GDPR After One Year: Costs and Unintended Consequences

Alec Stapp —  24 May 2019
Source: KC Green

GDPR is officially one year old. How have the first 12 months gone? As you can see from the mix of data and anecdotes below, it appears that compliance costs have been astronomical; individual “data rights” have led to unintended consequences; “privacy protection” seems to have undermined market competition; and there have been large unseen — but not unmeasurable! — costs in forgone startup investment. So, all-in-all, about what we expected.

GDPR cases and fines

Here is the latest data on cases and fines released by the European Data Protection Board:

  • €55,955,871 in fines
    • €50 million of which was a single fine on Google
  • 281,088 total cases
    • 144,376 complaints
    • 89,271 data breach notifications
    • 47,441 other
  • 37.0% ongoing
  • 62.9% closed
  • 0.1% appealed

Unintended consequences of new data privacy rights

GDPR can be thought of as a privacy “bill of rights.” Many of these new rights have come with unintended consequences. If your account gets hacked, the hacker can use the right of access to get all of your data. The right to be forgotten is in conflict with the public’s right to know a bad actor’s history (and many of them are using the right to memory hole their misdeeds). The right to data portability creates another attack vector for hackers to exploit. And the right to opt-out of data collection creates a free-rider problem where users who opt-in subsidize the privacy of those who opt-out.

Article 15: Right of access

  • “Amazon sent 1,700 Alexa voice recordings to the wrong user following data request” [The Verge / Nick Statt]
  • “Today I discovered an unfortunate consequence of GDPR: once someone hacks into your account, they can request-—and potentially access—all of your data. Whoever hacked into my Spotify account got all of my streaming, song, etc. history simply by requesting it.” [Jean Yang]

Article 17: Right to be forgotten

  • “Since 2016, newspapers in Belgium and Italy have removed articles from their archives under [GDPR]. Google was also ordered last year to stop listing some search results, including information from 2014 about a Dutch doctor who The Guardian reported was suspended for poor care of a patient.” [NYT / Adam Satariano]
  • “French scam artist Michael Francois Bujaldon is using the GDPR to attempt to remove traces of his United States District Court case from the internet. He has already succeeded in compelling PacerMonitor to remove his case.” [PlainSite]
  • “In the last 5 days, we’ve had requests under GDPR to delete three separate articles … all about US lawsuits concerning scams committed by Europeans. That ‘right to be forgotten’ is working out just great, huh guys?” [Mike Masnick]

Article 20: Right to data portability

  • Data portability increases the attack surface for bad actors to exploit. In a sense, the Cambridge Analytica scandal was a case of too much data portability.
  • “The problem with data portability is that it goes both ways: if you can take your data out of Facebook to other applications, you can do the same thing in the other direction. The question, then, is which entity is likely to have the greater center of gravity with regards to data: Facebook, with its social network, or practically anything else?” [Stratechery / Ben Thompson]
  • “Presumably data portability would be imposed on Facebook’s competitors and potential competitors as well.  That would mean all future competing firms would have to slot their products into a Facebook-compatible template.  Let’s say that 17 years from now someone has a virtual reality social network innovation: does it have to be “exportable” into Facebook and other competitors?  It’s hard to think of any better way to stifle innovation.” [Marginal Revolution / Tyler Cowen]

Article 21: Right to opt out of data processing

  • “[B]y restricting companies from limiting services or increasing prices for consumers who opt-out of sharing personal data, these frameworks enable free riders—individuals that opt out but still expect the same services and price—and undercut access to free content and services.” [ITIF / Alan McQuinn and Daniel Castro]

Compliance costs are astronomical

  • Prior to GDPR going into effect, “PwC surveyed 200 companies with more than 500 employees and found that 68% planned on spending between $1 and $10 million to meet the regulation’s requirements. Another 9% planned to spend more than $10 million. With over 19,000 U.S. firms of this size, total GDPR compliance costs for this group could reach $150 billion.” [Fortune / Daniel Castro and Michael McLaughlin]
  • “[T]he International Association of Privacy Professionals (IAPP) estimates 500,000 European organizations have registered data protection officers (DPOs) within the first year of the General Data Protection Regulation (GDPR). According to a recent IAPP salary survey, the average DPO’s salary in Europe is $88,000.” [IAPP]
  • As of March 20, 2019, 1,129 US news sites are still unavailable in the EU due to GDPR. [Joseph O’Connor]
  • Microsoft had 1,600 engineers working on GDPR compliance. [Microsoft]
  • During a Senate hearing, Keith Enright, Google’s chief privacy officer, estimated that the company spent “hundreds of years of human time” to comply with the new privacy rules. [Quartz / Ashley Rodriguez]
    • However, French authorities ultimately decided Google’s compliance efforts were insufficient: “France fines Google nearly $57 million for first major violation of new European privacy regime” [Washington Post / Tony Romm]
  • “About 220,000 name tags will be removed in Vienna by the end of [2018], the city’s housing authority said. Officials fear that they could otherwise be fined up to $23 million, or about $1,150 per name.” [Washington Post / Rick Noack]
    UPDATE: Wolfie Christl pointed out on Twitter that the order to remove name tags was rescinded after only 11,000 name tags were removed due to public backlash and what Housing Councilor Kathrin Gaal said were “different legal opinions on the subject.”

Tradeoff between privacy regulations and market competition

“On the big guys increasing market share? I don’t believe [the law] will have such a consequence.” Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality [WSJ / Sam Schechner and Nick Kostov]

“Mentioned GDPR to the head of a European media company. ‘Gift to Google and Facebook, enormous regulatory own-goal.'” [Benedict Evans]

Source: WSJ
  • “Hundreds of companies compete to place ads on webpages or collect data on their users, led by Google, Facebook and their subsidiaries. The European Union’s General Data Protection Regulation, which took effect in May, imposes stiff requirements on such firms and the websites who use them. After the rule took effect in May, Google’s tracking software appeared on slightly more websites, Facebook’s on 7% fewer, while the smallest companies suffered a 32% drop, according to Ghostery, which develops privacy-enhancing web technology.” [WSJ / Greg Ip]
  • Havas SA, one of the world’s largest buyers of ads, says it observed a low double-digit percentage increase in advertisers’ spending through DBM on Google’s own ad exchange on the first day the law went into effect, according to Hossein Houssaini, Havas’s global head of programmatic solutions. On the selling side, companies that help publishers sell ad inventory have seen declines in bids coming through their platforms from Google. Paris-based Smart says it has seen a roughly 50% drop. [WSJ / Nick Kostov and Sam Schechner]
  • “The consequence was that just hours after the law’s enforcement, numerous independent ad exchanges and other vendors watched their ad demand volumes drop between 20 and 40 percent. But with agencies free to still buy demand on Google’s marketplace, demand on AdX spiked. The fact that Google’s compliance strategy has ended up hurting its competitors and redirecting higher demand back to its own marketplace, where it can guarantee it has user consent, has unsettled publishers and ad tech vendors.” [Digiday / Jessica Davies]

Unseen costs of forgone investment & research

  • Startups: One study estimated that venture capital invested in EU startups fell by as much as 50 percent due to GDPR implementation: “Specifically, our findings suggest a $3.38 million decrease in the aggregate dollars raised by EU ventures per state per crude industry category per week, a 17.6% reduction in the number of weekly venture deals, and a 39.6% decrease in the amount raised in an average deal following the rollout of GDPR … We use our results to provide a back-of-the-envelope calculation of a range of job losses that may be incurred by these ventures, which we estimate to be between 3,604 to 29,819 jobs.” [NBER / Jian Jia, Ginger Zhe Jin, and Liad Wagman]
  • Mergers and acquisitions: “55% of respondents said they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR” [WSJ / Nina Trentmann]
  • Scientific research: “[B]iomedical researchers fear that the EU’s new General Data Protection Regulation (GDPR) will make it harder to share information across borders or outside their original research context.” [Politico / Sarah Wheaton]

GDPR graveyard

Small and medium-sized businesses (SMBs) have left the EU market in droves (or shut down entirely). Here is a partial list:

Blockchain & P2P Services

  • CoinTouch, peer-to-peer cryptocurrency exchange
  • FamilyTreeDNA, free and public genetic tools
    • Mitosearch
    • Ysearch
  • Monal, XMPP chat app
  • Parity, know-your-customer service for initial coin offerings (ICOs)
  • Seznam, social network for students
  • StreetLend, tool sharing platform for neighbors

Marketing

  • Drawbridge, cross-device identity service
  • Klout, social reputation service by Lithium
  • Unroll.me, inbox management app
  • Verve, mobile programmatic advertising

Video Games

Other

27 responses to GDPR After One Year: Costs and Unintended Consequences

  1. 

    As much as you say investment in startups has decreased. GDPR has opened up the privacy industry with a load of new startups helping in areas like compliance to helping them respond to data rights. It’s something we’re doing at tapmydata.com. At Tap we’ve created a new breed of CRM for businesses.

  2. 

    A bit of a shame you leave so many of the claims you’re citing completely unchallenged, though, given how cringe-worthy some of the cited misconceptions are. For example, the right to data portability hinges on what data portability means – and while it’s perfectly reasonable to expect a JSON data export, one would have some problems arguing that Facebook’s Specific DB Structure^TM qualifies.

    As a different example, it’s a shame to see journalists cowed into deleting articles, but journalism is specifically exempt from the rights of the data subject (see Article 85).

    But generally, the worst problem with GDPR has been that it’s a pretty long piece of legislation, almost no one’s actually read it (even the so-called experts), meaning scaremongering unfortunately falls on fertile ground – and the quotes you’ve put here do show that nicely. A lot of people are just not equipped to know whether a threat someone’s making, supposedly based on GDPR, is credible.

    Indeed, on that note, it’s completely nonsensical that various US sites have bothered to do anything about GDPR at all (including blocking EU countries). GDPR only affects sites that demonstrably target the EU market (e.g. have a shop with EUR price tags; or a localisation in Finnish; etc). If you just kind of accidentally end up in the EU market, purely due to being on the internet, GDPR doesn’t even *apply* to you.

    And it’s a real shame that this information isn’t more accessible. Even now, I wish there were more official supplementary material and summaries.

    By the way, by contextual association, it reads like you’re conflating general compliance efforts with GDPR-specific efforts. I don’t think you did that on purpose, so I’d really love if you could make the distinction clearer for people who might be tripped up by that.

    • 

      @Someone: “If you just kind of accidentally end up in the EU market, purely due to being on the internet, GDPR doesn’t even *apply* to you.” — ARE YOU SERIOUS???
      GDPR goes out of it’s way to say it does NOT matter where your company is located, or where your site is located, or even where the user accessing your site is located.
      IF THE USER ACCESSING YOUR SITE IS EUROPEAN then you are supposed to comply with this bureaucratic overreach of legislation.
      I Have Read the legislation, and it is very clear that the only two things that matter are 1) Is the individual a citizen of the EU? and 2) Is there PI that is being processed? If both of those are true then GDPR is intended to apply to you. Period.

      • 

        I does not really matter what GDPR says about compliance of non EU companies. Non EU companies are free to not follow GDPR even if they are servicing Europeans. EU courts has no way of enforcing it. It is the same thing as the DMCA from a european perspective. Europeans can actively ignore DMCA request, because it is an American law, for American people and businesses. The Pirate Bay did this to great effect.

  3. 

    A bit of a shame you leave so many of the claims you’re citing completely unchallenged, though, given how cringe-worthy some of the cited misconceptions are. For example, the right to data portability hinges on what data portability means – and while it’s perfectly reasonable to expect a JSON data export, one would have some problems arguing that Facebook’s Specific DB Structure^TM qualifies.

    As a different example, it’s a shame to see journalists cowed into deleting articles, but journalism is specifically exempt from the rights of the data subject: https://gdpr-info.eu/art-85-gdpr/

    But generally, the worst problem with GDPR has been that it’s a pretty long piece of legislation, almost no one’s actually read it (even the so-called experts), meaning scaremongering unfortunately falls on fertile ground – and the quotes you’ve put here do show that nicely. A lot of people are just not equipped to know whether a threat someone’s making, supposedly based on GDPR, is credible.

    Indeed, on that note, it’s completely nonsensical that various US sites have bothered to do anything about GDPR at all (including blocking EU countries). GDPR only affects sites that demonstrably target the EU market (e.g. have a shop with EUR price tags; or a localisation in Finnish; etc). If you just kind of accidentally end up in the EU market, purely due to being on the internet, GDPR doesn’t even *apply* to you.

    And it’s a real shame that this information isn’t more accessible. Even now, I wish there were more official supplementary material and summaries.

    By the way, by contextual association, it reads like you’re conflating general compliance efforts with GDPR-specific efforts. I don’t think you did that on purpose, so I’d really love if you could make the distinction clearer for people who might be tripped up by that.

  4. 

    Also, Klout was already planned to close down completely.

    Thank you for the overall roundup!

  5. 

    Regarding the Vienna case, it seems they didn’t go through with the name tags change. Obviously, GDPR doesn’t apply here
    https://mobil.derstandard.at/2000092429383/Wiener-Wohnen-stoppt-Austausch-der-Namensschilder

  6. 

    What a load of baloney. If your account is compromised your data is compromised. Don’t blame GDPR for that. And small businesses close their doors all the time, must be very nice to be able to blame a law instead of their own incompetence. Besides, GDPR is there to protect the consumer, not to help businesses. Nice try Big Ad.

    • 
      Leif Peterson 28 May 2019 at 7:41 am

      They didn’t “close their doors”, they just left the EU market.

      • 

        But not all of the cited examples did. Hitman was a game from 2012 and they just closed the servers for that game. A game of that age likely wasn’t profitably running servers anymore anyway, and then to update them wasn’t feasible. But that doesn’t mean that IO Interactive retreated from the European market at all, their later games are still there.

  7. 

    Looking forward to your index of GDPR’s industrial accomplishments, economic benefits, structural changes to business models, and human rights protected.

  8. 

    I don’t know about all the apps/services, but unroll.me has a very scummy business model*. Good riddance. Thank you GDPR.

    *They sell access to your e-mails.

  9. 

    What about the cost to hundreds of millions of people who now have to click “OK” at websites each day?

Trackbacks and Pingbacks:

  1. Episódio #204 – Resumo de Notícias – Segurança Legal - June 21, 2019

    […] da GDPR em Portugal, um ano após a lei (via Expresso, TruthonTheMarket e […]

  2. Is GDPR worth the cost? – TeckView - June 11, 2019

    […] is also a realistic, well at least serious, estimate that GDPR compliance will cost $7.8bn just for the 500 largest global firms, and $150bn for all US firms. Microsoft alone had 1,600 engineers working on […]

  3. Is GDPR price the associated fee? | Doers Nest - June 5, 2019

    […] additionally a practical, nicely at the very least severe, estimate that GDPR compliance will price $7.8bn just for the 500 largest global firms, and $150bn for all US corporations. Microsoft alone had 1,600 engineers working on […]

  4. Links of May 2019 | Concurrentialiste Review - June 3, 2019

    […] GDPR After One Year: Costs and Unintended Consequences (Alex Stapp) […]

  5. Alec Stapp on GDPR | AlltopCash.com - May 30, 2019

    […] Here is just one segment of an excellent piece: […]

  6. GDPR Compliance Costs Are Astronomical – Augmented Lawyer - May 30, 2019

    […] GDPR After One Year: Costs and Unintended Consequences (via Marginal Revolution) […]

  7. Is GDPR the End of Recruiting? - Biotech & Pharmaceutical Recruiting - May 30, 2019

    […] will arise. Complying with changing privacy regulations is stressful for companies, as well as a drain on resources, but many are embracing it as an opportunity to increase trust and […]

  8. GDPR Turns 1! 8 Reasons GDPR is a Horrible Law – Tech Law Policy Blog - May 28, 2019

    […] estimate that businesses have spent around $150 billion in compliance efforts, and that was just before GDPR went into effect. That’s not taking into […]

  9. Astăzi au loc alegeri europarlamentare în România - Cronica dimineții - Cronica.ro - May 25, 2019

    […] 7. După un an de GDPR: amenzi de $60 milioane, $150 miliarde este costul implementării pentru companiile americane, Google e mai puternic, investițiile de tip VC în startupurile europene au scăzut. (Link) […]

  10. GDPR After One Year: Costs and Unintended Consequences – Truth on the Market – Digital Garner - May 25, 2019

    […] GDPR is officially one year old. How have the first 12 months gone? As you can see from the mix of data and anecdotes below, it appears that compliance costs have been astronomical; individual data rights have led to unintended consequences; privacy protectio…Read More […]

  11. GDPR After One Year - TopFeatured.com - May 25, 2019

    […] Article URL: https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-costs-and-unintended-consequences/ […]

  12. GDPR After One Year: Costs and Unintended Consequences | My Tech Blog - May 25, 2019

    […] Source: truthonthemarket.com […]

  13. New top story on Hacker News: GDPR After One Year: Costs and Unintended Consequences – Hckr News - May 25, 2019

    […] GDPR After One Year: Costs and Unintended Consequences 2 by goerz | 0 comments on Hacker News. […]

  14. One Year Into The GDPR: Can We Declare It A Total Failure Yet? – Curtis Ryals Reports - May 24, 2019

    […] Alec Stapp has collected a ton of stories and examples of the GDPR’s negative impact. It notes much of the stuff above, but also highlights just how […]