Hosuk Lee-Makiyama is director of the European Centre for International Political Economy in Brussels and specializes in digital trade and East Asia diplomacy.
BRUSSELS — Europe has often been hailed as a global leader when it comes to trade and privacy, particularly after its passage of the General Data Protection Regulation, the European Union’s privacy law, which came into effect in May. And while it is no doubt a worthwhile endeavor to protect European citizens from illicit online surveillance, the landmark bill comes at a cost: it is a form of digital protectionism.
The GDPR gives the E.U. the authority to fine and regulate foreign online services. Like a rule straight out of President Trump’s protectionist playbook, the regulation uses steep fines and red tape to put pressure on foreign businesses to set up local servers within Europe. This may not be an issue for Google, Facebook and other Silicon Valley giants who already cater to their European users from subsidiaries and servers within the E.U. But some companies that do not have the means to set up servers in every country where they operate — including major U.S. news sites such as the Los Angeles Times and the Chicago Tribune as well as various mobile apps — have blocked E.U. citizens from accessing their services in order to avoid fines.
The Internet has a huge impact on international trade — global e-commerce accounted for $2.3 trillion in sales in 2017 — and the GDPR is likely to depress growth. Our own estimates show that Europe’s GDP will fall by 0.4 percent if the new regulation is fully enforced.
The GDPR’s negative impact on trade and growth is not limited to Europe. It has encouraged countries already hostile to the free flow of information — notably China and Russia — to copy and paste the GDPR into their own laws to further restrict market access and to demand that foreign companies set up local servers in order to store the data of their citizens. Europe finds itself unable, or unwilling, to address such foreign data protectionism in its own trade agreements.
And yet, while Europe continues to retreat on the digital front, there is one country that has successfully found ways to protect digital privacy without resorting to digital protectionism: Japan.
Privacy is highly valued in Japan, and it has developed a unique culture of self-regulation. Many Japanese social media users often prefer to remain anonymous and consider it good manners to blur the faces of friends and family and sometimes even pets in online posts. In May 2017, Japan strengthened its own data privacy law with a comprehensive list of personal data that cannot be shared by businesses without an individual agreeing by actively opting in. The law also stipulates that user data can be shared internationally with countries whose privacy laws Japan deems adequate.
But unlike the E.U., which can penalize any company wherever it operates so long as it processes an E.U. citizen’s data, Japan does not assume the authority to impose fines and penalties on foreign entities that collect data on Japanese users. It only penalizes businesses that operate within Japan. Japan also acknowledges international certificates that establish privacy standards for cross-border data, such as those developed under regional cooperation forums like the Asia-Pacific Economic Cooperation, a 21-member organization that includes the United States.
Japan not only takes privacy seriously but also recognizes that there doesn’t have to be a contradiction between domestic policy that strengthens citizens’ privacy rights and international trade agreements that keep data flowing and protect companies from discrimination in global markets.
After Trump pulled the United States out of the Trans-Pacific Partnership, Japan took the lead in saving the deal. The Obama administration had included a ban on unjustified online commercial discrimination in the original TPP, which Tokyo insisted on keeping intact when renegotiating terms for the updated deal, which is called the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
The recent E.U.-Japan trade deal provides another example of Japanese leadership when it comes to open data. Because of the GDPR, Europe sought to soften Japan’s proposed disciplines to maintain open data flows. But the Japanese negotiators stood firm against the E.U., preferring an empty placeholder in the agreement to be revisited at a later stage, rather than watering down the standards it had worked so hard to establish in the CPTPP. Any compromises on non-discrimination rules can be a slippery slope, especially if the ultimate goal of the CPTPP is to encourage China to open up. But Beijing is unlikely to agree to any rules that Western powers could not even agree upon among themselves.
Despite this recognition, Japan knows that E.U. privacy rules are a foreign policy dead end. The GDPR is not a tool for opening up new markets and incentivizing others to reform. Instead, it provides E.U. states with a means to protect their own markets from outside competition. It may look as if Europe is the master of global trade in America’s absence, but it is actually Japan that has taken the reins. As it turns out, Japan — not Europe — is the one finding the right balance between privacy and protectionism.