2020, AJIL Unbound
It is rare that a lengthy and detailed piece of legislation adopted in one jurisdiction becomes not only a law with powerful impact across multiple jurisdictions and continents, but also an acronym that trips readily off the tongue of laypeople and lawyers alike around the world. Yet this has been the fate of the European Union's General Data Protection Regulation, now commonly known as the GDPR, since its coming into force in 2018. Perhaps the Helms-Burton Act came somewhat close in its global impact when the United States adopted the extensive anti-Cuba sanctions regime in 1996. But Helms-Burton was a deliberately globally-targeted sanctions regime that sought to pressure foreign companies trading in or with Cuba into ceasing those activities, and it was adopted as an instrument of U.S. foreign policy. By comparison, the GDPR at first glance appears to be a domestically-focused piece of legislation intended to strengthen data protection and privacy standards within the EU, and to make Europe, in the terms used by the European Commission, "fit for the digital age." Describing itself as a measure intended to harmonize data privacy laws across Europe's single market, the GDPR (which in principle requires no transposition on the part of EU member states in order to have immediate and binding legal effect within those states) applies to any organization operating within the EU or offering goods or services to customers or businesses in the EU. The legislation imposes a demanding set of regulatory standards on those who control or process personal data, in relation to the purposes, uses, handling, and storage of such data. Breaches of these standards can result in the imposition of hefty fines. While the overriding purpose of the regulation may be the protection of personal privacy, the GDPR addresses multiple aspects of data governance that are relevant to businesses worldwide.
The key to the way in which the GDPR goes far beyond being a domestic EU-focused legislative measure is in its application to any business or organization anywhere in the world that offers goods or services to persons within the EU, or that monitors the behavior of individuals in the EU. This has meant that the numerous and detailed regulatory standards imposed on companies and organizations (which include the need to obtain the affirmative consent of those whose data they gather or hold; the requirement to inform; the obligation to rectify and to erase data; and restrictions on transfers of data outside the EU) have a very extensive global reach indeed. As Anu Bradford has convincingly argued, at a time when the EU has emerged from a series of economic and political crises as a weakened international political actor, its global regulatory influence and power by comparison has, if anything, increased. While some have welcomed the EU's digital leadership in setting strong data protection and privacy standards, others have been critical of the reach and implications of the GDPR, with the Heritage Foundation and others accusing the EU of digital imperialism. One evident consequence of the global impact of the GDPR is that many of its requirements are in tension with, if not directly in conflict with, other regimes and
International and Comparative Law Quarterly
Four years following the entry into force of the EU data protection framework (the GDPR) serious questions remain regarding its enforcement, particularly in transnational contexts. While this transnational under-enforcement is often attributed to the role of key national authorities in the GDPR's procedures, this article identifies more systemic flaws. It examines whether the GDPR procedures are deficient-by-design and, if not, how these flaws might be addressed. The conclusions reached inform our understanding of how to secure effective protection of the EU Charter right to data protection. They are also of significance to EU law enforcement more generally given the increasing prevalence of composite decision-making as the mechanism of choice to administer EU law.
Information & Communications Technology Law, 2019
This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union's General Data Protection Regulation ('GDPR'). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR's approach and provisions; and make predictions about the GDPR's implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.
The John Marshall Journal of Information Technology & Privacy (JITP), 2020
Technology, since its introduction into the industry, has observed global and drastic changes over the years. With communication channels expanding across nations, the threats to security continue being increased with each growing day. Management of communication channels, by state or federal authorities, is thus important in the identification of criminals masked behind the internet. These criminals utilize the internet to generate or perform criminal acts, such as fraud and theft, from a personal to a state level. Countless times institutions have complained of the presence of a breach within their networking or predominant organizational system. For this reason, it is important to define rules and regulations that govern a region of the world that, previously, did not have any laws or regulations. Cyber-attacks are issues that are experienced in every nation. Persons who engage in cyber-attacks violate the privacy of persons and thus are acting against the law of the land. However, the determination of which nation has a right to convict the actor of the deed differs as various laws stipulate which nation is to be sovereign in given situations. Various states differ as to the point at which a person’s private life is invaded with the action of processing data that is from within their account. For this reason, there is a need to develop regulations that state where the privacy of an individual is contravened when accessing information that is online. In 2016, the European Parliament and the Council of the European Union developed the General Data Protection Regulation (GDPR). Previously, it was a directive that had been developed to manage the European Union's (EU) jurisdiction in international conditions within the use of the Internet.
In this article, a critical analysis of the GDPR is given with concentration being placed on the clauses stated concerning the factors and institutions it affects, and its scope of jurisdiction within and beyond the European Union.
European Digital Policy Institute, 2024
This article explores the pivotal role of European Union institutions in the global projection of EU regulatory power, focusing on the General Data Protection Regulation (GDPR) as a case study within the framework of the Brussels effect. The Brussels effect describes the process by which EU regulations become de facto global standards, driven by two key conditions: regulatory capacity and a preference for stringent rules. The article argues that EU institutions are essential in fulfilling these conditions. The theoretical discussion introduces the Brussels effect and highlights how EU institutions contribute to regulatory capacity and the formation of stringent regulations. By examining the GDPR, the article illustrates that EU institutions, such as the European Commission and European Parliament, have both the regulatory expertise and the enforcement power necessary to create and uphold comprehensive data protection standards. Additionally, the article presents an original argument that the stringent nature of EU regulations, necessary for the Brussels effect to unravel, can be attributed to the neofunctionalism theory's cultivated spillover effect, where supranational institutions push for stricter regulations to foster further integration. The case of the GDPR demonstrates how EU institutions not only establish and enforce these regulations within the EU but also drive their adoption internationally through both de facto and de jure mechanisms. The findings underscore that without the active involvement of EU institutions, the Brussels effect would not materialise, and EU standards, such as those embodied in the GDPR, would not achieve global influence.
Proceedings of the International Scientific Conference - Sinteza 2018, 2018
The aim of this paper is to present the General Data Protection Regulation (GDPR): an overview of current achievements in this domain within the framework of existing knowledge in literature, international standards and the best practice as far as the GDPR is concerned. This paper is particularly dedicated to the GDPR, which harmonizes data protection requirements across all 28 Member States, introduces new rights for data subjects, and applies extraterritorially to any organization controlling or processing data on natural persons in the European Union.
2022
This study applies the same method on a sample of 58 non-EU national privacy acts published and enforced between 2016 (the year the GDPR was published) and 2020. The timeframe appears drastically shorter than the one opted by Greenleaf. This however is counterbalanced by the higher concentration of legislations issued in this shorter period. The parameters for comparison were increased to 11 to include the appointment of a Data Protection Officer (DPO), which is arguably another key element that distinguished the GDPR from the previously existing frameworks. The remaining 10 are consistent with the Greenleaf (2012) study. These are: 1) appointment of an independent Data Protection Authority (DPA); 2) possibility to appeal to a court to enforce one’s privacy rights; 3) sufficient measures of data protection for cross-border data transfer; 4) principles of purpose limitation and data minimization; 5) a general definition of what does it mean to collect and process data fairly and lawf...
The European Union (EU) has supported the growing calls for the creation of an international legal framework to safeguard data protection rights. At the same time, it has worked to spread its data protection law to other regions, and recent judgments of the Court of Justice of the European Union (CJEU) have reaffirmed the autonomous nature of EU law and the primacy of EU fundamental rights law. The tension between initiatives to create a global data protection framework and the assertion of EU data protection law raises questions about how the EU can best promote data protection on a global level, and about the EU's responsibilities to third countries that have adopted its system of data protection.
2020
The Journal is one of the results of the European project TAtoDPR (Training Activities to Implement the Data Protection Reform) that has received funding from the European Union's within the REC (Rights, Equality and Citizenship) Programme, under Grant Agreement No. 769191. The contents of this Journal represent the views of the author only and are his/her sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.
Revue critique de droit international privé , 2022
The European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR continue the maximalist territorial approach the EU has taken, at least since Google Spain and its insistence on ‘effective and complete protection of data subjects’ but speak particularly to the recognition in Schrems II that the simple extension of a protective law to another country does not necessarily translate into equivalent protection if the wider legal landscape in that country distorts it in its actual operation. This recognition almost necessarily entails that being subject to the GDPR (by virtue of Art 3) should not displace the transfers rules in Chapter V if the processing occurs in a third country, given that only the transfer rules are specifically directed towards the actual reception of GDPR duties and rights in the third country. Consistently but not easily reconcilable with the rules' inherent design, the Guidelines take a cumulative - rather than a complementary or compensatory - approach to the interplay of Art 3 and Chapter V of the GDPR. Implicitly, the approach acknowledges that giving the GDPR a wide territorial scope hardly delivers a panacea of effectiveness and control over data controllers or processors on far away shores in fundamentally different legal and political orders. Yet, whether this cumulative approach will deliver on the promise of increased protection is equally doubtful.
Internet Policy Review, 2021
Digital Policy, Regulation and Governance, 2019
Purpose: This paper aims to explain how the EU projects its own data protection regime to third states and the US in particular. Digital services have become a central element in the transatlantic economy. A substantial part of that trade is associated with the transfer of data, most of it personal, requiring many of the new products and services emerging to adhere to data protection standards. Yet different conceptions of data protection exist across the Atlantic, with the EU putting a particular focus on protecting the fundamental right to privacy.
Design/methodology/approach: Using the distinction between positive and negative forms of market integration as a starting point (Scharpf, 1997), this paper examines the question of how the EU is projecting its own data protection regime to third states. The so-called California effect (Vogel, 1997) and the utilization of trade agreements in the EU’s foreign policy and external relations are well researched. With decreasing effectiveness ...
Abstract: In the public space and in the debates among professionals, the new general data protection regulation, which is to be applied from May 25th 2018, is debated more and more conjunctively with the news brought by this European Union legislative act, but especially regarding the new sanctioning regime. We analyse the questions that arise concerning the violations to be sanctioned, the classification of sanctions and their amount, the deliberate nature of the violation and the effective procedural safeguards, in accordance with the general principles of European Union law and the CFSP. During the analysis we identify answers to these questions and, last but not least, underline the competence of the Member States as well as the role of the national supervisory authorities regarding the sanctioning regime provided for by the Regulation.
Keywords: Regulation (EU) 2016/679 (GDPR), the protection of personal data, corrective powers, administrative fines, sanctioning regime, the competence of the Member States, national supervisory authorities
Irina Alexe, The Sanctioning Regime Provided by Regulation (EU) 2016/679 on the Protection of Personal Data (December 05, 2017). Law Review, Volume VIII, Issue 1, January-June 2018, p. 60-73.
EU Internet Law in the Digital Single Market
The extraterritorial reach of EU data protection law is welcomed by many as enhancing individuals' trust as to the protection of their data in a globalized world. However, there is considerable diversity around the world regarding the appropriate balance between data protection and privacy on the one hand and freedom of expression and information on the other. Unilaterally determining this balance can raise legitimacy concerns and jeopardize the trust of external actors in the EU's commitment to transparency and free movement of data. The global reach of EU data protection law is manifested both in the legal design of secondary legislation, with its territorial scope expanded in the GDPR, as well as in judicial interpretation by the CJEU, which usually extends the EU's regulatory reach. Within this context, this chapter analyzes the enabling features of EU law and relevant case law that have facilitated the extraterritorial reach of EU law as well as the CJEU's recent attempt to limit this territorial expansion as regards the right to be forgotten. This constraining approach may partly address the concerns of third countries and restore external trust but raises questions about the promise of EU law to protect privacy rights against tech giants thus undermining individuals' trust.
International Journal of Advanced Research in Computer Science, ISSN No. 0976-5697, Volume 8, No. 7, July-August 2017, 2017
Recent reforms in data privacy protection framework in European Union have led to enactment of General Data Protection Regulation (GDPR). However, it remains debatable if GDPR would lead to significant improvement in the protection of privacy rights of individuals, which is always considered the fundamental right. The advent of technology and movement of data across geographical barriers and outsourcing of data processing jobs to countries outside the EU necessitated enactments of GDPR. An analysis is done to demonstrate that though some of the provisions of GDPR remain generically similar to the Data Protection Directive, GDPR has incorporated some new provisions by choosing the 'regulation' as an instrument of law for better harmonisation, expensing the 'right to be forgotten', legitimising the role of consent, providing data protection by design and default, increasing accountability of data controllers and expanding the scope of provision of the directive to extra territorial jurisdiction. It remains to be seen whether GDPR is an old wine with the new label or something else in a wine bottle.
2021
The recent survey of the United Nations Conference on Trade and Development indicates that 128 out of 194 countries have put data privacy legislations in place. By implication, around 66% of countries in the world have enacted legislations on data protection signifying the importance that states attach to the regulation of information flow in the digital age. The General Data Protection Regulation (GDPR) implemented in May 2018 by the European Union (EU) has marked a new era for data protection across the globe. Although the GDPR serves to harmonize data protection regulations within the EU member states, many countries outside the EU have taken the GDPR as an inspiration. The emergence of the GDPR as a model has decreased differences between data protection frameworks globally, however, the differences have not disappeared entirely. In this context, we seek to explore whether the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – No...
Washington International Law Journal, 2020
Today, cross-border data flows are an important component of international trade and an element of digital service models. However, they are impeded by restrictions on cross-border personal data transfers and data localization legislation. This Article focuses primarily on these complexities and on the impact of the new European Union ("EU") legislation on personal data protection, the GDPR. First, this Article introduces its discussion of these flows by placing them in their economic and geopolitical setting, including a discussion of the results of a lack of international harmonization of law in the area. In this framework, rule overlap and rival standards are relevant. Once this situation is established, this Article turns to an analysis of the legal measures that have filled the gap left by the lack of international regulation and the failure to harmonize law: extraterritorial laws in the European Union (regional legislation) and the United States (state legislation);
Juridica International, 2018
While the EU General Data Protection Regulation, which entered force on 25 May, is generally good and necessary in its vigorous protection of the fundamental rights of self‑determination and identity of European people, the article identifies a core issue that has gone unnoticed: the GDPR violates EU treaties. It is, at base, a ‘European law’, yet European laws are banned under the TEU and TFEU. The article examines the background for this conflict. The ambitious plan for ratification of 2003’s draft treaty establishing a constitution for Europe fell at the first hurdle in 2005. The draft Constitution envisaged a legislative innovation: the European law and European framework law, directly applicable in the Member States and superior to them. These legal instruments, envisaged as replacing EU regulations, could readily be cited as a major federalist pillar of the draft. Yet there would be no European laws – they were rejected with the draft constitution in the 2005 referenda, and th...
IIUM Law Journal, 2020
The General Data Protection Regulation (the GDPR) of the European Union (EU) emerges as a hot-button issue in contemporary global politics, policies, and business. Based on an omnibus legal substance, extensive extraterritorial scope and influential market powers, it appears as a standard for global data protection regulations as can be witnessed by the growing tendency of adopting, or adjusting relevant national laws following the instrument across the globe. Under Article 3, the GDPR applies against any data controller or processor within and outside the EU, who process the personal data of EU residents. Therefore, the long arm of the GDPR is extended to cover the whole world, including Malaysia. This gives rise to tension worldwide, as non-compliance thereof leads to severe fines of up to €20 million or 4% of annual turnover. This is not a hypothetical possibility, rather a reality, as a huge amount of fines are already imposed on many foreign companies, such as Google, Facebook, Uber, and Equifax to name a few. Such a scenario, due to the existence of state sovereignty principles under international law, has made the researchers around the world curious about some questions: why does the EU adopt an instrument having the extraterritorial application; whether the extraterritorial scope is legitimate under normative international law; how the provisions of this instrument can be enforced, and how these are justified. This article attempts to search for answers to those questions by analyzing the relevant rules and norms of international law and the techniques of the EU employed. The article concludes with the findings that the extraterritorial scope of the GDPR is justified under international law in a changed global context. The findings of