Thursday, September 13, 2018
Mike Rustad & Tom Koenig have posted to SSRN Towards a Global Data Privacy Standard. The abstract provides:
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the twenty-eight countries of the European Union and the EFTA countries, effectively creating European-wide data protection law modernized for the age of the Internet. One of the key aspects of the GDPR is that it applies to non-European entities that process personal data of EU consumers. Unlike the Data Directive of 1995 that it supplanted, the GDPR applies to U.S. data controllers outside the EU. Many academic and industry commentators claim that the GDPR will drive a wider gulf between U.S. and EU data protection law because of the GDPR’s aggressive extraterritorial rules.
This Article rebuts the widespread assertion that recent EU updates to its data protection law will drive a disruptive wedge between EU and U.S. data privacy laws. Instead, the European General Data Protection Regulation (GDPR) creates convergences between EU/U.S. data protection law that overshadow the divergences. The GDPR is said to be a foremost example of the Brussels Effect because it unilaterally imposes EU privacy law on the United States. We acknowledge a Brussels Effect on U.S. privacy law, but there is also an overlooked D.C. Effect reflected in many GDPR provisions. The European Commission imported many privacy rights first developed in the U.S. into this wide-ranging EU-wide legislation. U.S. privacy law had already recognized the duty of the processor to obtain consent, a data subject’s right to access, data minimization, and the right to notice in the aftermath of a data security breach.
The GDPR adopts deterrence-based fines and other long-established U.S. tort law remedies. U.S. tort concepts such as collective redress, wealth-based punishment, and arming data subjects with the right to initiate public enforcement are recognized for the first time in European history in this comprehensive statute. Under the GDPR, the EU Commission adopted privacy by design and security breach notification obligations, innovations first instituted in the U.S. The net effect is a bilateral transatlantic privacy convergence, rather than a divide, which is rapidly evolving into a global data protection standard. Nations around the world, some U.S. states, and the major U.S.-based data processors are instituting policies conforming to the GDPR. We argue that the GDPR has the potential not only to bring an end to the transatlantic data privacy wars, but to become the foundation of a worldwide “gold standard” for information privacy.