This paper assesses to what degree new European online privacy regulation addresses official European Union government research on best practices for online privacy. Specifically it investigates the European Commission’s General Data Protection Regulation (GDPR) and to what degree it coheres to the official EU government report on “Privacy, Accountability and Trust - Challenges and Opportunities” by the European Union Agency for Network and Information Security (ENISA). The paper maps the provisions of the GDPR to the model proposed by ENISA and finds that the GDPR regulation appears to overemphasize some inputs while under-emphasizing or even ignoring others. We propose a behavioral model to explain the discrepancy. We assume that the ENISA inputs represent the best official approximation of how to achieve long-term welfare outcomes while the GDPR regulation is optimized to maximize short-run outputs for political support.
The paper presents the provisions of the GDPR as a function of the four inputs for privacy as defined by ENISA: (1) the user’s knowledge of online privacy, (2) the technology design, (3) the practices of providers, and (4) the institutions governing the system. With regard to institutions, the GDPR applies to any entity regardless of location, if processing EU resident data; it requires that a data protection authority in each member state; and if GDPR provisions are violated, allows fines up to 4 percent of annual revenue of €20 million, whichever is greater. For practices of providers, the GDPR has provisions for consent, breach notification, right to access, right to be forgotten, data portability, and data protection officers. The GDPR has some privacy by design requirements which map to ENISA’s technological design parameter. Finally there are no specific GDPR provisions that would remedy users’ knowledge such as an education campaign etc. From the preliminary analysis, we find that the GDPR tends to overemphasize compliance and punishment while underemphasizing technology design and user education.
The GDPR encompasses perhaps the most monumental pan-European regulation in the last decade. It has the potential to impose significant penalties, add significant bureaucracy through the creation of national data protection authorities, and require the appointment of chief privacy officers in enterprises, a requirement that many medium size organizations find onerous. As the European Commission did not provide empirical justification for its rules other than a factsheet, this research attempts to quantify the choice of instruments and model political behavior and expectation based upon a selection of policy options.
The model is reviewed with e-privacy panel data for the 28 EU member states based on Eurostat and Eurobarometer. It investigates whether there are any relationships between the ENISA inputs and the GDPR provisions by measuring the level of privacy awareness and skills, the degree of deployment of privacy by design technologies, the presence of a data protection authority in the member state, and other variables. In addition to general online privacy research, the findings may shed light on the assumptions of the policy making process and to what degree evidence informs regulation.
Keywords: GDPR, online privacy, regulation, data protection, European Union, privacy by design, regulatory behavior and performance
