Early computer programmers created the Y2K bug by failing to consider if computers would know the date 00 meant the year 2000. Fixing this simple oversight cost an estimated $500 billion worldwide with little to no added value to the global economy. But at least it was a one-time only cost.
Today, the world is counting down to another massive and ongoing techno-spend with no added value: the European Union’s General Data Protection Regulation (GDPR).
The GDPR is a set of regulations imposed by the European Union on all organizations processing European personal data. Companies face several requirements under the legislation, which goes into effect May 25, including explaining to their customers how their algorithms make decisions, alerting data protection authorities of breaches within 72 hours, and deleting an individual’s data upon request. While privacy advocates are swooning over the new rules, the reality is that the new regulations will harm not only the organizations that must comply with them, but consumers—the very people the GDPR is intended to help.
The regulation places significant burdens on organizations. To comply with the GDPR’s requirements, organizations have to buy and modify technology, create new data handling policies, and hire additional employees. For Fortune Global 500 companies, the biggest firms worldwide by revenue, the costs of compliance will amount to $7.8 billion. In the U.S., PwC surveyed 200 companies with more than 500 employees and found that 68% planned on spending between $1 and $10 million to meet the regulation’s requirements. Another 9% planned to spend more than $10 million. With over 19,000 U.S. firms of this size, total GDPR compliance costs for this group could reach $150 billion. And this does not include smaller firms and nonprofit organizations, most of which, if they have European customers, will have their own compliance costs.
Compliance is not an easy or one-time cost. For example, the task of deleting individuals’ data upon request is one of the most difficult obligations to fulfill for organizations. Firms will also face significant fines for noncompliance as soon as the rules go into effect. The fines can be as much as €20 million or 4% of a company’s worldwide annual revenue, whichever is larger.
This means that the EU could fine a company like Amazon over $7 billion. Smaller companies that do not comply may be at a more significant risk, because €20 million can be substantially more than 4% of their global revenue. Given that a Gartner study found that more than 50% of organizations affected by the GDPR will not be compliant with all of its requirements by the of end 2018, fines could be hefty.
Privacy rules can have a significant impact on the digital economy. When the European Union implemented data protection rules in 2003 restricting how advertisers collect and use consumer information, the effectiveness of online ads dropped by 65%. The GDPR will likely have a similar effect. After the GDPR goes into effect, 82% of Europeans plan to view, limit, or erase data collected about them. As more people delete their data and do not allow it to be collected, advertisements will become less effective and revenues from online advertising will fall.
Many organizations will pass these costs on to consumers either by erecting paywalls or forcing users to view more ads. Others may choose to operate with less revenue, which means they will have less money to invest in innovation and service quality improvement will stagnate.
But even though firms face massive expenses, the indirect costs of the GDPR will likely be even larger, as organizations in Europe shy away from using data-driven innovation to cut costs or improve quality. Why would organizations take the risks of using the limited data that is available if they can be fined 4% of revenue? It is better to play it safe and dumb.
Some firms will simply eliminate services. In a sign of things to come, one online gaming company announced it would shut down one of its multiplayer video games rather than take on the cost of making it GDPR-compliant. Another decided to simply block all European gamers. Bigger companies that can spend more on compliance are also being cautious. Facebook, for example, has turned off facial recognition by default in the EU to avoid running afoul of privacy rules. Google has notified users of its popular website traffic monitoring service, Google Analytics, that they must adjust their data retention settings.
Services directly linked with personal data are most at risk. For example, Lithium Technologies, which acquired Klout a few years ago for $200 million, announced it was shutting down its service on May 25. Another company, Parity Technologies, announced that it would shut down its growing identify verification service, used by blockchain services to comply with anti-money laundering laws that apply to initial coin offerings.
Other European companies will reduce the data they collect, thereby limiting their ability to use data to train sophisticated algorithmic models. The result will be less accurate algorithms and less use of automation by European companies, reducing EU productivity growth and putting these firms at a competitive disadvantage.
Y2K and the GDPR are both manmade mistakes. But whereas most people did not discover the Y2K problem until it was too late to avoid, EU policymakers have known about these coming costs for years. And unlike the Y2K bug, which could only be fixed with massive recoding of computer systems, the GDPR problem could be fixed relatively easily by updating legislation. Unfortunately, EU policymakers show no signs of acknowledging their mistake.
Daniel Castro is the vice president of the Information Technology and Innovation Foundation (ITIF). Michael McLaughlin is a research assistant at ITIF.