The European Union's General Data Protection Regulation (GDPR) widens the scope and strengthens the enforcement of privacy standards. To protect privacy abroad, personal data is allowed out of the EU under strict conditions: if a non-EU country enacts privacy legislation equivalent to the GDPR, or if firms accept Binding Corporate Rules (BCR) or use Standard Contractual Clauses (SCC) for specific business deals. These conditions pose a challenge, particularly for developing countries. A GDPR-based national privacy law would impose the same high standard on all firms, even when they sell at home, leading to higher economy-wide costs of doing business. BCRs and SCCs have proved to be costly and time-consuming. While the GDPR may raise WTO issues, litigation cannot address the central challenge: preserving opportunities for digital trade while respecting countries' chosen levels of privacy protection. An alternative approach would involve negotiating agreements under which data destination countries protect the privacy of foreign citizens in return for source countries committing not to restrict data flows, as in the EU–US Privacy Shield and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). In parallel, and as a step toward multilateralizing these agreements, countries would develop common privacy principles, building upon the work in the OECD and APEC.
https://doi.org/10.1093/jiel/jgy044