Even Brussels is concerned about the unintended consequences of the GDPR
The EU General Data Protection Regulation, or GDPR, is a sweeping piece of legislation intended to protect Europeans’ personal information in a digital world. With the recent spotlight on Facebook and the sensitive topic of data privacy, one would expect the timely implementation of this privacy law to be treated with justified optimism. So why is it that less than a month out from the May 25 implementation date, companies, media and even EU lawmakers are ringing the alarm bells?
The answer – a collective realisation that the GDPR could, and most probably would, reinforce the duopolistic power of Facebook and Google. That regulations often carry unintended consequences should not be surprising to anyone; what is surprising, however, is how disproportionately favourable the unintended outcomes are to the incumbents whose power the regulation tries to curb. I have written about these unintended consequences previously (here and here) in the context of the Facebook/Cambridge Analytica scandal, and last week The Wall Street Journal and the Financial Times picked up on this controversial topic.
Leaving aside the obvious consequence of the regulatory burden falling disproportionately on the smaller companies being regulated, one not so obvious but very profound difference between the GDPR and most other industry-wide regulations is that the regulators are not really the regulators.
What do I mean by this? Consider the Dodd-Frank Act which was signed into law following the GFC to regulate the US financial industry. Although the Act created a greater regulatory burden on smaller regional banks than large global banks such as J.P. Morgan, all banks were regulated by US government bodies. With the GDPR, many affected companies may find that their ultimate regulators are not the EU Supervisory Authorities, but actually Facebook and Google. This is because the digital advertising industry is so interconnected, and power is so concentrated in the two companies, that running afoul of Google is more likely to kill a publisher than running afoul of the EU regulators.
From the WSJ: “Google told website owners and app publishers last month they would have to get consent for targeted ads on behalf of each of their digital-ad vendors or risk being cut off from Google’s ad network. At the same time, Google told digital-ad vendors using its products they would be blocked from targeting any user who hadn’t given specific consent to the vendors and to each of their partners […]
“Digital advertising companies, known as ad tech firms, say Google and Facebook’s strict interpretation of GDPR squeezes their business. The ad tech firms embed their own technology in publishers’ websites and apps, putting them in competition with the tech giants.”
This highlights my point above – Google is holding websites and publishers responsible for getting explicit user consent for each 3rd party data tracker they run, which can number in the dozens or even hundreds for large publishers. Most website users don’t even know they are being tracked, let alone who is tracking them. These 3rd party trackers – ad tech firms – typically have no direct relationship with the user, and when presented with a list of 5 or 30 or 100 unknown names asking for consent to track their personal data, how many users are simply going to be overwhelmed and leave the website, especially if it’s one they seldom visit? Compare this to Facebook and Google – how many people are realistically going to reject Facebook or Google’s user consent policies and abstain from using those companies’ properties?
Further from the WSJ: “A digital-advertising firm called AdUX recently closed a service that harvested location data from people’s smartphone apps to show them targeted ads, said CEO Cyril Zimmermann, because his firm had little hope of asking for—much less getting—consent from users […]
“Because Google is involved in so many layers of the ad business, some publishers say they have no choice but to comply, and others say they’re not sure what they’ll do yet. ‘It’s the classic Google approach: Either you take it or leave it,’ said Carsten Schwecke, chief digital officer of Media Impact, Axel Springer ’s media sales division. ‘It is not a pleasant situation for a publisher like us.’”
And this quote from the FT summarises the situation well: “The trust issue could also make it harder for smaller internet services to gain traction. They already face the inherent problem for all small companies from higher regulation, that the fixed costs of compliance fall harder on them: now they will have a brand deficit to overcome as well.”
Finally, some may argue that the GDPR and potentially similar US legislation to follow would limit the amount and type of data that Facebook and Google can collect from their users, and thus can’t be positive for these companies. However, this argument falls flat when one considers the much greater impact that the regulation has on competing data aggregators and publishers. So long as Facebook and Google’s data remain relatively better than the alternatives (and likely even more so), these two behemoths are likely to continue cementing their dominant positions in the global advertising industry.
The Montgomery Global Funds own shares in Facebook and Google. This article was prepared 01 May 2018 with the information we have today, and our view may change. It does not constitute formal advice or professional investment advice. If you wish to trade Facebook or Google you should seek financial advice.Why is it that less than a month out from the May 25 GDPR implementation date, companies, media and even EU lawmakers are ringing the alarm bells? Click To Tweet