Nick Dedeke is an associate professor at Northeastern University, Boston. His research interests include digital transformation strategies, ethics and privacy. His research has been published in IEEE Management Review, IEEE Spectrum, and the Journal of Business Ethics. He holds a PhD in industrial engineering from the University of Kaiserslautern-Landau, Germany. The opinions expressed in this piece do not necessarily reflect the views of Ars Technica.
In a previous article, I discussed some of the shortcomings in Europe's flagship data privacy policy, the General Data Protection Regulation (GDPR). Building on that criticism, I would now like to go further and propose specifications for the development of a robust privacy protection regime in the US.
Writers must overcome several hurdles to have a chance of convincing readers of potential flaws in the GDPR. First, some readers are skeptical of any piece criticizing the GDPR, as they believe the law is still too young to evaluate. Second, some are suspicious of any piece criticizing the GDPR, suspecting that the authors may be covert supporters of Big Tech's anti-GDPR agenda. (I can assure readers that I have not, and have never worked, to support any agenda of Big Tech companies.)
In this piece I will highlight the cost of ignoring the GDPR. I will then present several conceptual shortcomings of the GDPR that have been recognized by one of the law's leading architects. Next, I will propose certain features and design requirements that countries such as the United States should consider when developing a privacy protection law. Finally, I'll give you some reasons why everyone should be concerned about this project.
The high price of ignoring the GDPR
People sometimes assume that GDPR is mainly a “bureaucratic headache,” but this perspective is no longer valid. Consider the following actions by GDPR administrators in different countries.
- In May 2023, Irish authorities fined Meta $1.3 billion for unlawfully transferring personal data from the European Union to the US.
- On July 16, 2021, Luxembourg's National Data Protection Commission (CNDP) imposed a 746 million euro ($888 million) fine on Amazon Inc. The fine was imposed following a complaint by 10,000 people against Amazon in May 2018, orchestrated by a French privacy rights group.
- On September 5, 2022, the Irish Data Protection Commission (DPC) imposed a GDPR fine of €405 million on Meta Ireland as punishment for breaching the GDPR provision relating to the lawfulness of children's data (see other fines here).
In other words, the GDPR is not merely a bureaucratic issue; it can lead to high, unexpected fines. The idea that the GDPR can be ignored is a fatal mistake.
9 Conceptual Shortcomings of the GDPR: Perspective from the GDPR's Chief Architect
Axel Voss is one of the main architects of the GDPR. He is a Member of the European Parliament and author of the 2011 initiative report entitled “Comprehensive approach to personal data protection in the EU” when he was European Parliament rapporteur. His call to action resulted in the development of GDPR legislation. After considering the GDPR's unfulfilled promises, Voss wrote a position paper highlighting the law's weaknesses. I want to mention nine of the shortcomings that Voss described.
First, while the GDPR was excellent in theory and pointed a way to improving data protection standards, it is an overly bureaucratic law that was largely created using a top-down approach by EU bureaucrats.
Secondly, the law is based on the premise that data protection should be a fundamental right of EU citizens. Therefore, the provisions are absolute and one-sided or only aimed at protecting the “fundamental rights and freedoms” of natural persons. By implementing this change, the GDPR architects have transferred the relationship between the state and the citizen and applied it to the relationship between citizens and companies and the relationship between companies and their peers. This construction is one of the reasons why the obligations imposed on controllers and processors are rigid.
Thirdly, the GDPR law aims to empower data subjects by giving them rights and enshrining these rights in law. In concrete terms, the law enshrines nine rights of data subjects in the law. These are: the right to be informed, the right of access, the right to rectification, the right to be forgotten/or erased, the right to data portability, the right to restrict processing, the right to object to the processing of personal data, the right to object to automated processing and the right to withdraw consent. As with any list, there is always the concern that certain permissions may be missing. If crucial rights are left out of the GDPR, it would hinder the law's effectiveness in protecting privacy and data protection. In particular, the protected rights of data subjects in the case of the GDPR are not exhaustive.
Fourth, the GDPR is based on a prohibition and restriction approach to data protection. For example, the principle of purpose limitation rules out accidental discoveries in science. This ignores the reality that current technologies, for example machine learning and artificial intelligence applications, function differently. Therefore, these old views on data protection, such as data minimization and storage limitation, are no longer workable.
Fifth, the GDPR states in principle that any processing of personal data limits the data subject's right to data protection. It therefore requires that each of these processes needs justification under law. The GDPR considers any processing of personal data as a potential risk and in principle prohibits its processing. It only allows processing if a legal basis is met. Such an approach against processing and sharing may not make sense in a data-driven economy.
Sixth, the law does not distinguish between low-risk and high-risk applications, imposing the same obligations for each type of data processing application, with some exceptions requiring the consultation of the data processing administrator for high-risk applications.
Seventh, the GDPR also excludes exemptions for low-risk processing scenarios or when SMEs, startups, non-commercial entities or private individuals are the data controllers. Furthermore, there are no exceptions or provisions that protect the rights of the controller and of third parties for such scenarios where the controller has a legitimate interest in protecting corporate and trade secrets, fulfilling confidentiality obligations, or economic interest in avoiding enormous and disproportionate efforts to comply with GDPR obligations.
Eighth, the GDPR lacks a mechanism for small and medium-sized businesses and startups to shift the burden of compliance to third parties, who then store and process data.
Ninth, the GPR relies heavily on government-based bureaucratic oversight and management of GDPR compliance. This means that an extensive bureaucratic system is needed to manage the compliance regime.
There are other issues with the enforcement of the GDPR (see pieces by Matt Burgess and Anda Bologa) and its negative impact on the EU digital economy and on Irish tech companies. This piece will only focus on the nine shortcomings described above. These nine shortcomings are some of the reasons why US authorities should not simply copy the GDPR.
The good news is that many of these shortcomings can be solved.