Too much regulation – or too little? GDPR – the EU’s mammoth data protection regulation
– eventually went live on May 25 after a two year transition period. There are some who celebrate the GDPR, not unfoundedly, as a milestone and global role model for user rights. Fostering individual rights to access, rectify, transfer and request the deletion of personal data, the regulation essentially gives back data ownership to more than 500 million “data subjects” within the EU rather than leaving it in the hand of the “data controllers”, i.e. the companies that store and process users’ data.
However, the regulation also attracts criticism from both industry representatives and privacy rights advocates. Former often describe the regulation as too complex, restrictive and creating substantial legal uncertainty for companies. The latter claim that vague formulations and exceptions in the framework as well as a still relatively high level of discretion provided to national regulators (e.g. when it comes to fines) would weaken the enforceability of the regulation.
Business and national regulators lagging behind. The implementation of the regulation on the industry side is still lagging behind. According to a survey conducted by Bitkom, the German digital association, shortly before the May 25 deadline only ¼ of German companies said that they will be fully compliant with the regulation in time. Even among national regulators in charge of enforcing the regulation, 8 out of the 28 EU member states missed the May deadline.
More competition – or less? GDPR is foremost about the protection of personal data in the EU. But it also aims to ensure the free flow of personal data within the union and prevent legal and regulatory arbitrage. Its broader impact is far from clear, though. GDPR applies to all companies that process personal data within the EU, no matter where they and their servers are located or process data. But for European companies the single market is usually of much bigger importance than for their foreign peers. Aspects of the regulation that could hamper their business model – e.g. user consent requirements as well as the provision to use personal data only for the purpose that they were originally collected for and to minimize data collection in general – could therefore hit them much harder.
Old versus new, big versus small. Large established companies might find it easier to comply with the regulation than small or medium-sized competitors. At the same time, costs of compliance, legal risks and restrictions on data processing could hamper innovation in Europe’s tech industry. While large US tech players invested substantially in order to comply with GDPR, several small US companies and tech startups already withdrew from the EU market at the end of May against the risk of clashing with the regulation and the impact on their profitability. For European startups with a focus on the single market, this option is not available. As a consequence, GDPR could end up rather strengthening the position of incumbent tech giants than fostering competition.
In addition, users might more readily give consent to data processing through incumbent providers and platforms that they are familiar with or which they might find indispensable (e.g. such as leading social and business networks) rather than to new unfamiliar competitors. In fact, early reports show that shortly after the GDPR came into effect, Google managed to increase its share in online advertising as its appears to receive user consent to targeted ads at much higher rates than its peers.
On the other hand, big techs might also be more exposed to the GDPR’s reinforced sanction regime that foresees substantial fines of up to EUR 20 million or 4% of a company’s previous year’s global revenues (whichever is higher) for non-compliance. This has been illustrated by several lawsuits filed against large US tech companies that have been initiated by privacy rights activists immediately after the GDPR took effect.
Right to data portability could break “data silos” – in principle. The GDPR’s right to data portability – if properly implemented – could help break “data silos” and lower barriers to market entry for emerging platform companies and AI startups. However, in practice, direct transmission of personal data from one provider to another upon request of the data subject might still face many obstacles. For example, GDPR asks companies to provide data in a common machine-readable format but does not prescribe a certain standard. Also, direct transmission of data to third parties is only required “if technically feasible”, a vague term that leaves room open for interpretation and weakens the rights enforceability.
Undermining the EU’s AI strategy?
The development of AI systems based on machine learning heavily relies on access to vast datasets in order to train and improve their algorithms. This gives countries like China with over 700 million (mobile) internet users and (so far) rather lax privacy laws a huge competitive edge. In Europe, restrictions under the GDPR could put the European AI industry into a disadvantageous position compared to international peers. In particular a right to transparency in automated decisions (e.g. regarding online loan-applications) gives AI developers a headache as for machine learning techniques based on deep neural networks, the decisions behind the algorithm are a black box – even to the developers – and are evolving over time. As e.g. the Center for Data Innovation argues, the regulation’s requirements to make algorithmic decisions explainable could therefore reduce the scope and accuracy of compliant algorithms. This could undermine the EU’s declared ambition to catch up with the US and China in the emerging global race for AI dominance and to the opposite, rather cause the continent to fall further behind (see also Digital economics: How AI and robotics are changing our work and our lives
However, there are also ways to mitigate risks to Europe’s AI industry. For example, GDPR only applies to personal data, i.e. data that allow to identify the individuals behind. Automated (AI-based) anonymisation and pseudonymisation of datasets could here help to allow for AI-related research and algorithmic development without breaching privacy rights protected by the regulation. Increasing efforts in developing more interpretable AI, such as the “Explainable AI” program initiated by DARPA, the US Defense Research Agency, and the LIME (Local Interpretable Model-Agnostic Explanations) framework could also show ways to address the black box problem and concerns regarding the GDPR’s right to explanation. AI could also help companies to comply with the GDPR’s requirements, e.g. by handling user requests and managing databases, thus rather supporting than suppressing innovation.
New business model – data protection “made in Europe”. Also GDPR-imposed restrictions on the processing of personal data are not necessarily only a bad thing from a business perspective. As users might become increasingly privacy aware, European companies with a business model focused on trust and data protection could gain a competitive edge with products and services “made in Europe”. Following the principles of “data protection by design and by default” and gaining respective certification they could contribute to setting industry standards and adjust users’ expectations.
Balance between privacy rights and ability to innovate. Keeping pace with current rapid technological change is a formidable challenge for regulators, not only in Europe. Recent data scandals such as the one surrounding Facebook and Cambridge Analytica have illustrated the far-reaching socialpolitical (and economic) implications and rapidly growing importance of data protection and privacy rights. Despite its complexities and difficulties regarding its implementation, the GDPR can be seen as a major step to strengthen individual ownership of personal data. If the EU lives up to its ambition to set global legal and ethical standards for data protection and AI development, this regulatory environment could give European tech startups a competitive advantage. For innovation in the field of automated decision-making to diffuse further, legal certainty and algorithmic accountability are of the essence. In this context, GDPR should be seen as an opportunity for European AI researchers and companies to become the frontrunners of explainable AI.
Given the GDPR’s often vague formulations it might ultimately be in the hands of national courts to which side the scale will tilt. That there will be lots of lawsuits is probably the one thing we can be certain about at this infant stage. However, if risks to Europe’s tech industry and AI strategy materialize in a significant way and aspects of GDPR weaken competition and competitiveness, lawmakers should not hesitate to make necessary adjustments – where possible, without prejudice to the legitimate protection of user rights.
 See e.g. Digital Europe (2017)
and EDRi (2016)
 Bitkom (2018): 3 von 4 Unternehmen verfehlen die Frist der Datenschutz-Grundverordnung.
 EUobserver (2018): Eight countries to miss EU data protection deadline.
 Financial Times (2018): US small businesses drop EU customers over new data rule.
 Wall Street Journal (2018): Google emerges as early winner from Europe’s new data privacy law.
 Euractiv (2018): Silicon Valley giants hit with first complaints on day one of GDPR
 An advisory body of EU national data protection authorities recommends industry stakeholders and trade associations to collaborate in order to develop a set of “interoperable standards and formats” to fulfill the GDPR’s requirements of the right for data portability (Article 29 Data Protection Working Party, 2017
 Center for Data Innovation (2018): The Impact of the EU’s New Data Protection Regulation on AI.
 EU member states signed a declaration on AI cooperation
this year and the European Commission outlined an EU AI strategy
that foresees substantially increased AI investment over the next decade.
 DARPA (2017): Explainable Artificial Intelligence (XAI).
 Ribiero, M. T. et al. (2016): "Why Should I Trust You?” Explaining the Predictions of Any Classifier.
 See also ZDNet (2018): GDPR's silver lining: Data-driven AI and innovation in the enterprise.