The EU Privacy Law is Not Working, But Why?

May 30, 2019

by Larry Clinton

In 2016 the European Union enacted arguably the most stringent privacy law in the western world. Following a two-year transition, the law went into full effect last May. Although advocates had suggested that the stringent penalties in the General Data Protection Regulation (GDPR) would deter individual privacy invasions and reduce market domination by large providers, the empirical results one year later show that none of this seems to be happening.

Notwithstanding the threat of massive fines (up to 4% of worldwide annual turnover) designed to scare enterprises into doing more to protect individual privacy, EU regulators have been inundated with privacy complaints at a rate of nearly 10,000 a month.

Moreover, the smaller providers who supposedly would benefit from the more privacy-sensitive environment have been especially hard hit by the large compliance costs, leading investors to increasingly doubt their ability to compete and making the regulation decidedly anti-competitive. Even the regulators appear to be confused about their role and mission, with only one significant enforcement action to date – and even that one is under appeal.

Other jurisdictions, initially inspired by the GDPR model (and the flattering press it received), may now want to reassess before following an approach that is proving to be costly, burdensome, anti-competitive, and ineffective.

As they contemplate how best to protect individual privacy in the digital age, they would do well to ask: Why is GDPR failing? There are no doubt many reasons why GDPR is floundering, but the biggest is probably this: GDPR betrays a fundamental misunderstanding of the cybersecurity issue.

At its core, the cybersecurity issue — and the largest threat to personal data — is not uncaring corporations. The prime tension is not between bad companies and good governments. Cybersecurity is not like Enron or Volkswagen. Criminals and nation-states are stealing individual data, corporate intellectual property, and national secrets – including vital military and defense secrets.

In the cybersecurity space, consumers, corporations, and governments are actually all on the same side. Our approach ought to be less punitive and more collaborative. In reality, and especially in relation to the size and nature of the threats, government is doing very little to work in partnership with industry on cybersecurity.

Our focus ought to be far less on pointing fingers and figuring out how to blame organizations that are the victims of attack, with vague and pious assertions that they "didn't do enough," and far more on collectively addressing the real problems with data security in the digital age.

Surely there are corporations guilty of digital misfeasance or malfeasance, and those entities ought to be dealt with. But uncaring companies are not our main problem in cyberspace. Our main problem is that we — all of us — have an inherently vulnerable system housing incredibly valuable data.

In the digital age, all the incentives favor the attackers. Attack tools are comparatively cheap to acquire and easy to operate, attacks are immensely profitable, and the business model is extremely efficient. On the defense side, we are defending an open system whose attack surface grows all the time (IoT, mobile devices, etc.), the attackers almost always have the first-mover advantage, and we get almost no help from law enforcement. We successfully prosecute maybe 1% of cyber criminals. Governments have provided neither the legal structure nor adequate resources to take even a nibble out of cybercrime.

Trying to devise a 20th-century regulatory system to manage as dynamic a 21st-century issue as cybersecurity is — as the GDPR regulators are finding — a Sisyphean task. Indeed, GDPR is possibly the paradigmatic example of a 20th-century solution to a 21st-century problem. Rather than government and industry pointing fingers at each other, we need to come together in a 21st-century version of the Social Contract — a cybersecurity social contract — redefining the essence of the government-industry relationship to alter the incentive models and begin to aggressively address the cybersecurity issue.