A public policy blog from AEI
Yesterday the European Commission issued a hard-hitting paper criticizing President Trump’s threat to impose tariffs on cars imported from the European Union (EU). Trump has touted tariffs as a (misguided) attempt to prop up American manufacturing and reduce the trade deficit. But while America has a $101 billion overall trade deficit with the European Union, it maintains a $70 billion trade surplus in digitally deliverable services. And in that vein, the EU’s new privacy law, the General Data Protection Regulation (GDPR), may have the same effect for the European tech sector that Trump hopes tariffs will have for American manufacturers: making space for domestic production by raising costs on foreign businesses.
The effect of the GDPR
The GDPR sets guidelines for collecting and processing the personal information of EU residents. Companies must engage in data protection by design and by default, requiring greater privacy protections than most other legal regimes, and are generally prohibited from using that data without informed consent. Importantly, the law applies not only to companies within the EU, but to any company that collects data about an EU resident. And the penalties for noncompliance are steep: Companies in violation can be sanctioned up to 4 percent of global revenue.
The costs of implementing such GDPR initiatives as tracking individual consent, storing data pseudonymously, hiring a data protection officer, implementing a right to erasure, and the like are significant. Forbes estimates that American Fortune 500 companies will collectively spend $7.8 billion on GDPR compliance. Facebook noted that it assembled “the largest cross-functional team” in the company’s history to meet the EU’s new demands.
But perhaps more significant than these direct costs is the GDPR’s indirect cost: the potential loss of services to European consumers. Behnam Dayanim, a partner at the law firm Paul Hastings who handles GDPR compliance, explained that American companies have “to think very hard about whether they really want to do business with EU data subjects.” When the GDPR came into effect in May, some US-based websites (most notably, news sites such as the Los Angeles Times and Chicago Tribune) became temporarily inaccessible for EU residents due to concerns that imperfect implementation would trigger liability. Many smaller American companies chose simply to block European users and withdraw from the EU market completely, including Washington-based online gaming company Uber Entertainment, mobile marketing company Verve, and many others.
The chilling effect on digital products available to European consumers could be significant. Even if companies are not actively marketing to European residents, they may have European visitors interacting with their webpage, taking advantage of marketing offers, or subscribing to newsletters. If these interactions result in retention of personally identifiable information, the company is subject to the GDPR. The ease with which a company may find itself bound, coupled with the cost of compliance and potentially draconian penalties for violation, creates strong incentives for companies to withdraw — aggressively — from European markets.
Making Europe great again?
Under the cynical logic of protectionism, tariffs increase foreign companies’ costs of doing business, which reduces their market share and makes room for domestic producers to compete. One could argue that by encouraging smaller American companies to withdraw from Europe and increasing the cost for larger companies to do business there, the GDPR similarly provides some assistance to native European tech companies that have thus far failed to get traction in internet markets. US Secretary of Commerce Wilbur Ross alluded to this, noting that the “GDPR’s implementation could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the US, but for everyone outside the EU.”
Although this has not been an explicit argument by GDPR supporters, the European Commission’s rhetoric has at times taken a somewhat nationalistic tone. On the eve of implementation, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová stated in a press release that “personal data is the gold of the 21st century,” and that through the GDPR, “Europe asserts its digital sovereignty.” The European Commission’s Twitter account similarly celebrated that the GDPR “put[s] the Europeans back in control of their data,” implying perhaps that this control needed to be wrested away from the mostly non-European companies that dominate the digital world.
This implication fits a broader narrative that some tell about enforcement of EU law in digital markets. Apple, Facebook, Uber, and Google have all faced significant penalties in recent years for running afoul of various EU laws. When Google received a record $2.7 billion fine for violating EU competition law with its search result algorithm, some American commentators asserted anti-American bias. The rhetoric was heated enough that the EU’s top antitrust official, Margrethe Vestager, issued a statement disclaiming any bias against American companies. (For the record, I have no reason to doubt her.)
Of course, it is important not to overstate the connection to tariffs. GDPR compliance differs from Trump’s protectionism in one important respect: that domestic European firms must incur the same costs as American firms. But as Forbes notes, the cost of GDPR compliance is falling disproportionately on American firms because many European companies in the space already have measures in place due to pre-GDPR EU law. As an aside, I also recognize there are legitimate, non-protectionist reasons to support greater privacy rights, which are popular among European consumers.
But regardless of intent, the GDPR may have an effect on European consumers akin to the effects that Trump’s tariffs will have on Americans: It may reduce the percentage of foreign commerce in the domestic market, denying consumers some choice and raising prices to pursue a different policy objective. The European Commission was right that tariffs could weaken the US economy, and the GDPR might similarly harm the EU.
© 2018 American Enterprise Institute