This article is a part of the Perspectives on Industrial Policy symposium.
You had a recent post on LinkedIn that offered a critical analysis of the European Data Protection Board’s (EDPB) August 2024 consent-or-pay opinion, highlighting concerns about its effects on the freedom to conduct business. The decision was part of a larger context of developments in the European Union that, at least in the United States, have been referred to as a sort of “shadow” industrial policy. How can non-EU observers differentiate between EU regulations that protect fundamental rights and those potentially favoring EU firms?
The “consent or pay” debate is fascinating, because it highlights tensions between how U.S. firms are viewed and handled compared to European companies. The EDPB’s opinion was initially based on a request related explicitly to Meta’s rollout of the consent-or-pay approach (subscribe or accept). The EDPB opinion came as a result of the adoption of this business model. In practice, this business model has been present in Europe for years. In Germany and France, a large number of publishers have been using this approach, and it’s increasing across the European Union. The debate suddenly started because an American social platform adopted it.
The European Data Protection Board then crafted a specific scope for this opinion, saying it’s about “large online platforms”—a term that’s never defined in any legislation. They’re creating a distinction that isn’t yet properly defined. It’s unclear to whom this opinion applies and to whom the future guidelines will apply. There’s a good likelihood that this will allow them to distinguish between certain larger, potentially American companies, and more national players.
The problem is that creating this distinction without a legal definition or threshold just creates uncertainty. There are political questions behind this opinion that haven’t been made clear. Why is this being adopted in this way, rather than as a guideline?
When the opinion came out, I published a critical analysis of it and saw support for my arguments from various sectors and companies of different sizes. The concerns were real for many companies throughout Europe, not just large U.S. firms. There’s a political dimension to this that isn’t properly explained, but that has broad ramifications.
The next step will be the guidelines, which will involve more consultation and potential ways to tone things down. The scope of these guidelines will, however, be crucial. They will clarify what we’re talking about in terms of this “shadow industrial policy.” Based on the thresholds and criteria, if we get something tangible, we’ll be able to see to whom it really applies.
It sounds like it might be too early to make a definitive call, but do you think there’s evidence that enforcement of the General Data Protection Regulation (GDPR) disproportionately targets U.S. firms, even though the rules are neutral regarding country of origin?
The priority cases at the European level often depend on how large a platform is internationally. There have been several large cases against social-media networks—not just Meta, but others like Grindr. There have also been cases against large e-commerce platforms with accessory services, including a big one against Amazon in relation to advertising. Many of these more prominent cases do happen to be against U.S. firms.
We must distinguish between cases based on complaints, and those based on investigations initiated by the authorities themselves. Complaints typically cover companies of all sizes, including many small businesses and “mom-and-pop” stores that may not have extensive resources for data protection. Numerous complaints have also been made about personal data use in electoral campaigns involving European politicians and parties. The nature of the case—whether it’s complaint-based or authority-initiated—often determines its profile. Authority-initiated investigations tend to target higher-profile cases, which can have a political dimension. While I wouldn’t say U.S. firms have been disproportionately targeted, they are undoubtedly prominent in the number of cases.
When we look at fines, the largest ones have, indeed, been levied against big U.S. firms. This is partly because fines are often calculated as a percentage of global turnover—i.e., larger companies face larger fines. The criteria for determining fines, however, aren’t always clearly explained, and there is a need for regulatory clarity in this area.
Overall, U.S. firms are more often the subject of high-profile cases, but European businesses aren’t being ignored. There have been significant fines in the adtech sector, including against a French company. So, while there are high-profile cases against European players, the penalties are typically a fraction of those against large U.S. firms.
In the United States, the GDPR has faced criticism for its effects on firms’ business models, with similar commentary about the Digital Markets Act (DMA) and the AI Act. U.S. firms typically have broad discretion in arranging their affairs. How does this compare to the mindset of EU regulators and enforcers?
For many EU enforcers, their approach is somewhat akin to tunnel vision. Regulators often focus on their specific powers, scope, and remit, viewing issues through a particular lens. This has led to tension between different fundamental rights. In the EU, we have the Charter of Fundamental Rights, which specifically lists the right to privacy and the right to data protection as separate fundamental rights. It also includes the freedom to conduct business as another fundamental freedom. Recently, there’s been more discussion about balancing these rights, as was apparent during “consent-or-pay” exchanges during a stakeholder event organized by the European Data Protection Board.
Until recently, the balance has predominantly favored data-protection rights. This is likely because regulators, being in charge of data-protection compliance, naturally favor this aspect. But even the GDPR explicitly states that the right to data protection is not absolute and must be balanced with other freedoms, including the freedom to conduct business. Regulators need to adopt a wider perspective and consider the fundamental freedom to conduct business. Not all of them do this currently, which creates enforcement problems. It raises questions about whether we’re imposing changes to business models purely based on a narrow viewpoint.
As a data-protection litigator, I believe there’s merit in challenging the view that data protection should prevail over everything else, as that’s not what the fundamental texts stipulate. From a U.S. perspective, there’s typically a more pragmatic approach to business, with greater emphasis on these freedoms. While it’s not articulated as a fundamental right, there’s a similar idea that businesses should have some degree of autonomy. I believe this aspect has been lacking in EU enforcement recently, and I hope we can change this trend.
The United States is often considered a leader in innovation, with some commentators noting that startup formation and innovative behavior in the EU seem to lag behind. To what extent do you agree with this framing? If you agree, what challenges exist in the EU that make it harder to enact policies that would bridge this gap?
From my experience in due diligence and acquisitions, I’ve observed that Europe is a hub of innovation, with bright minds, great founders, and brilliant ideas. When it comes to raising capital and growing businesses, however, there’s often competition between European and U.S. investors. Typically, U.S. investors come with larger cash contributions than their European counterparts. There are various reasons for this, and the situation is constantly evolving. We’re seeing more competition from European venture capitalists (VCs) now, but historically, this hasn’t been the case. Often, European founders with good ideas try to do something in the United States, as well. This is partly due to the perception that the United States has fewer regulatory hurdles and focuses more on innovation than regulation. But this perception isn’t always accurate.
I believe this perception stems from how rules are framed. In Europe, we tend to start with a code of regulations—a large piece of legislation with many principles covering various aspects. The U.S. approach is typically more based on use cases and specific scenarios. As a result, U.S. laws tend to be very detailed, covering many scenarios, while European laws often start from a more principles-based approach. This gives the impression that Europe is regulating everything. In practice, however, U.S. and EU laws often end up in similar positions regarding outcomes. If you look at the laws abstractly, you might think the United States is more accessible. But for many businesses, it isn’t. A lot of these concerns are purely perception-based.
Yes, European legislators tend to regulate extensively, but the United States has a huge body of case law that creates a substantial legal framework. So, there are still many rules to consider in the United States. From a European perspective, we could better frame our approach. We must emphasize that much of our regulation is focused on responsibly enabling innovation. This is where we sometimes see tension, like with the AI Act. The intention is to enable responsible innovation, but it’s often perceived as overregulation that might scare innovators to the United States.
But if you look at the fundamental idea behind the AI Act—responsible use of artificial intelligence—we’re seeing similar trends in the United States now. There’s a growing focus on responsible AI use and potential liability for not following best practices. Ultimately, the ideas are similar; it’s largely a matter of perception. We need to shift the focus from “the EU is overregulating” to “the EU is enabling responsible innovation.” Legislators and lawyers need to improve in communicating this—focusing less on compliance deadlines and fines, and more on how to innovate responsibly.
There is an interesting tension between the national perspectives of EU member states regarding how their firms are treated versus the EU’s overall approach, and how this affects competition. Even with industrial policy potentially lurking at the edges of European policy, there seems to be resistance at the national level due to each member state’s own interests. Could you discuss this tension?
There’s a noticeable difference between political discussions at the European level and the national discussions of EU member states. National interests can be fundamentally different from the consensus among European partners. We see this in the context of the “consent-or-pay” debate.
The European internal market is supposed to be unified, but certain areas always have distinct national markets. For example, in publishing newspapers in specific languages, the market is inherently national. This is particularly evident with languages like German and French, where markets are well-defined territorially. As I noted above, in the publishing industry, you have large players in France, Germany, and Austria who have been adopting the “pay-or-consent” model for years, increasingly across Europe.
National authorities can’t just consider the European perspective; they must also listen to their own constituents. While companies aren’t directly constituents of regulators, there’s a general idea of listening to your market. This creates tensions between the positions of national regulators, and messaging at the European level. Sometimes, national regulators might be content to let a European body be the scapegoat for a specific position, allowing them to claim they’re defending national interests. There can be a bit of “schizophrenia” in this approach, but it’s crucial for them to consider both the national and European stages. We must be careful that this doesn’t become mere political theater.
When examining European strategy or industrial policy, it’s essential to always keep in mind this distinction between the national and European levels. You must look beyond the surface and consider what national interests might be playing behind the scenes.
Relatedly, how does the EU balance its goals of fostering a single market, promoting European businesses, and engaging in international trade, while managing internal competition and concerns about foreign takeovers?
There’s a dual dimension to this discussion in the EU. First, there’s the idea of the single market. The single market allows a product or service to be offered throughout the European Union, with customers benefiting from providers across the EU, regardless of language or location. The goal is to reduce internal barriers within the EU to facilitate this. Another dimension is below the EU level; you have the national level, which is still relevant for certain products and services that might be national for various reasons, such as publishing. Then there’s the international dimension—interactions with the United States, with the United Kingdom in a post-Brexit world, with Asian partners, etc.
There is a lot of pride in having European unicorns. Even individual countries proudly claim the largest number of unicorns per-capita in the EU. This creates healthy internal competition. From a macro European perspective, however, there might be fears of U.S. companies taking over European companies. This was evident in the recent discussion about U.S. investment in Mistral AI, a French company that built a powerful LLM. It raised questions about the consequences for Europeans.
Politically, there’s a desire to keep things European, while not appearing closed to the world. There’s work to be done to reinforce pride in European champions, as there are many strong European players. Spotify, for instance, is a European success story. Not every large tech company is American, but there’s still work to be done to incentivize growth without being too fearful of U.S. companies.
Part of this fear stems from the U.S. VCs coming with larger amounts of capital. There’s concern that opening up too quickly might lead to losing key European players. There’s a real tension here. Europe wants to show it’s an innovator capable of growing talent and companies, but it doesn’t want to be too fearful of competition, which is ultimately healthy.
This situation is complicated by the tension between European and national interests, similar to what we discussed earlier about regulatory perspectives. Some member states might have a kind of national pride that conflicts with the European message being marketed abroad, which complicates trade discussions. This complexity extends to the legislative process, as well. For example, in discussions about the AI Act, there were questions about whether certain changes—particularly regarding open-source models—were being pushed by specific countries like France, as opposed to reflecting the overall European consensus.
This tension between national and European interests is normal, and is part of what drives the evolution of laws. It’s an essential aspect to consider when examining European strategy or industrial policy.
