While the convention offered a first step toward an international privacy regime, its effect on national laws remained relatively limited [Mayer-Schönberger, 1998].
It was the 1995 Data Protection Directive 95/46/EC [European Parliament and Council, 1995] (in the following simply called “the Directive”) that achieved what Convention 108/81 set out to do, namely a lasting harmonization of the various European data protection laws and providing an effective international tool for privacy protection even beyond European borders.
The Directive had two important aspects that advanced its international applicability. On the one hand, it required all EU member states14 to enact national law that provided at least the same level of protection as the Directive stipulated. This European harmonization allowed for a free flow of information among all its member states, as personal data enjoyed the same minimum level of protection set forth by the Directive in any EU country.
On the other hand, the Directive’s Article 25 explicitly prohibited the transfer of personal data into “unsafe third countries,” i.e., countries with data protection laws that would not offer an adequate level of protection as required by the Directive. After European officials made it clear that they intended to pursue legal action against the European branch offices of corporations that would transfer personal data of EU residents to their corresponding headquarters in such unsafe third countries, a large number of non-European countries around the world began to adjust their privacy laws in order to become a “safe” country with regards to the Directive, and thus become part of the European Internal Information Market. Eventually, a dozen countries were considered “safe” third-countries with respect to personal data transfers: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, the British Channel Islands (Guernsey, Jersey, Isle of Man), Israel, New Zealand, the U.S.,15 and Uruguay.
However, despite its significant impact, the 1995 Directive was woefully ignorant of the rapid technological developments of the late 1990s and early 2000s. It was created before the Web took off, before smartphones appeared, before Facebook and Twitter and Google were founded. It is not surprising then that many criticized it for being unable to cope with those realities [De Hert and Papakonstantinou, 2012]. While the Directive was specifically written to be “technology neutral,” it also meant that it was unclear how it would apply to many concrete technical developments, such as location tracking, Web cookies, online profiling, or cloud computing. In order to bring the European privacy framework more in line with the realities of mobile and pervasive computing, as well as to create a single data protection law that applies in all EU member states, an updated framework was announced in 2012 and finally enacted in early 2016—the General Data Protection Regulation (GDPR). The GDPR then went into effect on May 25, 2018. Its main improvements over the 1995 Directive can be summarized as follows [De Hert and Papakonstantinou, 2012, 2016].
1. Expanded Coverage: As per its Article 3, the GDPR now also applies to companies outside of the EU who offer goods or services to customers in the EU (“marketplace rule”)—the 1995 Directive only applied to EU-based companies (though it attempted to limit data flows to non EU-based companies).
2. Mandatory Data Protection Officers (DPO): Article 37 requires companies whose “core activities… require regular and systematic monitoring of data subjects on a large scale” to designate a DPO as part of their accountability program, who will be the main contact for overseeing legal compliance.
3. Privacy by Design: Article 25 requires that all data collection and processing must now follow a “data minimization” approach (i.e., collect only as much data as absolutely necessary), that privacy is provided by default, and that entities use detailed impact assessment procedures to evaluate the safety of its data processing.
4. Consent: Article 7 stipulates that those who collect personal data must demonstrate that it was collected with the consent of the data subject, and if the consent was “freely given.” For example, if a particular piece of data is not necessary for a service, but if the service is withheld from a customer otherwise, would not qualify as “freely given consent.”
5. Data Breach Notifications: Article 33 requires those who store personal data to notify national data protection authorities if they are aware of a “break-in” that might have resulted in personal data being stolen. Article 34 extends this to also notify data subjects if the breach “is likely to result in a high risk to the rights and freedoms of natural persons.”
6. New Subject Rights: Articles 15–18 give those whose data is collected more explicit rights, such as the right to object to certain uses of their data, the right to obtain a copy of the personal data undergoing processing, or the right to have personal data being deleted (“the right to be forgotten”).
How these changes will affect privacy protection in Europe and beyond will become clearer over the coming years. When the GDPR finally came into effect in May 2018, its most visible effect was a deluge of email messages that asked people to confirm that they still wanted to be on a mailing list (i.e., giving “unambiguous” consent, as per Article 4) [Hern, 2018, Jones, 2018], as well as a pronounced media backlash questioning both the benefits of the regulation [Lobo, 2018] as well as its (seemingly extraordinarily high) costs [Kottasová, 2018]. Many of the new principles in the GDPR sound simple, but can be challenging to implement in practice (e.g., privacy by design, the right to erasure). We will discuss some of these challenges in Chapter 6. Also, the above-mentioned Council of Europe “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (108/81) [Council of Europe, 1981] has recently been updated [Council of Europe, 2018] and is now being touted as a first step for non-EU countries to receive the coveted status of a “safe third country” (adequacy assessment) [European Commission, 2017] with respect to the new GDPR [Greenleaf, 2018].
Privacy Law and Regulation in Other Countries
Beyond the U.S. and Europe, many countries have adopted data protection or privacy laws [Greenleaf, 2017, Swire and Ahmad, 2012]. An increasing number of countries have been adopting comprehensive data protection laws, which not just follow the Europan model, but are often based on EU Directive 95/46/EC or the GDPR. For instance, the data protection laws of Switzerland, Russia, and Turkey are similar to the EU Directive. Mexico’s 2010 Federal Law on the Protection of Personal Data Held by Private Entities also follows a comprehensive approach similar to the EU Directive, in particular with respect to data subjects’ rights, obligations of data controllers and processors, and international data transfer requirements. The Mexican law further incorporates the Habeas Data concept common in Latin American legal regimes [Swire and Ahmad, 2012]. Habeas Data refers to the constitutional right that citizens “may have the data” that is stored about them, i.e., they have the right to pose habeas data requests to entities to learn whether and what information is stored about them and request correction. The Mexican law requires data controllers to designate a contact for such requests and process them in a timely manner. The GDPR’s data portability right (Art. 20, GDPR) provides a similar right for data subjects and obligations for data controllers. In 2018, Brazil adopted the General Data Privacy Law (LGPD), which goes into effect in 2020. The LGPD closely mirrors the GDPR in its key provisions.
Canada also employs a comprehensive data protection approach. PIPEDA, the Personal Information Protection and Electronic Documents Act, regulates data protection for the private sector in Canada. A key difference between the GDPR and PIPEDA is that under PIPEDA individual informed consent is the only basis for lawful data collection, processing, and sharing, with limited exceptions [Banks, 2017].
Australia employs a co-regulatory model. Australia’s Federal Privacy Act defines National Privacy Principles for government agencies and the private sector. Industries then define self-regulatory codes that reflect the National Privacy Principles, with oversight by the Australian National Privacy Commissioner.
