In preparation for Stratfor's upcoming 2018 Third-Quarter Forecast, we are releasing a series of supporting analyses, focusing on critical topics, regions and sectors. These assessments have been designed specifically to contextualize and augment the upcoming quarterly global forecast.
Data privacy and protection regulations have become increasingly critical elements of corporate strategy, especially as more sectors integrate artificial intelligence (AI). Just before the start of the third quarter of 2018, the European Union will begin enforcing sweeping modifications to its personal data privacy protections, giving the first indications regarding the enforcement of the policy across the Continent and how companies and member states will approach implementation.
The Details of the GDPR
In an effort to allay the privacy concerns of EU citizens and make data privacy laws consistent across members' borders, the European Union began enforcing its General Data Protection Regulation (GDPR) on May 25. For two years, companies worldwide have been preparing for the changes, which will be widespread and significantly impact their day-to-day operations.
The new regulations deepen data protection for European citizens in several ways. First, they expand the scope of the definition of personal data and provide avenues to enforce greater transparency at all stages of data collection and use. The regulations emphasize informed consent (through simple, understandable language) and grant more control to the individual, including the right to be forgotten and the right to access all collected data. The regulations also lay out strict data storage requirements and set a time limit (72 hours) for the issue of breach notifications. Finally, the GDPR includes language that makes the reuse of data by third parties difficult, while also stipulating severe fines for violations.
How Will Countries Implement the GDPR?
Though the GDPR standardizes data protection policies across the European Union, each individual member state must place its own language into national law, leaving the door open for countries to interpret and implement the regulations in different ways. This process is meant to streamline the regulation and legislation of data privacy, making the country in question the single authority on the matter within its borders. But in practice, this means countries across the European Union can all monitor and fine businesses in different ways.
The regulatory and financial limitations of EU member states will be the primary factors determining how each proceeds in implementing the GDPR. Several countries did not even pass national GDPR bills before May 25, and according to a Reuters survey, a majority of the participants don't believe they'll have the funding or power to enforce the legislation they do eventually establish.
Portuguese authorities have been vocal about their inability to afford the costs of enforcing the data privacy regulations, and authorities from France and the Netherlands have already indicated that they will be lenient in the initial months after the GDPR goes into effect. Traditionally, Berlin has had stricter data privacy protection legislation. Germany was among the first countries to implement national laws with regards to GDPR and will likely continue to be on the stricter end of the spectrum in terms of enforcement.
How Will Companies Handle the GDPR?
For businesses, simply bringing their security measures and customer interfaces up to the new standards of the GDPR will be an expensive task. Companies of all size are reportedly behind schedule on implementing the necessary changes, and starting in the third quarter, it will be important to keep an eye on how countries levy fines against companies based on size, region of operation and the location of their headquarters.
Smaller companies will face the biggest challenge, as they will have a larger per employee cost of implementation, though the record-processing requirements are somewhat relaxed for companies employing fewer than 250 people. For companies small enough that they operate in a single country, the European Union's country-by-country implementation strategy will have a massive impact. Nations with looser enforcement and more forgiving penalties will offer potential areas where smaller technology companies in Europe can still thrive.
Large, international companies, meanwhile, will be obliged to keep track of the different legislation throughout the European Union. But they will also have the money both to implement the new changes fairly easily and to fight any eventual fines in court.
The GDPR is likely to hit the middle tier of companies in the European technology sector the hardest. These businesses are large enough that they operate across multiple borders, but they don't have the financial heft to fight the legislation long term.
The GDPR's Impact on AI Development
The European Union recently released a road map plotting the future of artificial intelligence (AI) in the bloc. France is leading the charge, as well as promoting a start-up culture within the country itself. But an extensive study from the Center of Data Innovation indicates that the GDPR has the potential to delay or disrupt AI development in Europe. Data – corporate, personal and more – fuels AI, and the more the GDPR limits the sharing, repurposing and reusing of data, the higher the cost will be for various AI applications.
The criteria that European countries develop to enforce data privacy will be a good indicator of whether the Continent prioritizes the GDPR or the somewhat incongruent goals of AI development. France, in particular, will be important to watch closely due to the stated goals of President Emmanuel Macron's government. The same goes for Germany, given that it has traditionally functioned as a strict enforcer of data privacy and protection.
Implications Beyond the European Union
How massive international tech companies handle the new regulations will indicate the degree to which the GDPR impacts the global market and the European Union's place within it. If companies such as Apple, Google and Facebook begin separating their European market from others by applying the privacy standards on the Continent alone, that would spell trouble for the European Union's ability to develop AI and keep pace with North American and Asian competitors. However, if these big corporations begin applying the privacy standards of the GDPR more broadly (Facebook already plans to offer EU safeguards to users globally), the European Union will be able to set the tone for future data privacy discussions and regulations on an international level.