ARTICLE | GDPR’s “Real Seat Approach” Effect on Corporate Law and Corporate Policies

I. Introduction

Foreign corporations are generally defined as corporations that are incorporated in another jurisdiction. [1] A pseudo-foreign corporation is a “corporation that is incorporated in another jurisdiction but has no significant contacts with that other jurisdiction.” [2]  This creates corporate law and  corporate policy issues as to the applicable law, protection of shareholders and third parties and a state’s interest in legislating, for example. [3]

The “real seat approach” hypothesis projects a “race to the top” as multinational entities find it easier to adopt the strictest data protection standards worldwide, rather than satisfying differing data privacy laws.[4] The real seat approach can be defined in different ways, but the definition for purposes of this article, is primarily based on elements of “physical” contact between a corporation and a particular jurisdiction.[5]  Traditionally, the theory has been justified because it allows the state that is most closely involved in the activities of the company to apply its law with a view of protecting the interests involved.[6]

Europe’s General Data Protection Regulation (GDPR) took effect in May 2018, and gives all European Union (EU) citizens easier access to their data, a right to portability, a right to be forgotten, and a right to learn when their data has been hacked.[7] These mandatory privacy protections apply to any company that offers goods or services to EU consumers.[8] The GDPR is said to be a prime example of the real seat approach because of its aggressive extraterritorial scope that unilaterally imposes EU law on other countries. [9]

This article discusses the “real seat approach” theory and how the EU’s GDPR has impacted both global corporate law and corporate policies. Part II provides the historical background on the creation of the GDPR. Part III compares the EU and U.S. data governance models. Part IV analyzes the GDPR’s “real seat approach” on multinational corporate law and policies and discusses the “race to the top” of various developed and developing countries.  Part V provides recommendations towards a globalized privacy protection law in order to promote transatlantic data harmonization. Finally, Part VI concludes that through the enactment of GDPR, the real seat approach theory has generated a race to the top among multination corporations to change corporate law and policies.   

II. Background on the General Data Privacy Regulation

In an effort to harmonize European corporate law, the EU has enacted several directives and regulations. [10]  In 1995, the European Parliament adopted the EU Data Protection Directive (DPD) with two major goals: to protect the fundamental right of data protection and to guarantee the free flow of personal information between member states.[11]  Prior to the enactment of the GDPR there was Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the processing of personal data and privacy protection of electronic communications. [12]

As directives, the legislation set out goals or minimum requirements, but member states had to pass their own national laws to implement these goals. [13]   Directive 95/46/EC and Directive 2002/58/EC were replaced by the GDPR and laid the foundation for many its provisions. [14]  For example, the directives addressed a number of areas that subsequently became the legal bases for the GDPR, including the definition of personal data and data controller, processing requirements, rights afforded to the data subject, remedies for breach, and transferring of data. [15]

To meet new privacy challenges brought by the development of digital technologies, the EU spent years drafting the GDPR to strengthen its data protection standards. [16] The GDPR is the most comprehensive EU regulation dealing with personal data and privacy and is a binding framework across all twenty-eight member states, defining the rules for processing, storing, managing the data of EU citizens. [17]

III.  Comparison of the EU and U.S. Corporate Data Governance Models

To understand the gravity of such legislation, one must understand the corporate governance frameworks among different nations. For purposes of this paper, I have only compared the EU data governance framework, which is often portrayed as the “golden standard” for data privacy, and the U.S. data governance framework which is often seen as a country with a “weak or non-existent privacy regime.” [18]

The EU model has one primary source of data governance law, the GDPR, making it a straightforward, streamlined framework.[19] Moreover, EU informational privacy grants a broad right to privacy across the board, regardless of the type of business or information involved.[20] In contrast, the U.S. has developed its data privacy laws through a series of unconnected pieces of legislation targeting specific markets or sectors, to reactively address concerns, leaving state and federal laws often inconsistent with one another. [21] This patchwork framework has transformed U.S. data privacy law into a regulatory system in which state and federal laws “overlap, dovetail and contradict one another.”[22]

In the U.S. the option to shop for corporate charter has created what is known as the “Delaware effect,” or “incorporation principle.”[23]  This allows states to profit from incorporations under their law and make attempts to attract re-incorporations by repeatedly adapting their laws.[24]  In Europe, the Delaware effect is widely regarded with suspicion, and many commentators fear a “race to the bottom.” [25]

IV. GDPR’s “Real Seat Approach” Effect on Corporate Law and Corporate Policies

The GDPR has extraterritorial reach and applies to any entity in the world which processes the personal data of an EU citizen and has become the de facto standard for many industries. [26] The GDPR makes clear that anyone processing the data of residents of the EU regardless of whether or not they have an office in the EU is subject to the regulation.[27]

The law does not “discriminate” its regulations by where the “center of the administration is located, determined by where the corporate bodies (board of directors or shareholders’ meeting) meet. [28] Instead, the GDPR goes to great lengths to ensure that companies, both internal and external to the EU, comply with its high standards for citizen data protection. [29]   By adding a requirement that a country provide protections for personal information before a data transfer can occur, the EU intended to set the tone and raise the bar for data privacy standards around the world. [30]

A.    The GDPR “Choice” of Applicable Corporate Law

Generally, corporations use two main approaches to determine the applicable laws governing an issue at hand, the “incorporation principle” and the “real seat approach.”[31] Under the incorporation principle, the internal affairs of a corporation are governed by the laws of the state in which the corporation is incorporated.[32] The internal affairs of a corporation are subject to the laws of the state of incorporation even if the corporation does not do business in that state, and has no meaningful contacts with the state, besides having incorporated there.[33] This means that in countries that follow the incorporation principle, a regulatory competition can develop in order to attract corporations.[34]

The second choice-of-law principle, which prevails in continental Europe and more generally civil law systems, is the real seat approach. This principle is based on elements of “physical” contact between a corporation and a particular jurisdiction.[35] Under the real seat approach, the applicable law depends on physical contacts with a specific jurisdiction, it might be impossible, or inefficient, for a corporation to choose incorporation in one jurisdiction over another.[36]  Physical contacts as it relates to GDPR are the EU citizens. Thus, companies globally can either comply with the GDPR or cease offering sales and services to EU consumers.[37]  While at first glance this may seem like a “free choice,” there is no real alternative for most large multinational organizations.[38]

U.S. industry advocates have argued the GDPR is pushing the U.S. and EU apart by placing Europeans in the “data protection driver’s seat.” [39] American conservative public policy think tanks contend that the GDPR intensifies the transatlantic conflict in data protection standards.[40] For example, a Heritage Foundation senior research fellow views the GDPR as a form of EU “imperialism that is hostile to the U.S. free market principles.” [41] Another commentator notes that the “U.S. and the EU not only have different notions of what personal data includes, but also operate under two very different definitions of privacy more generally.” [42]

B.     Enforcement & Penalties of Non-Compliance with GDPR 

The real seat approach has always been predominantly influenced by control policies. Thus, enforcement mechanisms and financial penalties are instrumental in securing compliance with the GDPR.  [43] Article 58 of the GDPR established the Data Protection Agency’s (DPA) enforcement authority which requires member states to establish independent DPAs to address compliance concerns.[44] The DPAs’ enforcement responsibilities can be categorized in two ways: individual rights protections and compliance with data processing. [45]  If a violation of the regulation is suspected, the DPAs have investigative authority and can issue warnings to the data processor. When a violation is confirmed, the DPAs have several enforcement measures they can exercise such as the authority to enforce penalties and fines. [46]   

What sets the GDPR apart from the previously enacted DPD and arguably strengthens the real seat effect, are the financial penalties of non-compliance. Such penalties further create an enforcement mechanism to ensure the protections and prohibitions are a meaningful check on industry conduct around the world.[47] If a company is not in compliance with GDPR, they may face severe penalties, including fines of a minimum two percent of 10 million euros and maximum up to four percent of global revenue, or 20 million euros or more, whichever is higher. [48] 

While it may seem as if four percent may not be large enough to encourage a company to be compliant with GDPR, for a multibillion-dollar company, this low percentage can add up to hundreds of millions of dollars in violations and noncompliance.[49] These hefty penalties create strong incentives for companies to examine and update their corporate policies to comply with the GDPR.

On September 25, 2018, Facebook experienced a data breach incident which impacted 50 million accounts. [50]Although less than five million of the users affected were EU citizens, the incident may still result in fines up to $1.63 billion.[51] Forbes Magazine also analyzed the cost of data breaches before the enactment of the GDPR.[52] They concluded that the Yahoo data breach in 2013-2014 consisted of about three billion accounts. [53]  If GDPR had been the law, Yahoo, which had a gross revenue of over $4 billion USD, would have been fined between $ 80-160 million dollars because they failed to notify its consumers within the legal timeframe of GDPR. [54]

Critics argue that the GDPR creates serious, unclear legal obligations for both private and public sector entities, including the U.S. government. [55] “We do not have a clear understanding of what is required to comply. [56] That could disrupt transatlantic co-operation on financial regulation, medical research, emergency management co-ordination, and important commerce.” [57] While the GDPR’s impact on U.S. companies has been minimal thus far, it has already reared its devastating potential.[58]

C.    Changes in Corporate Policies

Organizations which are compliant with GDPR will likely have a competitive advantage over their non-compliant competitors. [59] To meet the requirements of GDPR, companies have to invest a lot of manpower and resources on upgrading at a minimum, their technology platforms, privacy policies and practices, as well as adjusting data storage processes. [60] However, there is no checklist that a company can go through to certify that it is in compliance with the GDPR because the requirements are ongoing. [61]  Compliance with the GDPR requires a complete culture change for companies because the rights afforded data subjects in the EU are not rights that other countries’ data subjects have, nor that most developed countries’ companies have been operating under. [62]

The impacts on American and Chinese companies are especially significant, since the U.S. and China, the two leading global economic powers, have many companies that do business with the EU.[63]  From a global perspective, the U.S. is home to some of the largest and most technologically advanced data companies in the world such as Amazon, Google and Facebook. According to a PwC survey, 92% of American companies considered compliance with the GDPR a top priority in 2017.[64] The survey also reported that 68% of American companies are expected to spend between $1 million and $10 million to meet the GDPR standards, and 9% are expected to spend more than $10 million.[65]

Similar to the U.S. approach, Asia-Pacific region exporters such as Japan, Hong Kong, and the Philippines have been particularly active in adapting to the GPDR.[66] Japan’s new data protection statute went into effect on May 30, 2017, making Japan the first country to be recognized as an EU “white listed” jurisdiction.[67] Furthermore, Japan and the EU have recently announced a GDPR safe harbor agreement, which is an EU approval of Japan’s data protection regime.[68]

Contrary to most developed countries’ corporate policy changes, many African countries have not taken significant steps toward compliance with the GDPR.[69] For example, in Nigeria, “only a small number of companies appear interested in setting up GDPR compliance processes.” [70] Africa has the largest number of the least-developed countries in the world, so it is not unexpected that the GDPR’s gravitational pull has been less than on other continents.[71]  One major reason for a lack of corporate policy change in developing countries to meet GDPR compliance is that much of Sub-Saharan Africa, for example, lacks wired broadband access, so there is little need to update their corporate privacy policies to comply with the GDPR.[72]

As predicted by the real seat approach, it is more cost-effective for a multinational entity to satisfy a single legal standard rather than multiple divergent standards that may conflict. [73] On the other hand, some smaller companies perceive the real seat approach as so onerous that they are blocking EU users in order to avoid the costs and burden of complying with the GDPR.[74]

D.    A Global “Race to the Top”

The GDPR has been globally influential partly due to the breadth of its applicability.[75] Since the EU has passed the GDPR, more countries have followed the EU’s strong-armed approach by passing their own data protection laws.[76]   This rise of global standards complicates international data transfers because countries must either adopt a similar strict approach to privacy or rely on negotiated trade agreements.[77]

1) South America

Many South American countries do not have data privacy rules in alignment with those of the EU, but there are exceptions.[78] In August 2018, Brazil’s President Michel Temer signed the country’s comprehensive data privacy regulation into law which closely mimics the GDPR and went into effect this past February 2020. [79]  Brazil’s law, Lei Geral de Proteção de Dados Pessoais (LGPD), is very similar to the EU’s GDPR. [80]  Like the GDPR, the LGPD applies to companies in Brazil and those selling to people in Brazil, even if the company is not located in Brazil.[81] In addition, the LGPD defines personal data broadly, requiring consent of the user to collect data, and also includes a similar fine structure for non-compliance.[82]

2) United States

Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA) on June 28, 2018 which went into effect on January 1, 2020 and is said to be the most aggressive privacy law in the U.S. [83]   The CCPA, while distinct from the GDPR, adopts several of the critical concepts established by the GDPR.[84] Due to California’s economic importance and the borderless world of ecommerce, the impact of this legislation transcends state borders and forces technology companies to comply. [85] The state’s enormous size and robust economy gives a California significant advantage in encouraging large companies to adopt its regulations nationwide.

Broadly, the CCPA grants California residents several important privacy rights with respect to their personal information: (1) the right to be informed of the categories of personal information being collected and the purposes for which such information shall be used, (2) the right not to have additional personal information collected without further information collected without further notice, (3) the right to request deletion of personal information, (4) the right to know whether personal information is being sold or disclosed and to whom, (5) the right to opt out of the sale of personal information, and (7) the right to equal services and prices regardless of whether they exercise prices regardless of whether they exercise privacy rights under the CCPA. [86]  The first, second, third, fourth and sixth rights are similar to that data subjects have under the GDPR. [87]

U.S. companies are likely to revise their privacy policies for all states to avoid having one standard for California that conflicts with privacy policies in other states.[88] The CCPA will affect most major U.S.-based institutions and has inspired other states to pass similar data privacy legislation. Companies operating within the EU and California can benefit from the corporate policies they have put in place under the GDPR to more seamlessly comply with the CCPA.[89] However, compliance with the GDPR does not necessarily equate compliance with the CCPA.[90]

3)    Middle East

Very few Middle Eastern countries, with the exception of Israel, target EU consumers, making the real seat approach relatively insignificant. [91] Most Middle Eastern countries do not have laws that regulate consumer data protection. [92]  In traditionalist Muslim countries, complying with the GDPR is an issue because Shari’a legal principles are based on the Quran’s moral teachings. [93]  These religious principles can conflict with the more individualistic personal privacy rights valued in Western nations:

“Shari’a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses’ sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the [Kingdom of Saudi Arabia (KSA)]. In addition to Shari’a principles, the law in the KSA consists of secular regulations passed by government, which is secondary if it conflicts with Shari’a principles.

At this time, there is no specific data protection legislation in place in the KSA (although we understand that  a new freedom of information and protection of private data law is under review by the Shura Council).” [94]

        Shari’a principles are the primary source of law in the KSA, but the law in the KSA consists of secular regulations passed by government, which is secondary if it conflicts with Shari’a principles. [95] Currently, there is no specific data protection legislation in the KSA, though a new freedom of information and protection of private data law is under review. [96]

V. Towards a Globalized Privacy Protection Law

 Since the enactment of GDPR, at least twenty countries have updated their privacy laws to become GDPR compliant. [97] However, a growing number of foreign countries, and some U.S. states have articulated distinct visions for how to address privacy concerns, leading to a fragmented regulatory landscape. Such fragmentation disincentivizes technological innovation by increasing the regulatory costs for products that require scale. [98] Consistent data privacy laws would result in harmonization in international data privacy law and reduce regulatory costs overall. 

  Data privacy is an important global social and economic issue. [99]The Internet, by its very nature, is international, but there is no singular legal infrastructure protecting data collection or transfers. [100] The paradox, moreover,  is that the open Internet is one that disregards privacy. [101]  Generally, countries will move to comply with the strictest privacy standard in order to obtain equal bargaining power and reduce their own costs of compliance. [102]

Utilizing the real seat approach, the GDPR unifies data privacy throughout the EU by providing efficiency through standardization.[103] Developing a compatible international framework to protect personal information that enables responsible data sharing and cross-border data transfers would be beneficial to all parties.[104]  As technology continues to advance, more governments will follow the EU’s lead in implementing strong consumer personal data protection which in hopes will make a globalized privacy protection law more feasible.  Without a unified data control standard, there is the threat of multiple cyberspace “checkpoints” that could fragment the Internet and worsen overall data transfer efficiency.[105] Most multinational private and public entities stand to benefit greatly from the efficiencies created by a globalized privacy protection policy. [106]

VI. Conclusion

Whether or not the EU intended to “strong arm” its data privacy regulations through the enactment of the GDPR, the real seat approach has showed a clear “race to the top” among multination corporations to change corporate law and policies.  Although many difficulties remain to be overcome, the GDPR is rapidly evolving into the transnational gold standard of data protection necessary to harmonize transatlantic data transfers and provides an important step toward the development of an international data control policy for the age of the Internet.[107] Harmonization of data privacy laws is essential to the achievement of not only data protection and sharing, but technological growth and development.

[1] ARTICLE: CORPORATE CHOICE OF LAW -- A COMPARISON OF THE UNITED STATES AND EUROPEAN SYSTEMS AND A PROPOSAL FOR A EUROPEAN DIRECTIVE, 28 Brooklyn J. Int’l L. 1, 1

[2] Id.

[3] Id.

[4] Rustard, Michael, ARTICLE: TOWARDS A GLOBAL DATA PRIVACY STANDARD , 71 Fla. L. Rev. 365, 367

[5] Ventoruzzo, Marco . Corporations: A Comparative Perspective (International Edition) (Coursebook) (2016).

[6] European Business Organization Law Review (2001) 2: 101-139

[7]  See 71 Fla. L. Rev. 365, 367.

[8] Id.

[9] Id.

[10] See Corporations: A Comparative Perspective (International Edition) (Coursebook) (2016).

[11] Directive 95/46 1995 O.J. (L 218) 31 (EC), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[12] See Corporations: A Comparative Perspective (International Edition) (Coursebook) (2016).

[13] Directive 95/46 1995 O.J. (L 218) 31 (EC), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[14] Id.

[15] Id.

[16] Id.

[17] Layton, Roslyn & Elaluf-Calderwood, Silvia. (2019). A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices. 1-6. 10.1109/CMI48017.2019.8962288.

[18] NOTE: NAVIGATING THE ATLANTIC: UNDERSTANDING EU DATA PRIVACY COMPLIANCE AMIDST A SEA OF UNCERTAINTY, 91 S. Cal. L. Rev. 163, 178-179

[19] Humerick, Matthew, ARTICLE: THE TORTOISE AND THE HARE OF INTERNATIONAL DATA PRIVACY LAW: CAN THE UNITED STATES CATCH UP TO RISING GLOBAL STANDARDS, 27 Cath. U. J. L. & Tech. 77

[20] Id.

[21] NOTE: NAVIGATING THE ATLANTIC: UNDERSTANDING EU DATA PRIVACY COMPLIANCE AMIDST A SEA OF UNCERTAINTY, 91 S. Cal. L. Rev. 163, 178-179

[22] Border, Amanda, NOTE: UNTANGLING THE WEB: AN ARGUMENT FOR COMPREHENSIVE DATA PRIVACY LEGILSATION IN THE UNITED STATES, 35 Suffolk Transnat’l L. Rev. 363, 373

[23] See 28 Brooklyn J. Int’l L. 1, 11.

[24] Id.

[25] Id.

[26] Layton, Roslyn & Elaluf-Calderwood, Silvia. (2019). A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices. 1-6. 10.1109/CMI48017.2019.8962288.

[27] Id.

[28] See Corporations: A Comparative Perspective (International Edition) (Coursebook) (2016).

[29] Oliver Smith, The GDPR Racket: Who’s Making Money From This $ 9bn Business Shakedown, Forbes (May 2, 2018 2:30 AM), https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shake down/#3b0ff15234a2 [https://perma.cc/VV2H-Q7MW].

[30] See 35 Suffolk Transnat’l L. Rev. 363, 373.

[31] See Corporations: A Comparative Perspective (International Edition) (Coursebook) (2016).

[32] Id.

[33] Id. at 219.

[34] Id. at 220.

[35] Id.

[36] Id.

[37] Companies must adhere to requirements because the Data Protection Directive promises EU citizens protection of personal data, which cannot be achieved without the participation of the countries from whence the data originates. Safe Harbor Certification, PrivacyTrust (Feb. 2016), http://www.privacytrust.com/guidance/safe_harbor.html. A list of all participants in the Safe Harbor Framework can be found at U.S.-EU Safe Harbor List, U.S. Dep’t Com., https://safeharbor.export.gov/list.aspx (last visited Dec. 20, 2016) (a user types an identifier of the company in the search for “Organization Name,” which brings up the name of the organization as it was certified, how long it is U.S.-EU certified for, and the nature of its personal data).

[38] See 71 Fla. L. Rev. 365.

[39] Id.

[40] Id. at 387.

[41] Id.

[42] Id. at 387-388

[43] NOTE: COMPARATIVE ANALYSIS OF THE EU’S GDPR AND BRAZIL’S LGPD: ENFORCEMENT CHALLENGES WITH THE LGPD, 44 Brooklyn J. Int’l L. 859, 885-886

[44] Id. at 885.

[45] Id. at 886.

[46] See 44 Brooklyn J. Int’l L. 859, 885-888.

[47] SYMPOSIUM ARTICLE: Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, 42 Seattle U. L. Rev. 1057, 1059

[48] Id. at 1058.

[49] Id. at 1059.

[50] See 27 Cath. U. J. L. & Tech. 77, 107.

[51] Id. at 109.

[52] See 44 Brooklyn J. Int’l L. 859, 860-861

[53] Id. at 860.

[54] Id. at 861.

[55] See 71 Fla. L. Rev. 365, 387-388.

[56] Id. at 387.

[57] Id. at 388.

[58] See 27 Cath. U. J. L. & Tech. 77, 108.

[59] Nathalie Morris, What New Zealand Marketers Need to Know About the GDPR, MARKETING ASS'N, https://www.marketing.org.nz/GDPR [https://perma.cc/H7PD-9RAT].

[60] See GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey, PWC (Jan. 23, 2017) [hereinafter GDPR Compliance Top Priority], https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html [https://perma.cc/X2E6-MUEX].

[61] Houser, Kimberly, ARTICLE: GDPR: THE END OF GOOGLE AND FACEBOOK OR A NEW PARADIGM IN DATA PRIVACY, 25 Rich. J.L. & Tech. 1

[62] Id.

[63] Nicholas Confessore, Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak, N.Y. TIMES (Apr. 19, 2018), https://www.nytimes.com/2018/04/19/technology/facebook-audit-cambridge-analytica.html [https://perma.cc/CKQ9-KKCP].

[64] See 25 Rich. J.L. & Tech. 1.

[65] See GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey, PWC (Jan. 23, 2017) [hereinafter GDPR Compliance Top Priority], https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html [https://perma.cc/X2E6-MUEX].

[66] See 71 Fla. L. Rev. 365, 435.

[67] See 71 Fla. L. Rev. 365, 435.

[68] Id.

[69] Id. at 433.

[70] Id.

[71] Id. at 434.

[72] Id.

[73] Id. at 391.

[74] Id. at 394.

[75] Schwartz & Peifer, supra note 3, at 122 (Calling the GDPR “stunningly influential” on privacy law around the globe).

[76] Id at 372.

[77] See 27 Cath. U. J. L. & Tech. 77, 78.

[78] See 71 Fla. L. Rev. 365, 445.

[79] See 44 Brooklyn J. Int’l L. 859.

[80] Id. at 861-862.

[81] NOTE: A REPEATED CALL FOR OMNIBUS FEDERAL CYBERSECURITY LAW, 94 Notre Dame L. Rev. 2211, 2224-2225

[82] See 44 Brooklyn J. Int’l L. 859, 861-862.

[83]  Stites, Tyler, DEVELOPMENTS IN BANKING & FINANCIAL LAW: 2018: XI. Data Protection on the Doorstep: How the GDPR Impacts American Financial Institutions, 38 Rev. Banking & Fin. L. 132, 142-143

[85] See 71 Fla. L. Rev. 365, 405.

[86]  Id.

[87]  Id.

[88] Id.

[89]  Leonid Bershidsky, Opinion, Europe's Privacy Rules Are Having Unintended Consequences, BLOOMBERG OPINION (Nov. 14, 2018, 1:00 AM), https://www.bloomberg.com/opinion/articles/2018-11-14/facebook-and-google-aren-t-hurt-by-gdpr-but-smaller-firms-are .

[90]  Id.

[91] See 71 Fla. L. Rev. 365, 442-443.

[92] Id.

[93] Id.

[94] Id.

[95] See 771 Fla. L. Rev. 365, 442-443.

[96] Id. at 442-443.

[97] Id. at 453.

[98] Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 HARV. J.L. & PUB. POL'Y 605, 617 (2013).

[99] Id at 372.

[100] See 71 Fla. L. Rev. 365, 432.

[101] Id. at 435.

[102]  Hoang, Carol, ARTICLE: In the Middle: Creating a Middle Road Between U.S. and EU Data Protection Policies, 32 J. Nat'l Ass'n L. Jud. 810, 811.

[103] See  27 Cath. U. J. L. & Tech. 77, 78.

[104] Id. at 78.

[105] See 71 Fla. L. Rev. 365, 453.

[106] Id.

[107] Id. at 453.