By Alexander Egber.
At first blush, it might not be obvious why legislation coming out of the European Union is pertinent to Arizona residents. Europe is about 5,000 miles away, after all, and intuition suggests that a more appropriate focus would be on state and federal legislation. Nonetheless, a myopic focus at home might distract us from critically important developments taking place across the Atlantic. One such development is the rapid enactment and evolution of data privacy and internet usage laws that have an outsized impact on the rest of the globe.
Although these legislative actions aren’t specifically directed towards American business, we must remember that our nation’s economic prosperity is inevitably intertwined with EU affairs. As described in this post, EU initiatives aimed at protecting its own citizens’ data privacy rights, for example, necessarily bind American businesses that wish to avail themselves of the European Economic Area. From a practical standpoint, isolating oneself from that market would be injurious and, as a result, many businesses here at home must obey EU rules or, alternatively, risk large fines. We should therefore educate ourselves on the happenings of our neighbors in Europe.
The EU and Data Privacy
The first update to observe from the EU is the General Data Protection Regulation (GDPR), adopted in 2016 and effective as of May 25, 2018. The EU had pre-existing data privacy protections in place via the Data Protection Directive, but the GDPR was the most comprehensive regulation of its time, covering topics such as the rights of the data subject, duties of data controllers and processors, and data transfers to third countries. Importantly, the regulation broadly applies to any organization that collects data from EU residents regardless of its location. That includes, as one might guess, American companies collecting data from EU residents.
The GDPR’s goals are to ensure the protection of fundamental privacy rights, update privacy laws to reflect the evolution of technology, and unify the privacy laws of EU member states. These goals are laudable, no doubt, but the means of achieving them come with a price. In 2018, it was estimated that the GDPR had imposed a cost of $7.8 billion on American companies through compliance and other legal costs. As the law continues to develop through legal challenges, we can expect to see that cost rise.
One example that highlights the GDPR’s bearing on the United States is the noteworthy July 2020 decision by the Court of Justice of the European Union (CJEU) in Data Protection Commission v. Facebook Ireland, Schrems (known as Schrems II). In Schrems II, the plaintiff challenged the legitimacy of the European Commission’s adequacy determination that, in short, authorized the transfer of data from the EU to the United States. The CJEU held that the so-called EU-US Privacy Shield was invalid due, in part, to the intrusive surveillance powers of the US government. This was a monumental development in the world of data privacy as exemplified by the newly uncertain authority of, say, Amazon to transfer data amongst its data center facilities. Amazon, for what it’s worth, has expressed an independent dedication to securing its customers’ data.
The Schrems II decision is significant not because it will shut down all data transfers to the US (it will not), but because of the additional due diligence that businesses must undertake to remain compliant. American businesses now need to verify by year’s end that they have a separate legal basis to transfer data outside the EU, one that ensures a level of security commensurate with that found in the EU. This obligation effectively compounds the total economic costs of the GDPR. To reiterate, the GDPR’s goals are commendable but they are not free of charge, and it’s important to understand the costs as weighed against the advantages.
The EU and Big Tech
While the GDPR has been in effect for a few years, another wave of relevant EU initiatives is right around the corner. That wave involves the Digital Markets Act (DMA) and the Digital Services Act (DSA). These two acts, adopted in July of 2022, will become enforceable over the next year and, like the GDPR, apply to all businesses that offer services in the EU irrespective of their principal place of business. This means that, just as the GDPR has resulted in many US companies universally adopting the EU standard for data privacy, the DMA and DSA may also have a similar impact on affected businesses.
That said, the DMA and DSA encapsulate a smaller subset of target companies. The DMA is directed towards “gatekeepers” who are online companies with a dominant market share. It is essentially an antitrust law that strives to ensure a fair marketplace for consumers. Meanwhile, the DSA imposes obligations on “Very Large Online Platforms” (VLOPs) and “Very Large Online Search Engines” (VLOSEs) to limit the proliferation of illegal or misleading content online.
Perhaps less pertinent to Arizona businesses as compared with the GDPR due to the narrower scope, the DMA and DSA will still conceivably influence the media that Arizona residents consume. As described, the GDPR induced many US businesses to homogenize their data protection policies to account for business efficiencies, and it’s undetermined how the DMA and DSA will influence large tech companies, like Facebook, Google, or Apple, to change their offerings here in the US as part of their compliance efforts over in Europe.
One interesting aspect of the DSA to consider is its relationship with the uniquely American First Amendment freedom of speech. Whereas the American framework is one that, on a basic level, permits private regulation of speech while prohibiting public regulation of speech, Europe generally takes the opposite approach. It will be worth keeping an eye on that tension as the DSA takes effect and begins to place potentially conflicting obligations on social media companies’ content moderation in different parts of the world. The relationship between social media companies and us, their consumers, is sure to be in flux for quite some time.
America, the birthplace of the internet, has left a regulatory vacuum for the EU to fill. Certain states at home have taken steps to address data privacy concerns, but more is likely needed to regain our position in the international conversation. The EU has shown little desire to join in America’s sluggish journey to pass meaningful legislation, and the time is now to work with our European friends to ensure the interests of Arizona businesses are represented. If we continue abdicating our responsibility of keeping up with the times, others will continue setting our domestic policies for us.