In May 2018, the European Union (EU) launched its newest data protection legislation, known as the General Data Protection Regulation (GDPR). Besides representing the largest overhaul of the world’s privacy rules in the last 20 years, the regulation is Europe’s attempt to extend its influence and regulatory might globally. Companies were presented with a choice – comply with the EU’s standards or face being shut out of a market of 500 million consumers in one of the richest regions of the world. Today, six months after the rollout of the GDPR, it is time to ask whether the effects of the regulation are in line with the EU’s goals and what changes it has brought around the world.
According to a study conducted by Kosinski et al. in 2013, one’s ethnicity, gender, sexual orientation or political views could be predicted with more than 90% accuracy solely from Facebook ‘likes’. The growing concern about what type of information about users was gathered by numerous companies pressured European policymakers to act, in the first place by labeling users’ data as personal property and a part of one’s identity. Furthermore, according to the European Commission, 9 in 10 Europeans wanted regulation adopted on the EU level, or in business terms – a market of 500 million people. Conveniently, the concern for Europeans’ personal information was a way for the EU to further its own influence in the digital world and, hence, the GDPR was adopted in April 2016 and entered into force in May 2018.
Beyond the question of privacy and ownership, the personal data collected, analyzed, and moved across the globe has acquired substantial economic significance. According to Commission estimates, the total value of EU citizens’ data has the potential to grow to EUR 1 trillion annually by 2020. The regulation helps European companies cut the ‘red tape’ and deal with a single set of regulations rather than 28 different ones. However, it also creates trouble for businesses originating outside of the Union. Furthermore, the data protection regulation had a substantial impact on large companies and on regulatory frameworks around the globe.
In practice, international regulation of data privacy is largely fragmented and regional in nature. Because of this, the impact of the EU’s regulation in this area is significant, as it provides a model for others to follow. Moreover, proof that the EU remains highly involved in leading the way on data privacy regulation can be seen in recently negotiated trade agreements such as the EU-Canada Comprehensive Economic and Trade Agreement (CETA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). In addition, countries like Argentina, Israel, New Zealand, Japan, Colombia, South Korea, and many others have already overhauled their domestic legislation to reflect the European rules.
Among those still trying to navigate the new environment is the United States. U.S. policymakers argue that American data protection standards, defined in the Constitution and enforced by the Federal Trade Commission, offer even higher protection than the European ones. Yet, this claim did not seem to be of sufficient importance for the European Court of Justice in 2015, whose ruling effectively ended the data transfer agreement between the U.S. and the European Union (known as ‘Safe Harbor’) on the premise that it does not fully protect EU citizens’ data.
On the corporate side, the regulation had a major impact as well. Following its rollout, Google announced that it would stop mining emails in Gmail in order to personalize ads, and in September 2018, it changed its privacy user agreement and made it more user-friendly. Moreover, Facebook has announced the overhaul of its privacy regulations, particularly after its founder, Mark Zuckerberg, testified in front of the European Parliament earlier this year. It is neither surprising nor unnatural for large corporations to adjust to the EU rules. Adhering to the EU regulation and changing their systems to be compliant is simply cheaper for companies than creating separate systems for each region in which they operate. Moreover, non-compliance is costly; caught red-handed, a company could pay up to 4% of its annual global profits in fines, which is something that no corporation, however large, is ready to risk.
In conclusion, with its new regulation on data protection, coupled with its requirements and provisions for any future free trade agreement with the European Union, the EU has effectively managed to set a global standard. It once again managed to confirm that in terms of regulatory influence, just like when it made Microsoft exclude Windows Media Player from its operating system globally, the EU is a global superpower.