Ignore the Privacy Across the Pond

The Brussels Effect 

May 25, 2018 marked a change in the way companies used the internet.  On that day, the European Union’s General Data Protection Regulation (“GDPR”) went into effect.  Hailed as the “World Toughest Privacy Laws,” the GDPR promised to change the way European companies handle the private data of their customers by requiring, among other things:  a customer be able to erase all of his or her information, disclosure of what the firm is doing with the information, and, that the customer be able to object to the usage of their data.  The GDPR, however, was not just lauded as an important step forward for the EU, but, due to its extraterritoriality clause, it was assumed the GDPR would force companies located in the United States to adjust to the GDPR standard as well.  This process, known as the Brussels Effect, is part of the larger trend in administrative law’s assumption that rising regulation in one large jurisdiction will also improve regulation in other jurisdictions.

Evidence of the Brussels Effect

Despite the prevalence of this assumption, the empirical data has been mixed.  One study by Professor Jens Frankenreiter at Washington University in St. Louis found that of two-thirds of American firms which had changed their privacy policies in response to the GDPR, only around eighteen percent were actually GDPR compliant.  This indicates that companies in the United States changed their policies around the time that the GDPR went into effect, yet did not truly attempt to comply with it.  

This result seems perplexing, for if the purpose of changing their policy was to fit with the European Union’s stringent privacy law, about eighty-two percent of those companies seemed to have failed.  Yet, on the other hand, it seems they did care about the GDPR somewhat, as they changed their privacy policies around the time the GDPR came into force.  The confusion is further compounded when one realizes it is relatively easy to differentiate one’s policy depending on the location of the person accessing the website.  For example, if a consumer logged in from Europe, the website would apply the GDPR to their private data, while a consumer logging in from the U.S. would be regulated under U.S. privacy law (see, for example, Sullivan & Cromwell’s privacy policy).

Proposed Theories for U.S. Adoption of the GDPR

1. Market advantage

The perplexities suggested by Professor Frankenreiter’s study have led empirical researchers to argue that American companies tried to comply with the GDPR because of market forces, rather than the expenses involved in creating a privacy policy for its European users and a separate one for U.S. users.  Observing that firms dealing primarily with sensitive information (i.e., dating websites) tend to adopt more stringent privacy policies, these researchers hypothesize that it is not so much the European Union’s market power, but rather the improved product.  In other words, companies changed their policy based on the assumption that users would respond positively to increased security, once they see it offered in other places.  

This idea is seemingly supported by an online study by TrustArc, which found that most EU citizens reportedly liked the GDPR and felt more confident with their information being online.  However, one difficulty with the study is that only twenty-five percent of people said that they would be able to determine whether a website is GDPR compliant.  Thus, while it is possible some businesses are reacting to a perceived market for increased privacy, appealing to consumers would likely be a waste of effort on the business’s part if users cannot even tell the difference between a website with a strong privacy policy and one with a weak policy.  To assume that so many businesses are engaging in wasteful behavior is to assume that a large part of the U.S. market is behaving irrationally, which makes this theory slightly tenuous. 

2. Perception of Market Advantage 

In addition to the idea that American companies are adopting the GDPR because the GDPR represents a better product, there is another reason why these companies would voluntarily adopt the GDPR.  Namely, they want to give their consumers the illusion of control, by letting them decide what data is put online.  Indeed, one study found that people are more likely to view a price as fair if they choose to share their personal information with the website.

Conclusion

These theories, if true, would have a profound impact on the way the Brussels Effect should be examined and invoked.  Under the current cost-based model, the European Union is assumed to act unilaterally, establishing rules by diktat, and other markets must follow.  This idea posed a significant concern for scholars, as what is good for Europe is not necessarily good for the rest of the world (see this article concerned with the effect the GDPR would have on African E-commerce).  However, if the mechanism is something other than cost, many of those fears may be overblown.  

If the reason for the Brussels Effect is the advantages offered to companies by higher standards, there is less of a worry about the negative externalities of the GDPR.  If companies are not forced into adopting European privacy laws but are instead making a market choice, one can assume that the companies would only adopt the higher standards if the standards were beneficial to their development.  While this would give the European Union a freer hand in drafting their privacy laws, it does mark the end of the European Age, where European capitals get to dictate policy for the world.  If the European Union’s seemingly unilateral externalization of its laws is not unilateral at all, European authorities should worry less about the impact their regulations have on the world and put the European consumers’ interest first at all times.

Henry Bloxenheim is a second-year law student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law.  He graduated from CUNY-Brooklyn College in 2019.