Dhara Shah
Associate Editor
Loyola University Chicago School of Law, JD 2020
In a world where our reliance on technology and the cloud is increasing exponentially, data security’s growth has stagnated. The European Union (EU) passed the General Data Protection Regulation (GDPR) in hopes of ensuring that consumer data is protected and not harbored by businesses. The effects of the GDPR, however, have passed beyond the borders of the European Union. In a world where our actions extend internationally with just the click of a button, the GDPR’s impact circles the globe as well. The GDPR has pushed for a shift in data privacy and regulation for companies within and outside of the EU, as it aims to protect European citizens no matter where they are in the world. This international reach has not only driven U.S. companies to comply, but has also led states within the U.S. to create GDPR-inspired laws to protect their own citizens. The GDPR has started a trend that will soon become the norm and finally push compliance to keep up with the exponential growth of technology.
What is the GDPR?
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, after six years of effort by the European Union (EU) to make Europe “fit for the digital age.” The GDPR was drafted in hopes of giving EU citizens control over their data in a world where the data for everything they do is constantly being harvested by hundreds of companies. The GDPR ensures the protection of citizens’ data, both for the benefit of the citizens and to give businesses an even playing field.
How does GDPR affect the U.S.?
The online world changed drastically in May of 2018, but many U.S. citizens would not be able to state why. You probably did not consciously realize it either, but if I ask you to recall all of those emails you got from your favorite online retailers that suddenly informed you of their privacy policies and how much they cared about keeping your data safe – you will realize there was an uptick in emails right around May of 2018. That’s it. That’s the GDPR.
The implications of the GDPR reach far beyond the borders of the EU. People today shop, chat, and work online – with the pings from each individual’s computer and smartphone traveling overseas and crossing borders. The same way technology allows users to “travel” worldwide, the GDPR encompasses the citizens of the globe. The GDPR regulates any entity that has direct contact with any European’s information. Purchasing an Apple product is an international affair, and thus must be regulated with the policies set in place to protect the EU. For this reason, companies situated in the U.S. have had to adjust their policies to ensure compliance with the GDPR – or face high penalties that include a fine of up to 20 million euros or 4% of the business’s total annual turnover. That’s $1.6 billion for Facebook and up to $4.8 billion for Google. As U.S. companies adjust their policies to comply with the GDPR, U.S. citizens will feel the impact beyond just privacy policy updates and emails.
GDPR versus Blockchain: One Goal, Two Methods
Blockchain, the tech world’s latest obsession, could see its innovation and growth suffer due to the GDPR. Blockchain, put simply, allows for the storing of transaction records in blocks and chains, which allows for digital transfers of ownership. Blockchain is subject to the GDPR since (1) data that is encrypted or hashed still qualifies as personal data under Working Party Article 29 and (2) it has an international reach, triggering the GDPR. When boiled down, blockchain’s purpose is to help further secure its users’ data, which sounds a lot like the purpose of the GDPR. At the same time, the GDPR runs the risk of making blockchain users proceed with caution, and it risks halting and trampling progress in the world of blockchain out of fear of violating the GDPR. Blockchain’s lack of a centralized body to hold users accountable if there were a violation exacerbates those problems.
What does the GDPR mean for the future?
While no U.S. federal law exists that compares to the GDPR, many states are following suit and implementing laws that are GDPR-inspired. California led the way by enacting the California Consumer Privacy Act in hopes of serving as a wake-up call to other states. This Act ensures the protection of California citizens’ data in a manner similar to the GDPR. While consumers may not feel its impact immediately, as reliance on the online world grows, so will the importance of ensuring data is kept safe. That importance covers the more obvious reasons, such as wanting to keep credit card information away from prying eyes, and extends to larger big data issues of not allowing personal data to be constantly collected and used behind the scenes for the benefit of the company.
Overall, the implications of the GDPR have been felt heavily by companies both within and outside of the European Union. The effects of the GDPR go beyond the scope of protecting consumer data, so it is important that data privacy laws do not stifle progress within the field. The GDPR is the right step towards ensuring that consumers feel safe while extending their worlds online – especially at a time when we rely heavily on technology. With California quickly following the EU’s actions, it is guaranteed that this is just the beginning of the new norm.