Externalization of the GDPR: Promoting Global Regulatory Standards in Data Protection and Privacy. Student Name: Orin Pieterso

Total Page:16

File Type:pdf, Size:1020Kb

Externalization of the GDPR: Promoting Global Regulatory Standards in Data Protection and Privacy. Student Name: Orin Pieterso Page 1 of 70 Externalization of the GDPR: promoting global regulatory standards in data protection and privacy. Student name: Orin Pieterson Student number: S2067064 Coursecode: 8921M900 Program: Master Crisis & Security Management Course title: Master Thesis 1st reader : Drs. Georgieva / Dr. Van den Berg 2nd reader: Dr. Els de Busser Date: 10-6-2018 Wordcount: 22.257 Page 2 of 70 Page 3 of 70 Abstract Over the last seven decades, the EU has grown into a formidable economic actor in its own right. By bundling economic capabilities and leveraging them vis-à-vis other international actors, the EU has obtained a strong position as a regulatory power. With the GDPR, the EU once again reiterates its commitment to safeguard its core principles. This thesis explores the mechanisms in the GDPR that trigger the extraterritorial application of the regulation, possibly leading to a global standard on data protection and privacy. Building on the notion of soft power – the ability to exert influence by utilizing attractive elements in an actor’s culture, society, or values – this thesis argues that the EU managed to devise a legislative framework that incorporates its ideological conviction when it comes to privacy and data protection, while facilitating international data transfers, and does so on its own terms. The theoretical notion of soft power is made tangible by placing it within the concept of ‘Normative Power Europe’, which describes the processes through which the EU diffuses its normative preferences throughout the world. This is supplemented with the Brussels Effect, which describes how EU regulatory standards gain global traction and are adhered to by organizations outside the jurisdictional scope of the EU. The GDPR involves six instruments that drive the extraterritorial application of the Regulation, mainly focusing on multinational corporations and other organizations that regularly transfer data across jurisdictional lines. These instruments aim to create uniform frameworks that safeguard data protection and privacy within these organizations, and when they transfer personal data to other organizations. Moreover, the EU devised a system to assess the adequacy of data protection in third states in which it also takes into account whether this third states adheres to the same normative preferences as the EU. The GDPR is an example how the EU actively pursues a normative agenda in relation to other states, and in relation to private actors. This research adds to NPE research paradigm by analyzing a landmark legislation that will have effects for years to come. Page 4 of 70 Contents Abstract 3 1 Introduction 6 2 Theoretical Framework and Body of Knowledge 10 2.1 Societal and Academic Relevance 10 2.1.1 The Political Dimension 12 2.1.2 Academic relevance 13 2.2 Literature review: GDPR 14 2.3 Soft Power: The power of Attraction. 17 2.4 Normative Power Europe 20 2.5 The Brussels Effect 22 2.5.1 The Brussels Effect 22 2.5.2 Conditions for the Brussels Effect 24 2.6 Externalization in the soft and normative power framework 25 3 Methodology 28 3.1 Formulating the Research Questions 28 3.2 Using a holistic approach 30 4 Analysis 33 4.1 The GDPR: the European rights-based approach 33 4.2 Why history and context matters 35 4.3 The ‘Transatlantic Data War’ 38 4.4 Externalizing the GDPR: triggers and mechanisms 41 4.5 Diffusing the GDPR: a NPE perspective 48 4.6 The GDPR and the Brussels Effect 50 4.6.1 De Facto or De Jure? 55 4.7 GDPR as an attempt to externalize EU Policies on a global scale 56 4.8 The GDPR: pushing EU norms 57 Page 5 of 70 5 Conclusion: Externalization of the GDPR: an exercise in soft and normative power? 59 5.1 Analytical Results 62 5.2 Limitations of the research 63 6 Bibliography 65 Page 6 of 70 1 Introduction The Regulation 2016/679 of the European Parliament and the Council, or the General Data Protection Regulation (hereafter: GDPR), the EU’s new legislative framework for privacy and data protection, has been drafted in 2016 and will be enforced by national Data Protection Authorities (DPAs) from the 25th of May 2018. Over the last 23 years since Directive 95/46/EC (hereafter: DIR95) came into existence, a tremendous advance in information- and communication technology has transformed the European and the global economy. DIR95 was drafted in 1995, before the commercialization of the internet and thus urgently required a review and adaptation to current practices. (European Data Protection Supervisor, 2018) The GDPR provides a comprehensive framework that prepares the Union for the increased digitalization of its economy, and lays the groundwork for years to come. The aim is to harmonize the European framework for data protection and privacy by creating one uniform legislation for all Union Member States, facilitate the free flow of data between member states, and to ‘contribute to the accomplishment of an area of freedom, security and justice, and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural beings.’ (GDPR: Recital 2) Moreover, the European Data Protection Supervisor Giovanni Buttarelli, promoted the GDPR as ‘a clarion call for a new global digital gold standard’ (Buttarelli, 2016), which facilitates ‘streamlining international data transfers and setting global data protection standards.’ (European Commission, 2018b) This outspoken ambition of the EU to shape global standards with regard to data protection come as no surprise, just as it comes as no surprise that it is the EU that has realized the most far-reaching privacy framework in the world. The right to the protection of personal data is enshrined in article 16(1) of the Treaty on the European Union and in article 8(1) of the Charter of Fundamental Rights of the European Union and thus firmly codified within legal documents in the Union. The inclusion of the right to protection of personal data, and to a certain degree of privacy, stems from a long commitment to the individual’s right to informational self-determination, which is Page 7 of 70 understood as the individual’s ability to determine what information is publicly disclosed. (Bloch-Wehba, 2015) Europe’s history has engrained its societies with an appreciation of respect for the private sphere and private life, which is clearly valued by its citizens and its legislators. (Schwartz, 2013) Especially as the societal impact of unlimited and unrestricted data gathering becomes more controversial following recent discussions about the use of personal data in political campaigns and by intelligence services, this new legislative framework provides more control over personal data for individual data subjects. Moreover, recent incidents with Cambridge Analytica and Facebook, and the surge in data breaches occurring around the world have elevated the issue of protecting personal data on the political agenda. (Boyd & Crawford, 2012; Cadwalladr, 2017, 2018; Eriksson & Giacomello, 2006; Identity Theft Resource Center, 2017; van Den Broek & van Veenstra, 2018) Besides a much-needed update - especially in the light of these revelations about the potential abuse of personal data by both private and public actors - the GDPR also provides the EU with an instrument to extend and cement its influence abroad. This thesis argues that the GDPR contains a number of mechanisms or ‘triggers’ that legitimate the application of the GDPR beyond the jurisdictional and territorial borders of the EU, and that these triggers result in externalization of the GDPR. Potentially leading to global regulatory convergence. Joanne Scott (2014: 1344) defined these triggers as ‘a mechanism that launches the application of EU law and delimits its personal and territorial scope of application.’ In the GDPR, these triggers are identified as: the definition of the scope of the regulation (article 3 GDPR), the adequacy decisions on adequate data protection standards (article 45 GDPR), Binding Corporate Rules (BCRs) (article 47 GDPR), Standard Contractual Clauses (SCCs) (article 28(6) GDPR), Codes of Conduct (article 40 GDPR), the certification procedure (article 42 GDPR), and the Privacy-by-Design and Privacy-by-Default principles (article 25). These legal triggers launch the application of the GDPR beyond the territorial borders of the EU, but there are also other factors that enable this process, rooted in a market-based approach. These are identified using the theory of the ‘Brussels Effect’, as coined by Anu Bradford Page 8 of 70 (2012: 5). These factors include the large single market, the propensity to enforce strict rules over inelastic targets, a significant regulatory capacity, the nondivisibility of standards, and the emergence of the privacy-by-design and the privacy-by-default standards. The motivation for including these mechanisms that trigger extraterritorial application of the GDPR are explained using two theories: the theory of soft power, as conceived by Joseph Nye, and the theory of the normative power approach, as formulated by Ian Manners. A consequence of this jurisdictional muscle-flexing by the Union is that it potentially clashes with other conceptualizations of privacy and data protection. One example is found in relation to the United States, where these concepts are regarded in a different light. Unlike the EU, where data protection is seen as a right and finds its legal base in the Treaty of the EU, privacy and data protection in the US is found in a fragmented collection of state law, case law, and commercial law, or ‘a patchwork of sectoral law’. (Schwartz & Peifer, 2017: 147) Accordingly, the European approach to data protection and privacy, and its inclusion in constitution-like documents, is not self-evident. It is a product of the historical context that facilitated this process.
Recommended publications
  • The Brussels Effect
    Copyright 2012 by Northwestern University School of Law Printed in U.S.A. Northwestern University Law Review Vol. 107, No. 1 Articles THE BRUSSELS EFFECT Anu Bradford ABSTRACT—This Article examines the unprecedented and deeply underestimated global power that the European Union is exercising through its legal institutions and standards, and how it successfully exports that influence to the rest of the world. Without the need to use international institutions or seek other nations’ cooperation, the EU has a strong and growing ability to promulgate regulations that become entrenched in the legal frameworks of developed and developing markets alike, leading to a notable “Europeanization” of many important aspects of global commerce. The Article identifies the precise conditions for and the specific mechanism through which this externalization of EU’s standards unfolds. Enhanced understanding of these conditions and this mechanism helps explain why the EU is currently the only jurisdiction that can wield unilateral influence across a number of areas of law—ranging from antitrust and privacy to health and environmental regulation—and why the markets, other states, and international institutions can do little to constrain Europe’s global regulatory power. AUTHOR—Professor of Law, Columbia Law School. Helpful comments were provided by Lucas Bergkamp, George Bermann, Travis Bradford, Rachel Brewster, Tim Buthe, Grainne DeBurca, Lee Fennell, Jacob Gersen, Tom Ginsburg, Victor Goldberg, Michael Graetz, Todd Hendserson, Aziz Huq, Suzanne Kingston, Katerina Linos, Richard McAdams, Jay Modrall, Henry Monaghan, Jide Nzelibe, Nathaniel Persily, Katharina Pistor, Eric Posner, Tonya Putnam, Charles Sabel, Joanne Scott, Anne-Marie Slaughter, and David Vogel, as well as the participants of the workshops held at Columbia Law School, Duke Law School, University of Chicago Law School, and the University of Florence.
    [Show full text]
  • Interfacing Privacy and Trade
    Case Western Reserve Journal of International Law Volume 53 Issue 1 Article 5 2021 Interfacing Privacy and Trade Mira Burri Follow this and additional works at: https://scholarlycommons.law.case.edu/jil Part of the International Law Commons Recommended Citation Mira Burri, Interfacing Privacy and Trade, 53 Case W. Res. J. Int'l L. 35 (2021) Available at: https://scholarlycommons.law.case.edu/jil/vol53/iss1/5 This Article is brought to you for free and open access by the Student Journals at Case Western Reserve University School of Law Scholarly Commons. It has been accepted for inclusion in Case Western Reserve Journal of International Law by an authorized administrator of Case Western Reserve University School of Law Scholarly Commons. Case Western Reserve Journal of International Law 53 (2021) Interfacing Privacy and Trade Mira Burri* Table of Contents Table of Contents ............................................................................ 35 A. Introduction: The increasingly contentious nature of the trade and privacy interface ................................................... 35 B. Legal frameworks for the protection of privacy .................. 44 I. International rules for the protection of privacy .................................... 44 II. Transnational rules for the protection of privacy: The OECD and the APEC frameworks............................................................................ 46 III. National approaches for data protection: The European Union versus the United States ........................................................................
    [Show full text]
  • Exporting Standards: the Externalization of the EU's Regulatory Power Via Markets
    G Model IRL-5662; No. of Pages 16 ARTICLE IN PRESS International Review of Law and Economics xxx (2014) xxx–xxx Contents lists available at ScienceDirect International Review of Law and Economics Exporting standards: The externalization of the EU’s regulatory power via markets ∗ Anu Bradford Columbia Law School, Jerome L. Greene Hall, 435 West 116th Street, Room 927, New York, NY 10027, USA a r t i c l e i n f o a b s t r a c t Article history: This Article examines the unprecedented and deeply underestimated global power that the EU is exercis- Received 30 August 2012 ing through its legal institutions and standards, and how it successfully exports that influence to the rest Received in revised form 4 June 2014 of the world. Introducing the notion of “the Brussels Effect,” the Article shows how market forces alone Accepted 27 September 2014 are sufficient to convert EU standards into global standards. Without the need to use international institu- Available online xxx tions or seek other nations’ cooperation, the EU has a strong and growing ability to promulgate regulations that become entrenched in the legal frameworks of developed and developing markets alike, leading to Keywords: a notable “Europeanization” of many important aspects of global commerce. This Article identifies and Regulation explains the precise conditions for and the specific mechanism through which this externalization of EU’s Brussels effect standards unfolds. Enhanced understanding of this dynamic explains why the EU is currently the only California effect European union jurisdiction that can wield unilateral influence across a number of areas of law, ranging from competition Regulatory power and privacy to health and environmental regulation.
    [Show full text]
  • Catalyzing Privacy Law
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Georgetown Law Scholarly Commons Georgetown University Law Center Scholarship @ GEORGETOWN LAW 2019 Catalyzing Privacy Law Anupam Chander Georgetown University Law Center, [email protected] Margot E. Kaminski University of Colorado Law School, [email protected] William McGeveran University of Minnesota Law School, [email protected] This paper can be downloaded free of charge from: https://scholarship.law.georgetown.edu/facpub/2190 https://ssrn.com/abstract=3433922 This open-access article is brought to you by the Georgetown Law Library. Posted with permission of the author. Follow this and additional works at: https://scholarship.law.georgetown.edu/facpub Part of the Law and Economics Commons, Privacy Law Commons, and the Science and Technology Law Commons Draft, February 6, 2020 CATALYZING PRIVACY LAW Anupam Chander, * Margot E. Kaminski,** & William McGeveran***† The United States famously lacks a comprehensive federal data privacy law. In the past year, however, over half the states have proposed broad privacy bills or have established task forces to propose possible privacy legislation. Meanwhile, congressional committees are holding hearings on multiple privacy bills. What is catalyzing this legislative momentum? Some believe that Europe’s General Data Protection Regulation (GDPR), which came into force in 2018, is the driving factor. But with the California Consumer Privacy Act (CCPA) which took effect in January 2020, California has emerged as an alternate contender in the race to set the new standard for privacy. Our close comparison of the GDPR and California’s privacy law reveals that the California law is not GDPR-lite: it retains a fundamentally American approach to information privacy.
    [Show full text]
  • How the WTO Shapes Regulatory Governance
    Legal Studies Research Paper Series No. 2014-53 How the WTO Shapes Regulatory Governance Gregory Shaffer [email protected] University of California, Irvine ~ School of Law The paper can be downloaded free of charge from SSRN at: How the WTO Shapes Regulatory Governance by Gregory Shaffer1 Abstract: The World Trade Organization (WTO) arguably shapes regulatory governance in more countries to a greater extent than any other international organization. This article provides a framework for assessing the broader transnational regulatory implications of the WTO as part of a transnational legal order (TLO) in terms of four dimensions of regulatory change that permeate the state: (i) changes in the boundary between the market and the state (involving concomitantly market liberalization and growth of the administrative state); (ii) changes in the relative authority of institutions within the state (promoting bureaucratized and judicialized governance); (iii) changes in professional expertise engaging with state regulation (such as the role of lawyers); and (iv) changes in normative frames and accountability mechanisms for national regulation (which are trade liberal and transnational in scope). In practice, these four dimensions of change interact and build on each other. The article presents what we know to date and a framework for conducting further study of such transnational legal ordering. I. Introduction Regulatory governance within nation states is transnationally shaped in different ways. By regulatory governance, we refer to governance characterized by a “rule-based, technocratic and juridical approach” that aims to shape the behavior of market actors (Phillips 2006: 24). Arguably no international organization exercises as broad influence over national regulatory governance in as many countries as the World Trade Organization (WTO).
    [Show full text]
  • Resisting Europe's Regulatory Imperialism
    Resisting Europe’s Regulatory Imperialism By Robert D. Atkinson All nations want globally competitive economies. That is why most try to structure their regulatory systems in ways that protect key societal interests, such as public health, privacy, and the environment, but in ways that don’t burden their companies with too much red tape. Europe is an exception to this rule. That is partly because powerful civil society groups exert disproportionate influence on policymakers. But more generally it is because in an economic era defined by technological innovation, Europeans embrace the “precautionary principle”—the idea that if an innovation may cause harm, then those proposing responsible for it should bear the burden of proving it will not. The resulting regulatory system makes European industry markedly less globally competitive. Europe would be better off if its policymakers challenged civil society and embraced the “innovation principle”—the idea that because new technologies usually benefit society and pose modest risks, government should pave the way for innovation while ensuring baseline protections are in place, where necessary, to limit harms. But Europe has instead tried to get other nations, including in Latin America, to adopt its regulatory regime in order to reduce its own competitive disadvantage. To be sure, the European Union mostly uses the velvet glove of persuasion, but it is not above using the iron fist of coercion by threatening trade restrictions as punishment. In other words, the EU wants rules-based globalization so that it can have its cake and eat it too: restrictive, precautionary principle-based regulations and competitive industries.
    [Show full text]
  • TOWARDS a GLOBAL DATA PRIVACY STANDARD1 Michael L. Rustad* & Thomas H. Koenig** Abstract This Article Questions the Widespre
    TOWARDS A GLOBAL DATA PRIVACY STANDARD1 Michael L. Rustad* & Thomas H. Koenig** Abstract This Article questions the widespread contention that recent updates to European Union (EU) data protection law will drive a disruptive wedge between EU and United States (U.S.) data privacy regimes. Europe’s General Data Protection Regulation (GDPR), which took effect in May 2018, gives all EU citizens easier access to their data, a right to portability, a right to be forgotten, and a right to learn when their data has been hacked. These mandatory privacy protections apply to non-EU companies that offer goods or services to EU consumers, whether through a subsidiary or a website. The “Brussels Effect” hypothesis projects a “race to the top” as multinational entities find it easier to adopt the most stringent data protection standards worldwide, rather than satisfying divergent data privacy rules. The GDPR is said to be a prime example of the Brussels Effect because of its aggressive extraterritorial scope that unilaterally imposes EU law on U.S. entities. This Article acknowledges a Brussels Effect, but there is also an overlooked “D.C. Effect” reflected in the GDPR’s adoption of many U.S. data privacy innovations. The GDPR imports long-established U.S. tort concepts for the first time into European privacy law, including deterrence-based fines, collective redress, wealth-based punishment, and arming data subjects with the right to initiate public enforcement. Under the GDPR, the EU Commission adopted “Privacy by Design” and security breach notification obligations, innovations pioneered in the U.S. The net effect of the GDPR is a bilateral transatlantic privacy convergence, which is rapidly evolving into a global data privacy 1.
    [Show full text]
  • Assessing the Impact of the European Union's Novel Data Protection Legislation on European Transatlantic Competitiveness in Th
    Assessing the Impact of the European Union’s Novel Data Protection Legislation on European Transatlantic Competitiveness in the Development of Artificial Intelligence Nick Ambrosius Akkerman July 2, 2019 Leiden University Master’s thesis International Relations, EUS Thesis supervisor: Dr J.S. Oster s2389290 1 Nick Ambrosius Akkerman Hoofddorpplein 8-3, 1058PD, Amsterdam Student number 2389290 +31(0)630987969 [email protected] MA International Relations, European Union Studies Thesis supervisor: Dr J.S. Oster Second reader: Dr J.Q.T. Rood Number of pages: 50 Word count (total): 14.842 Submitted July 2, 2019 s2389290 2 Table of Contents List of Frequently Used Abbreviations ....................................................................................... 3 1. Introduction ........................................................................................................................ 4 2. Research Design and Sub Questions ................................................................................... 7 3. AI and How It Uses Personal Data ..................................................................................... 9 3.1 Defining AI....................................................................................................................................... 9 3.2 Personal Data .................................................................................................................................... 9 3.3 Machine-Learning ..........................................................................................................................
    [Show full text]
  • Exporting Data Protection Law
    Exporting data protection law The extraterritorial reach of the GDPR William Höglund Term 9, Autumn 2018 Final thesis, 30 hp Master of Laws, 270 hp Supervisor: Markus Naarttijärvi Table of Contents Abbreviations ............................................................................................................................ 4 1 Introduction ....................................................................................................................... 5 1.1 Terminology .............................................................................................................. 6 1.2 Purpose ...................................................................................................................... 6 1.3 Delimitations .............................................................................................................. 7 1.4 Methodology and sources .......................................................................................... 7 1.4.1 What is the territorial scope of the GDPR? ................................................. 7 1.4.2 What are the legal instruments provided for by the GDPR to extend jurisdiction? ................................................................................................. 8 1.4.3 What types of jurisdiction and jurisdictional bases does the GDPR reflect? ......................................................................................................... 8 1.4.4 Analysis ....................................................................................................
    [Show full text]
  • Global Data Privacy: the Eu Way
    41674-nyu_94-4 Sheet No. 99 Side A 10/04/2019 07:34:32 \\jciprod01\productn\N\NYU\94-4\NYU406.txt unknown Seq: 1 3-OCT-19 13:53 GLOBAL DATA PRIVACY: THE EU WAY PAUL M. SCHWARTZ* EU data protection law is playing an increasingly prominent role in today’s global technological environment. The cornerstone of EU law in this area, the General Data Protection Regulation (GDPR), is now widely regarded as a privacy law not just for the EU, but for the world. In the conventional wisdom, the EU has become the world’s privacy cop, acting in a unilateral fashion and exercising de facto influ- ence over other nations through its market power. Yet, understanding the forces for convergence and divergence in data privacy law demands a more nuanced account of today’s regulatory environment. In contrast to the established narrative about EU power, this Article develops a new account of the diffusion of EU data protection law. It does so through case studies of Japan and the United States that focus on how these countries have negotiated the terms for international data transfers from the EU. The resulting account reveals the EU to be both collaborative and innovative. Three important lessons follow from the case studies. First, rather than exercising unilateral power, the EU has engaged in bilateral negotiations and accommodated varied paths for non-EU nations to meet the GDPR’s “adequacy” requirement for international data transfers. Second, while the adequacy requirement did provide significant leverage in these negotiations, it has been flexibly applied throughout its history.
    [Show full text]
  • The Brussels Effect
    Columbia Law School Scholarship Archive Faculty Scholarship Faculty Publications 2012 The Brussels Effect Anu Bradford Columbia Law School, [email protected] Follow this and additional works at: https://scholarship.law.columbia.edu/faculty_scholarship Part of the Antitrust and Trade Regulation Commons, European Law Commons, International Trade Law Commons, and the Law and Economics Commons Recommended Citation Anu Bradford, The Brussels Effect, 107 NW. U. L. REV. 1 (2012). Available at: https://scholarship.law.columbia.edu/faculty_scholarship/271 This Article is brought to you for free and open access by the Faculty Publications at Scholarship Archive. It has been accepted for inclusion in Faculty Scholarship by an authorized administrator of Scholarship Archive. For more information, please contact [email protected]. Copyright 2012 by Northwestern University School of Law Printed in U.S.A. Northwestern University Law Review Vol. 107, No. 1 Articles THE BRUSSELS EFFECT Anu Bradford ABSTRACT-This Article examines the unprecedented and deeply underestimated global power that the EU is exercising through its legal institutions and standards, and how it successfully exports that influence to the rest of the world. Without the need to use international institutions or seek other nations' cooperation, the EU has a strong and growing ability to promulgate regulations that become entrenched in the legal frameworks of developed and developing markets alike, leading to a notable "Europeanization" of many important aspects
    [Show full text]
  • Global Data Privacy: the EU Way 8 Forthcoming 94 NYU Law Review -- (2019) Do Not Quote Or Cite Without Permission
    01-15-19 Global Data Privacy: The EU Way 8 Forthcoming 94 NYU Law Review -- (2019) Do Not Quote or Cite Without Permission Global Data Privacy: The EU Way By Paul M. Schwartz* EU data protection law is playing an increasingly prominent role in today’s global technological environment. The cornerstone of EU law in this area, the General Data Protection Regulation (GDPR), is now widely regarded as a privacy law not just for the EU, but for the world. In the conventional wisdom, the EU has become the world’s privacy cop, acting in a unilateral fashion and exercising de facto influence over other nations through its market power. Yet, understanding the forces for convergence and divergence in data privacy law demands a more nuanced account of today’s regulatory environment. In contrast to the established narrative about EU power, this Article develops a new account of the diffusion of EU data protection law. It does so through case studies of Japan and the United States that focus on how these countries have negotiated the terms for international data transfers from the EU. The resulting account reveals the EU to be both collaborative and innovative. Three important lessons follow from the case studies. First, rather than exercising unilateral power, the EU has engaged in bilateral negotiations and accommodated varied paths for non-EU nations to meet the GDPR’s “adequacy” requirement for international data transfers. Second, while the adequacy requirement did provide significant leverage in these negotiations, it has been flexibly applied throughout its history. Third, the EU’s impressive regulatory capacity rests on a complex interplay of institutions beyond the European Commission.
    [Show full text]