GDPR Freeloaders: Why Other Countries Should Fight Back

August 16, 2018

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)

Since Europe’s new data protection law, the General Data Protection Regulation (GDPR), took effect in May, businesses have been struggling to cope with the costs of compliance. The new rules are confusing and impractical, and they have forced organizations to dedicate an enormous amount of time and money to comply. These rules come at the expense of both Europeans and non-Europeans, but policymakers around the world should ensure that Europe alone bears the costs.

GDPR imposes strict rules on how businesses use, store and share information about European customers. For example, these rules require companies to obtain affirmative consent before collecting data from users that browse news websites, watch videos, or shop online. Companies that do not comply with the GDPR face penalties of up to €20 million or 4 percent of global annual revenues—whichever is higher. Wary of these fines, businesses have started placing indefinite holds on their services for Europe or closing shop altogether.

Take the digital media industry: When GDPR took effect, major newspapers throughout North America blocked EU citizens from visiting their websites, including the NY Daily News, the Chicago Tribune, and the Los Angeles Times. Other online entertainment sites also blocked Europeans. For example, when Europeans visited the websites for TV networks like A&E, Lifetime, and History, they were confronted with messages that explained, “This content is not available in your area. Other companies, like the American public radio organization NPR, are serving visitors that did not agree to web cookies with a plain-text website—something users have not been accustomed to since the 1990s.

Even though companies had two years to prepare for these rules, many would still rather block EU users altogether than comply with the new rules. This is because the new regulations drastically reduce the effectiveness of an important source of income for digital media companies—online advertising—by restricting how information is packaged and shared. Online advertising is most effective when advertisers can serve relevant ads—a benefit both to consumers who get more utility from these ads and advertisers who are willing to pay more to reach their target audience. Targeted ads based on information about a user—such as the user’s browsing history or other user-specific data—help deliver higher-value ads. And in most cases, the privacy concerns of targeted advertising are minimal because advertisers do not see personal information about those who see their ads, only aggregate data. However, when regulations limit the effectiveness of advertising, revenues go down. This is one reason Europe has fewer Internet companies than the United States. One company even closed its advertising business in the European Union due to the new rules.

Several digital media companies like the New York Times and USA Today complied with GDPR and were accessible in Europe immediately after it went into effect. These companies are not immune to the decreased ad revenue and the increased compliance costs. They must raise the money elsewhere—such as by offloading costs on U.S. and other non-E.U. users. Indeed, the rules effectively turn EU users that do not choose to share their data into free riders for digital services. European citizens can access online services without providing the information necessary for companies to monetize those services. As fewer Europeans provide data for the services they use, the result will be more ads for citizens in more innovation-friendly countries.

One company, however, found a way to make Europeans pay their fair share. When GDPR went into effect, the Washington Post started offering a “premium E.U. subscription,” which offered no ads and no third-party tracking for $30 more than the cost of a basic annual online subscription. More international companies should embrace this strategy to ensure the costs of complying with the GDPR are not placed on non-Europeans.

Policymakers in other countries should not let Europe’s practices go unchallenged, too. Countries should work to create disincentives for other nations to pass laws that allow their citizens to become digital economy free-loaders. For example, trade negotiators should push back against these practices just as they push back against data localization requirements. Similarly, by holding public hearings about these costs, legislatures can shine a light on these foreign-imposed costs and encourage companies to align compliance expenditures and revenue with the citizens of the countries imposing those costs. By working together, like-minded countries can send clear signals that these practices are unacceptable.

EU policymakers created the GDPR to protect an individual’s right to privacy—a right that they see worth protecting at any cost. However, its creators did nothing to prevent these costs from being levied on non-Europeans. Policymakers around the world should step in to ensure that if Europe wants privacy, it must pay its own bill.