1. The Evolution of Data Protection in Europe
The origins of the European data protection regime can be found in different national and international legal instruments that were enacted in the old continent during the twentieth century, being the most emblematic, the 1980 OECD guidelines, a non-binding instrument that reflected the increasing concerns in relation to digital information, privacy and transborder of data. The Convention 108/1981 is another important instrument in the history of data protection as it was the first European treaty protecting personal information and regulating transborder flow of personal data.
The Directive 95/46/EC was passed to safeguard individuals in relation to the automatic processing of personal information and to make possible the free movement of that information. It also required Union Member States to implement data protection laws with minimum standards to guarantee the privacy of individuals as stated in article 8 of the European Convention of Human Rights and Fundamental Freedoms. The Directive 95/46/EC was later replaced by Regulation (EU) 2016/679, currently in place as an international instrument for the harmonisation of data protection legislation.
The General Data Protection Regulation is a body of principles and rules that on the one hand promotes the protection of individuals’ rights and freedoms in relation to the processing of their personal data, in particular, the protection of personal data as a fundamental right, which is spelled out by article 81of the Charter. One the other hand it encourages the free flow of personal data that takes place in transactions between members of the European single market. In other words, GDPR provides for the protection of personal data in a way that is respectful of individuals’ interests and friendly towards the market economy of information processing.
2. Territorial and Extraterritorial Scope of the General Data Protection Regulation
After considering the evolution of data protection, it is evident that the GDPR has become the most important data protection framework in history. To understand the influence of this regulation that extends beyond Europe, it is necessary to review its territorial scope, which, according to article 3 of the European regulation, involves three situations:
- The processing of personal information in the context of the activities of an establishment of a controller and/or processor in the Union
- The data subject is located in the EU and the processing refers to offering goods or services, even if there is no payment from the data subject, or to monitoring data subject’s behaviour that happens in the EU
- The ‘controller is not established in the Union, but the law of member applies on foot of public international law.
Closer examination of Article 3, in particular numerals 1 and 2, puts in evidence that the territorial scope of the GDPR extends beyond Europe, as the said disposition contemplates that the processing of personal data could take place outside the Union, provided that the controller or processor has an establishment in Europe, and admits that the controller or processor, offering goods or services or monitoring the data subject’s behaviour, could be located in a non-European country, which manifests the realities of a global digital market. The extraterritorial effect of the GDPR appears to be motivated by the need to provide meaningful and effective protection to data subjects’ fundamental rights and freedoms during the processing of their personal information.
After identifying the motivation behind the extraterritorial effect of the European data protection framework, it is relevant to discuss the power dynamics that support that wide territorial scope, which can be explained by the Brussels Effect, a term coined in 2012 by Columbia Law Professor Anu Bradford.
3. The Brussels Effect as a European Phenomenon
The Brussels Effect is a regulatory power that allows the European Union to unilaterally influence the global marketplace. This far-reaching power effects both developed and developing countries that end up adopting similar rules to those enacted in Europe to have access to the European market. According to Professor Bradford, there are two complementary variants of the Brussels Effect: the de facto Brussels Effect that occurs when corporations adjust their international behaviour to comply with European regulations and the de jure Brussels Effect that materialises when foreign governments adopt European style rules, after corporations have adjusted to those regulations and put pressure on their local governments to enact those rules.
4. The Brussels Effect and The General Data Protection Regulation
The influence of the Brussels Effect can be observed in different areas of law such as environmental regulations, competition law, data protection rules and many other areas where a global impact is feasible. The GDPR offers a good example of a regulation with global influence, since it is considered to be a ‘gold standard’ for privacy and data protection to be observed by members of the Union as part of their obligations and to be aspired by third countries that wish to conduct businesses in the European digital market.
There are three characteristics of the Brussels Effect that can be seen in the GDPR: unilateral power, strict standard in relation to the protection of personal data and extraterritorial effect that relies in the influence of the European market. The combination of those characteristics suggests that the GDPR is a form of modern imperialism or ‘data imperialism,’ portrait by its critics as the result of a regulatory power that affects foreign jurisdictions as it imposes a standard of data protection without taking ‘into account the different cultural, political, and economic realities existing in countries outside the EU.’ Those same critics also allude to the high costs of complying with data protection rules, in particular for developing countries that are at disadvantage in relation to their competitors from developed countries that are likely to have the financial, legal and technical resources to adjust their international behaviour to the GDPR.
5. The General Data Protection Regulation as an Expression of Modern Imperialism
It is true that the global impact of the European data protection framework, explained by the Brussels Effect, shows a regulatory power with imperialist tendencies that does not seek the cooperation of third countries to define the standard of data protection that will be expected from them if they are to engage in transactions involving the processing of personal data of data subjects within the Union, confirming the argument that the European data protection law is an expression of modern imperialism and, up to some extent, justifying the claims made by GDPR critics.
However, viewing GDPR as a manifestation of modern imperialism, exercised by the European Union, is an assertion that needs to be carefully considered as it might suggest that there is some coercive power involved, which is not the case. The GDPR manages to inspire or influence the development of data protection rules in foreign countries because of the importance and size of the European digital market. In fact, the Union ‘does not have to do anything except regulate its own market to exercise global regulatory power.’ The appeal of trading with Europe, and not the use of force, is what motivates foreign governments to develop regulations like the GDPR to facilitate the flow of personal data and to provide appropriate protection to individuals within Union.
Recognising that the global influence of the GDPR is a form of modern imperialism, understood as regulatory power that exports the European data protection standard to foreign jurisdictions, does not necessarily imply that there is a negative connotation attached to it. In fact, it would be unfair to ignore the benefits linked to that unilateral power.
6. Benefits of the Brussels Effect
Since the GDPR has become the gold standard in privacy and data protection, it has created a ‘race to the top’ for those who want to offer goods or services to natural persons in Europe or that want to provide data services to establishments in the Union, as Professor Bradford says, the observation of EU rules is the price of trading with Europe. That race to the top is supported by the extraterritorial scope of GDPR that reduces the chances, for controllers and processors, of escaping liability by moving the data to a jurisdiction with a lower level of protection, which would take the race in the opposite direction.
Another benefit that comes with that regulatory power is the effective protection of individuals’ fundamental rights and freedoms in relation to the processing of their personal data, regardless the jurisdiction where it takes place, ensuring that those individuals located within Europe have enforceable rights against controllers and processors who use their personal data in contrary to the GDPR, even when they are established in foreign countries. The effective protection of data subjects empowers individuals and, unintentionally, creates expectations of better data protection in relation to the information of natural persons, putting pressure on local governments to develop data protection rules, that considering the accomplishments of the GDPR, are likely to draw inspiration from the European standard.
As a final benefit, the imperialistic effect of the GDPR facilitates the transfer of personal information by requiring third countries, exporting personal data from Europe, to follow the standard of data protection set up by the Union within its data protection rules, which acknowledges the international nature of the digital market. The possibility of successfully transferring data from the EU to a foreign country is a persuasive argument to develop data protection regulations akin to the GDPR or to create appropriate safeguards in accordance with the European standard, allowing data subjects to exercise their rights and making possible to legally process personal information outside the Union.
7. In a Nutshell
The key to understand the global impact of the General Data Protection Regulation can be found in the Brussels Effect, that is defined as a regulatory power that allows the Union to influence the global market. That unilateral power materialises in legal standards exported to third countries that want to develop commercial relationships with the European Union. In relation to the GDPR, the Brussels effect is characterised by a unilateral power that determines the standard of data protection, a strict data standard to access the European digital market and an extraterritorial application in accordance with article 3.
The combination of those features plus the global influence of the European market developed into a form of modern imperialism in relation to data protection. That imperialistic approach is often used to criticise the European standard for being indifferent to the cultural, political, legal and technological realities of those foreign countries and for imposing high costs of compliance. However, the observance of the European data protection standard is a necessary step to engage in long lasting commercial relationships within the EU digital market and as the GDPR does not require those third countries to copy the data regulation word by word, there is still space for introducing local values into their data protection rules.
It is important to understand that what the GDPR intends to achieve is a balance between facilitating the transfer of personal information outside the European Union, something that benefits Member States and foreign countries, and offering effective protection to data subjects located in Europe, even when processing is carry out elsewhere, incidentally creating high expectations around the globe in relation to data protection safeguards, which is positive for individuals in foreign jurisdictions.
Natalia Uribe is a Master’s candidate in European Law, Data, and Artificial Intelligence. With a legal background, she has contributed to GDPR implementation projects in clinical audit and played a key role in planning the Patient Safety Act 2023 in Irish healthcare. Natalia’s expertise spans dispute resolution, debt recovery, and legal support for top-tier firms. She holds a Bachelor’s Degree in Law from Institución Universitaria de Envigado, Colombia.