By Joseph Squillaro
Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and internet law.
In the past few years, when visiting various websites, how many times have you encountered a prominent prompt asking you to accept “cookie” permissions or to select which types of data the website may retain? I personally have seen more than I can count. Yet prior to 2018 you likely would not have seen any such prompt, because it simply was not required, at least not in the European Union. That all changed on May 25th 2018, when the European Parliament implemented a sweeping set of cyber reforms collectively known as the European Union General Data Protection Regulation (GDPR). The GDPR revolutionized the ways in which tech companies can collect and store your data. From that day forward, companies were required to ask your permission to save information to their servers in the form of the aforementioned cookies. This included details such as your navigation history, used to personalize results, or your IP address, used to provide location-specific content, among many other examples. This policy, on balance, is a great boon for the liberty of all users of technology: to have control over who stores your data and what kind of information they collect. But a large number of technology users, myself included, do not reside in the European Union and are not citizens of any EU country, yet the prompt and the intention of the GDPR still apply to us. Why is this?
A Global Network

To answer this question, it is important to keep in mind how the internet works. The internet, simply put, is a collection of files connected together that exist on servers around the world, often including redundant servers located in another part of the world. This means your data is decentralized, and it is difficult to pin down exactly “where” your information is located and hence which jurisdiction it falls under. What can be held accountable, however, are the tech companies themselves, by holding them to a set of standards if they wish to continue operating within a jurisdiction. This is precisely how the GDPR makes its way to you, an American for example, even though you are very far removed from any European country. For a company to operate in a market as large and important as the EU (take US-based Twitter, for example), it implements the stringent standards of the GDPR across the board, because it is inefficient to tailor data collection strategies to different markets. More significantly, the company cannot discern your location in the first place without your consent. As a result of the GDPR, every user of that company’s service receives the prompt and gets to opt in or out. In essence, the EU legislated tech policy for the whole world, without other nations’ input, due to the global and indeterminate nature of digital data and the internet. Obviously there have been exceptions to this, where some companies have gone out of their way to exclude millions of users just to avoid GDPR compliance. However, that issue requires a different perspective than this article takes and will perhaps be discussed at length in a future post. Regardless, it is this type of policy-making phenomenon, in the scope of cyber policy, that I like to refer to as the “global legislature.”
A Global Legislature, Yes. But A Global Enforcer?

Elementary-level civics has taught us that in most democracies the legislature creates policy, but it is up to another branch (the Executive branch in the U.S.) to enforce it. This means that if the enforcer chooses not to implement a policy, it is as if the policy carries no weight. A similar dilemma exists in the scenario created by the GDPR and other cyber laws like it. While a company doing business in the EU may face punishment if it violates the GDPR, thanks to the EU’s enforcement mechanism, that company likely will not face punishment in other jurisdictions like the U.S., because the GDPR is not policy there. This means the sense of protection given to non-EU users is a false one: it would not hold up in a U.S. court of law if Twitter, to use our earlier example, were found in violation of a GDPR-centric data collection limitation. So what does this mean for non-EU users like myself who use such services? It means we are not protected within the modern ideal of digital privacy unless our home country has passed similar GDPR-like laws that can be enforced and thus used to hold companies that violate such trust accountable. The intention of the GDPR applies, but not its actual legal protective execution. In short, the enforcers must be on the same page as the legislature, even if that legislature is a global one.
A (Data) Path Forward

All hope is not lost for having confidence in the protection of our data, however. In the U.S. at least, laws are being formed to provide similarly stringent data protections. Enacted by California shortly after the GDPR, the California Consumer Privacy Act (CCPA) sets forth a set of data rules that fit more closely within a U.S.-based legal system while still providing much of the aforementioned protection. While this again is not at the federal level, and hence will not protect (through enforcement) all Americans, such as those of us here in Philadelphia, it is a step in the right direction and perhaps a blueprint for federal policy to be mandated by Congress in the future. Such a policy would then be taken up by the various federal enforcement agencies, in the same way the EU enforces the GDPR for its own citizens.
The new era of data privacy legislation occurring around the world is exciting not only for cyber policy analysts like myself, but also for everyday users of services like Twitter, who can soon feel more at ease and more in control of their digital footprint. As technology and digital services become ever more prevalent in our lives, it is time for us users to press our local legislatures to strengthen our digital rights, rather than relying solely on the intentions of the “global legislature.” So the next time you come across a GDPR compliance prompt on a website asking for permission to use your data, thank the global legislature for laying the groundwork and setting the precedent for protecting your information. Recognize, however, that more must be done closer to home if we are to be central to the decisions made about our digital footprint within the very decentralized nature of our digital future.
 Kamleitner, Bernadette. “Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements.” American Marketing Association, 2019, https://journals.sagepub.com/doi/10.1177/0743915619858924. Accessed 5 12 2020.
 Niemela, Leo. “What Percentage of Your Software Vulnerabilities Have GDPR Implications?” HackerOne, 16 1 2018, https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf. Accessed 5 12 2020.
 Schmitt, Judy, and Florian Stahl. “How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide.” IAPP Privacy, https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf. Accessed 5 12 2020.
 Fox, Chris. “Google hit with £44m GDPR fine over ads.” BBC, BBC, 21 1 2019, https://www.bbc.com/news/technology-46944696. Accessed 5 12 2020.
 Eickmeier, Frank. “What does the ePrivacy Regulation mean for the online industry?” ePrivacy, ePrivacy, 14 2 2018, https://www.eprivacy.eu/en/news/news-detail/article/what-does-the-eprivacy-regulation-mean-for-the-online-industry/. Accessed 5 12 2020.
 Lapowsky, Issie. “California Unanimously Passes Historic Privacy Bill.” WIRED, Wired, 28 6 2018, https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill/. Accessed 5 12 2020.
The opinions and views expressed in this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.