The Missing "california Effect" in Data Privacy Law

Jens Frankenreiter (Columbia Law School)

Abstract : The “California Effect” is a recurring trope in discussions about regulatory interdependence. This effect predicts that businesses active in multiple jurisdictions sometimes adopt the strictest standards that they face in any jurisdiction globally, even if the law does not require global compliance. There is a substantial literature that assumes the existence of California Effects both at the interstate level in the United States and the international level. However, empirical evidence documenting their existence and strength is scarce. This paper investigates the existence of California Effects in data privacy law, a field in which these effects have been said to be particularly influential. Its main goal is to understand the extent to which EU law influences transactions between U.S. online services and consumers. Using a range of computational and traditional quantitative techniques, the paper tracks changes in almost 700 webpages’ privacy policies. The analysis covers two years starting in November 2017, a period that saw the enactment of a new, sweeping data privacy law in the EU. Contrary to what many assume, the analysis reveals that most U.S. online services treat U.S. consumers and EU consumers differently, with EU consumers enjoying higher levels of protection. This result indicates that the impact of EU law on the operations of U.S. online services is limited. Moreover, it suggests that California Effects driven by costs of differentiation might be less important than is commonly assumed, at least in data privacy law. The paper also discusses the implications of these findings for researchers and policymakers.


Governance of Data Sharing: a Law & Economics Proposal

Inge Graef (Tilburg University)
Jens Prüfer (Tilburg University)

Abstract : To prevent market tipping, which inhibits innovation, there is an urgent need to mandate sharing of user information in data-driven markets. Existing legal mechanisms to impose data sharing under EU competition law and data portability under the GDPR are not sufficient to tackle this problem. Mandated data sharing requires the design of a governance structure that combines elements of economically efficient centralization with legally necessary decentralization. We identify three feasible options. One is to centralize investigations and enforcement in a European Data Sharing Agency (EDSA), while decision making power lies with National Competition Authorities in a Board of Supervisors. The second option is to set up a Data Sharing Cooperation Network coordinated through a European Data Sharing Board, with the National Competition Authority best placed to run the investigation adjudicating and enforcing the mandatory data-sharing decision across the EU. A third option is to mix both governance structures and to task national authorities to investigate and adjudicate and the EU-level EDSA with enforcement of data sharing.


Narrowing Data Protection's Enforcement Gap

Filippo Lancieri (UChicago Law; ETH Zurich Center for Law and Econ.)

Abstract : The rise of data protection laws is one of the most profound legal changes of this century. Yet, despite their nominal force and widespread adoption, available data indicates that these laws recurrently suffer from an enforcement gap—that is, a wide disparity between the stated protections on the books and the reality of how companies respond to them on the ground. This raises the question: what accounts for this gap and what can be done to improve the performance of these laws? This Article begins by describing three core building blocks of data protection regimes in the United States and Europe—namely, market forces, tort liability and regulatory enforcement—that these jurisdictions combine in different ways to ensure that companies act in accordance consumers’ privacy preferences. It then identifies two key reasons—particularly deep information asymmetries between companies and consumers/regulators, and high levels of market power in many data markets—that enable companies to behave strategically to protect private interests and undermine legal compliance. The conclusion looks at the institutional design of antitrust and anti-fraud laws, two regulatory regimes that face similar challenges in their implementation, to argue that an effective online privacy regulatory system should be built around three key principles. First, the system must multiply monitoring and enforcement resources, and antitrust demonstrates how litigation can fund sophisticated civil-society intermediaries that safeguard consumers. Second, the system must bring violations to light, and anti-fraud policies demonstrate the importance of establishing effective whistleblower programs for data protection. Third, the system must increase governmental accountability, and antitrust provides examples on how to promote public transparency without sacrificing enforcement capacity.