When the European Union introduced the General Data Protection Regulation (GDPR) in 2018, it outpaced the United States in protecting consumers’ privacy and data online. The GDPR gives EU consumers the right to be alerted before their information is collected by a website, to know how their information will be used, and to permanently delete their information, among other protections, and it includes harsh penalties for noncompliance. By comparison, federal US data protection policies have remained weak.
A new paper by Kevin Davis, Beller Family Professor of Business Law, and Florencia Marotta-Wurgler ’01, Boxer Family Professor of Law, however, explores how the EU’s regulations are also protecting US citizens.
“Filling the Void: How EU Privacy Law Spills Over to the US,” forthcoming in the Journal of Law and Empirical Analysis, builds on Davis and Marotta-Wurgler’s 2019 article, “Contracting for Personal Data,” which examined the privacy policies of a large number of firms conducting business online to examine whether contract law provided an adequate framework for transactions involving personal information. While doing research for the earlier paper, Davis and Marotta-Wurgler found that many firms revised their US-facing policies in ways that seemed to imply compliance with the GDPR—for example, notifying users when their personal data has been compromised by a security breach and allowing users to request copies of the data collected from them. The discovery prompted the researchers to examine why, and to determine to what extent GDPR’s policies have affected companies’ privacy practices in the US.
Working with research assistants and NYU Law student interns, Davis and Marotta-Wurgler quantified the language of privacy contracts among 177 firms across markets in the EU and the US before GDPR went into effect and afterward in order to track the extent of GDPR’s influence. Among firms studied, 75 percent used exactly the same privacy policy language for EU and US residents, forgoing the potential benefits of laxer US policies. Companies that had physical offices in the EU were more likely to have policies for US residents that include GDPR-inflected protections—a claim previously undocumented.
In this Q&A, NYU Law spoke with Davis and Marotta-Wurgler about how they became interested in studying GDPR and what implications their work might have for the future of US privacy protections.
What was the genesis of your research into the GDPR? How did you decide to tackle the huge quantitative work this new paper required?
Marotta-Wurgler: We had written an article…regarding whether contract law offered a good framework for exchanges involving information or data. One of the desirable features of contract law, as opposed to top down regulation, is that contracting parties have flexibility in determining their rights and obligations. Interestingly, during that research, GDPR came into effect, which mandated particular practices and disclosures. To explore the contracting aspect of policies,we needed to control for GDPR language. When controlling for GDPR, we realized that GDPR has had a huge effect on US-facing practices. So in this subsequent article we explored that aspect further.
Davis: We hit on, basically, a version of what Anu Bradford calls the “Brussels Effect” applying to US contract law. [Bradford’s research tracks how the EU’s regulatory policies have had a global influence.]
It’s a big deal because the US is a big economy [and] you would think that it would be somewhat insulated from this [influence]. We realized that the research on spillover effects of laws across borders is quite well developed from a theoretical perspective, but didn’t seem to have much in the way of empirical testing, and here we had all of this great data we could test these theories against.
How does your research fit into this existing theoretical framework? Does it comply with your hypotheses or were any of your findings surprising?
Marotta-Wurgler: We offer some nice empirical evidence that shed light on existing theories. For example, we do find that when it’s cheaper to comply with something, you’re more likely to comply with it, and when it’s very expensive to comply with something, you’re less likely to offer it.
That being said, the things that are cheaper to comply with are still costly. There is no need for firms to comply at all [in the US-facing market]. So [what we found is a] really interesting dynamic going on.
We also have new theories and…new surprising evidence…about the fuzzier role of norms and intra-firm dynamics. We find that the strongest predictor of whether the spillover effect will occur in the US is whether a firm has some physical presence in the EU… This wasn’t discussed much in the existing literature. We consider the role of norms and the role, maybe, of in-house lawyers speaking to each other, and the role of expertise within a firm. It becomes a bigger deal to comply with GDPR as a US arm of a global firm when the people in the EU are telling you the GDPR is a big deal.
Davis: Thus far the literature on these kinds of international regulatory spillovers has focused largely on the compliance costs. But there has also been some [interest in the] idea of the signaling effect – that firms might want to boost their reputation by saying they’re complying with the higher standard. Our findings suggest this element merits further investigation.
How effectively does the GDPR’s spillover fill the void in federal US privacy policies? What impact might this have on efforts to reform US privacy policies?
Davis: The fact that there is clear evidence of spillovers doesn’t mean that the spillover results in perfect compliance in the US.
Our research shows that there is not even perfect compliance in the EU. Part of what we have done in this paper is to compare the levels of compliance with GDPR in the US to the levels, as far as we can ascertain them, in the EU. And that’s how we’re identifying the spillover. There are lots of US privacy policies that still don’t reflect compliance with the GDPR. And so there is still work to be done in terms of US legislation [to protect consumer privacy].
We end up saying we’re not sure what the ramifications of filling the void might be, in terms of the future of reform of the US regime. On the one hand, [these spillover policies] can provide a building block and smooth the path for the development of, say, federal privacy legislation. On the other hand, [the existence of spillovers] might take some of the wind out of the sails of reformers by reducing the need for reform.
Marotta-Wurgler: There is this interesting phenomenon that when there is a regulatory vacuum, firms need to look somewhere. And GDPR seems to have filled that void in a way. And it does have some interesting implications as to how firms may react to more protective information privacy rules. There is this fear that regulation is going to stifle innovation. It doesn’t seem to have had that effect.
What implications does your research have for future research? In what particular ways does lack of data protection impact consumers?
Davis: For me, there is more research to be done on spillovers in other domains. A lot of my research focuses on developing countries. Most recently, I’ve been thinking about the spillover effects of US immigration policy and US gun laws on countries like Mexico or Jamaica and other countries in the Caribbean.
Marotta-Wurgler: I think the finding of a regulatory spillover, particularly when it comes to information privacy, [is important]. There have been numerous [US] bills seeking to introduce federal privacy regulations that have failed to move forward. I think highlighting that firms are likely to comply with GDPR is a pretty big thing.
Consumer privacy has been at the forefront of lots of recent explorations, especially after Dobbs [the 2022 US Supreme Court case that ended women’s federal right to an abortion], where women fear that their data…about their periods or buying histories and other information could be used in a criminal case against them. This interesting spillover in this area, in particular, is quite relevant at the moment.
Posted April, 5, 2024. This interview has been edited and condensed.