Three Questions: Prof. David Bach on the Reach of European Privacy Regulations
A change to European privacy rules has unleashed a flood of emails about updated privacy policies to customers all over the world. We asked Yale SOM’s David Bach why businesses outside the EU are responding this way and whether it signals a potential race to the top in regulation.
People all over the world are getting privacy notices in response to a new European regulation. Why are companies doing this?
The new EU rules, called the General Data Protection Regulations (GDPR), are designed to enhance European citizens’ data privacy. They not only apply to firms based in the EU but to anybody who stores or processes data about European citizens. While the rules were adopted two years ago, they came into force today, May 25, 2018, and many organizations have scrambled over the last several weeks to bring their policies in line. For some companies, some big changes are in store; Facebook reportedly had more than 1,000 people—engineers, lawyers, and product managers—working to ensure compliance.
Is this an indication that the strongest regulation becomes the de facto standard because it is too expensive for companies to maintain different standards in different markets?
The prevailing narrative about globalization is that it sets off a “race to the bottom” as firms arbitrage among jurisdictions and incentivize policymakers to lower anything from environmental standards to corporate tax rates in an attempt to attract or retain business. But that’s clearly too simplistic, as the European data privacy example shows. In fact, as David Vogel at Berkeley Haas has shown, in addition to the so-called “Delaware effect” there is also a “California effect” whereby jurisdictions progressively ratchet up standards as a result of global competition.
Much of the world—with the U.S. being a notable exception—had converged on earlier European data privacy rules, and countries such as Argentina, Brazil, and South Korea are already discussing legislation to bring their domestic rules in line with GDPR. Their own business communities are often driving these efforts because (a) they need to comply with EU standards to process European data and (b) ensuring greater protection for European customers than for domestic customers is not only costly and inefficient but also generates reputational risk. In fact, for the same reason, many American companies are taking the leap and are extending GDPR-compliant policies to all their customers. As my colleague Abe Newman and I explained in an earlier paper, it’s the combination of a highly attractive market of 500 million consumers and potent regulatory authority over that market, including the ability to deploy this authority extraterritorially, that gives the EU so much global regulatory clout—call it the “Brussels effect.”
Is there a distinctive European approach to privacy? Is it likely to win out?
In short, yes. While there are strong protections for certain types of data in the U.S.—say, health records and certain types of financial information—there is no cross-sectoral data privacy protection. In contrast, European countries more than 30 years ago adopted comprehensive data protection rules, created potent national regulators, and networked them across the EU as part of the Single Market project. Europeans effectively own their personal data and have a right to access their data stored on third-party systems, correct it, have it erased, and control when and how it can be shared. This is in contrast to the American approach, where companies that successfully mine personal data use it with few constraints. Moreover, the new European rules require pseudonymization and storing encryption keys separately from the data to protect against breaches and obligate firms to build their systems with data protection as the foundational principle rather than, say, optimizing databases for analytics or ease of access.
Distinct approaches have informed policies on opposite sides of the Atlantic for decades and that might continue. But recent scandals such as Cambridge Analytica and massive data breaches have highlighted how little protection American consumers have. Facebook, Google, and others have been more supportive of the European approach than early U.S. dotcoms were when the previous EU rules came into force in the late 1990s. That alone might extend the reach of the “Brussels effect” all the way to America’s shores.