Adequacy of Data Protection in the EU - General Data Protection Regulation as Global Benchmark for Privacy Laws?
Posted: 23 Jan 2017
Date Written: January 17, 2017
The European Union is currently holding out its Directive 95/46/EC as a global benchmark standard for data privacy laws. It has been issuing decisions "on the adequacy of the protection of personal data in third countries" based on its Directive of 1995 as recently as in July 2016. Quite a few other countries have adopted EU-like data privacy laws to qualify for an "adequacy" decision by the EU and thereby tacitly accepted not only the adequacy of EU data protection laws but also the right of the EU to judge other countries' laws.
Directive 95/46/EC is now more than 20 years old and a measure to harmonize national privacy laws in Europe from a time before the Internet, mobile phones, cloud computing, artificial intelligence, big data, connected cars, drones and Pokemon. After a legislative process of more than 4 years, the European Union finally updated its data privacy laws in May of 2016 in the form of a new General Data Protection Regulation (GDPR) which shall become effective in May of 2018.
Countries outside the EU that adopted the rules of Directive 95/46/EC have to consider if and how to adopt the rules of the GDPR to maintain their "EU adequacy" status. Such countries should also form an opinion about the adequacy of the GDPR based on their own national laws, particularly if they adopted the adequacy decision mechanisms of Directive 95/46/EC. Also, a few countries that did not adopt Directive 95/46/EC have implemented national laws to judge the adequacy of other jurisdictions' privacy laws in connection with their own restrictions on international data flows. Even countries that do not formally judge other countries' privacy laws may want to look to the GDPR as one of the most modern privacy laws worldwide to consider whether they should adopt some of its provisions. This raises the question of the adequacy of the GDPR itself.
In this paper, I will examine (1) standards for adequacy examinations (including existing national and international laws and common public policy goals as potential benchmarks), (2) how the GDPR responds to changes in data processing practices since 1995 (including new technologies and use cases in the private and public sector), (3) how the GDPR addresses perceived deficits in Directive 95/46/EC (including weaknesses regarding harmonization within the EU, compliance, enforcement and international interoperability), (4) how the GDPR addresses key privacy threats (including data security breaches, public and private sector surveillance, reputation attacks), (5) pronounced differences in the GDPR v. other countries privacy laws, and (6) the impact of GDPR provisions on conflicting policy goals (including freedom of speech and information, innovation and economic development).
Suggested Citation: Suggested Citation