top of page

‘We’re all updating our privacy policies’: the EU regulation behind the emails you keep receiving

Image credit: Wikimedia Commons

Anyone who has opened their inbox lately would no doubt find themselves inundated with emails from various companies updating their privacy policies. The impetus behind this sudden flurry of activity is the General Data Protection Regulation (GDPR) that came into force in the EU on 25 May 2018. The GDPR aims to give European Union (EU) citizens greater control over their personal data.

But the implications of the regulation extend far beyond the EU’s borders. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. Hence the current stream of emails from companies collecting and storing personal data.

So why is the issue of personal data so important? The aim of the GDPR is mostly to protect privacy and give EU citizens control over their personal data. However, personal data is an increasingly important component of international trade flows and the ownership of personal data will have considerable effects on competition policy.

For businesses, data is increasingly seen as a valuable asset. When Caesars Casino of Las Vegas went into administration in 2015, its holdings of data on its customers was deemed by creditors its most valuable asset at over US$1 billion.

More recently Uber was estimated to be worth US$50 billion despite owning none of the vehicles used for their services. As The Economist asserts, ‘data is to this century what oil was to the last one: a driver of growth and change’. It is estimated that global trade in data will be worth US$20 trillion by 2025.

Data is now gathered from numerous sources, from structured government or customer databases to unstructured, real-time emojis or videos. A person’s GPS coordinates from their phone can be combined with data such as their sleeping habits from their Fitbit and social connections on Facebook to do anything from generating targeted advertising to predicting their risk of mental health issues.

A concern for the EU and addressed through the GDPR was that many widely used services cannot be accessed without consenting to the product’s terms and conditions. These are excessively long and legalistic, meaning that in most cases individuals either do not read or cannot understand, the conditions they have agreed to. Individuals, therefore, lack power when it comes to giving up rights over the data they generate.

Yet that data is potentially very valuable. Individuals rarely know the value of their own data, so they provide it for free in exchange for a free service. The GDPR provides the right for a consumer to transmit their personal data to another body. By giving consumers the right to transfer their personal data to third parties, markets could form where consumers could sell their data, for instance through the ability of companies to show them targeted advertisements.

Companies who own or control data have power over their rivals who cannot access this data for themselves. There is a risk then that a world fuelled by data will create new behemoths that monopolise the market for data just as Standard Oil did in the early 20th century in the oil market.

Alphabet, Amazon, Apple, Facebook and Microsoft are already the five most valuable listed firms in the world. These companies could end up stifling competition because personal and enterprise data are not traded essentially creates entrenched monopolies by market-leaders. Indeed, Big Data collectors such as Alphabet and Facebook become more useful to the consumer by collecting more data. The more data that is collected on an individual’s search history the more accurate the search engine becomes.

Similarly, the more people that use a particular social media platform, the more appealing it is for consumers by offering greater connectivity. This results in market dominance for some firms and can squeeze out innovative start-ups that cannot achieve the same scale. This may create incentives for companies to engage in anticompetitive practices, such as pre-emptive mergers or collusion, such as Facebook’s acquisition of WhatsApp and Instagram.

The best antidote for the increasing market power of data firms is allowing data portability, which the GDPR goes partly towards doing. By requiring firms to allow consumers access to the data they have gathered on them is the first step towards creating a market in personal data in which consumers could share or sell their data to third parties would increase competition and innovation amongst data companies. Companies that persistently ignore these rules face fines of up to €20m or 4 per cent of global annual sales, whichever is greater.

The GDPR, therefore, will result in not just a flurry of emails. Its implications for how companies use and trade data will have a huge impact on the world economy, especially if others decide to emulate the EU and introduce their own data legislation.

Jeremy Rees is the International Trade and Economy Fellow ​ for Young Australians in International Affairs.

bottom of page