GDPR & the new digital economy 

Over two years ago, the EU ruined the digital economy. Or so you’d think based on countless headlines bashing the General Data Protection Regulation, or GDPR. The landmark privacy law drew criticisms due to burdensome compliance, exorbitant fines and legal vagueness. In this article, I am going to take a step back and assess the real impact that GDPR has had on the digital economy. 

“We value your privacy” is probably the most-used phrase on the internet since 2018. Following the implementation of the General Data Protection Regulation, or GDPR, nearly every website has a pop-up with this statement. Beyond the sudden universal appreciation for your privacy, the GDPR fundamentally disrupted the way the digital economy functions. 

Before its implementation, our digital economy was primarily run on what Larry Downes dubbed the ‘Internet’s Grand Bargain’ [1] (2018). Technology firms like Google or Facebook would provide free tools and platforms that are designed to offer you value in return for selling your data to advertisers. As profit-driven companies, their goal was to get as much data out of users as possible to be able to make more revenue. The processes they used were highly opaque and the greater bargaining power of tech giants meant that users had little to no control over how their data was being used. 

One of the key goals of the GDPR was therefore to hand over control of users’ data back to the users. Companies now have to obtain meaningful consent for the extent to which they process personal data and ensure its security. To enforce this, the GDPR threatens fines of up to 4% of global annual turnover or €20 million[2], whichever is larger. This endangers the ‘Grand Bargain’ [3] by adding the cost of legal compliance and the risk of an astronomical fine on the e-service providers, who will in turn pass this onto the consumer in the form of paid subscription services or simply more ads — We’re looking at you, YouTube.


Now, you may say that this is just the price to pay to take back control of your own data. However, the real question is how much control you actually have. What we have seen in the past two years is the proliferation of pop-ups that no-one really reads and automatically accepts. According to Giovanni Buttarelli, the European data protection supervisor, ‘[e]ven ticking a box does not necessarily mean consent is freely given’[4]. In his opinion, operators have implemented fixes that are designed to protect themselves, rather than the privacy of their users[5].


So, users click through dozens of pop-ups that, instead of amounting to actual consent, end up just adding friction to their surfing of the web. Ultimately, the pop-up is just there to appease regulators. Another factor is the bargaining power of giant tech companies. Consider Google with its omnipresent services like Google Maps or Gmail and Facebook with its iron grip on your social life. You cannot afford to refuse them your data as they have made themselves indispensable to modern life.


This meaningless consent is not what legislators had in mind when drafting the GDPR. Instead, they aimed to implement the principle of ‘Privacy by Design and Default’ by Ann Cavoukian[6], Ontario’s former Information and Privacy Commissioner. Dating back to the 90s, the key message is that there should be no trade-off between security, privacy and user-friendliness. Instead, privacy should be at the heart of new technological developments to minimise the risk of later infringement. 

There are signs that this purpose is bearing fruit: start-ups are increasingly trying to get it right from the start, prioritising privacy in product development[7]. However, this is far from easy as an annual survey by Bitkom found that 74% of participating businesses saw data protection as the main obstacle for taking up new technologies[8]. Many small business leaders point out the fact that the cost of compliance is proportionally larger for smaller companies as compared to the tech giants[9]. This takes much-needed funds away from start-up development. 


At the other end of the spectrum, Silicon Valley players like Apple and Facebook seemingly embrace the spirit of the GDPR, with slogans like ‘Privacy. That’s iPhone’[10] or ‘The Future is Private’[11]. They see the GDPR and the wider shift in society’s view on privacy as an opportunity to reposition themselves. Google, for instance, argues that giving them your data means more useful services and also ensures that they stay free. Apple, on the other hand, uses privacy to justify its bigger price-tag as they then do not need to sell your data to advertisers to make profits. 


It is no wonder, therefore, that Tim Cook, Apple’s CEO, called on the US and the whole world to follow the EU’s lead and adopt stricter data protection standards[12]. This leads to arguably the biggest impact the GDPR has had to to date: it inspired other jurisdictions to take action. 



On January 1st 2020, the California Consumer Privacy Act or CCPA went into effect. It applies to any company with an annual gross revenue greater than $25m that does business in California, or collects and processes data of Californian citizens. It, too, has been heavily criticised, for some of the same reasons as the GDPR. The law is said to be harder to comply with as a small or medium-sized company, given that it is structured in a similar way as the GDPR[13]. Plenty of other examples will follow such as the Lei Geral de Proteção de Dados (LGPD) for Brazil and they will all benchmark against the GDPR, the pioneering legislation that paved the way towards a new digital economy. 

Being in its early stages, this landmark regulation still has many flaws to work out. Only time will tell what the new ‘Grand Bargain’ [14] will look like and if meaningful consent can arise through new developments following the ‘Privacy by Design and Default’ [15] principle. One thing is for sure, though: the GDPR has disrupted a long-standing dynamic within the tech industry, enabling much-needed transparency and even opening up opportunities for its most innovative players on a global scale. 

[1] Larry Downes, 'GDPR And The End Of The Internet’S Grand Bargain' (hbr.org, 2018) <https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain> accessed 24 June 2020. 

[2] Ryan Browne, 'Europe's Privacy Overhaul Has Led To $126 Million In Fines — But Regulators Are Just Getting Started' (CNBC.com, 2020) <https://www.cnbc.com/2020/01/19/eu-gdpr-privacy-law-led-to-over-100-million-in-fines.html> accessed 24 June 2020. 

[3] Larry Downes, 'GDPR And The End Of The Internet’S Grand Bargain' (hbr.org, 2018) <https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain> accessed 24 June 2020.

[4] Jessica Davies, 'Giovanni Buttarelli On State Of GDPR Adoption: ‘Even Ticking A Box Does Not Necessarily Mean Consent Is Freely Given’' (Digiday.com, 2019) <https://digiday.com/media/european-commissions-giovanni-buttarelli-state-gdpr-adoption-even-ticking-box-not-necessarily-mean-consent-freely-given/> accessed 24 June 2020.

[5] ibid.

[6] Ann Cavoukian, 'Keynote - Ann Cavoukian, Ph.D. - ADRIC 2016.' <https://www.youtube.com/watch?v=IdIw01wbknY> accessed 24 June 2020. 

[7] Rebecca West and Coffin Mew, 'Better The Data You Know – How GDPR Is Affecting UK Tech Companies' (Computerweekly.com, 2018) <https://www.computerweekly.com/opinion/Better-the-data-you-know-how-GDPR-is-affecting-UK-tech-companies> accessed 24 June 2020. 

[8] Christoph Krösmann, Susanne Dehmel and Benjamin Ledwon, 'Annual Survey: Bitkom Draws Mixed Conclusion Regarding GDPR Implementation' (Bitkom.org, 2019) <https://www.bitkom.org/EN/List-and-detailpages/Press/Annual-Survey-Bitkom-draws-mixed-conclusion-regarding-GDPR-implementation> accessed 24 June 2020. 

[9] GDPR.EU, '2019 GDPR Small Business Survey' (Gdpr.eu, 2019) <https://gdpr.eu/wp-content/uploads/2019/05/2019-GDPR.EU-Small-Business-Survey.pdf> accessed 24 June 2020. 

[10] Apple, 'Privacy On Iphone — Simple As That — Apple' <https://www.youtube.com/watch?v=Py0acqg1oKc&fbclid=IwAR2T9Q7ElYFBYw37fYzTNdI02yXOBePqtBTEiACgD_310S7we7epQjTluxY> accessed 24 June 2020.

[11] NBC News, 'Facebook CEO Mark Zuckerberg On Facebook Changes: 'The Future Is Private' | NBC News' <https://www.youtube.com/watch?v=V1g0RUWfauw&fbclid=IwAR2p_sUWdZERPWGalWo-qKfKouxY_9UIdzAj-BHwWRSneJr-2kw5u-HU4hg> accessed 24 June 2020.

[12] Natalia Drozdiak and Stephanie Bodoni, 'Apple CEO Tim Cook Slams Tech Rivals Over Data Collection' (Time.com, 2018) <https://time.com/5433499/tim- cook-apple-data-privacy/> accessed 24 June 2020.

[13] Hannah Murphy, 'Californian Privacy Law Looms Large For 500,000 US Companies' (Ft.com, 2019) <https://www.ft.com/content/19a66bca-dfa3-11e9-9743-db5a370481bc> accessed 24 June 2020.

[14] Larry Downes, 'GDPR And The End Of The Internet’S Grand Bargain' (hbr.org, 2018) <https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain> accessed 24 June 2020.

[15] Ann Cavoukian, 'Keynote - Ann Cavoukian, Ph.D. - ADRIC 2016.' <https://www.youtube.com/watch?v=IdIw01wbknY> accessed 24 June 2020.

About the author:
Ludwig Wilke is a final year Management student at Warwick Business School. He is interested in examining the ways law can have an impact on different types of businesses. 

Connect with the author on LinkedIn.