The coming EU privacy regulation will end up remaking the world's web

Europe's General Data Protection Regulation kicks in this May, and it enforces a user-first, privacy-centric set of rules for the internet that is totally incompatible with the adtech industry and the ad-supported web in general (though much rides on a potentially humungous loophole).

But these rules won't just affect Europe, but all the companies that want to trade with the world's largest, richest trading block: to sell products and services in Europe, these businesses will have to adhere to European rules. The compliance is going to be expensive for some of these companies -- especially those from the poor world -- but the changes mean that people in all countries, not just the EU, may inherit a future web that rebalances the deal between surveillance capitalism and the people who function under it.

For many countries, the choice is a no-brainer. Breaking commercial ties with the world’s largest trading bloc is unthinkable, and failing to comply brings the risk of hefty fines — up to €20 million or 4 percent of global revenue, whichever is higher — for any company with European customers that mishandles data.

In response, legislators worldwide are scrambling to update their domestic legislation to bend to Europe’s privacy rules. The data revamp will allow EU consumers to pull their data from a company at any time, force businesses to alert customers within three days if their data is hacked and let people move information to rival services at a drop of a hat.

The “Brussels effect” is mostly manageable for advanced economies like Japan, which last year set up an independent agency to handle privacy complaints to conform with Europe’s privacy standards during negotiations for a new Japan-EU trade deal.

But for emerging countries, the cost and administrative burden of applying the EU privacy standards can be daunting. In countries like South Africa, whose domestic legislation is primarily based on Europe’s rules, the upcoming data protection changes risks being viewed as yet another diktat handed down by former colonial powers in a form of “data imperialism.”

Europe’s new data protection rules export privacy standards worldwide [Mark Scott and Laurens Cerulus/Politico]