While the General Data Protection Regulation (GDPR), the core of the EU digital privacy legislation, afforded protections for users of digital, internet, and online services – including the rights of data subjects – a new paper from Geradin Partners suggests that the well-intended regulation, while delivering “positive outcomes by enhancing the protection”, has additionally borne “adverse effects on [the] competition by strengthening the position of Google and other large online platforms”.
Given the enormous amount of data it collects and processes, GDPR may have initially been thought to negatively impact Google’s ability to deliver advertising and technology services. However, the paper argues that compared to Google, smaller rivals were less capable of absorbing the implementation costs of the GDPR and coping with the restrictions on the collection and processing of data.
The Irish Data Protection Authority, for instance, has yet to challenge questionable data-related practices at Google, while the Data Protection Authorities (DPAs) have subjected smaller actors to harsh intervention, the paper’s authors suggest.
They believe that Google weaponized GDPR and the concern for privacy in general in order to strengthen its control over the ad tech ecosystem to the detriment of advertisers, publishers, and smaller rivals. One actual example of this was the announcement from Google to phase out third-party cookies on Chrome, the browser it owns.
In a joint statement shared with Marketing Dive, Dan Jaffe and Dick O’Brien, both serving as EVP of government relations at the ANA and 4A’s respectively, said that Google’s decision to block third-party cookies in Chrome would threaten to substantially disrupt much of the infrastructure of today’s internet without providing any viable alternative, adding that it may choke off the economic oxygen from advertising that startups and emerging companies need to survive. Indeed, the announcement itself was followed by shares of ad-tech companies such as Criteo falling to a record low.
A year after the GDPR went into effect, the Center for Data Innovation published a report on the ten unintended consequences of GDPR such as the cancellation of mergers & acquisitions, time-wasting tools that overload businesses with GDPR-authorized data requests, reduced venture funding received by EU technology startups, and the reduction of competition from digital advertising companies. A report from CNN found that complying with the new regulations resulted in the world’s biggest companies spending tens of millions of dollars to prepare. Smaller companies that do not have the same resources are struggling.
Michal Gal, a law professor at the University of Haifa, and Oshrit Aviv, Founder of Entero.io, echoed the sentiment in a paper titled The Competitive Effects of the GDPR, stating that the GDPR limits competition in data markets, creating more concentrated market structures and entrenching the market power of those who are already strong. The authors added that the GDPR limits data sharing between different data collectors, thereby preventing the realization of some data synergies which may lead to better data-based knowledge.
“I would rather have ‘one neck to choke’, as the saying goes, rather than hundreds of shadowy ad tech companies collecting, buying, and selling my data, and me having no recourse because I don’t even know who they are,” said Dr Augustine Fou, a cybersecurity and anti-advertising fraud consultant, in a statement to Branding In Asia. Fou said that, in terms of privacy, Google has so much public pressure to make changes for the better that they have the most to lose.
Users of Google products are logged in all the time across all its products, counting as first-party cookies, and Fou believes that advertising technology companies that buy and sell consumer data will complain that Google is weaponizing the GDPR to consolidate power for itself.
“Doing away with 3rd party cookies means third parties cannot track and target users as easily anymore and for Google, they have logged in users all the time anyway,” said Fou.
The paper from Geradin Partners concludes with four suggestions for DPAs to identify and remedy the shortcomings of the GDPR: a differentiated approach on the baseline obligations expected from small and medium-sized businesses that fall under the scrutiny of the Magna Carta of data protection; uniform enforcement of the regulation without divergent interpretations; examination of any justification based on data protection legislation; and a watchful eye on Google’s decision to phase out third-party cookies on Chrome and the evolution of the Privacy Sandbox.
“Though formally an open-source project, we are sceptical as to which extent third parties will have any meaningful say in the process, and past experience from the Android Open Source Project shows how Google may end up running initiatives which are nominally open-source,” said the authors from Geradin Partners. “There is a real risk that Chrome’s policy change will further strengthen walled gardens to the detriment of the open web (and the ad tech ecosystem).”
They added that the Privacy Sandbox risks making the Chrome browser the “gatekeeper” of data, on which third parties (be it publishers, advertisers, or ad tech vendors) will be dependent. With more advertising expenditure concentrated in the Google walled garden, the Privacy Sandbox, the authors ponder, may impoverish the open web – with all the societal implications this entails.