TAP Scholars Examine the GDPR Effect

By TAP Staff Blogger

Posted on May 25, 2018


Today (May 25, 2018), the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR is a new law that significantly expands data protections for people across the European Union, giving them greater control over their personal data and setting heavy fines for companies that violate the new terms. It will restrict how tech companies collect, store, and use EU residents’ personal data.


Even though the GDPR is an EU regulation for EU citizens, it has an important impact globally. Companies doing business with EU citizens or interacting with their data in any manner (Google, Facebook, Twitter, and Netflix, to name a few) must comply with the GDPR requirements whether or not their headquarters are located in the EU. Many global companies are updating their terms of service for everyone, not just EU customers. Additionally, given that the GDPR places obligations on companies whose vendors process personal data, and many large companies have hundreds of vendors processing data, the demand for GDPR compliance will thread through the network of contractual relationships that companies have around personal data.


Several TAP scholars have been studying the GDPR to understand what its impact will be beyond how the EU regulators enforce it. Below are excerpts from selected articles by and about TAP scholars that explore the scope of the General Data Protection Regulation on privacy and security controls globally and the potential influence on U.S. data protection regulation.


Woodrow Hartzog - The GDPR Is a Watershed Moment
Professor of Law and Computer Science, Northeastern University


In an interview with News@Northeastern, Professor Hartzog “calls the [GDPR] law a ‘watershed moment,’ saying it’s built on the notion that privacy is a fundamental right. He said that while the law applies directly to Europeans, companies that have customers all over the world—like Facebook, Google, Twitter and many of your favorite apps—are updating their terms for everyone, including Americans.”


Will the United States ever go as far as Europe on this?


There’s been a lot of talk about the United States adopting the U.S. version of the GDPR. I don’t see that happening for several reasons. One is that the First Amendment looms very large within the United States, and what subjects are allowed to request of companies would be more limited because of free speech concerns. I’m skeptical that a full-on robust GDPR proposal in the United States would make it all the way through to law in even remotely the same shape. I think it would be watered down given political realities in the United States. I wonder if there’s a different, more piecemeal strategy that can strike at really important places in more precise ways and embolden the frameworks that exist.


What is the legal foundation of these terms of service agreements?


For better or for worse, lawmakers in both Europe and the United States have decided that the main model for effectuating people’s privacy rights is control and informed consent. The idea is that if companies fully tell you about their data practices, and you click ‘I agree,’ then your privacy is being respected because you exercised control over that data by agreeing or not agreeing to it. In a lot of ways this is expressed in these terms of use. Courts in the United States have been pretty consistent: if you click the box that says you’ve read the terms of service and agree to them, whether you read them or not doesn’t matter; they’re going to enforce them anyway. It seems ill-fitting, given we have to make this decision so many times per day, and we have no bargaining power whatsoever. So these terms are usually enforced as contracts, but they do a terrible job of actually informing people of a company’s data practices. People don’t have the time or resources to read them or fully process the risks they are meant to describe. I suspect that people’s lack of understanding of the fine print will continue now and forever more—and rightfully so. People shouldn’t be expected to read thousands of lines of a boilerplate agreement every time they interact with a new online service. Nor should they be saddled with making decisions based upon over-simplified pop-up warnings. Informed consent models just aren’t a good fit for the complexity and neediness of modern online services.


Read the full article: “We know you’re not reading all those new terms of service emails. You might want to.”


Anu Bradford - The Brussels Effect
Henry L. Moses Professor of Law and International Organization, Columbia Law School


Professor Bradford, a leading EU and international law expert who has worked in the European Parliament, was interviewed by Columbia Law School about the new regulations and how they might apply to the United States. One key point she makes is that of “the Brussels effect.” This is a term Professor Bradford coined in her article of the same name. The Brussels effect describes the global influence the European Union exercises through its legal institutions and standards, and how that influence is exported to the rest of the world.


Will this force U.S.-based global internet giants like Facebook and Twitter to change their business models?


Absolutely. Many U.S. companies such as Facebook, Google, Apple, Microsoft, and Airbnb have revised their privacy policies to conform to the GDPR, extending the same privacy rights to their customers globally, as the logic behind “the Brussels Effect” would suggest. These companies find it often difficult to follow different privacy standards in different markets and therefore tend to apply the strictest international standards across the board. At times, it is technologically difficult to separate data involving European and non-European citizens. It can also be hard to justify offering better privacy protections for some users than others, further pushing companies towards a single global standard.


Tech giants such as Apple and Microsoft have also emphasized how they incorporate European privacy norms into the design of their products, developing their products with built-in features that conform to the strictest privacy settings by default. This is in line with the GDPR’s requirement regarding “privacy by design.”


Are these new laws too far-reaching or too limiting in regulating the personal privacy of users?


It depends whom you ask. Some privacy advocates claim that the GDPR does not go far enough while many companies worry about the high compliance costs associated with the new law. The U.S. government and many U.S. companies have criticized the EU’s heavy-handed privacy regulation in the past, alleging that it harms business transactions and curtails innovation. However, recently many U.S.-based companies have conceded that the EU privacy norms are the “right” norms. For example, Sheryl Sandberg of Facebook admitted that “Europe was ahead of this.” Similarly, in responding to a question from Sen. Lindsey O. Graham (R-S.C.) during the recent Senate hearing about whether the Europeans had it right in regulating privacy, Mark Zuckerberg said: “I think they get things right.”


Read the full article: “Data Privacy and the New EU Law: Five Questions with Columbia Law School Professor Anu Bradford.”


Daniel Solove - The GDPR Is the Most Profound Privacy Law of Our Generation
John Marshall Harlan Research Professor, George Washington University School of Law


Professor Solove is an internationally known expert in privacy law. He is the author of numerous books, textbooks, and law review articles addressing privacy and data security. Professor Solove frequently republishes his blog posts about privacy and technology policy issues on the TAP site. Three of his recent posts discuss the GDPR. Below are overviews.


Why I Love the GDPR: 10 Reasons

The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.


Beyond GDPR: The Challenge of Global Privacy Compliance — An Interview with Lothar Determann

As formidable as the GDPR is, only aiming to comply with the GDPR will be insufficient for a worldwide privacy compliance strategy. True, the GDPR is one of the strictest privacy laws in the world, but countries around the world have other very strict laws. The bottom line is that international privacy compliance is incredibly hard.


The Hidden Force That Will Drive GDPR Privacy Compliance

GDPR will have an impact far beyond how EU regulators enforce it. This is because of the intricate network of contractual relationships that companies have with personal data. GDPR will start sending some electricity through this network, and it will start lighting up.


Over time, this will lead to GDPR’s privacy and security controls becoming implemented more widely and eventually becoming generally accepted business practices.


Paul Schwartz - Bridging the Transatlantic Data Divide
Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology


In “Transatlantic Data Privacy Law,” co-written with Karl-Nikolaus Peifer, Professor Schwartz analyzes the legal identities constructed around data privacy in the EU and the United States. The article proposes that the GDPR could “play a central role in developing mutually acceptable standards of data privacy.”


From the abstract:

International flows of personal information are more significant than ever, but differences in transatlantic data privacy law imperil this data trade. The resulting policy debate has led the EU to set strict limits on transfers of personal data to any non-EU country—including the United States—that lacks sufficient privacy protections. Bridging the transatlantic data divide is therefore a matter of the greatest significance.


Read the full article: “Transatlantic Data Privacy Law.”