Economist John Maynard Keynes once suggested, tongue only just in his cheek, that if governments want to create jobs, they could fill bottles with cash and bury them, so companies would hire workers to dig them up.
The EU’s incoming General Data Protection Regulation (GDPR), its attempt to strengthen and unify data protection laws, looks like Keynesianism’s evil twin: while Keynes’s idea would benefit the unemployed with paying jobs and companies with bottled government cash, the GDPR looks set to create pointless work, destroy productive jobs, stifle innovation, and cost everybody money.
Brexit will do nothing to spare the UK economy from this, because digital minister Matthew Hancock has already said the government intends to amend UK data protection law to mirror the GDPR. This is one rule that both the EU and Britain really should ditch.
A report by the International Association of Privacy Professionals (IAPP), a trade association representing privacy specialists, estimates that businesses around the world will have to appoint at least 75,000 data protection officers to help them comply with the many complex requirements of the GDPR. Filling these positions will be costly and difficult, and it will divert money away from investments that would create more productive jobs and benefit customers through lower prices and better product features – including privacy-enhancing ones.
The EU should amend the GDPR to reduce its complexity and prevent member states from obstructing the development of the Digital Single Market with additional, even more complex privacy regulations that go well beyond the GDPR.
Some may wonder what sort of Dickensian miser would complain about the creation of 75,000 jobs. The problem with the GDPR is that it will eliminate at least as many potential jobs as it creates, and those lost jobs would have contributed to better products and services, whereas data protection officers will be even less useful than workers digging up old bottles.
Data protection officers’ primary role is not, as some might think, to protect customers’ privacy. That comes through better design, where the market is already well ahead of regulators. Data protection officers help shield their employers from regulators, whether those regulators act in the public interest or not.
Besides being unproductive, data protection officers will also be difficult to hire, as experts in European privacy law are scarce in most non-European countries, where many companies that would be subject to the GDPR are based. This will exacerbate costs that, one way or another, will be passed on to European consumers through higher prices, more advertising, less innovation, and restricted choice.
Firms will have to offer generous salaries to persuade qualified people to come and work for them. Some major firms – especially in the US – already have considerable in-house privacy expertise among their staff, but even these people will require additional training, and will become harder and more expensive to retain as demand for European privacy specialists grows.
Moreover, full compliance with the GDPR will require expertise that almost no one has, inside or outside the EU. Article 39 of the GDPR stresses that in addition to understanding EU privacy regulations, data protection officers must monitor compliance with each member state’s own privacy laws as well. That means understanding the unique and often obscure regulations of 28 countries with 24 official languages, and being aware of the vast differences in how member states apply Union rules. Realistically speaking, firms cannot hope to find such encyclopedic knowledge in any one job candidate, meaning they will have to hire multiple experts and shell out on legal consulting fees to cover all the bases.
At first blush, it might appear these costs will mostly fall on non-European companies: the fact that most of these jobs will be outside the EU highlights just how far behind Europe already is in data innovation, as there are fewer European firms processing enough personal data for them to have to appoint data protection officers in the first place.
But the truth is American tech giants are already better equipped than most to fill these positions, so the GDPR will actually tip the competitive balance further in their favour. Smaller foreign firms are likely to shun Europe and focus their comparatively limited resources on more accessible markets, while European startups will find it costlier to get off the ground in the first place. These problems come alongside many other costs and limitations imposed by the GDPR, which will limit European attempts to benefit from data innovation.
One could argue that the passage of European legislation is always slow and messy, that the GDPR’s passage was slower and messier than usual, and that nobody in Brussels has much appetite to amend it lest they have to re-live the last four years of tedious negotiation, lobbying, and horse-trading. This is all true, but until the EU amends the GDPR to reduce its complexity, Europe will be marching into the data economy with a self-inflicted limp.
Member states can at least lessen the damage a little by exercising discretion and restraint in how they transpose and implement the GDPR, but the only effective solution is legislative change at the Union level. The fact that this is unlikely to happen anytime soon just highlights the danger of over-regulating a new and rapidly changing field that policy-makers do not yet understand. They should learn not to be so overzealous.