EU Pitches for Data Protection Gold Standard

On 25 May, the General Data Protection Regulation becomes legally enforceable - after six years of the most intensive lobbying campaign in EU policy-making history, says Matt Allison. Will the EU reap a benefit from imposing tough data protection standards on third countries?

On 25 May, the General Data Protection Regulation becomes legally enforceable, six years after the Commission’s original proposal was published. What followed was the most intensive (and expensive) lobbying campaign in EU policy-making history.

Over the past two years, member states have been afforded time to make the necessary preparations to enforce the new data protection rules. This has involved data protection authorities (DPAs) preparing comprehensive guidance for firms and individuals on what the new rules mean for them. EU member states have also brought forward domestic legislation to interpret aspects of the text which have been left deliberately ambiguous – so called “national derogations”.

Incredible as it seems to GDPR lobbyists, lawyers and privacy campaigners, awareness of the GDPR across the wider population is still low. A survey conducted on behalf of the UK government in January 2018 revealed that only 38 percent of British businesses are aware of the GDPR. Of those that were aware of the regulation, just over a quarter of businesses (27 percent) have made any changes to how they operate to ensure compliance with the new rules.

Nevertheless, the European Commission is determined to make a success of the new legal framework. In January, the Commission committed EUR 1.7 million to fund data protection authorities and train data protection professionals. A further EUR 2 million is being made available to support national authorities in reaching businesses, especially small- to medium-sized enterprises (SMEs).

On one level this is about fundamental rights: the regulation gives effect to article 8 of the European Charter of Fundamental Rights on the protection of personal data. However, the GDPR has a strong element of realpolitik, a means of “Europe exporting its soft power” in the words of Brussels Privacy Hub co-chair Christopher Kuner. Essentially, the GDPR provides the basis for the EU to export its model of data protection globally, to imprint the EU’s legal framework for protection of personal data on international trade deals.

The Commission has made no secret of this ambition. In February, after a protracted struggle between the Trade and Justice departments of the European Commission, the College of Commissioners eventually signed off on a set of horizontal provisions (i.e. negotiating guidelines) for cross-border data flows and personal data protection to be included within trade negotiations. The text stipulates that data protection is a fundamental right, and thus cannot be subject to trade negotiations, where it could be watered down. It follows that data flows between the EU and third countries can only be provided for using the mechanisms enshrined in the GDPR (the most straightforward being an “adequacy decision”) which can be negotiated in parallel but must be independent of trade negotiations.

The text affords the EU the best of both worlds: challenging the imposition of data localisation mandates in trade agreements by third countries, but essentially imposing the EU’s regulatory framework for data protection as a pre-requisite for free data flows. Unsurprisingly this approach has been criticised by advocates of free and open global data flows. A joint letter from the CCIA and Developers Alliance reflects with disappointment that the Commission guidance is “unlikely to remove existing and future data localisation measures enacted by Europe’s trading partners.”

The sheer size of the European Single Market means that businesses have no choice but to abide by regulatory standards enshrined in the GDPR. This counts as a win for EU privacy advocates and protectionist-minded EU officials, confident in their ability to shape the digital regulatory environment. Less clear is whether the EU will reap any benefit in seeking to impose tough data protection standards on third countries through trade negotiations, or whether this will simply lead to data flows being excluded from such deals, an outcome which would be detrimental to the growth of the digital economy.

Related Articles

Brazil and the Future of Democracy in the Age of Disinformation

Brazil and the Future of Democracy in the Age of Disinformation

Fake news is far from new. That said, digital tools such as social media and online bots have changed the...

25 Jan 2023 Opinion
GDPR: Is it still fit for purpose? 

GDPR: Is it still fit for purpose? 

The EU’s landmark General Data Protection Regulation (GDPR) has fundamentally changed how personal privacy is respected and protected. However, cracks...

25 Jan 2023 Opinion
Access Alert | Environmental Footprint and Data Collection by ARCEP

Access Alert | Environmental Footprint and Data Collection by ARCEP

The impact of the deployment of electronic communications networks, mass production of terminals, operation of data centres, and ever-expanding data...

23 Jan 2023 Opinion
Access Alert | The International Telecommunication Union Focuses on Metaverse 

Access Alert | The International Telecommunication Union Focuses on Metaverse 

The International Telecommunication Union’s Standardization Sector (ITU-T) has established a new Focus Group that will take the first steps towards...

20 Jan 2023 Metaverse Policy Lab