Professor Graham Greenleaf, Professor of Law & Information Systems, Faculty of Law, UNSW Australia
Topic: 2nd & 3rd Generation Data Privacy Standards Implemented in Laws outside Europe
Abstract: The implementation of ‘European’ data privacy principles in laws outside Europe continues to be substantial, but it needs to be defined and quantified in order for its full effect to be understood. This paper will attempt to do so in relation to the ‘2nd generation’ standards, and will also make some suggestions concerning the potential (or ‘candidate’) 3rd generation standards based on the EU General Data Protection Directive (GDPR) and the ‘Modernised’ Convention 108.
The concept of ‘2nd generation’ data privacy principles/standards is that of the principles/standards that are found in the EU data protection Directive (1995) and CoE Convention 108 (plus Additional Protocol of 2001), but are not found in the ‘1st generation’ standards of the OECD Guidelines (1980) and original CoE Convention 108 (1981). To be manageable, only the ten most important differences between generations are considered. In 2012 I assessed 33 of the 39 data privacy laws that then existed outside Europe (as at December 2011) to determine the extent to which they included the ten ‘2nd Generation’ ‘European standards’. That analysis showed that they had been substantially incorporated into these 33 non-European laws. On average they included 7 out of the 10 ‘European principles’.
This presentation reports on work-in-progress assessing their effect five years later in 2017. By February 2017 the number of non-European laws had increased to 66. Assessment of all 66 countries with data privacy laws, while having the virtue of thoroughness, also has the disadvantage that it treats all countries as of equal weight (as done in the 2012 study). So the data privacy law in Burkina Faso is given the same significance as that in South Africa, and that of a small Caribbean island is given the same weight as that in Argentina. Sixty-six data privacy laws are also too many to be a practical basis for an initial assessment – that task must come later.
For both reasons an objective selection of a particular sub-set of laws outside Europe is needed. An alternative pragmatic approach is to assess the laws of countries with the largest Gross Domestic Product (GDP) (nominal) as a measure of their economic significance. The 20 highest-ranked countries outside Europe that do have data privacy laws covering at least most of their private sectors occur in the first 52 countries ranked by GDP. They include all 8 OECD members outside Europe (except the USA), and 17/20 are APEC economies. To what extent the effects of European data privacy principles outside Europe continue to be substantial is then considered.
The presentation concludes with some speculation about the present ‘watershed period’ in the strengthening of the content of international agreements. Finalization of GDPR and CoE 108 Modernisation signals the development of a new 3rd Generation of standards, and as many as eighteen new ‘candidates’ of European origin can be identified. Are the 2013 OECD revision and 2016 APEC revision also contributing to this ‘3rd Generation’? Are any of these new ‘candidate’ standards already being enacted outside Europe? Which are most likely to be adopted globally?