EU Pitches for Data Protection Gold Standard

On 25 May, the General Data Protection Regulation becomes legally enforceable - after six years of the most intensive lobbying campaign in EU policy-making history, says Matt Allison. Will the EU reap a benefit from imposing tough data protection standards on third countries?

On 25 May, the General Data Protection Regulation becomes legally enforceable, six years after the Commission’s original proposal was published. What followed was the most intensive (and expensive) lobbying campaign in EU policy-making history.

Over the past two years, member states have been afforded time to make the necessary preparations to enforce the new data protection rules. This has involved data protection authorities (DPAs) preparing comprehensive guidance for firms and individuals on what the new rules mean for them. EU member states have also brought forward domestic legislation to interpret aspects of the text which have been left deliberately ambiguous – so-called “national derogations”.

Incredible as it seems to GDPR lobbyists, lawyers and privacy campaigners, awareness of the GDPR across the wider population is still low. A survey conducted on behalf of the UK government in January 2018 revealed that only 38 percent of British businesses are aware of the GDPR. Of those that were aware of the regulation, just over a quarter of businesses (27 percent) have made any changes to how they operate to ensure compliance with the new rules.

Nevertheless, the European Commission is determined to make a success of the new legal framework. In January, the Commission committed EUR 1.7 million to fund data protection authorities and train data protection professionals. A further EUR 2 million is being made available to support national authorities in reaching businesses, especially small- to medium-sized enterprises (SMEs).

On one level this is about fundamental rights: the regulation gives effect to article 8 of the European Charter of Fundamental Rights on the protection of personal data. However, the GDPR has a strong element of realpolitik, a means of “Europe exporting its soft power” in the words of Brussels Privacy Hub co-chair Christopher Kuner. Essentially, the GDPR provides the basis for the EU to export its model of data protection globally, to imprint the EU’s legal framework for protection of personal data on international trade deals.

The Commission has made no secret of this ambition. In February, after a protracted struggle between the Trade and Justice departments of the European Commission, the College of Commissioners eventually signed off on a set of horizontal provisions (i.e. negotiating guidelines) for cross-border data flows and personal data protection to be included within trade negotiations. The text stipulates that data protection is a fundamental right, and thus cannot be subject to trade negotiations, where it could be watered down. It follows that data flows between the EU and third countries can only be provided for using the mechanisms enshrined in the GDPR (the most straightforward being an “adequacy decision”) which can be negotiated in parallel but must be independent of trade negotiations.

The text affords the EU the best of both worlds: challenging the imposition of data localisation mandates in trade agreements by third countries, but essentially imposing the EU’s regulatory framework for data protection as a pre-requisite for free data flows. Unsurprisingly, this approach has been criticised by advocates of free and open global data flows. A joint letter from the CCIA and Developers Alliance reflects with disappointment that the Commission guidance is “unlikely to remove existing and future data localisation measures enacted by Europe’s trading partners.”

The sheer size of the European Single Market means that businesses have no choice but to abide by regulatory standards enshrined in the GDPR. This counts as a win for EU privacy advocates and protectionist-minded EU officials, confident in their ability to shape the digital regulatory environment. Less clear is whether the EU will reap any benefit in seeking to impose tough data protection standards on third countries through trade negotiations, or whether this will simply lead to data flows being excluded from such deals, an outcome which would be detrimental to the growth of the digital economy.
