The European Union’s General Data Protection Regulation (GDPR) — the most comprehensive regulation on the protection of personal data that currently exists — comes into effect on May 25. It will profoundly impact global debates about privacy and freedom of speech; cybersecurity and disinformation; citizen and consumer relationships with technology and technology companies; innovation and entrepreneurship; and the future of the transatlantic economy.
So, what is GDPR? And what can those who care about the transatlantic relationship expect going forward?
What is GDPR?
European authorities have been struggling for years to update the EU’s 1995 Data Protection Directive, put in place well before most of today’s major Internet firms were founded. The directive resulted in a hodgepodge of privacy laws and uneven enforcement across the 28 EU member states. GDPR is an update to the 1995 directive and a key plank in the EU’s overarching goal to create a “digital single market.” As with other digital single market policies, GDPR is designed to offer EU citizens equal protections and equal access to digital goods across the European Union. For industry, it is supposed to create a single regulatory framework, rather than 28, with access to a single, unified European market, giving companies and startups a wider initial user-base and reducing legal costs.
GDPR gives EU consumers far-reaching control over their personal data. Users must receive notice in plain language of how, where, and by whom their data will be used, and in most cases must give explicit, opt-in consent for each intended use. Users will have the right to see what data have been collected on them, the right to have errors corrected, and the right to ask that information be erased (the “right to be forgotten”). Consumers also have the right to take their data to a competing service.
The law imposes sweeping procedural, compliance monitoring, and data security requirements, especially on companies processing massive data troves. Companies that violate the law could see fines levied up to 4 percent of annual global turnover, or €20 million, whichever is greater. For Facebook, that could mean a tab of up to $1.6 billion.
GDPR offers valuable privacy rights. But as with all public policy, there are trade-offs. GDPR privileges privacy over free speech, innovation, entrepreneurship, and business interests. In some cases, these trade-offs are the results of considered policymaking. In others, GDPR has been critiqued for creating needless regulation where technical solutions would be more appropriate. And in yet other cases, the trade-offs in GDPR are the result of the compromises necessary to satisfy the multiple and sometimes divergent interests within and between Brussels and the different EU member states.
What is the U.S. approach to data protection?
The United States does not have a general law like GDPR. Given the trade-offs involved in developing data protection regulations, reaching political consensus is difficult. Instead, the United States protects personal data in specific contexts: medical, financial, employment, and children.
However, many in the United States are warming to the idea that narrowly crafted privacy legislation might be appropriate. Should that gather steam, federal or state rules could be in the offing. Some U.S. states are stepping in where Congress has so far failed to tread. California could be the test case if its sweeping privacy initiative garners enough signatures to place it on the ballot this fall. If so, it could become the de facto U.S. standard — unless Congress acts to create uniformity by preempting state legislation.
The EU bloc’s far-reaching and complex rules could also wind up filling a policy and regulatory vacuum in the United States if American multinationals choose to extend all or a meaningful part of the GDPR privacy rights to their users outside of Europe. But the tech titans are unlikely to swallow GDPR whole. Facebook, for instance, is poised to offer GDPR-lite to its non-European-domiciled users. They would enjoy many of the privacy rights, but the company would not be on the hook for the GDPR’s massive fines.
How will GDPR impact the transatlantic relationship?
The EU’s approach to protecting personal data has already significantly affected transatlantic relations. As discussed in a previous GMF explainer, the EU believes it has adopted the best approach to protecting consumers’ privacy, which it sees as a fundamental right. By law, it accordingly prohibits the transfer of personal data outside of the EU unless the Commission has determined that the receiving country’s laws are “adequate,” or, failing that, unless the transfer of the data is protected by contract, a company has accepted binding rules on the way it will handle the data, or the individual has given his or her “informed” consent to the transfer.
Because the United States does not have a general law protecting personal data, it is not an approved destination, unless the company transferring the data has undertaken a series of commitments on handling the data. The initial program, Safe Harbor, was judged wanting after the revelations by Edward Snowden about the U.S. government’s ability to access data held by companies. The U.S. government eventually had to accept certain limitations on its ability to access such data under the new Privacy Shield agreement. This new arrangement is now being reviewed by the EU’s European Court of Justice in light of the GDPR; if the U.S. is again found wanting, a new and even more acrimonious debate can be expected.
The United States is not the only country caught by this prohibition on the transfer of personal data — the EU Commission has found only five countries outside Europe as providing “adequate” protections. The EU wants to increase this, and is using its enormous weight as a trading power to encourage other countries to adopt strong data protection rules, even as it argues strenuously that data protection is too important to be included in trade agreements. This was, for example, a major issue in the EU–Japan trade agreement that was recently finalized. The EU sought to carve data protection totally out of the agreement, but Japan felt that without the certainty that the EU considered it “adequate” for data transfers, its ability to sell digital products and services to the EU could be compromised. So in parallel to the trade deal, the EU is likely to soon issue a determination that Japan provides adequate protection for personal data. This is likely to set a pattern for the EU’s future FTA negotiations.
What does GDPR mean for innovation, entrepreneurship, and technological progress?
Data sits at the heart of many of today’s most lauded technological developments: machine learning, the internet of things, self-driving cars, personalized healthcare, increasing energy efficiency, and even reduced waiting times at traffic lights.
To take one example, Google and Facebook employ many of the world’s leading artificial intelligence researchers and scientists. Those researchers rely on the data consumers have shared with their employers to advance machine learning: a computer learns to recognize a picture of a dog because it is fed millions of images of dogs labeled with the tag “dog” and is thus able to decipher the particularly dog-like characteristics in a given image. One interpretation of GDPR is that a user will now need to explicitly consent to having their pictures used for such a purpose. GDPR also includes vague language about a “right to explanation” — showing a user how an algorithm makes a decision about, for instance, what advert to show, or which content to recommend. Companies may choose to simplify their products and change their business models rather than explain all of the complex decisions generated by algorithms, resulting in a less personalized experience and less evolved technologies.
If so, some experts fear GDPR may have a chilling effect on the development and use of AI and other new technologies in Europe. While the trade-off is one that has been acknowledged by EU policymakers, the extent to which GDPR will impact European entrepreneurs, technology companies, and scientists is not yet known — a consequence of the opaque wording in the regulation. China and the United States have much simpler privacy requirements, giving companies based in these countries access to more data and thus a competitive advantage relative to their European peers.
What developments can we expect over the next few years as a result of GDPR?
GDPR’s often ambiguous and complex terms will take years to sort out through the National Data Protection Authorities or in court, creating uncertainty in the marketplace. Indeed, the Austrian lawyer and privacy advocate Max Schrems, whose Facebook privacy complaint resulted in the European Court of Justice nullifying the EU–U.S. Safe Harbor for data flows to the United States, is poised to file privacy cases on May 26. How expansively the newly minted European Data Protection Board chooses to interpret GDPR will determine whether the new law advances or stifles the digital economy in Europe.
For many, GDPR will be a global beacon for securing long overdue personal data privacy rights. For others, it signals the end of an era in which innovation and entrepreneurship reigned supreme on the Internet. As the Wild West of the Internet is tamed, GDPR will set the tone for the global debate about data privacy.
– Susan Ness, Peter Chase