While policymakers around the world are frantically nurturing their digital economies, what's happening here in Europe? Lots, lots more red tape is coming. Politicians are furiously running around giving media interviews about how this will rein in Facebook or Google, as though all of Europe's privacy laws should be written for one or two companies. Indeed, wags have started to call Europe's new proposed privacy laws "Lex Google" or "Lex Facebook". But trying to write a privacy law to "rein in" Google or Facebook is a sure recipe for writing a bad privacy law that would apply to all companies in Europe.
Very few people have actually looked at how Europe is planning to change fundamental privacy laws. While politicians are posturing that this is a reduction of red tape, the reality is that it is on track to become the biggest increase in paperwork and compliance process obligations in the history of privacy law anywhere on the planet. Moreover, here's an assessment that would surprise some people: I think Facebook and similar big companies could cope just fine with the new proposals, one way or another. But there is absolutely no way Small and Medium-size Enterprises in Europe could cope. SME's are already an embattled group in Europe, facing the highest regulatory and employment tax burdens in the world. Data protection officers at large corporations generally have lots of resources, and they can manage bureaucracy and paperwork, even if it costs a few more million euros. For big companies, it's not a big deal if the data protection "compliance tax" increases by a few million "new pesetas" or "new lira". Frankly, I wonder how an SME could possibly deal with this paperwork and process torrent, and how they're supposed to pay for it.
Consider the details of this regulatory torrent, and ask yourself how new legal obligations like those below would impact an SME:
- 1) Breathtaking fines for routine paperwork data protection lapses. Large fines are proposed for data protection violations, some of which are really nothing more than paperwork lapses or documentation foot-faults. Does anyone really think European SME's are set up to be able to report a data breach in less than 24 hours? It baffles me how policymakers can propose to impose fines of 1 or 2% of a company's global turnover for not "adequately" filling out paperwork, such as "privacy impact assessments" or "documentation of data processing", especially since there is not even any agreement on what such paperwork is even supposed to look like.
- 2) Mandatory Data Protection Officers. What happens if we obligate all enterprises with over 250 employees to appoint a Data Protection Officer? Practically, where are all these people going to come from, since only a handful exist today? Can SMEs afford the cost of these new employees, or of outsourcing this function to expensive law firms? Or over-burden others on their staff, e.g., a Human Resources person, to try to play this role too? and needless to say, some companies with 250 employees (like Internet or health companies) have vastly different privacy impacts than others (like construction companies), so laws with arbitrary fixed rules are rarely well-adapted to the different realities of the real world.
- 3) Mandatory privacy impact assessments. What will SMEs have to do, if they are obligated to carry out privacy impact assessments on all new projects? While I think such privacy impact assessments can be a useful privacy compliance tool for some projects, I also know that they are burdensome and time-consuming. Can SMEs handle this additional burden? While "privacy impact assessments" are still undefined, I estimate doing one would cost, roughly 10,000 to 100,000 euros. I imagine most SMEs would have several, and larger companies would have many projects requiring such privacy impact assessments.
- 4) Mandatory data processing documentation. Documenting such data handling processes is time-consuming and difficult. How much will it cost SMEs to document their data processing practices? I would roughly assume that the burden to comply with this requirement would be comparable to the time/money spent complying with tax laws. No one knows what it means to "adequately" document data processing, but nonetheless, these confused proposed privacy laws would threaten massive fines for failing to comply with an undefined standard.
Europe is about to threaten companies with fines so large that they will throw them into bankruptcy for bureaucracy and paperwork foot-faults? As countries around the world begin the competitive race to build their digital economies, we in Europe are starting the race by shooting ourselves in the foot? It's possible to be deeply committed to privacy, without drowning in a torrent of privacy bureaucracy.