Global Convergence of Data Privacy Standards and Laws: Speaking Notes for the European Commission Events on the Launch of the General Data Protection Regulation (GDPR) in Brussels & New Delhi, 25 May 2018
7 Pages. Posted: 12 Jun 2018
Date Written: May 24, 2018
The presentation covered the following six aspects of the relationship between new data protection standards such as the General Data Protection Regulation (GDPR) and what is being enacted in the rest of the world.
(1) The global diffusion of data privacy laws since 1970, seen through five key facts: (i) 126 countries (as at June 2018) now have data privacy laws which at least meet the ten minimum standards set by international agreements as early as 1980; (ii) 60% of these laws (75) are from outside Europe; (iii) 45 of the 126 laws have been enacted this decade, an average of 5 new laws per annum; (iv) at least 34 further countries have official Bills in the legislative process; and (v) many countries (not only in the EU) are now enacting, or have already enacted, new laws to strengthen their original DP laws. Maps of the 126 laws and 34 Bills are included.
(2) Global convergence on higher standards is occurring, not chaotic development. My estimate is that the average enactment of the distinctive new principles in the 1995 EU general data protection Directive, across all 75 non-European data privacy laws, is at least 7/10 of those principles. Within European jurisdictions it is closer to 10/10. Data protection laws outside Europe already converge on more than ½ of the higher standards that have been required in Europe since the 1990s.
(3) The GDPR is already influencing a higher level of legislative convergence. An incomplete study of over 30 countries outside Europe (in Africa, Asia and elsewhere) shows that six new ‘GDPR principles’ have been enacted by at least 10 countries, and all new GDPR principles by at least one.
(4) ‘GDPR creep’, voluntary convergence by businesses where there is no legal obligation, is a new global phenomenon.
(5) There is convergence on a global treaty, (Global) Data Protection Convention 108, which originated with the Council of Europe but has been acceded to by non-European countries since 2011. It was also ‘modernised’ last week (18 May) with new standards including many but not all of the GDPR’s new elements. ‘GDPR Lite’ may be the new global standard.
(6) There are potential impediments to adoption of high global standards. First, countries may make commitments to regional agreements requiring lower standards, including to allow data exports, and then legislate to implement them. Second, Free Trade Agreements may place stronger prohibitions on personal data export restrictions than does the global GATS agreement, creating clashing standards.
Note: These are my Speaking Notes for my presentation and discussion contributions at the European Commission’s General Data Protection Regulation (GDPR) launch events in Brussels (in person) and in New Delhi (by video) on 25 May 2018. The programmes for the two events are attached.
Keywords: data protection, privacy, GDPR, European Union, EU, convergence