In January 2012, the European Commission published a draft regulation that would replace the 1995 Data Protection Directive. This article was one of the earliest English-language academic analyses of what the world now knows as the General Data Protection Regulation (GDPR).
Before GDPR Was GDPR
When this article was published, the proposed regulation was still three years from adoption and five years from enforcement. Most American companies had never heard of it. The article examined the draft text with a focus on its extraterritorial reach — the provision that the regulation would apply to any company processing data of EU residents, regardless of where the company was located.
What the Article Got Right
The analysis identified several aspects of the proposed regulation that would prove to be the most challenging in practice: the right to data portability, the requirement for explicit consent, the obligation to appoint data protection officers, and the steep penalties for non-compliance. Each of these provisions generated significant industry pushback during the legislative process, and each remained in the final text that took effect in May 2018.
Transatlantic Data Flows
The article gave particular attention to the implications for transatlantic data transfers — a prescient focus, given that the EU-U.S. Safe Harbor framework was invalidated by the Court of Justice in 2015 (Schrems I), and its successor, the Privacy Shield, suffered the same fate in 2020 (Schrems II). The current EU-U.S. Data Privacy Framework, adopted in 2023, represents the third attempt to resolve the fundamental tension the article identified.
Relevance Today
For anyone seeking to understand the origins of GDPR and the policy debates that shaped it, this article offers a valuable window into how the regulation was perceived before it became the global standard for data protection. The compliance challenges it anticipated, from consent management to cryptocurrency transaction tracking, have become the daily reality for thousands of organizations worldwide.
The Ripple Effect
GDPR's influence has extended far beyond Europe. Brazil's LGPD, California's CCPA and CPRA, India's DPDP Act, and dozens of other data protection laws around the world were directly influenced by the GDPR framework. The regulation's extraterritorial reach, which this article identified as one of its most significant provisions, has effectively made GDPR the de facto global standard for data protection. Companies operating internationally now typically design their data practices to comply with GDPR, treating it as the highest common denominator rather than maintaining separate compliance regimes for each jurisdiction.
The enforcement landscape has also matured significantly. By 2025, European data protection authorities had collectively imposed billions of euros in fines under GDPR, with penalties targeting not only technology companies but also retailers, telecoms, and public sector organizations. The regulation's emphasis on accountability and demonstrable compliance has driven the creation of an entire industry of data protection officers, privacy engineers, and compliance consultants.
Frequently Asked Questions
What is the GDPR?
The General Data Protection Regulation is a European Union regulation that governs the collection, processing, and storage of personal data. It applies to any organization that processes data of EU residents, regardless of where the organization is located. It took effect in May 2018.
Does the GDPR apply to companies outside Europe?
Yes. The GDPR applies to any organization that offers goods or services to EU residents or monitors their behavior, regardless of where the organization is based. This extraterritorial reach was one of the most significant aspects of the regulation, anticipated in this 2013 article years before GDPR took effect.
What are the penalties for GDPR violations?
Maximum fines under GDPR can reach 20 million euros or 4% of annual global turnover, whichever is higher. By 2025, European data protection authorities had collectively imposed billions of euros in fines against companies ranging from technology giants to small local businesses.