Research Notes

The European Union wants to win on global privacy standards with the GDPR, just as it did with the global mobile standard GSM. Get the free report “Understanding the GDPR and Its Unintended Consequences” from Strand Consult.

At one time, Europe was the center of the mobile industry, with the leading manufacturers, operators, standards, and technologies. This leadership was secured in part with the superior technology of the Global System for Mobile Communications (GSM), a second-generation digital cellular standard developed by the European Telecommunications Standards Institute (ETSI) and promulgated by 13 European countries in 1987. The agreement created the framework for Europe’s response to the mobile technology race at the time between the Americans, Japanese and Europeans.

Global leadership is rarely long or guaranteed. While the EU had preeminence in mobile, it failed to create the companies that powered the Internet and is already behind the curve on 5G. Now the EU hopes to recapture its former glory–not by making anything new or innovative–but by wielding the most draconian data protection regulation the world has ever seen. In so doing, it projects geopolitical leadership, empowers European regulatory institutions, and forces the nations and companies of the world to bend to its wishes. The General Data Protection Regulation (GDPR) claims to regulate data processing for “mankind”, but make no mistake, the goal is to carve out one global domain in which the EU is not the loser. For a region that claims to want to be a competitive destination for innovative technologies and exit the lingering financial crisis, the GDPR is not what the doctor ordered.

The GDPR applies to any entity processing data of a European resident, regardless of where it is located. This applies to corporations (Google, AT&T, Alibaba), non-profits (UNICEF, Doctors Without Borders), and even individuals and households if they are engaged in data processing for commercial purposes. The regulation still applies even if the entity has no presence in the EU. EU government entities are exempt, as is data processing conducted for national security purposes.

The GDPR has 47 specific provisions including consent, data portability, right to erasure, right to object to profiling, breach notification, data protection assessments, and data protection officers. Penalties for non-compliance and/or violation can be up to 4% of turnover or €20 million, whichever is greater.

New free GDPR report from Strand Consult
Strand Consult has expanded its library of strategic research and information to privacy and data protection. Its new report “Understanding the GDPR and Its Unintended Consequences” is available for free. Like Strand Consult’s other reports, it investigates the topic from the operators’ perspective and explains how it will impact the industry in the short, medium, and long term. The report also examines the assumptions and underpinnings of the GDPR. The GDPR is not based on an objective, scientific, evidenced, or even “best practice” standard, but rather a “satisficing” of many stakeholders’ preferences. No regulatory impact assessment or cost-benefit analysis is publicly available.

Get Strand Consult’s new and free report “Understanding the GDPR and Its Unintended Consequences”. This report covers:

1. An explanation of the GDPR and its provisions
2. Compliance costs of GDPR
3. The expansive data protection bureaucracy of the GDPR
4. Problems and deficiencies with the GDPR
5. Institutionalization of class action lawsuits by the GDPR
6. Regulatory scenarios for US tech companies under GDPR
7. How to make privacy and data protection regulation that empowers users and innovators

This report is helpful to understand the GDPR and EU policymakers in a geopolitical context. Many will find value in this report including tech and telecom companies, law firms, journalists, academics, regulators, policymakers, and others.

The missing pieces of the GDPR
Trust is an essential element in the digital economy, the sense of confidence and reliance in the integrity, strength, and security of technologies. The EU desires to increase Europeans’ trust in online services, but it neglected the best practices recommended by its own scientific agencies in favor of advocates’ wish list. As elaborated in a report by the European Union Agency for Network and Information Security, now the EU Cybersecurity Agency, trust is a function of (1) the user’s knowledge of online privacy, (2) the technology design, (3) the practices of providers, and (4) the institutions governing the system.

To improve trust, policymakers should focus on the first two drivers above all, raising the level of education and awareness about privacy and promoting trust-building technologies. But the GDPR says very little about these two drivers and instead focuses almost entirely on the latter two: regulatory compliance and punishment of providers. This amounts to the buildup of a vast bureaucratic edifice on the premise of protecting personal data.

The new regime will surely enrich government coffers (and activist organizations empowered to bring class action lawsuits) by preying on companies, but it will do little to stimulate the European research community to develop much needed technologies such as data protection solutions in access control, authentication, intrusion detection/prevention, antivirus, firewalls, communication anonymizers, limited disclosure technologies, virtual identities, anonymizing credentials, and data access management.

Moreover, the GDPR does little to empower users through greater knowledge and learned behaviors. Naturally, if users took more steps to protect themselves, they would need less of the vast bureaucracy the EU wants to create. In the eyes of the EU, users are helpless wards of the state, beholden to its protection.

The front page of the EU’s GDPR website warns ominously that, starting May 25, 2018, “Organizations in non-compliance may face heavy fines,” suggesting that the EU will soon start collecting on unwitting firms. The heavy fines will ostensibly help fund the EU’s new privacy bureaucracy. Notably, the GDPR establishes a Data Protection Authority in each member state, a new European Data Protection Board, and the increased responsibility of the European Data Protection Supervisor including its supervision of 62 existing privacy regulatory authorities. These agencies are charged to receive and investigate complaints. Data processors need to submit Data Protection Assessments to these regulators, hire data protection officers, and make technology upgrades, which are estimated to cost €1 million for large enterprises.

The GDPR institutionalizes the class action lawsuit business model, similar to how patent trolls abuse the intellectual property rights regime. Privacy activists incorporated in non-profit organizations are empowered to sue companies and collect fines on behalf of their constituents. This represents an important revenue generation opportunity for activist groups, which are not only compensated by their funders (notably corporations, foundations, and other special interests) but can also collect winnings from lawsuits.

Countries considering data protection and privacy regulation should not make the EU’s mistakes, but instead empower users with education, transparency, and choice. Innovators need safe harbors to test privacy-enhancing technologies, and the EU has none. The GDPR is notable because it is market-based rather than industry-based, meaning that it applies to all firms equally. This removes the problem of regulatory arbitrage, in which some companies use policies to regulate their competitors. In the US, for example, Silicon Valley platforms want tougher obligations on mobile operators to deter them from entering the advertising business. Moreover, as a federal solution, the GDPR avoids the problem of each member state making its own rules, creating a patchwork that deters the rollout of pan-European products and services.

Strand Consult helps you navigate an increasingly complex regulatory environment
For more than 20 years, Strand Consult has held strategic workshops for boards of directors and other leaders in the telecom industry. With our new workshop, “Next gen telecom policy and regulation – Workshop for leaders in the telecommunications industry”, we have consolidated our knowledge on global regulatory trends and the experience of operators worldwide and packaged it into a workshop for professionals with responsibility for policy, public affairs, regulation, communications, strategy and related roles.

It is common knowledge that the tech and telecom world is heavily regulated and closely monitored by politicians and governments. Nevertheless, companies can improve their business case with better management of the policy process as well as improved coordination with stakeholders inside and outside the enterprise. Policy leaders can also benefit by learning the state-of-the-art academic policy research as well as the experience of operators in other countries. Strand Consult’s “Next gen telecom policy and regulation: Workshop for leaders in the telecommunications industry” equips your team with the knowledge and know-how to manage regulatory and policy threats and opportunities.

Contact us to get your free copy of the report “Understanding the GDPR and Its Unintended Consequences”. Strand Consult wants to share its knowledge with you. Many actors assume that all regulation is beneficial and fail to examine the GDPR critically.
