New Global (EU/US) Privacy Rules: The Impacts on Technology

Data protection is a fundamental right for every individual and organization. With the growing need for businesses to cater to global markets, it is essential for organizations to clearly understand their worldwide privacy rules to prevent regulatory breaches, operational fines, or harm to their reputation.

This article explores the evolving landscape in recent key global data privacy laws – GDPR, DMA, and Antitrust – and their effects on the tech industry.  

The GDPR

The General Data Protection Regulation (GDPR) frequently emerges as a primary topic in conversations about data privacy. Effective since 2018, these European Union (EU) privacy rules have influenced international privacy norms and motivated nations globally to establish their own privacy legislation.

This regulation pertains to any entity providing products or services to people in the EU or EEA (European Economic Area) or tracking their actions. GDPR mandates those to maintain specific privacy rights and protect the personal information of these individuals.

The impacts on technology involve the handling of personal information in accordance with the following principles. 

Legitimacy, equity, and openness

There is a need for a legal foundation for data processing, and individuals must receive explicit details regarding the usage of their data.

Limitation of specific purpose(s)

The use of personal information only for definite purpose(s) for which it was gathered.

Data minimization

Organizations should gather solely the data required to achieve the purpose(s) of data processing.

Accuracy

The requirement for organizations is to maintain current data and rectify any inaccuracies or obsolete information as soon as they recognize them.

Limitations on storage

Organizations must not retain any personal information longer than necessary once they achieve the intended objectives.

Integrity and privacy

Organizations need to enforce strict security protocols to protect personal information from unauthorized access or other violations.

Accountability 

Organizations need to show that they adhere to the regulations’ stipulations.

The DMA

The Digital Markets Act (DMA) sets a series of well-defined objective standards to recognize and target the big “gatekeepers.” Along with the new US privacy rules, it impacts technology by demanding enhanced data protection, encouraging fair competition, and altering the operations of tech firms. 

The gatekeepers are major digital platforms offering essential platform services, including app stores, online search engines, and messaging applications. They must adhere to obligations and prohibitions outlined in the DMA.

The impacts on technology are, among others. 

• Mandatory shifts, where gatekeepers enable users to pick various app stores and payment methods, as well as facilitate the removal of pre-installed software.
• Messaging platforms need to ensure they are interoperable with rival services when requested (interoperability).
• User approval for gatekeepers prior to merging personal data from their various services (data usage).
• The act regulates competition by preventing actions that favor their own services above those of other competitors.
• Any entity that does not adhere to the regulation may incur substantial fines reaching 20% of its worldwide revenue.

The Tech Antitrust 

The EU and US uphold distinct, yet increasingly aligned, strategies for antitrust enforcement, especially regarding competition policies. The impact is not only on privacy rules but also beyond, on the anti-monopoly, especially by disciplining the digital influence of Big Tech. Let’s see two prominent examples here.

In April, the EU imposed fairly modest fines and corrective measures (behavioral remedies) under the DMA on Apple and Meta for engaging in anticompetitive practices. In that same month, the Federal Trade Commission of the United States (FTC) started its legal proceedings to dismantle Meta’s supposed monopoly in personal social networking.

The Evolving Landscape

The GDPR is unquestionably the most recognized and impactful global data regulation to date, and it continues to influence existing policies. Other latest privacy rules are the EU Data Act and the EU-US Data Privacy Framework. They have impacts on technology by establishing new regulations for data access, distribution, and transfer. 

The EU Data Act 

Effective in September 2025, the EU Data Act mandates the sharing of data from connected services and devices (e.g., smart vehicles and wearables). It covers both personal and non-personal data. The purpose is to dismantle data silos maintained by big corporations and provide users with greater control over the data they produce.

The EU-US Data Privacy Framework 

Meanwhile, the Trans-Atlantic (EU-US) Data Privacy Framework (effective in July 2023) facilitates data transfers to the US. It implements additional protections against US government surveillance. 

As a result, the regulation substitutes the invalidated Privacy Shield. Another significant effect is more open cross-border data movements by protecting against U.S. intelligence agencies accessing data to a level considered “necessary and proportionate” for national security.

Other Significant Changes

The evolving privacy landscape in the EU may include the European Health Data Space (EHDS), Artificial Intelligence Regulation, ePrivacy Regulation, and Data Governance Act (DGA). The AI and Data regulations stem from the GDPR, emphasizing risk-based strategies. 

As for the US, various states (e.g., Texas, Oregon, Montana) are enacting their own privacy regulations, resulting in complicated rules for businesses to follow or manage.

More importantly, the above privacy rules, particularly the GDPR, are applicable to public and private entities, nonprofit organizations, and government agencies alike. Also, it does not provide any exceptions regarding the size or revenue of organizations.