Kara Sutton
Former Senior Manager, Center for Global Regulatory Cooperation


May 24, 2018


Across the world, consumers are noticing that many of the websites and online services they use daily have been updating their terms of service – those long, legal documents on which we are required to click “I Agree” before using the service. Why is this happening now?

It’s happening because the European Union’s General Data Protection Regulation (GDPR) is entering into force May 25, and U.S. firms with operations in the EU are taking steps to meet its terms. The GDPR’s regulatory reach is such that it is reaching across the Atlantic to American citizens.

GDPR may be the new norm for privacy in Europe, but we may not see its full implications for months or years to come. How will we measure the success or failure of this new regulation as a policy? As a start, here are eight things to watch for:

1. Uneven and selective enforcement

The ability of all 28 EU Member States’ data protection authorities (DPAs) to regulate effectively remains one of the biggest question marks around GDPR. While regulators have been adamant that there is “no grace period,” the majority of regulators are unlikely to be ready to enforce GDPR and expect to remain under-resourced and overstretched. Some regulators point to the fact that their governments have yet to update regulations taking into account the new EU-wide laws, which means the potential for divergent approaches remains.

With harmonization across the EU as a key policy goal of GDPR, as DPAs start launching investigations we will be able to see if they are working together to police GDPR through the mechanisms the regulation created, such as the one-stop-shop and European Data Protection Board (EDPB). However, with so many DPAs under-staffed and -resourced, DPAs could instead independently turn to investigations and cases that are more symbolic in nature leading to enforcement that is haphazard and prejudicial.

2. Europeans exercising new rights

The GDPR creates eight new rights that Europeans data subjects have the ability to exercise in their relationships with companies. Companies have vigorously updated their privacy policies and internal procedures for handling data around these new rights.

DPAs have a role to play too in educating citizens about these new rights and how to use them. The success of GDPR depends on whether individuals exercise these rights.

As part of the European Commission promised one-year review in 2019, it would be interesting to measure just how many Europeans actually use these rights and which rights are exercised the most.

3. Security of the internet

A major side effect of GDPR implementation is that the Internet Corporation for Assigned Names and Numbers (ICANN) WHOIS database could “go dark,” detrimentally impacting public safety, and the security and stability of the Internet. The WHOIS database plays an indispensable role in ensuring good governance, accountability, and transparency for the Internet.

The success of GDPR as a policy depends on whether it allows data privacy to coexist with other important policy priorities, such as cybersecurity. While ICANN is working toward a solution where the WHOIS database is compliant with GDPR, the database is already becoming harder to access as some registries and registrars limit access and information to avoid potential GDPR fines.

Limiting the information or the ability of those with a legitimate purpose to access information in the WHOIS database will undermine the security of the internet, resulting in an uptick of cybercriminals as well as spam and phishing attacks in your inbox.

4. Global market fragmentation

Many companies have already announced they will pull out of the European market or begin to tailor products and services specifically for EU residents. For example, the internet company Seznam.cz, based in the Czech Republic where Commissioner Věra Jourová who was responsible for creating GDPR is from, will shut down its social network for classmates because of GDPR.

Like Seznam.cz, many businesses are deciding that complying with GDPR creates unnecessary barriers and costs for doing business in Europe. Other companies may not pull entirely out of the market, but instead limit the good and services that they offer to Europeans vis a vis global consumers.

While some privacy advocates have applauded companies pulling out that cannot offer strong data protections, the aim of GDPR is really to empower consumers to make choices around their privacy. The ultimate loser if this trend continues is the EU consumer, as they will lack choice and access to the most innovative and cutting-edge products and services.

5. Fewer small business and start-ups operating in the European market

Most SMEs and start-ups already start at a disadvantage against larger, existing players that have a mass amount of data to utilize. Now, having to comply with GDPR creates further disadvantages.

Large corporations have proven better equipped to comply with GDPR thanks to their ability to invest in education, legal counsel, and a shift in their data practices. GDPR could move the competitive advantage further toward larger companies over small companies that lack the resources to ensure compliance.

Smaller companies may decide to focus instead on more accessible markets, and start-ups will find it more difficult and pricier to launch their business.

6. Clashes with emerging technologies

Regulation is usually behind technology, and GDPR is no exception. GDPR is already creating issues for emerging technologies. For example, the right to be forgotten and the right to inform could prove at odds with blockchain, a technology that could actually help improve privacy. Further, the Article 29 Working Party (WP29) has created a strict interpretation of GDPR that will make use of automated decision-making more stringent. There are also uncertainties around GDPR and the use of artificial intelligence.

Only a risk-based, flexible interpretation of GDPR will ensure emerging technology can flourish under these new rules. Otherwise, it will be increasingly difficult for companies to introduce and use new technologies within Europe.

7. Global data flows and interoperability

The EU is already exporting GDPR abroad, and many are pointing to it as the next global norm. Yet, this is dangerous as the policy is untested and questions around implementation remain.

Many countries want to adopt GDPR in order to ensure the EU deems them adequate, enabling data flows to and from the bloc.

Even if countries adapt their laws to be “GDPR-like”, differences in culture, legal systems, and enforcement capabilities will ultimately create divergence. In particular, with more than 120 countries with data protection laws in place, the challenge now becomes ensuring interoperability and the movement of data between these differing privacy regimes.

As the EU and Japan finalize joint adequacy decisions, the EU can continue to demonstrate GDPR’s global reach by working with APEC countries to create interoperability between the APEC Cross-Border Privacy Rules system and GDPR.

8. More regulation, guidance, and court cases

More regulation is already in the European policy pipeline with the ePrivacy Regulation being discussed in the European Parliament and Council. As currently envisioned, ePrivacy will create further overlap and confusion with GDPR. Continuing to layer sector-specific regulation will only create more uncertainty and cost for companies.

Further, many questions around GDPR are still unanswered. DPAs will continue to create new guidance, but, ultimately, many of these issues will play out in European courts.

Meanwhile, companies will continue to operate in uncertainty over whether the privacy programs they spent two years and millions of dollars putting into place are actually compliant.

About the authors

Kara Sutton

Kara is former Senior Manager for the Center for Global Regulatory Cooperation.