By Elizabeth M. Renieris in collaboration with Omidyar Network
In line with Omidyar Network’s pathways and pitfalls themed series, this piece focuses on the impact of Europe’s General Data Protection Regulation (GDPR) on the global data protection landscape since taking effect in May of 2018. It is undeniable that the GDPR has dramatically influenced the global landscape for data protection by creating pathways for other jurisdictions in the evolution of their own laws, while simultaneously elevating the public consciousness with respect to data governance and privacy.
At the same time, the GDPR’s global reach, both directly through its extraterritorial scope and indirectly through its influence on other laws, has amplified its pitfalls and limitations, with the result that GDPR-inspired laws also suffer from GDPR-style limitations. At the two-year mark, some of those key limitations include simultaneously under- and over-leveraged provisions, undeniably weak enforcement, and ongoing tensions between law and innovation, including challenges in applying the law to emerging technologies. Below, we explore the nature and scope of the GDPR’s influence and some of its core limitations, and consider whether the law represents a global floor or a global ceiling for data protection.
The GDPR’s direct effects through the extraterritorial scope of its application are acutely felt around the world. As the European Union is the world’s largest single market, with more than 500 million consumers, the GDPR has a direct effect on virtually any entity anywhere in the world aiming to do business with consumers within the EU. Even the U.S. tech giants are hard pressed to avoid a market of that size. In this way, the GDPR has created a de facto global standard for most large corporates and multinationals, in part because it is easier for them to comply with a single standard or framework rather than a patchwork of local and national data protection laws, and in part due to the absence of an alternative paradigm for global data governance. At present, it is hard to identify a second-place competitor to the EU’s data protection framework.
We have also observed a more indirect “Brussels effect” through a proliferation of new and upgraded data protection laws in jurisdictions around the world, falling on a spectrum of outright copycats that directly reference the GDPR to more divergent laws exhibiting a clear influence of the GDPR’s core principles, substantive rights, and enforcement mechanisms. Since taking effect, the GDPR has inspired countries like Kenya and Uganda to introduce their first-ever national data protection laws, and motivated others to update or amend their existing laws. For example, Argentina introduced a new data protection law in 2018, in part to preserve the adequacy status it obtained from the European Commission in 2003 under the European Data Protection Directive (the “Directive”), the predecessor to the GDPR. Finally, the GDPR has also inspired countries with a previously sectoral approach to data protection, including India, Nigeria, and Brazil, to shift to a comprehensive or general approach to data protection.
The “Brussels effect” is also a function of the European Commission’s strategic efforts to foster a convergence of privacy and data protection laws through various bilateral, regional, and multilateral fora, as well as through data-related aspects of trade policies, including through the proposed EU Comprehensive Strategy with Africa. The Strategy lays out several priority areas, including digital transformation across Africa, that will be heavily influenced by the GDPR at a country level and for cross-border and international trade and investment. But global harmonization may actually result in weak standards and principles in some countries, making it challenging for many small and medium-sized enterprises to comply, while giving large global technology companies like Facebook and Google a competitive advantage insofar as they can organize a coordinated global response. In fact, the African Union expressed concerns over the Strategy and reiterated that it must jointly dictate the terms with the EU.
In its recent report evaluating the GDPR’s application and functioning two years in, the European Commission emphasized that helping small and medium enterprises comply with the law will continue to be one of its major focal points. Overall, the Commission gave itself high marks, concluding that “the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.” It also celebrated the flexibility of the GDPR framework in adapting to COVID-19-related measures such as contact tracing.
The Commission did concede that there is room for improvement, particularly with respect to international data transfers and cooperation and consistency, including the “one stop shop” mechanism. It also acknowledged that data protection authorities (DPAs) are under-resourced, that the right to data portability has yet to be fully implemented or utilized, and that the GDPR’s application to new or emerging technologies like blockchain and AI remains unclear. Finally, the Commission noted the inconsistent resolution by Member States of the ongoing tensions between the fundamental rights to data protection and the freedom of expression.
Though unexplored in the Commission’s report, it is important to flag other shortcomings of the European framework, especially as GDPR is exported around the world through its vast influence on the global landscape. Some of these limitations are due to the fact that the GDPR is largely identical to its predecessor, the Directive of 1995, designed at a time when the digital landscape looked wildly different from what it is today. Others are due to the lack of a meaningful alternative paradigm.
First, the GDPR and many GDPR-inspired laws exhibit an overreliance on consent as the lawful basis for processing data, particularly because meaningful informed consent is often elusive in today’s digital realm. Given the vast asymmetries of knowledge and power available to the handful of large dominant commercial actors in the digital realm, individuals not only lack the capacity or awareness to manage or understand the implications of their decisions with respect to data, they also lack meaningful choices.
This also exposes a shortcoming of a data protection framework like the GDPR, which fails to address market dynamics and requires supplementation from other domains, such as competition or antitrust laws. For example, in a recent antitrust case in Germany, the high court ruled that Facebook abused its dominance in social media to illegally harvest data about users by commingling data across Facebook platforms including Instagram, WhatsApp, and Messenger. While this commingling of data could be challenged on GDPR grounds, the ruling demonstrates that market conditions that interfere with our data protection rights also limit our freedom and autonomy by limiting our choices in the market. It also demonstrates the complementarity of data protection and antitrust laws.
While elements of the GDPR, including consent as a basis for processing, have been over-leveraged in the GDPR-inspired paradigm, other provisions have arguably been under-leveraged, especially the requirements for data protection by design and default set out in Article 25 of the GDPR, as well as requirements around automated processing and decision-making and meaningful mechanisms for individual data portability. These provisions are unlikely to become widely implemented before they are meaningfully challenged and national DPAs take an enforcement interest in them.
Additionally, the GDPR and many laws it has inspired tend to feature broad exemptions for national security and law enforcement purposes, as well as for government purposes, such as in furtherance of the public interest in the context of a public health crisis, as the COVID-19 pandemic has exposed. Despite its fundamental rights approach, the Commission has also been relatively weak on resisting widespread deployment of intrusive technologies such as facial recognition systems. In places without a strong tradition of fundamental rights underpinning GDPR-style legislation, crises like the present one can dramatically dilute the letter and spirit of the law. Moreover, where GDPR-style laws are copy-pasted or directly transposed into national law in places where the corresponding legal, political, institutional, and other infrastructure is lacking, they might even do more harm than good, giving the appearance of protection where it is lacking.
Looking ahead, we can already see some post-GDPR trends emerging in the global data protection landscape. As the GDPR has made progress on raising the bar for personal data protection, one emerging trend is a push to encourage more data sharing, especially for beneficial uses, including public sector services and research. One such upgrade may come from the EU itself through its new digital strategy, as articulated in its recent communications on Shaping Europe’s Digital Future, White Paper on Artificial Intelligence, and European Data Strategy. As part of that strategy, the Commission may introduce a Data Act 2021 focused on facilitating data sharing and promoting free flows of data, as well as expanding the individual’s right to meaningful data portability. It is also clear that the EU is concerned about its data protection and privacy standards putting it at a competitive disadvantage when it comes to the future of AI and other emerging data-driven technologies and industries.
Despite the absence of a comprehensive federal privacy law to date, it is possible that an alternative paradigm could even emerge in the United States, where one late-mover advantage may include learning from what has not worked well in Europe and other places. Challenges to the individual notice and choice or consent-based paradigm are increasing, including a recent proposal by U.S. Senator Sherrod Brown that would ban the collection, use, or sharing of data by default, save for a handful of previously negotiated permissible purposes. States and municipalities in the U.S. have been implementing moratoria and, in some cases, outright bans on the use of facial recognition technologies. Other proposals include the creation of information fiduciaries or intermediaries to negotiate data subject rights, and the introduction of collective bargaining entities such as data trusts or data collectives.
Two years into its application, it may be too soon to tell whether the GDPR has in fact set a global floor or a global ceiling for data protection. At this point, the future of global data governance is uncertain.