Foreign Policy Blogs

New European GDPR Rules Affect Everyone

New European GDPR Rules Affect Everyone

The new General Data Protection Regulations, or GDPR that has recently come into effect inside the European Union may have as much of an influence inside the EU as it will internationally. Any companies that do not adhere to the new data privacy protection rules may find themselves in violation of the GDPR if they are seen to breach the new rules and have that breach linked to a citizen of the EU. The penalties are designed to not only deter local European based companies from violating the new regulations, but also gives the EU the power to levy massive fines on international corporations who do not adhere to the new data privacy standards. The EU has applied strict enforcement to many of their regulations, and are not timid in the application of billions of Euros in fines on large multinational corporations in the past when found abusing competition regulations in the EU. The effect of these settlements that would calculate the fine to be a punishing double digit percentage of the international value of the company in violation is meant to deter future illegal activities by significantly crippling large companies who conduct themselves in an improper manner, hitting them precisely where it hurts the most.

From a company perspective, new rules and regulations with penalties that could theoretically destroy a company may be difficult to adhere to with the new regulations not yet being tested in court nor experts completely agreeing to what constitutes full compliance. Companies are scrambling to find the best experts and set up entire data privacy compliance departments in an effort to throw as much as possible against the wall and hope that they meet the standards of compliance with the new regulation. In effect, no one wants to become the test case for the new regulations, as past cases on competition breaches lead to now famously large fines against companies in the past. Non-EU companies will have to also consider how the new regulations affect their data privacy policies, as companies outside the EU may be just as vulnerable as those based in Paris or Munich. After breaches in the finance industry by HSBC and other large companies, bank and finance companies worldwide set up Compliance Departments in order to not violate US and EU banking regulations, even if they were not located or even operated in the US or EU. Like many competition regulations, the economic weight of the European Union may as well be considered as a development in international policy, but with new rules abroad, the difficulty in ensuring compliance when most of the experts are based in the EU adds an additional layer or chaos and confusion in applying GDPR worldwide.

From a consumer perspective, many of the regulations applied on European and international companies are meant to lower the actual cost of services, allow for more options, and protect an individual’s privacy, savings and even the security of EU citizens. The question of what an official might call a discrepancy in accounting practices or policy could reach into the range of billions of dollars, and it is appropriate and significant that a formal and effective deterrent is applied so that the loss of large amounts of money do not pass as simple disagreements in accounting standards. The disappearance of so much money from consumers or the public severely costs communities, makes so that infrastructure, housing and hospitals so not get built, and even leaves the sick without beds essential in receive humane treatment. Actions that seek to prevent public authorities from accessing information that can have such a great effect on citizens are particularly horrendous. The practice of midnight raids used by EU authorities, entering companies at night in order to find valid evidence of breaches in policy has become part of their tool kit for this reason. This became the rationale the competition authority of the European Union used to set the standard in punishing companies like Microsoft and Google when they tried to push out their competition, effectively taking any financial benefits away from their illegal actions. With GDPR in effect in the EU, it would be logical for other countries to adopt many of the same measures as the EU, not simply to avoid any fines coming from the new regulations, but to give their citizens a better standard of protection on their personal data. No one should expect less from their public authorities and breaches should be applied diligently. The EU has likely set the global standard on data protection, and until the new policy matures and finds its place through legal jurisprudence, members of government and the business community should work in good faith to set a global standard that protects individuals. Appropriate punishments need to be effective but not enter the realm of abusing those who attempt to work within their understanding of regulatory obligations. If the regulation becomes a political tool, it will degrade its effectiveness and betray public trust on its application by local EU and authorities abroad.



Richard Basas

Richard Basas, a Canadian Masters Level Law student educated in Spain, England, and Canada (U of London MA 2003 LL.M., 2007), has worked researching for CSIS and as a Reporter for the Latin America Advisor. He went on to study his MA in Latin American Political Economy in London with the University of London and LSE. Subsequently, Rich followed his career into Law focusing mostly on International Commerce and EU-Americas issues. He has worked for many commercial and legal organisations as well as within the Refugee Protection Community in Toronto, Canada, representing detained non-status indivduals residing in Canada. Rich will go on to study his PhD in International Law.

Areas of Focus:
Law; Economics and Commerce; Americas; Europe; Refugees; Immigration