Author(s): Paul M. Schwartz
Year: 2013
Abstract:
The
European Commission’s release in late January 2012 of its proposed
“General Data Protection Regulation” provides a perfect juncture to
assess the ongoing EU-U.S. privacy collision. An intense debate is now
occurring around critical areas of information policy, including the
rules for lawfulness of personal processing, the “right to be
forgotten,” and the conditions for data flows between the EU and the
United States.
This Article begins by tracing the rise of the
current EU-U.S. privacy status quo. The 1995 Data Protection Directive
staked out a number of bold positions, including a limit on
international data transfers to countries that lacked “adequate” legal
protections for personal information. The impact of the Directive has
been considerable. Yet, the United States proves an outlier to the story
of international information privacy law. As an initial matter, the EU
is skeptical regarding the level of protection that U.S. law actually
provides. Moreover, despite the important role of the United States in
early global information privacy debates, the rest of the world has
followed the EU model and enacted EU-style “data protection” laws. At
the same time, the aftermath of the Directive has seen ad hoc policy
efforts between the United States and EU that have created numerous
paths to satisfy the EU’s requirement of “adequacy” for data transfers
from the EU to the United States.
This Article argues that this
policymaking has not been led exclusively by the EU, but has been a
collaborative effort marked by accommodation and compromise. It then
analyzes the likely impact of the Proposed Regulation on Data
Protection, which is slated to replace the Directive. The Proposed
Regulation threatens to destabilize the current privacy policy
equilibrium and prevent the kind of decentralized global policymaking
that has occurred in the past. The Proposed Regulation overturns the
current equilibrium by heightening certain individual rights beyond
levels that U.S. information privacy law recognizes. It also centralizes
power in the European Commission in a way that destabilizes the policy
equilibrium within the EU, and thereby threatens the current policy
processes around harmonization networks. To avert the privacy collision
ahead, this Article advocates modifications to the kinds of institutions
and procedures that the Proposed Regulation would create.
Keywords: information privacy law, data protection, European Union
Link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2290261