GDPR: Good Intentions, Unintended Consequences?
By Jen Patterson-Radovancevic | July 17, 2020
The EU’s General Data Protection Regulation, or GDPR, has often been lauded for its progressiveness, having seemingly pushed the definition of what can be considered to be under a governing body’s supervision when it comes to technology. The goal was to make Europe “fit for the digital age,” but GDPR has implications for businesses and individuals on a global scale — and only some of them good.
While GDPR protects European residents (it is not exclusive to citizens) and has inspired adherence to its principles and similar policies abroad, there could be some negative economic costs incurred on non-EU countries — and these costs would be most inflicted, potentially, on the most economically vulnerable countries, or those who still catching up from behind in terms of technological globalization.
The EU regulation impacts firms both inside and outside the EU — in effect, it can affect any company that touches the data of EU businesses, residents, or citizens, regardless of having a physical headquarters in Europe. If the business is outside the EU, but handles any European data, it is required to designate a representative to monitor the company’s data practices, notify relevant EU authorities of potential data breaches, and attend enforcement proceedings in the event of GDPR non-compliance. In such a case of noncompliance, the ICO or another European Protection Authority can serve a formal enforcement notice on the company. This would likely take the form of blocking the service in the case of unlawful data processing, or goods seizure in the case of personal data related to the sale of physical goods being processed unlawfully. For repeat offenders, up to €20 million (approximately $23.5 million USD) or 4% of a company’s worldwide turnover can be fined.
This presents a tricky situation for non-EU countries and companies that have high market contact with the EU, in whatever capacity. These might include, for example, “fringe” European countries, like those in Southeastern Europe. Countries must decide whether or not they will follow in the EU’s footsteps, and create their own “progressive” data protection policies. If they do, they may be able to ensure that their companies can maintain business relationships in Europe, but would face the high cost of actually enforcing the regulation — certainly, this would affect the poorer, most vulnerable countries the most. If they do not pursue such policies, they might save regulation costs, but risk losing overall GDP; furthermore, companies within their borders will have to compete amongst themselves and decide if they will meet GDPR’s requirements, possibly with little governmental support. Firms surviving at the edge may be sunk simply from the administrative cost of determining who among their user base is an EU resident. EU countries, and other rich western countries, can more easily afford to switch over to the GDPR standards either via policy or via natural market competition, and likely have the private technical knowledge and public governmental support to do so.
Aside from the economic burden, there’s another effect to consider when it comes to GDPR’s influence: that the rest of the world, as it mimics Europe’s policies and practices to fit into the global economy, will de facto adopt the European model of data privacy. With the European and California models of privacy poised to become the dominant privacy paradigm globally, the question must be asked — is it right for the West to impose its conceptualization of privacy on the rest of the world? No matter how well-intentioned, the ideological effects of GDPR may, in a sense, act as a form of technological imperialism. Furthermore, exacting regulations after the West’s Internet tech companies have been firmly established is a practice reminiscent of other potentially harmful “progressive” movements by the West: imposing environmental laws on industrial-era Stage 2 and 3 countries, while the West’s service-based economies reached their current state of comfort by engaging themselves in environmental exploitation; or even the apparent solidification of national borders in the name of self-determination, once Europe and the US were satisfied with the outcomes. The West generously exporting its morality is not new; nor is the world’s willingness to adopt that morality, if it means staying competitive in the global market.
In this piece, I don’t intend to muddle the benefits GDPR provides. The transparency that it demands from large companies, especially concerning data practices and data breaches, is a huge leap forward from pre-GDPR times. Rather, my goal was to highlight some of the potential negative externalities of the legislation, and hope it may inspire others to deeply consider the true effects of such a premium, global policy on the world’s underdogs.