Europe’s sweeping new privacy rules are fueling an explosion in complaints by individuals, reports of data breaches by companies, and greater awareness among Europeans about data protection.
But six months after coming online, research suggests the General Data Protection Regulation (GDPR) has also dampened investment in startups on the EU tech scene. Big companies like Google and Facebook are more dominant than ever in their markets, and no Silicon Valley giant has yet felt the sting of eye-watering financial penalties linked to the rules as regulators struggle to keep up with an increased workload.
These are some early lessons from the EU’s half-year experience with an unprecedented new privacy regime that U.S. lawmakers are considering whether to adopt, albeit in very different terms, according to conversations with senior EU officials, data protection watchdogs, privacy professionals, investors, entrepreneurs, lawyers and private citizens in several European countries.
Key findings include:
— More than 57,000 complaints have been lodged with national data protection watchdogs around the bloc over potential data misuse and more than 27,000 organizations have reported data breaches under the rules’ 72-hour time limits. National watchdogs are conducting dozens of investigations, including into the biggest U.S.-based tech firms.
— Google, Amazon and Facebook have increased their market share in online advertising while smaller players, struggling to keep up with compliance costs, have seen their slice of the pie shrink dramatically, according to statistics from industry watchers. Privacy-minded startups, however, say they are seeing an uptick in investor interest.
— While overall investment into the European tech ecosystem is likely to beat the $19.1 billion raised last year, according to Dealroom, a data provider, the amount of money the average EU startup pocketed per week was down $3.4 million on average in almost all EU countries, an aggregate 40-percent decline compared to before the rules came into force, according to academic research.
The broad effect of the rules on smaller players is that investors are often looking outside the 28-member bloc to place bets on fledgling companies, according to Liad Wagman, an associate professor of economics at the Illinois Institute of Technology in Chicago, who co-authored a study on the impact of GDPR.
“The costs are potentially significant, they’ll likely impact investment and jobs,” said Wagman. “The lesson from GDPR is that whatever regulation you adopt, don’t make it overly burdensome for the youngest companies.”
Follow the money
So far, Google, Amazon and Facebook are the short-term winners from GDPR, despite the drag on their cost structure.
In the build-up to the May 25 deadline, large multinationals earmarked approximately €6.8 billion, collectively, to comply, as well as hired thousands of lawyers and coders to ensure they don’t fall afoul of the revamped legislation. By contrast, many smaller firms are still struggling to meet the requirements because of the rules’ complexity, according to several privacy experts.
This mismatch is reshaping the world of online advertising.
In an industry heavily reliant on collecting data from internet users, the market share of Google, which was already the largest player, has increased as publishers became increasingly reliant on the search giant’s GDPR-compliant services, according to research from Cliqz, a German startup that provides online privacy tools.
Conversely, smaller online advertising firms which lack the resources to keep up with compliance costs have seen a roughly 30 percent drop in their market share over the last six months, based on Cliqz’s figures.
Even those who designed the law describe it as a mixed bag.
“GDPR is not the one of my dreams, it’s not perfect legislation,” said Giovanni Buttarelli, the European Data Protection Supervisor. “But it’s the best we could have hoped for.”
Much will now depend on whether Europe’s cash-strapped and under-resourced privacy regulators follow through on threats to levy large fines against some of the most aggressive practices.
“They think GDPR is a revolution, but it’s an evolution” — Vĕra Jourová
These include not just companies’ failure to protect sensitive information during data breaches such as one that affected 50 million Facebook users, or their collection of online information without people’s expressed permission, as illustrated by a report on how Google allegedly tracks location — but also potentially a broader remit to police targeting techniques and how data is shared inside companies.
Currently, the region’s watchdogs are sifting through tens of thousands of complaints, many of which are targeted at high-profile technology and financial services companies.
With the rest of the world, including the United States, mulling their own rules based on Europe’s standards, the ability of the region to exert its sway over the digital realm has yet to be fully tested.
“Where we see a problem with GDPR implementation is with member states where people’s privacy concerns were already underestimated,” Vĕra Jourová, the EU’s justice commissioner, told reporters at a tech conference in Lisbon earlier this month. “They think GDPR is a revolution, but it’s an evolution.”
Europeans wake up to privacy
Sarah McGovern remembers when she first heard about Europe’s new privacy standards.
The 33-year-old British elementary school teacher started receiving reams of emails in early 2018 asking her to opt in to newsletters and corporate updates, often from companies she barely remembered.
While she quickly became frustrated by the nonstop requests, McGovern’s interest peaked after reports that Facebook had inappropriately shared data on 87 million of its users, including almost 3 million in Europe, with Cambridge Analytica, the British data firm. Both companies deny any wrongdoing.
“It really made me think twice about what I was doing online,” she said recently on a cold London morning. “I don’t really understand what GDPR is. But if it gives me more control, I’m all for it.”
Privacy — once a subject relegated to the backwaters of policy debates — has become water-cooler fodder following the Facebook-Cambridge Analytica scandal. After high-profile mishandling of data by Google, Facebook and other U.S. tech giants, many like McGovern now question the earlier premise that people are willing to sacrifice privacy for a nifty free app.
“I don’t think this regulation is really geared to change the experience for consumers” — Omer Tene
“More and more people are aware of the importance to protect data — it’s no longer a crowd of CEOs, nerds, hackers, and paranoid people,” said Eric Leandri, CEO of French search company Qwant.
Two-thirds of Europeans, for instance, are now concerned their data will be used to target them with political messages online, according to EU figures, and many are choosing to cut ties with companies that repeatedly ask them to opt into data-collection programs. National regulators, too, have spent millions of euros, collectively, on marketing campaigns to educate people about the new privacy standards and how they can exercise their rights.
“GDPR in general has helped awareness,” said Gabriel Weinberg, chief executive of DuckDuckGo, a privacy-friendly search engine that has seen an increase in investor interest in its rival service to that of Google since Europe’s new rules came into force.
Yet even this renewed interest in privacy has its limits. In a survey for U.K. magazine Marketing Week, roughly two-thirds of people said their experience with brands has not changed since Europe’s new data protection rules began, while almost half of respondents said they do not have a better understanding of how their information is used by companies.
According to an IFOP survey commissioned by France’s data protection authority in November, 66 percent of French citizens are now more sensitive to the protection of their personal data. However, nearly half do not fully grasp what the GDPR has actually changed concerning their rights and what it means for companies.
“I don’t think this regulation is really geared to change the experience for consumers,” said Omer Tene, vice president at the International Association of Privacy Professionals, an industry group.