Externalization of the GDPR: Promoting Global Regulatory Standards in Data Protection and Privacy. Student Name: Orin Pieterson
Externalization of the GDPR: promoting global regulatory standards in data protection and privacy.

Student name: Orin Pieterson
Student number: S2067064
Course code: 8921M900
Program: Master Crisis & Security Management
Course title: Master Thesis
1st reader: Drs. Georgieva / Dr. Van den Berg
2nd reader: Dr. Els de Busser
Date: 10-6-2018
Word count: 22.257

Abstract

Over the last seven decades, the EU has grown into a formidable economic actor in its own right. By bundling economic capabilities and leveraging them vis-à-vis other international actors, the EU has obtained a strong position as a regulatory power. With the GDPR, the EU once again reiterates its commitment to safeguard its core principles. This thesis explores the mechanisms in the GDPR that trigger the extraterritorial application of the regulation, possibly leading to a global standard on data protection and privacy. Building on the notion of soft power – the ability to exert influence by utilizing attractive elements in an actor’s culture, society, or values – this thesis argues that the EU managed to devise a legislative framework that incorporates its ideological conviction when it comes to privacy and data protection, while facilitating international data transfers, and does so on its own terms. The theoretical notion of soft power is made tangible by placing it within the concept of ‘Normative Power Europe’, which describes the processes through which the EU diffuses its normative preferences throughout the world. This is supplemented with the Brussels Effect, which describes how EU regulatory standards gain global traction and are adhered to by organizations outside the jurisdictional scope of the EU. The GDPR involves six instruments that drive the extraterritorial application of the Regulation, mainly focusing on multinational corporations and other organizations that regularly transfer data across jurisdictional lines.

These instruments aim to create uniform frameworks that safeguard data protection and privacy within these organizations, and when they transfer personal data to other organizations. Moreover, the EU devised a system to assess the adequacy of data protection in third states, in which it also takes into account whether these third states adhere to the same normative preferences as the EU. The GDPR is an example of how the EU actively pursues a normative agenda in relation to other states, and in relation to private actors. This research adds to the NPE research paradigm by analyzing a landmark piece of legislation that will have effects for years to come.

Contents

Abstract
1 Introduction
2 Theoretical Framework and Body of Knowledge
  2.1 Societal and Academic Relevance
    2.1.1 The Political Dimension
    2.1.2 Academic relevance
  2.2 Literature review: GDPR
  2.3 Soft Power: The power of Attraction
  2.4 Normative Power Europe
  2.5 The Brussels Effect
    2.5.1 The Brussels Effect
    2.5.2 Conditions for the Brussels Effect
  2.6 Externalization in the soft and normative power framework
3 Methodology
  3.1 Formulating the Research Questions
  3.2 Using a holistic approach
4 Analysis
  4.1 The GDPR: the European rights-based approach
  4.2 Why history and context matters
  4.3 The ‘Transatlantic Data War’
  4.4 Externalizing the GDPR: triggers and mechanisms
  4.5 Diffusing the GDPR: a NPE perspective
  4.6 The GDPR and the Brussels Effect
    4.6.1 De Facto or De Jure?
  4.7 GDPR as an attempt to externalize EU Policies on a global scale
  4.8 The GDPR: pushing EU norms
5 Conclusion: Externalization of the GDPR: an exercise in soft and normative power?
  5.1 Analytical Results
  5.2 Limitations of the research
6 Bibliography

1 Introduction

The Regulation 2016/679 of the European Parliament and the Council, or the General Data Protection Regulation (hereafter: GDPR), the EU’s new legislative framework for privacy and data protection, was drafted in 2016 and will be enforced by national Data Protection Authorities (DPAs) from the 25th of May 2018. Over the 23 years since Directive 95/46/EC (hereafter: DIR95) came into existence, a tremendous advance in information and communication technology has transformed the European and the global economy. DIR95 was drafted in 1995, before the commercialization of the internet, and thus urgently required a review and adaptation to current practices. (European Data Protection Supervisor, 2018) The GDPR provides a comprehensive framework that prepares the Union for the increased digitalization of its economy, and lays the groundwork for years to come. The aim is to harmonize the European framework for data protection and privacy by creating one uniform legislation for all Union Member States, to facilitate the free flow of data between member states, and to ‘contribute to the accomplishment of an area of freedom, security and justice, and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural beings.’ (GDPR: Recital 2) Moreover, the European Data Protection Supervisor, Giovanni Buttarelli, promoted the GDPR as ‘a clarion call for a new global digital gold standard’ (Buttarelli, 2016), which facilitates ‘streamlining international data transfers and setting global data protection standards.’ (European Commission, 2018b) This outspoken ambition of the EU to shape global standards with regard to data protection comes as no surprise, just as it comes as no surprise that it is the EU that has realized the most far-reaching privacy framework in the world. The right to the protection of personal data is enshrined in article 16(1) of the Treaty on the European Union and in article 8(1) of the Charter of Fundamental Rights of the European Union, and is thus firmly codified within legal documents in the Union. The inclusion of the right to protection of personal data, and to a certain degree of privacy, stems from a long commitment to the individual’s right to informational self-determination, which is understood as the individual’s ability to determine what information is publicly disclosed. (Bloch-Wehba, 2015) Europe’s history has ingrained its societies with an appreciation of respect for the private sphere and private life, which is clearly valued by its citizens and its legislators. (Schwartz, 2013) Especially as the societal impact of unlimited and unrestricted data gathering becomes more controversial following recent discussions about the use of personal data in political campaigns and by intelligence services, this new legislative framework provides more control over personal data for individual data subjects. Moreover, recent incidents with Cambridge Analytica and Facebook, and the surge in data breaches occurring around the world, have elevated the issue of protecting personal data on the political agenda. (Boyd & Crawford, 2012; Cadwalladr, 2017, 2018; Eriksson & Giacomello, 2006; Identity Theft Resource Center, 2017; van Den Broek & van Veenstra, 2018) Besides a much-needed update - especially in the light of these revelations about the potential abuse of personal data by both private and public actors - the GDPR also provides the EU with an instrument to extend and cement its influence abroad. This thesis argues that the GDPR contains a number of mechanisms or ‘triggers’ that legitimate the application of the GDPR beyond the jurisdictional and territorial borders of the EU, and that these triggers result in externalization of the GDPR, potentially leading to global regulatory convergence.

Joanne Scott (2014: 1344) defined these triggers as ‘a mechanism that launches the application of EU law and delimits its personal and territorial scope of application.’ In the GDPR, these triggers are identified as: the definition of the scope of the regulation (article 3 GDPR), the adequacy decisions on adequate data protection standards (article 45 GDPR), Binding Corporate Rules (BCRs) (article 47 GDPR), Standard Contractual Clauses (SCCs) (article 28(6) GDPR), Codes of Conduct (article 40 GDPR), the certification procedure (article 42 GDPR), and the Privacy-by-Design and Privacy-by-Default principles (article 25). These legal triggers launch the application of the GDPR beyond the territorial borders of the EU, but there are also other factors that enable this process, rooted in a market-based approach. These are identified using the theory of the ‘Brussels Effect’, as coined by Anu Bradford (2012: 5). These factors include the large single market, the propensity to enforce strict rules over inelastic targets, a significant regulatory capacity, the non-divisibility of standards, and the emergence of the privacy-by-design and privacy-by-default standards. The motivation for including these mechanisms that trigger extraterritorial application of the GDPR is explained using two theories: the theory of soft power, as conceived by Joseph Nye, and the theory of the normative power approach, as formulated by Ian Manners. A consequence of this jurisdictional muscle-flexing by the Union is that it potentially clashes with other conceptualizations of privacy and data protection. One example is found in relation to the United States, where these concepts are regarded in a different light.

Unlike the EU, where data protection is seen as a right and finds its legal base in the Treaty of the EU, privacy and data protection in the US are found in a fragmented collection of state law, case law, and commercial law, or ‘a patchwork of sectoral law’. (Schwartz & Peifer, 2017: 147) Accordingly, the European approach to data protection and privacy, and its inclusion in constitution-like documents, is not self-evident. It is a product of the historical context that facilitated this process.