GDPR: Privacy, Yes. Innovation, No

If you spend too much time clearing privacy protection notices from your email box, thank the General Data Protection Regulation (GDPR). But what exactly is this regulation and how might it impact future supply chain technological innovation?

GDPR is a new rule with the goal of protecting European Union residents’ personal data and adding privacy measures on web transactions that include personal data—no matter where in the world that processing takes place. These new data privacy rules will negatively impact the development and use of artificial intelligence in the EU and put European firms "at a competitive disadvantage compared with their competitors in North America and Asia," says the Center for Data Innovation.

While the Center is concerned about competitiveness and AI advances, I’m concerned about the full stop these new regulations may have on supply chain innovation. The regulations are described as chilling and ambiguous by many, and impact all companies capturing EU personal data. The judicial overreach into areas outside the EU aside, GDPR’s vague nature should give pause to any enterprise engaging in back-office, web, cloud-based operations.


Here are open questions about the rules:

Article 22 says that companies must have a human review some AI-based machine activity. Does that render AI in e-commerce at risk in, say, voice ordering and other automated buying activities? What about blockchain pipes that include personal data?

Chapter 5 of the GDPR mandates controls of personal data outside the EU, seemingly requiring any company collecting EU personal data to maintain data centers inside the EU. Does that mean companies will have to maintain additional data centers in the EU to comply?

Most observers agree the GDPR is complex, and conflicts with other EU regulations. The risk is great because lack of compliance can draw a fine of four percent of a company’s global sales—or 20 million euros, whichever is greater.

The quest to protect consumer privacy and data is admirable. But, unintended consequences alert here. GDPR vagueness needs to be clarified, with carve outs for the WHOIS domain database, AI, IoT data, and blockchain operations. Let’s not protect privacy at the expense of supply chain and technological innovation.