
American firms and GDPR: A New Era of Digital Privacy Rights

By: Milad Mohammadi

In an era of increasing globalization, what do one region’s internet regulations mean for foreign firms?

The past few years have been marked by many high-profile, disastrous data breaches in the US. There was the infamous Yahoo Mail data breach of 2014, which resulted in a recent $35 million fine imposed by the SEC; Equifax’s major 2017 data breach, which resulted in hundreds of thousands of customers’ data being leaked; and Facebook’s recent Cambridge Analytica misfortune. Breaches like these have made data protection and data privacy a pressing concern as our lives have become further digitized. What companies and governments should be able to do with data has become a major area of debate, and it remains unclear which direction citizens, corporations, and policymakers would like to take. The infamous Senate testimony of Mark Zuckerberg at the US Capitol showed just how unprepared both companies and the US federal government are when it comes to this issue.

In Europe, things are taking a completely different turn. A widely known piece of legislation for the technology sector is slowly being implemented. GDPR, the General Data Protection Regulation, was approved by the European Parliament in 2016. It is set to harmonize data protection law across the whole of the EU. Unlike an EU directive, which requires legislation to be implemented on a per-member basis, this regulation takes effect at the union level. The aim of the GDPR is to delineate exactly how user data, specifically in the consumer context, is to be treated by firms. The GDPR grants many “digital rights”, which include the right of access to the data a company has collected, consent requirements, notification of data breaches, data portability (similar to the HIPAA healthcare law in the US), a protocol for data protection, and finally the controversial “right to be forgotten”. This is not an exhaustive list, as GDPR completely reshapes data protection law in the EU.

This raises the question: how will this regulation fit with US firms that operate in the EU? By far the most significant effect GDPR will have on US companies is that the law applies to all companies doing business in the EU. This means that companies like Facebook and Google must fulfill their obligations under the GDPR in order to operate in the EU. During the Congressional hearing on the Cambridge Analytica breach, Zuckerberg remained unclear as to whether Facebook will implement GDPR policies only in its operations across the EU, or whether the protections will be extended to US citizens as well. It remains to be seen whether companies will find ways to fight the implementation, considering the increasing costs to comply and to hire data protection officers, who would be responsible for implementing much of the process in house.

There are many reasons for companies to be wary of new regulation like GDPR. For one, the costs are enormous, both for compliance and for non-compliance. At the upper level, fines can be as much as 20 million Euros or 4% of each respective firm’s annual revenue. While implementation costs will vary from firm to firm, companies are expecting to spend millions on developing the proper processes and departments to meet the compliance deadlines. In certain industries these regulatory changes have met strong criticism, particularly in the online video game sector, where certain server and software arrangements remain incompatible with implementation. A popular multiplayer online battle arena (MOBA) game, “Super Monday Night Combat”, recently cited GDPR compliance as the primary reason for shutting down its servers.

For the US market in general, many firms have responded by saying that they will either reduce their presence in Europe (32%) or leave completely (26%), according to a survey conducted by PwC in 2016. Because of this, it remains important for policymakers to be careful in how they approach this sensitive issue. In the US, similar plans to implement a national “internet” tax on sales by companies such as Amazon resulted in much controversy about the future of an internet that is open and free for commerce. By making abrupt changes to the way internet companies are taxed or regulated, policymakers risk fueling increased uncertainty in an age where cyber security fears have already jostled the market. The internet has always been a marketplace of innovation, free for commerce, with its low barrier to entry and ease of use. We can only hope it remains that way.

Works Cited

European Commission. (2018). Data Protection. Retrieved from European Commission.

Good, O. (2018, April 28). Super Monday Night Combat will close down, citing EU’s new digital privacy law. Retrieved from Polygon. Accessed May 24, 2018.

Gordon, M. (2018, April 24). Ex-Yahoo paying $35M to settle SEC charges over 2014 hack. Retrieved from ABC News.

Gressin, S. (2017, September 8). The Equifax Data Breach: What to Do. Retrieved from Federal Trade Commission.

Jeong, S. (2018, April 11). Zuckerberg says Facebook will extend European data protections worldwide — kind of. Retrieved from The Verge.

Khan, M. (2017, November 19). Companies face high cost to meet new EU data protection rules. Retrieved from Financial Times.

PwC. (2016). Pulse Survey: US companies ramping up General Data Protection Regulation (GDPR) budgets. Retrieved from PwC.

Spiske, M. (2016, October 10). [Photograph]. Retrieved from Pexels.

The Editorial Board. (2018, May 15). The GOP’s Internet Tax. Retrieved from The Wall Street Journal.
