Dents In The GDPR

September 9, 2021

The British government took an unexpected but important step recently. U.K. Culture Secretary Oliver Dowden announced plans to scrap the EU’s General Data Protection Regulation (GDPR) requirements in favor of a new data protection law that protects consumer privacy but “does so in as light touch a way as possible.”

This is an important development in its own right in light of the enormous amount of reciprocal data flow and transatlantic commerce between the U.K. and the United States. Also, it should be a critical warning signal to state and national legislators and regulators in the U.S. who are considering the GDPR approach. U.K. leaders, who have lived for a number of years under the GDPR regime, are stating that it is counterproductive for both business activity and innovation.

This U.K. initiative simply recognizes reality. The GDPR’s regulations impose tremendous costs on businesses, interfering with their ability to function efficiently. Thanks to the GDPR, company audits are up but investments are down (according to a recent study showing that venture capital investment in Europe has fallen behind that of the U.S. and elsewhere). Start-ups and small businesses are hindered by the GDPR’s excessive limitations, and companies find themselves facing possible GDPR-induced litigation. Rather than being protected better, GDPR consumers are bombarded with constant pop-up opt-in consent requests, and they are likely to notice reduced innovation in products and services resulting from businesses’ decisions to suspend or withhold spending on important upgrades. In short, the GDPR isn’t working well at all. 

The U.K. says it is going to take a different approach that, in the words of Culture Secretary Dowden, starts with a world-leading data policy to prioritize innovative and responsible uses of data and that is based on “common sense, not box-ticking.” The U.K. says its new regimen will boost growth (especially for smaller entities), speed up scientific discoveries, and improve public services. As part of this initiative, the U.K. plans to appoint a new Information Commissioner to oversee privacy enforcement in a way that reduces cookie pop-ups and online consent requests.

Here in the U.S., ANA and others have long supported data policy that prioritizes innovation and responsible uses of data and that is based on “common sense, not box-ticking.” We have pointed out that consumers become fatigued by overly burdensome and annoying privacy notifications, and we have discouraged the adoption of policies that pile excessive regulations on businesses. We have emphasized that opt-in regimes are not the way to ensure true consumer privacy and information control. 

Despite these warnings, more than a few states are busily adopting inconsistent laws and regulations that weigh down the online experience for consumers and businesses. Some Members of Congress continue to insist that such policies will protect consumers online. But the U.K.’s experience with the GDPR should inform all of us here in the United States. We can have privacy protections that really work and still allow businesses to function properly. This is why ANA and a broad group of associations and companies are strongly supporting the Privacy for America coalition’s national privacy outline and approach. This proposal would set one clear and comprehensive national privacy standard that identifies acceptable privacy practices and eliminates a patchwork of conflicting state laws and regulations. It also would enhance the ability of the Federal Trade Commission to go after violators of those standards.

As it reforms its privacy laws, the U.K. Government will need to address such issues as the intersection of its own requirements with those of countries that remain subject to the GDPR, to avoid data transfer problems. Further, the recent invalidation of the EU-U.S. Privacy Shield by the EU’s Court of Justice is another issue to be resolved. But the U.K. Government’s decision to go in a different direction from the GDPR shows that it is possible to have good privacy protections without unnecessary constraints. U.S. policymakers would do well to take note.