June 4, 2018
GDPR's Quest for World Domination
By Ole Moehr
On May 25, the European Union’s (EU) sweeping new data privacy regulation came into force. The General Data Protection Regulation (GDPR) provides EU residents with more control and protection of their data.
Any company or organization around the world that collects or processes data of EU residents must comply with GDPR. The European Commissioner for Justice, Věra Jourová, outlined the EU’s ambitions on data privacy by stating “We want to set the global standard.” This edition of the EconoGraphic assesses how the EU is applying a “carrot and stick” strategy to countries and tech giants to broaden GDPR’s global reach and what this means for the United States.
With the recognition that data is set to become the most valuable commodity of the 21st century, the EU is making a concerted effort to define data protection and privacy rules around the world. European officials are using access to the EU’s internal market’s 500 million consumers as a bargaining chip to convince other countries to enact domestic data protection laws that mirror the GDPR. To enter into free-trade agreements (FTAs) with the EU, many countries must now commit to developing data privacy frameworks that afford consumers protections on par with GDPR. Japan, which has finalized its negotiations with the EU about a FTA, and Brazil, which hopes to sign a trade agreement with the EU, are both currently updating their data privacy laws to satisfy the EU’s data protection rules. Israel, New Zealand, and the United States are part of a group of twelve countries that already fulfill the GDPR’s adequacy requirements. Corporations from these countries can transfer EU individuals’ data from the EU because their domestic data privacy regulations are deemed to offer the same level of protections as the GDPR.
The current US administration criticized the implementation of GDPR. Commerce Secretary Wilbur Ross warned that GDPR “could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade.” US compliance with GDPR is limited to data flows governed by the EU-US Privacy Shield framework, which allows Europeans’ data to be transferred to the US for commercial use. However, according to the Congressional Research Service, GDPR might render the Privacy Shield obsolete because most US companies must comply with its strict data protection rules. This in turn could reduce US companies’ compliance burden and costs. The upcoming US midterm elections might change the US stance vis-à-vis GDPR. Democrats in the US Senate have already signaled their intent to extend GDPR privacy rules to US citizens, should they win both Houses of Congress in November.
To ensure compliance by small and large companies around the world, GDPR has real teeth. For violations of technical requirements, such as a failure to report a data breach, companies and organizations can receive a fine of up to €10 million or 2 percent of global annual revenue (whichever is greater). Offenses that violate one or more of GDPR’s core pillars, for example processing EU residents’ data without sufficient consent or transferring data to countries that do not fulfill GDPR’s adequacy requirements, can result in fines up €20 million or 4 percent of global annual revenue (whichever is greater). Multinational companies’ tendency to adopt the most stringent regulations they encounter and implement them globally to minimize costs, dubbed the Brussels effect, will likely act as a catalyst to expand GDPR’s global reach. Surely also because of reputational effects, Microsoft has already committed itself to adopt GDPR’s privacy protections for all of its global customers. Similarly, Facebook’s Mark Zuckerberg said that his company would extend the GDPR’s protections “in spirit” to all its users around the world.
The EU’s economic soft power paired with the absence of meaningful US data privacy regulations or legislation, and a global desire to regulate US tech giants, might in fact result in GDPR setting the global standard for privacy protections. The question remains, however, whether national European regulatory authorities are up to the task of enforcing GDPR across the EU and the world.