The second anniversary of EU data protection law: the bottom line of data protection or the ceiling of legislation?


Original: The GDPR at Two — Global Floor or Global Ceiling?

By Elizabeth M. Renieris

Translated by Zhou Yuhan

Proofreading: Phala Team

As part of Omidyar Network's "Paths and Pitfalls of Global Data Protection" [1] series, this article explores the impact that the European General Data Protection Regulation (hereinafter referred to as GDPR) [2] has had on the global data protection landscape since it came into force in May 2018. It is true that the GDPR has opened up new avenues for legal change in jurisdictions around the world, promoted public attention to data governance and privacy, and thus greatly affected the global data protection landscape. While expanding its own influence, however, it has also magnified its flaws and limitations, which has led other countries' codes to inherit these shortcomings.

The shackles that have emerged in the past two years include clauses that are leveraged too little or too much, undeniably insufficient execution [3], and the ongoing confrontation between law and innovation (such as the challenge of applying law to emerging technologies). Next, this article explores the nature, scope, and core limitations of the GDPR's impact, and considers whether the law is a global data protection paradigm or a failing bottom line.

Across the globe, the direct impact of the GDPR's extraterritorial applicability is being felt everywhere. With more than half a billion consumers, the European Union is the world's largest single market [4], so the GDPR can affect almost every region in the world that does business with the EU. Even a company as strong as an American technology giant finds it hard to pass up such a delicious cake. In this way, the GDPR sets a de facto standard for many large and multinational corporations. There are two reasons. First, the GDPR is a single standard or framework that is convenient for companies to implement, rather than a local or national data protection law. Second, global data governance lacks a flexible paradigm: at present it is difficult to find a framework comparable to the EU data protection framework.

We have also observed an indirect effect, the "Brussels Effect" (translator's note: this refers to the EU's ability to unilaterally regulate global markets through market forces): some countries directly copy the GDPR, as newly enacted and amended laws proliferate in jurisdictions around the world. From this the GDPR's intent is plain to see: the core of its principles, the foundation of its interests, and the mechanism of its implementation. Since coming into force, the GDPR has prompted countries such as Kenya and Uganda to enact their first national data protection laws, while also prompting other countries to improve or amend their existing laws. Argentina, for example, introduced a data protection law in 2018, in part only to preserve its vested interest in the European Data Protection Directive (the predecessor of the GDPR) in 2003. The GDPR has also prompted countries such as India, Nigeria and Brazil to expand partially applicable data protection regulations into more general laws.

The Brussels Effect is also a manifestation of the European Commission's desire to converge privacy and data protection laws through various multilateral and bilateral forums and trade policies. The EU's Comprehensive Strategy for Africa [5] is an example. Among the several high-profile items listed in the strategy is a digital transformation strategy across the African continent, which will be deeply influenced by the GDPR and will affect cross-border trade and international investment at the national level. In practice, however, coordination at the global level may lead to less stringent enforcement of standards and principles in some countries. Small and medium-sized enterprises struggle to comply, while global tech companies such as Facebook and Google benefit from competition due to their global responsiveness. In fact, the content of the strategy did draw the attention of the African Union [6]; the AU reiterated that this provision should be formulated jointly by the AU and the EU.

In its report evaluating the application and operation of the GDPR over the past two years [7], the European Commission emphasized that it should focus on how to help small and medium-sized enterprises comply with the regulation. Overall, however, the European Commission rates itself relatively highly and believes that the GDPR has successfully achieved its goals: to enhance the right to personal data protection and to ensure the free flow of personal data within the EU. The report also praised the flexibility of the GDPR framework, arguing that it has done a good job of accommodating COVID-19 epidemic-control measures.

But the Commission also acknowledged that there is room for improvement, especially in international data transfers and in cooperation and harmonization, such as the one-stop mechanism [8]. Data Protection Authorities (DPAs) have insufficient resources, and the right to data portability has not been fully implemented. The application of the GDPR to emerging technologies such as blockchain and artificial intelligence is still unclear. Finally, the Commission noted that member states have been inconsistent in how they resolve the tension between the fundamental right to data protection and freedom of expression.

While this is not explored in the European Commission report, it is important to point out other shortcomings of its framework, especially as the GDPR is widely exported through its significant impact on the global landscape. The reason for some of these restrictions is that the GDPR is largely the same as its predecessor, the 1995 Data Protection Regulation. But the digital environment back then was a far cry from what it is today. Another reason is the lack of a meaningful alternative paradigm.

First, the GDPR and the laws inspired by it rely too heavily on consent as a lawful basis for data processing. Especially in today's digital realm, meaningful informed consent is often elusive. There is a huge asymmetry in today's digital world. A small number of large enterprises often hold most of the knowledge and power, while individuals not only lack the awareness and ability to manage and understand data decision-making, but also have few truly meaningful choices.

It also exposes the shortcomings of a data protection framework like the GDPR, which does not address dynamics in the market and needs to be complemented by other areas, such as competition law or antitrust law. For example, in a recent German antitrust case [9], the High Court ruled that Facebook abused its dominant position in social media to illegally obtain user data by mixing data across Facebook platforms such as Instagram, WhatsApp and Messenger. While this mixing of data may be challenged on the basis of the GDPR, the ruling shows that the market environment that dabbles in data protection rights also limits our choices in the marketplace and thus our freedom and autonomy. This also illustrates the complementary nature of data protection and antitrust law.

In some GDPR-related regulations, too much dross is retained (such as data processing based on clicking "I agree" to a user agreement), while some of the essence has not received enough attention, such as GDPR Article 25 [10] on privacy protection by design and by default, automatic data collection and decision-making, and effective measures for personal data portability.

In addition, GDPR-based regulations are relatively tolerant of measures that strengthen national security and safeguard government interests and legal authority, as shown by the question, exposed during the COVID-19 period, of how to balance public interests in a public health crisis. Despite the European Commission's fundamental measures, its response in resisting the widespread application of facial recognition systems [11] and other invasive technologies was much weaker. Without a strong and well-established traditional code as the basis for GDPR-style legislation, crises such as the present one greatly weaken the text and spirit of the law. Moreover, where the corresponding legal, political, institutional and other infrastructure is lacking and GDPR-style laws are copied and pasted or directly converted into national laws, the harm may outweigh the benefits, with the deficiencies whitewashed as protection.

Fortunately, we can already see some post-GDPR trends in the field of global data protection. After the GDPR raised the threshold for personal data protection, one of them is to encourage and promote more data sharing in the public and research fields. Such an iteration may be promoted by the EU itself; see Shaping Europe's Digital Future [12], the Artificial Intelligence White Paper [13] and the European Data Strategy [14]. As part of this strategy, the Commission may subsequently introduce the 2021 version of the Data Act to facilitate data sharing and flow, and to help individuals expand the boundaries of data portability rights. Obviously, the EU is also very concerned about data protection in artificial intelligence and other emerging fields, and is worried that its data protection and privacy standards will put the EU at a disadvantage.

A proposal [15] would prohibit the collection, use, or sharing of data by default, except for a small number of purposes agreed in advance and made known to users. States and municipalities across the U.S. have gradually suspended the use of facial recognition technology, and in some cases banned it entirely. The proposal also mentions the creation of information fiduciaries or intermediaries to negotiate data subject rights, and the introduction of collective bargaining entities such as data trusts or data collectives.

GDPR has been implemented for two years. Whether it is the bottom line of data protection or the ceiling of legislation is still uncertain. From this point of view, the cause of global data governance still has a long way to go.

About Phala

Phala Network is a private computing parachain on Polkadot. Based on a PoW-like economic incentive model, it releases the privacy computing power of countless CPUs and applies it to the Polkadot parachain, thereby serving other applications on Polkadot such as DeFi and data services. The Phala-based applications pLibra and Web3 Analytics have received grants from the Web3 Foundation. In March 2020, Phala became one of the first projects to join the Substrate Builders Program. In July 2020, Phala was awarded the Privacy Computing Emerging Original Force by the computing power think tank.

References

[1] Paths and Pitfalls of Global Data Protection

[2] European General Data Protection Regulation (GDPR)

[3] Insufficient execution

[4] Single market

[5] EU's Comprehensive Strategy for Africa

[6] Report

[7] Report

[8] One-stop mechanism

[9] A recent antitrust case in Germany

[10] Article 25 of the GDPR

[11] Facial recognition system

[12] Shaping Europe's Digital Future

[13] Artificial Intelligence White Paper

[14] European Data Strategy

[15] Proposal by Sherrod Brown
