The GDPR: An Example Of the Extraterritorial Effects Of Regulations

By Kemal Su

The European Union’s (EU) new regulation on data protection, The General Data Protection Regulation (GDPR), went into effect on May 25, 2018, slightly more than two (2) years after it was accepted by the European Parliament on April 14, 2016. The EU has had regulations pertaining to data protection since 1995. However, the GDPR unifies and simplifies all previous regulations in this regard.

Although the GDPR is only effective and designed to protect individuals’ data within the EU, the effects of the GDPR can be felt more globally. For example, all companies which process the personal data of EU citizens, i.e. by collecting, receiving, transmitting, using or storing data, must abide by the provisions of the GDPR even if they are not located in an EU member state. Moreover, the GDPR also applies to companies who offer goods or services to EU individuals or monitor these individuals’ behavior.

As the EU generates more than 20% of global GDP,[1] it’s a market that a multinational company would be hard-pressed to ignore.  For this reason, multinational companies which deal with the EU and are subject to the GDPR should ensure that they are aligned with the regulation’s strict data protection regime. For instance, most of these companies will be required to set up a data protection team and a system which enables their clients and consumers to understand and act upon their rights. This includes, but is not limited to the right to access to personal data; rectify, obtain, object, or erase data; or withdraw consent or restrict processing. Nevertheless, establishing a system which enables individuals to instantly access, obtain, and erase their personal data is extremely costly and time-consuming.

Once such a system is established, the next question becomes whether a multinational company should attempt to harmonize its data protection policies consistent with the GDPR or apply different policies depending on where its clients/consumers live? In practice, however, attempting to maintain different policies may be impossible. After all, EU citizens maintain their GDPR rights regardless of where they live.

This is probably the most important reason underlying Apple’s plan to expand their GDPR-compatible data protection services worldwide.[2]  Given that Apple has a reputation for protecting the data of its users, Apple’s plan is not surprising. Moreover, Apple will likely benefit from expanding GDPR-compatible services by taking a single, global approach. For example, an EU citizen who lives in the US and uses a US Apple ID should still be treated in line with the GDPR as long as that individual keeps EU citizenship. By harmonizing it’s data protection services with the GDPR, Apple will successfully avoid all manner of possible conflicts. In addition, the company’s global reputation on personal data protection will only be bolstered.

For all of these reasons, multinational companies will likely expand GDPR-compatible privacy policies worldwide sooner rather later. To the extent this prophesy proves true, the GDPR is a perfect example of how territorially-limited regulations can have significant global impact.

Dr. Kemal Su is an industrial organization economist with expertise in antitrust, regulations, and compliance issues. He is a graduate of Middle East Technical University (Business Administration B.S. 1997), the University of Illinois at Urbana-Champaign (M.S. in Policy Economics 2002), and Hacettepe University (Ph.D. in Economics, 2008). 

Dr. Su began his career at the Turkish Competition Authority in 1997, where he served for eight (8) years.  He consulted international companies in antitrust/competition law and economics, regulations, and compliance for more than ten (10) years until late 2016.  During that time, he led many projects and compliance programs, submitted tens of written testimonies, represented tens of clients in antitrust investigations, filed hundreds of M&As and exemption/negative clearance cases, and taught hundreds of seminars.  He taught competition law and practices at the Middle East Technical University to undergraduate and graduate students from 2009 – 2016. 

Dr. Su is currently a visiting scholar at Duke University School of Law.

[1] As of the end of 2017, GDP EU is $17.3 Trillion and Global GDP is $80.7 Trillion. See https://data.worldbank.org/indicator/NY.GDP.MKTP.CD?locations=EU-1W.

[2] Apple announced that the company is undertaking privacy assessments as part of its GDPR work. (See https://www.apple.com/legal/privacy/en-ww/governance/). Apple introduced a new privacy portal to comply with GDPR in late May, just before the GDPR went into effect and said it plans to expand the same options across the rest of the world within this year. (See https://techcrunch.com/2018/05/23/apple-introduces-new-privacy-portal-to-comply-with-gdpr/).