By now it is well-understood that the EU’s expansive new data privacy regulations, the General Data Protection Regulation (GDPR), are bad for competition and consumer choice. What is less often noted is that the GDPR erects an international barrier to trade.
Because the GDPR imposes costs on the data industry, and the leading firms in this space are located outside of the EU, it serves as a kind of “crypto-tariff” on foreign technology companies. What’s more, the steep fines levied for GDPR violations may have the effect of segregating data in different localities, which will effectively serve as a data localization requirement.
Privacy protection is an admirable goal, but the GDPR is far from the best way to achieve this end. The text of the GDPR is quite vague, and regulators in the majority of member states admit that they don’t really know how to enforce the rules. Very little specific detail is given to affected firms about what “compliance” looks like, and opinions differ wildly even within the EU.
Can we expect a robust improvement in privacy practices to emerge from such an indiscernible legal morass? It seems doubtful. So far, there have been two noteworthy outcomes from the GDPR, and neither have had the net effect of “improving privacy.”
First is the rise of “consent fatigue,” where deluged users simply click to “accept” the maelstrom of “updated privacy policies” without regard to form or function. And since people trust brand names more than unknown upstarts, the biggest “sinners” in the eyes of the EU like Facebook and Google have the easiest time getting consent. The net effect is that smaller firms must limit their activities or exit the European market completely, which benefits established giants and potential European competitors—and leads to less choice for European consumers.
Second, the GDPR created a punitive legal apparatus that can be opportunistically wielded against foreign companies. The retributive fees for deviating from this opaque legislative infrastructure are considerable: either €20 million or 4 percent of a firm’s global revenue, whichever is higher. It is no surprise that the first major lawsuits launched after the GDPR took effect targeted Facebook and Google for an astounding $8.8 billion in fees.
It is clear that the EU views personal data as a critical commodity in the digital age. Official communiqués frequently refer to trusted data as a “key resource” and “the gold of the 21st century.” One bombastic blog post on the website of the European Data Protection Supervisor characterized the free data economy as a “digital sweat factory” where foreign companies presumably extract the surplus value of European laborers for profit and malice.
As our colleague Adam Thierer frequently points out, Europe lags far behind in the technology sector despite its wealth of capital and educated labor force, perhaps for reasons of cultural and institutional inertia. So when it imposes tough privacy laws, it puts much of the $9 billion onus on foreign companies. And because the EU believes that these foreign companies have a zero-sum monopoly on this century’s gold rush, it is not surprising that the GDPR looks a lot like a roundabout economic punishment doled on foreign firms that have outpaced the European technology market.
While the analogy is imperfect, it is instructive to compare the GDPR to a tariff on data. The technology scholar Daniel Lyons makes this point well. He writes: “The GDPR may have an effect on European consumers akin to the effects that Trump’s tariffs will have on Americans: It may reduce the percentage of foreign commerce in the domestic market, denying consumers some choice and raising prices to pursue a different policy objective.” Like a tariff, the economic protectionism of the GDPR trades a short-term knock against a foreign competitor for long-term costs imposed on European consumers. Meanwhile, the world digital economy will chug along without them.
It is too early to tell exactly how companies will handle GDPR compliance, but one likely outcome will be a de facto data localization structure for EU member countries. One of the most generative elements of the digital economy is the dynamism that instant information flows can yield.
The boundary-less and instantaneous transfer of data is critical to the technical functioning and economic benefits of internet commerce. The GDPR significantly hampers the ability of firms and consumers to extract the greatest value from data by arbitrarily imposing costs on transferring data to different municipalities. A report from the US International Trade Commission notes that these rules are “expected to raise the cost of data storage and processing.” Because affected applications like cloud computing and e-commerce cut across large swaths of the international economy, the negative effects of data localization policies will be considerable.
As with any barrier to trade, the GDPR will ultimately punish EU citizens for an illusory economy benefit that will never materialize for their economy as a whole. The law undoubtedly imposes major costs on foreign companies, but ironically, the biggest losers will likely be European consumers
Photo credit: Isopix/Shutterstock