EU’s GDPR in a Data Driven World

Arup Maity
26th February 2022

Picture Courtesy: Reuters

In the 21st century, privacy has become a necessity, every moment; every person is being followed by other humans and machinery, not only in the social structures but also in geopolitical and foreign policy. The data or information is a new weapon for nations, and the data breach in foreign policy is transforming state’s activities in war and peace. Christopher Hart  contends that, “Data privacy often refers to a specific kind of privacy linked to personal information that is provided to private actors in a variety of different contexts.” To resolve these privacy concerns, the European Union (EU) enacted the General Data Protection Regulation (GDPR) law on 24 May 2016 and has been in force since 25 May 2018. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed. Northern Europe is a clear global leader, with an online penetration rate of 97 percent and followed closely by Western Europe at 93 percent.

The law is determined to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market for sustainable democracy, which is inextricably intertwined with European values.  In recent times, the EU’s most amicable ally, the USA’s big giant multinational companies’ activities has become a concern within the United States and beyond. On 11 December 2018, in a US congressional hearing, former US Representative Lloyd Theodore Poe raised a question to Google’s CEO Sundar Pichai, “could my phone (Google) track if I stood up and moved across the room?’ However, until now, the US has not adopted any national policy for securing its data, that’s why, in a judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States. USA’s federal policy for data protection is tremendously weak and it gives preemption to its big tech companies (excluding The California Consumer Privacy Act of 2018 and The Illinois Biometric Information Privacy Act of 2008).

Following Brexit and efforts to mirror-GDPR to avoid the conflict between the British and European law, the UK has its own Data Protection Act, a new regime known as the UK GDPR (General Data Protection Regulation). Incidents like Russian intervention in the USA’s election and severe cyber threats from China have compelled the EU to adopt an adequate level of protection. Germany and Spain have the toughest data privacy systems. Not only the citizen’s data privacy from multinational companies but also on the geo-economical grounds, this law is protecting the EU’s trade, services, and explicitly the democratic process because data is enormously powerful and will be a post-industrial oil.  Cybercrime alone was predicted to cost the global economy $6 trillion by 2021. In 2017 December, France’s international digital strategy and 2018’s Villani Report indicates that France has a great vision to lead in the EU and the rest of the world through the ‘AI for Humanity’ of the GDPR.

As there are currently no pan-Middle Eastern or pan-Gulf Cooperation Council (GCC) laws governing data protection and privacy, Israel is the only Middle Eastern country with data protection laws deemed adequate by the EU. Africa has no Privacy Shield and unanimously the EU has not considered it to be at par with their standards. China has adopted the Personal Information Protection Law (PIPL) in 2021; EU’s GDPR has many techniques that have been borrowed by China in legislating the PIPL. Nevertheless, there are still many differences between the GDPR and the PIPL because of the different visions for individual’s rights and national security. On 23 January 2019, the European Commission adopted its decision finding that the level of data protection in the EU and Japan are equivalent. In parallel, Japan adopted its equivalent decision. These decisions create the world’s largest data area of safe data flows and will boost commercial opportunities for European and Japanese companies by facilitating the transfer of their data. When Russia and the EU both were making their laws, there was tension for double burdens. Therefore, it has limited impact on Russian policy, only in Russian multinational business groups. The Russian proposal entitled “Countering the use of information and communications technologies for criminal purposes” passed in the United Nations General Assembly (UNGA), framed the treaty as an alternative to the Budapest Convention. This law aims to provide standard protection of individuals’ data globally under the Budapest Convention’s vision. One of EU’s important partners, India has taken steps to enact a data protection framework modelled along the lines of the GDPR. India votes in favour of a Russia-led resolution in the United Nations General Assembly (UNGA) because the memorandum of India is on the side of data localisation.

The 21st-century’s international political economy will be incredibly influenced by the GDPR.  The EU wants to play a major role in the digital zeitgeist. For the developing countries, especially for India, from the GDPR, there are lots to learn, basically in localising the data in its territory and cross-border transition. In addition, India has a huge population and USA’s big giant companies have a long influence on it. So, India, an emerging global economic power, has to protect its citizens’ democratic and civil rights at the societal level, the government system running at the political level and business and trade from all kinds of threats of data privacy breaching.


*The Author is a Research Intern at the Kalinga Institute of Indo-Pacific Studies.

Disclaimer: The Views in the Article are of the Author