International Data Privacy Agreements after the GDPR and Schrems
(2016) 139 Privacy Laws & Business International Report 12-15
8 Pages Posted: 16 Apr 2016 Last revised: 27 Apr 2016
Date Written: January 30, 2016
Now that the content of the EU’s General Data Protection Regulation (GDPR) has substantially been settled, and the Schrems decision of the European Court of Justice has confirmed the parameters within which both it and the existing EU data protection Directive of 1995 must be considered, what are the implications for international agreements affecting data privacy? This brief article aims to sketch the larger picture, by focusing on five developments.
(i) Council of Europe (CoE) data protection Convention 108 of 1981 is strengthening its position as the emerging global data privacy agreement, but there remain unresolved issues in its operation. A quiet development with long-term significance is that the European Union is now more strongly supporting Convention 108 as a global privacy treaty, and has demonstrated this in three ways. The globalisation of Convention 108 is accelerating, with three new invitations to accede (to Mauritius, Senegal, and Tunisia) being issued in 2015. However, a problem with the existing Convention 108 is that its ‘conditions of membership’ only requires a Party to ‘take the necessary measures in its domestic law to give effect’ to the principles in the Convention, and do not involve any investigation of the effective enforcement of the law. This deficiency is expected to be remedied in the ‘Modernisation’ of Convention 108, which will now be finalised following the completion of the EU’s General Data Protection Regulation (GDPR).
(ii) The EU’s data protection Directive still has life in it until late 2018. This article explains how adequacy assessments made under the Directive will be dealt with until the GDPR. It also includes a first assessment of which elements of the GDPR, and the ‘modernised’ Convention 108, might constitute a ‘3rd generation’ of data privacy standards.
(iii) Trade agreements play an increasingly important role in the privacy landscape, and here the Schrems decision is like to affect the EU’s position in negotiations with the US concerning the Transatlantic Trade and Investment Partnership (TTIP). The EU's negotiating position on the TTIP has been disclosed, following disquiet with secret negotiations, and is much the same as in the GATS provision. If the EU maintains such approaches in the TTIP negotiations (and in other FTA negotiations), it will be providing a less privacy-hostile alternative for FTA development than has emerged from the Trans-Pacific Partnership (TPP) text.
(iv) According to the Schrems decision, the EU-US ‘Privacy Shield’ now proposed to replace the illegal ‘Safe Harbor’, ‘must provide a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter.’ The US Judicial Redress Act is a necessary part of US efforts to achieve that goal.
(v) APEC’s privacy instruments continue to play a minor but increasing role.
Post GDPR, the most important influences in the global development of privacy standards remain European (both EU and Council of Europe). Their most significant challenge continues to come from the United States, increasingly from its ability to shape the Free Trade Agreements that threaten to cripple data export restrictions. A Great Game of 40 years continues.
Keywords: privacy, data protection, FTA, free trade agreement, EU, European Union, adequacy, Council of Europe, GDPR, Directive
Suggested Citation: Suggested Citation