The General Data Protection Regulation came into effect throughout the member states of the European Union on the 25th May 2018. As you are no doubt already well aware, the GDPR is, in simple terms, a new framework of conditions aimed at giving citizens of the European Union more influence over the use of their own personal data. Its goal is to simplify the regulatory settings for business so both citizens and businesses in the EU can better profit from the digital economy.
The reality of the internet age is that almost every aspect of our lives concerns the storage and use of personal data. From our social media use, to bank accounts, to online shopping, to online state services, and numerous others – practically every service we utilise concerns the acquisition and analysis of personal data. On its face, the GDPR was designed to give individuals more protection in how their data can be gathered, stored, used or communicated. In many respects, this is proving successful.
Given the very nature of data-processing in the 21st century, it is clear that the GDPR has influence far beyond the geographical boundaries of EU member states. At first glance, one might assume that the GDPR applies in the EU and the EU alone, and while legally speaking that is technically correct, in reality it also affects foreign companies that deal with the personal data of EU citizens. Companies (whether huge multinationals or start-ups) based in Africa, Asia or the Americas which employ people, or have customers or clients in EU member states, are therefore impacted by the GDPR.
The Influence of Brussels
Some believe that this is, at least in part, a deliberate strategy of the European Union. The size and strength of the European market means that when the EU creates rules for itself, other economies are left with little choice but to conform to them. When faced with multiple regulatory systems, most companies will choose to work towards that which demands the highest standard. This has already been witnessed in numerous fields, such as anti-trust law, chemical regulation, and aircraft emissions. It is apparent that the General Data Protection Regulation has similarly increased the EU’s influence when it comes to the treatment of personal data.
This term is attributed to to Professor Anu Bradford of Columbia Law School who observed the trend and named it after the somewhat similar “California effect” that had previously been observed in the USA. This name was derived from the spread of environmental regulatory standards that had originally been adopted by the state of California and were later adopted in other parts of the US. In the Califirnia example, the spread was, and continues to be, supported by larger businesses and corporations, which stand to benefit as they have the resources at hand to adapt to meet the new regulations, unlike some of their smaller rivals.
Brexit remains the number one topic of debate in British politics at present. Twice delayed, it is presently somewhat uncertain as to whether the UK will exit the European Union at all. Assuming it does so, however, the UK may discover that the Brexiteers’ beliefs that it could abandon what they saw as the overburdensome regulation of the EU in favour of enjoying great freedom in international trade were but a dream. The UK will of course be obliged to ensure continuing compliance with European Union conditions should it wish to trade with the continental market. The difficulty for a post-Brexit UK does not end there, however. In some areas Britian will be forced to choose which of the contradictory sets of American and EU regulations it wishes to adhere to in order to continue trading.
Some critics feel that the EU’s General Data Protection Regulation (GDPR), is key to the ‘Brussels Effect’ expanding into data protection and privacy. At first glance, the new regulations guarantee citizens of EU member states broad powers over how their own personal data may be gathered, employed and stored. This is clearly a good thing for the individual. Nonetheless, whether intentionally or unintentionally, the new rules present non-EU nations worldwide with a dilemma: modify their own domestic law to conform with the European Union’s new policies, or take the risk of being deprived of a market which boasts a €15 trillion economy and over 500 million comparatively wealthy consumers.
The world-wide influence of the GDPR was immediately apparent: As soon as it was introduced, companies as large as Facebook Inc. and Microsoft acknowledged that they would largely adhere to General Data Protection Regulation everywhere they operate, not only in Europe. They are not alone. Is the GDPR therefore another example of what Professor Bradford lable, the Brussels Effect?