smartphone. In between, there are some penalties of hundreds of thousands of euros, such as 220,000 for a Polish data broker that failed to inform people that their data was being processed. Altogether, authorities in the entire European Economic Area (which includes the EU member-states plus Norway, Iceland and Liechtenstein) have imposed just 56 million euros worth of fines.
But 50 million euros is not even a mosquito bite for Google, and other tech companies — most notably that other greedy data harvester, Facebook — haven’t been taken to task at all. This despite many well-grounded complaints filed against some of them by activists, most notably the Austrian lawyer Max Schrems’ noyb (None of Your Business) initiative, which was also behind the successful complaint against Google in France. Indeed, it was a US regulator, not a European one, that slapped a $5 billion penalty on Facebook for privacy violations this week – even though the US lacks a comprehensive regulatory framework like the GDPR.
It’s hard to quantify the exact impact of the GDPR on the internet giants, but they haven’t stopped growing in Europe.
That, however, can’t be said of many smaller digital businesses. According to a recent paperby Samuel Goldberg from Northwestern University, Garrett Johnson from Boston University and Scott Shriver from the University of Colorado, these have seen 10 percent lower European page views and revenues since the GDPR went into effect. Among e-commerce sites, revenue dropped by 8.3 percent, or $8,000 a week for the median site. The economists used data from the Adobe Analytics platform, tracking the traffic and sales of 1,500 firms from various industries, which generate a total of about $500 million in weekly revenues.
The losses likely weren’t driven by more privacy awa-reness among users: More than 90 percent of them consent to the collection and processing of their data when prompted to do so. Rather, the GDPR deterred companies from using email and display ads to drive traffic, because these methods require the use of personal data; it has also reduced the number of third-party cookies on websites, making it more difficult to track consumer behaviour.
The national data privacy authorities are ill-equipped to deal with the giants. Before the GDPR came into effect, most of them asked for 30 percent to 50 percent funding increases but none received that much; in fact, two of the national watchdogs saw their funding cut and three others didn’t receive any extra money. With their inadequate resources, they had to handle more than 200,000 GDPR cases. Big Tech’s expensive legal teams can run circles around such overstretched opposition.

—Bloomberg

Leonid Bershidsky is Bloomberg Opinion’s Europe columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru

Leave a Reply

Send this to a friend