European politicians proffered that General Data Protection Regulation (GDPR) regime would level the playing field with big tech and put users in control, but almost two years since implementation, the opposite has happened. Microsoft, Google, Facebook, Amazon, and Apple have increased revenues and market shares since the launch of the GDPR, to the detriment of startup European firms. Moreover, Europeans rarely exercise their 17 newly invented “rights”, and maintaining this regime imposes a large burden on small and medium sized firms which have significantly less resources than the large Silicon Valley platforms. Researchers at Aalborg University found that the GDPR has led to smaller third-party trackers disappearing to the advantage of the big ones, enhancing concentration of power for access to and collection of user data.

Despite some years of notice about the GDPR’s coming implementation, only 20 percent of EU companies, primarily large firms, are digitised.  The European Commission’s Digital Scoreboard reports show a consistent lag in the small to medium enterprise segment, particularly to modernise their websites and market outside their own EU countries.  The European Commission’s “Digital Economy and Society Index Report 2019 – Integration of Digital Technology”, an effort formally launched in 2015, shows the stark situation of low-tech Europe.  While the Nordic countries, Netherlands, Belgium, and Ireland may score relatively high, the rest of Europe still struggles to digitise their business and conduct e-commerce. Less than one-fifth of the companies in the EU-28 are highly digitised (defined by use of electronic information, social media, cloud computing, and big data), and even in leading countries such as Denmark and Finland, only half of companies are digital.  As for e-commerce, only 17 percent of the EU’s small to medium sized enterprises sell online, and a mere 8 percent sell across borders.

SMEunited, which represents 12 million of the 24 million micro- to medium-sized enterprises in Europe (99.8 percent of all enterprises, two-thirds of employment, and close to 60 percent of the added value created in the EU), observes, “Overall this legislation creates severe difficul-ties for micro-enterprises and SMEs as it is not proportional. The legislation was conceived to tackle attitudes of big players, not those of SMEs. The administrative burden for documentation has increased and SMEs suffer from the lack of human and economic resources to cope with this legislation.”

Melissa Blaustein of Allied for Startups, a pan-European advocacy group, recognised that while there are fewer examples of European firms closing because of the GDPR, the regulation has not made it easier for startups. “Shutting down is not the same of growing slower,” she wrote to me in an email.

The GDPR might be justified if it created greater trust in the digital ecosystem, but there is no such evidence. Eighteen months after the promulgation of the GDPR, Europeans report the lowest level of trust online ever.  After a decade of GDPR-type regulations—in which users en-dure intrusive pop-ups and disclosures on every digital property they visit —Europeans’ trust online has plummeted. Eurostat notes that only one third of consumers trust the internet; and more than half do not trust it.

GDPR has proved cost prohibitive for many firms. To do business in the EU today, the average-sized firm must spend about $3 million to comply with the GDPR.  Indeed, less than half of eli-gible firms are fully compliant with the GDPR; one-fifth say that full compliance is impossible.  In a recent survey of small business owners in the EU, a whopping nine out of 10 reported not knowing about the GDPR and that its fines for noncompliance could hurt them.

Firms are right to be concerned about noncompliance. Failing to meet one of the GDPR’s 45 business regulations appears to be the leading cause of complaints against individuals, small businesses, and nonprofit organizations, and the bulk of complaints are billing issues with re-tailers and bank statement disputes with financial institutions.   While these issues are already covered under other laws, plaintiffs use the GDPR to win additional leverage for separate legal actions and litigation such as wrongful termination, personal injury, identity theft, inappropri-ate disclosure, and so on.  Sadly, the GDPR has unwittingly strengthened the largest US players and imported the worst of the litigious class action legal culture in which every dispute is turned into a lawsuit.

1  Jannick Kirk, Sorensen and Van den Bulck, Hilde and Kosta, Sokol, Privacy Policies Caught Between the Legal and the Ethical: European Media and Third Party Trackers Before and After GDPR. (July 26, 2019). Available at SSRN: https://ssrn.com/abstract=3427207

2 European Commission, “Integration of Digital Technology,” 2018, http://ec.europa.eu/information_society/newsroom/image/document/2018-20/4_desi_report_integration_of_digital_technology_B61BEB6B-F21D-9DD7-72F1FAA836E36515_52243.pdf.

3  European Commission, “Better Access for Consumers and Business to Online Goods,” 2015, https://ec.europa.eu/digital-single-market/en/better-access-consumers-and-business-online-goods.

4 Digital Economy and Society Index Report, EU, 2019, https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=59979

5 “SMEunited Members’ Contributions on the Application of GDPR,” accessed November 20, 2019, https://smeunited.eu/news/smeunited-members-contributions-on-the-application-of-gdpr.

6 European Commission. Public Opinion on Trust on the Internet. September 2018. https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Chart/getChart/themeKy/18/groupKy/93

7  Daniel Castro and Alan McQuinn, “The Economic Cost of the European Union’s Cookie Notification Policy,” In-formation Technology & Innovation Foundation, November 6, 2014, https://itif.org/publications/2014/11/06/economic-cost-european-unions-cookie-notification-policy.

8  European Commission, “Use of Internet Services,” 2018, 4, http://ec.europa.eu/information_society/newsroom/image/document/2018-20/3_desi_report_use_of_internet_services_18E82700-A071-AF2B-16420BCE813AF9F0_52241.pdf.

9  International Association of Privacy Professionals, “IAPP-EY Annual Governance Report 2018,” 2019, https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/.

10  International Association of Privacy Professionals, “IAPP-EY Annual Governance Report 2018.”

11  “GDPR Still a Mystery to SMEs: The Risks of Non-Compliance,” Hiscox Business Blog (blog), January 10, 2019, https://www.hiscox.co.uk/business-blog/gdpr-still-mystery-smes-risks-non-compliance/.

12  Statement    of    Helen    Dixon,    Commissioner,    Data    Protection Commission of Ireland , May 1, 2019, https://www.commerce.senate.gov/public/_cache/files/82740fd0-dc86-4665-9c3f-378892c6fca0/649B8DBDAF3E93DC2B0B79B982E83585.05-01-19dixon-testimony.pdf

Visiting scholar at the American Enterprise Institute, Visiting researcher at Aalborg University Center for Communication, Media, and Information Technologies and a Vice President at Strand Consult in Denmark.