No Choice? GDPR's Impact on the U.S., UK, and the EU

Four letters will have a profound impact on the future of global digital trade: GDPR or the General Data Protection Regulation (GDPR) is the EU’s new data privacy regime that regulates companies’ access to and transfer of the data of individuals in the EU and enters into effect on 25 May 2018.  The GDPR protects such data as basic identity information such as name, address and ID numbers, web data such as location, IP address, cookie data and RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation. EU citizens have the right to know upon request what personal data a company is using and how it is being used. Importantly, the GDPR applies to businesses based outside the EU if they collect or process personal data of EU residents. U.S. and UK companies are already working to meet the GDPR requirements; some are ahead of their EU counterparts.  The framework is costly – and there could be ways to attenuate them. Another complicating factor is Brexit.  As the UK and EU intensify their Brexit negotiations, British companies are seeking to divine their future trade regulatory frameworks that will govern their activities with the EU. One area where UK companies, just like their American counterparts, appear to have no room for negotiation is data privacy. 

Why is data so important?  Data is the lifeblood of just about any industry – a critical input in companies’ operations and production processes that enables companies to generate new insights on their processes, competitors, and customers; streamline their business operations and supply chains; and develop new products. Consider Unilever which compiles data from 190 countries in real time to its UK data center of 4,000 servers that help the company mitigate supply chain risks, improve business performance and lower the price of products. The mining giant Rio Tinto taps data from its trucks, drills, process surveillance cameras, control systems, and maintenance system logs from its mines around the planet. Analyzing these data in Brisbane, Australia, the company is able to cut costs and readily improve the safety and environmental performance of its mines. Mexico’s cement company Cemex gained its global leadership position by using data on cement delivery times and best routes to navigate through busy urban areas.
The savings companies can glean from better data and analytics help them invest in new activities and pass cost savings to consumers. McKinsey predicts that companies that make most of business analytics could increase operating margins by up to 60 percent.
The EU has been the vanguard of tough data privacy rules.  EU citizens have the right to know upon request what personal data a company is using and how it is being used. GDPR applies to EU-based “data controllers”, or organizations that collect data from EU residents, and “processors”, or organizations such as cloud service providers that process data on behalf of data controller.
There are many limitations on how businesses can deal with data. For example, companies:
  • Can store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed”;
  • Must erase personal data upon request;
  • Must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected;  
  • Need to conduct data protection impact assessments to identify risks to EU citizens;
  • Have a data protection officer (DPO) if processing large amounts of data.  
For an online shopper in the EU, the GDPR extensive coverage and global reach may sound reassuring.   UK or American companies that touch the data of EU individuals have no choice but to comply with the GDPR. 
All companies with 250 employees or more need to adhere; companies with fewer than 250 employees whose data processing is not occasional, or includes certain types of sensitive personal data, also need to comply. Larger firms can swallow the GDPR’s high costs; smaller firms face very high costs and these higher costs are passed along to European consumers, companies, and economies alike. Some of the costs imposed by the GDPR include the following:
  • Very high implementation costs. According to a Pricewaterhouse Coopers survey, two-thirds of American businesses are spending between $1 and $10 million just to implement the GDPR by the time it enters into effect; a tenth is spending over $10 million. UK companies have yet to face these costs: only 29 percent have started preparing from GDPR. Some 25 percent of UK businesses have cancelled all preparations for the GDPR on the mistaken belief that it will not apply after Brexit.
  • Impending penalties. Companies are swallowing the implementation costs in part because the penalties for companies that fail to enforce GDPR run as high as €20 million or 4 percent of a company’s global revenues. However, losses are impending: GDPR fines are expected to cost European banks $5.2 billion in the first three years in hard cash. The 100 companies listed on the London Stock Exchange could face fines of up to £5 billion for GDPR breaches. Had the regime been in place for the past five years, the top listed UK companies could have been fined £25 billion.
  • Business losses from decreased access to data. Given its limits to access to data that curb efficiencies, GDPR is estimated to result in an immediate loss of $66 billion in sales for EU companies. The more profound implications, such as the curtailment of credit information on consumers and ability for web analytics firms to function is expected to results in losses of $173 billion and 2.8 million European jobs.  
  • Negative impacts on GDPs, trade, investment, and welfare. Brussels think-tank ECIPE’s simulations discovered that EU’s data privacy and localization laws, depending on their final outcome, will lower EU GDP by 0.4-1.1 percent, exports by 0.4 percent, domestic investments by 3.9-5.1 percent, and welfare by $334-$806 per worker.
American companies have, for a long time, struggled with EU’s digital regulations. In a 2014 U.S. International Trade Commission study, small and large U.S. businesses ranked the EU is among the top-3 hardest markets to do business with online – including in terms of market access, data protections, and data localization.
As the GDPR kicks in, the bigger question is what happens next at the global level. After all, GDPR is inconsistent with the General Agreement of Trade in Services (GATS) and it is philosophically at odds both with U.S. regulations and the U.S.-promoted APEC Cross Border Privacy Rules (CBPR) system, which focuses on self-enforcement.
Countless emerging markets and developing countries are being encouraged to fashion their data privacy and transfer regimes along the lines of  the GDPR. This is a flashing red light that could be a major digital trade disruption with the U.S. and one that is completely unnecessary.  The CBPR provides a model for a neat, replicable “regulation in a box” and serves as an equivalent to EU processes.
If GDPR seriously dents U.S. and UK companies’ access to data and revenues in Europe, these will seek new opportunities with each other, and look to emerging markets with flexible data transfer rules for easier markets. Will markets or governments decide?