Illustration: Liu Rui/Global Times
The EU General Data Protection Regulation (GDPR), considered the most wide-ranging and stringent data privacy law to date, took effect on May 25. Taking privacy protection as a starting point, the GDPR has strict regulations on collection, storage, use, transmission, transfer, disclosure and destruction of online personal data.
In the digital era, both internet and traditional enterprises are inevitably subject to its jurisdiction. Therefore, although the GDPR seems to be mainly aimed at personal privacy protection, it also has a big impact on cyber security and the digital economy. It reflects the strategic intention of the EU in cyberspace.
The GDPR can be regarded as a significant measure of the EU to cope with large-scale network monitoring and other problems. On the day it was implemented, the European Commission tweeted, "Europe is asserting its digital sovereignty and gets ready for the digital age."
The EU has been highly dependent on the US for cyber security and digital economy and lacked the power and influence commensurate with its global status in cyberspace. The implementation of the GDPR will not only have a significant impact on the EU, but also on global cyberspace. In this sense, the EU has established its discourse power and strengthened its influence in cyberspace through the GDPR.
But in the long run, the GDPR will pose risks to the EU's cyberspace strategy. It has significantly increased the cost of data collection and use. Large internet companies may be able to transfer the cost to users, but small- and medium-size enterprises (SMEs) will face large cost pressures. This will particularly affect startups and strangle innovation. Many SMEs based outside of the EU stopped their business activities in the EU market because of high costs.
There are few influential EU internet enterprises in the world. GDPR's suppression of innovation will further reduce the possibility of the emergence of EU internet giants, at the same time impeding the future business activities of multinational internet companies in Europe. The overly forward-looking policy perhaps will make the EU an isolated island for global data circulation.
Although the EU adopted a two-year grace period before the GDPR became enforceable, companies are still confused about the requirements. Provisions of the GDPR are very stringent, forcing fundamental changes to the way the digital industry operates. Complaints were filed against Facebook and Google for falling foul of its regulations within hours of the new data protection law taking effect and they could face up to billions of dollars in fines. It's believed many enterprises are waiting to see whether they should make the EU the focus of their future business.
Moreover, according to the new legislation, only enterprises in countries recognized by the EU can transfer data unimpeded, others will have to pass tedious procedures full of legal risks. As a result, non-EU-recognized nations will adopt measures to restrict data flowing to the EU. Such division of the internet will affect users. The EU will be accused of increasing trade barriers in the name of privacy protection.
Cyberspace is facing paradoxes of freedom versus order and security versus development and any policymaking must be carefully weighed. It will take time to know if the GDPR will transform the EU into a formidable player or an isolated island of data.