The European model: point of convergence, source of divergence?
Written by Jeanne Saliou
27 October 2021
Data protection laws are proliferating around the world, often following the GDPR model. What are the convergence logics at work and how far can they go?
[Dossier] Data protection and privacy around the world
Published on 18 October 2021
The global legislative momentum for data protection is often attributed to the strengthening of the European data protection framework with the adoption in April 2016 of the General Data Protection Regulation (GDPR) and its subsequent entry into force in May 2018. Admittedly, in comparison to the Directive 95/46/EC that preceded it, the GDPR more broadly incorporates data controllers located outside the territory of the Member States into its territorial scope. Nevertheless, in 2012, when the European Commission was just publishing its proposal for a regulation, 81 states already had a cross-cutting data protection law, providing general data protection coverage, and sometimes in addition to specific sectoral legislation. Moreover, of 39 non-European data protection regimes, 32 were very similar to the Directive, according to Graham Greenleaf, a professor at the University of New South Wales. Therefore, without calling into question the influence of the GDPR, this finding places this phenomenon in a longer dynamic of influence of the European standard.
While it has indeed become the standard for data protection worldwide, it is necessary to question the logic and the degree of uniformity resulting from it, with the persistence of differences, in some cases tangibly, in other cases much more discreetly.
The triumph of the European transversal model: the paths to uniformity
The GDPR: an accepted standard
The success of the European model can be seen in many ways, starting with the ousting of alternative types of standards and in particular the US model based on sectoral regulations, like the Health Insurance Portability and Accountability Act of 1996 focusing on health care, and if possible on a voluntary basis. Throughout the world, 106 pieces of legislation are already cross-sectoral, and no less than 25 are in the process of being adopted (see Article 1), indicating a clear predominance of this format. This adherence to the cross-cutting model is reflected not only in the adoption of such laws by States that did not have a legal framework for data protection, but also in the transition from one model to the other in certain States where cross-cutting legislation is superimposed on and complements sectoral provisions.
This dynamic is particularly tangible in the Asia-Pacific region, where the United States, through APEC (Asia-Pacific Economic Cooperation) and the CPTPP (Comprehensive and Progressive Trans-Pacific Partnership), initially pushed for the maintenance of data transfers and the limitation of data localization requirements, before exiting the CPTPP in 2017, under the Presidency of Donald Trump. Within the APEC framework, two schemes embody this US model of self-regulation and voluntarism in data protection. The 2005 Privacy Framework is neither justiciable nor binding, and the Cross-border Privacy Rules are based entirely on voluntary country recognition and company certification. And yet, in parallel with these regional frameworks, cross-border texts are being tested. New Zealand and Canada have already adopted legislation aligned with the European model, with the Privacy Act of 2020 and the Personal Information Protection and Electronic Document Act of 2000 respectively. Moreover, many other countries, such as Singapore, draw inspiration from the GDPR. In this regard, Graham Greenleaf noted in 2019 the integration in Thailand within the Personal Data Protection Act of many specific features of the GDPR, such as the right to data portability and the obligation to notify personal data breaches. China also introduced in August 2021 in its Personal Information Protection Law a clause very similar to the adequacy principle limiting data transfers to less data protective countries.
Another manifestation of this "Brussels effect" is the adherence, not to the scope, but to the content of the European standard. Graham Greenleaf noted in 2012 the high rate of similarity of ex post laws with the 1995 EU Directive. This observation can be extended to the GDPR since its. As an example, the Republic of Congo's 2019 law on personal data protection synthesizes the GDPR, but also the 2002 EU e-privacy directive. An equally strong indicator of this recognition of the European model is the launch by many countries of procedures to revise their national framework to adapt them to the GDPR. The Chilean draft law No. 11144-07 on the processing and protection of personal data, which has been in the pipeline since 2017, is for example very similar to the GDPR. The same can be said about the texts currently underway in Belarus, Serbia or Montenegro.
The influence of the European framework on the international scene is also reflected in its relationship to the Convention 108 of the Council of Europe. The latter, first amended in 2001 to align with the EU Directive, was again modernised in 2018 and includes some of the latest innovations of the GDPR. The Convention is the only binding international data protection instrument since it is open to ratification by states outside the Council of Europe. By 2021, the process had been completed in 8 states: Argentina, Cape Verde, Mauritius, Morocco, Mexico, Senegal, Tunisia and Uruguay; and it was still underway for Burkina Faso. As Eduardo Bertoni - an academic and former director of the Argentinean Agency for Access to Public Information - notes, far from imposing itself as an international standard per se, the Convention 108 appears for some of these countries as a tool for compliance with the GDPR, allowing them to strengthen their advocacy to obtain from the European Commission the recognition of the adequate level of data protection under Article 45 of the GDPR. One of the reasons according to him is that "there is enough connection between the modernized Convention 108 and the GDPR to consider that these two instruments are very close and that accession to the former should greatly weigh in the adequacy of the latter". And indeed, recital 105 of the GDPR makes this clear: accession to Convention 108 will be "particularly taken into account" in the adequacy decision of the European institutions.
A normative success built and maintained
How can such a normative success be explained? The quality of European data protection principles should not be minimized. Starting from the point of view of individuals, their rights and plastic concepts such as proportionality, the EU framework is extremely robust and has been applicable in a coherent way throughout 40 years of technological evolution. The European legal framework has also undoubtedly benefited from its anteriority, the "strength in numbers" and the attractiveness of the Union in the region. Europe experienced a boom in data protection before the other continents, as few non-European states had adopted laws before 2000 (see Article 1). The now classic logics of Europeanization of the Union's neighbourhood are also at work: the enlargement of the European Union, with the logics of legal harmonization specific to this hybrid regional organization, as well as the prospect of accession of neighbouring States, have strongly contributed to the regional development of similar laws. Indeed, Ian Manners, professor at the University of Lund, identified "human rights" as one of the main standards disseminated by the European Union as early as 2002. In a context of weak regional cooperation in this area and slower national developments on other continents, the European model quickly and quite logically became predominant.
Nevertheless, its hegemony on the world stage was not built, nor has it endured, without a certain amount of proactivity on the part of the European Union. Ian Manners described a plurality of mechanisms for the dissemination of European standards, that are at work here, ranging from the production of information to a much more explicit and institutionalized dissemination.
The market power of the organisation, as well as its massive contribution to development aid in some regions, have provided strong incentives to follow the model, sometimes reinforced by institutionalised injunctions. For example, in 2006 the European Union included the establishment of local national data protection frameworks as a contractual obligation in Chapter 6 of the 2008 CARIFORUM-EU Economic Partnership Agreement. More broadly, the adequacy principle is a flagship example of this European activism, the success of which was reflected in the context of relations with Japan by the updating of its legislative framework with a view to a positive decision.
This expertise in normative dissemination takes other forms, in particular through the development of cooperation organisations dedicated to data protection.
These cooperative ventures, which bring together one or more former metropolises and the states that were linked to them, are based on cultural ties developed for many of them during the colonial era, and in the wake of the export and implementation of legal systems similar to the European framework. In this respect, according to Alex Makulilo, professor at the Faculty of Law of the Open University of Tanzania, the concept of privacy developed in Africa at the end of the colonial period with the transposition of constitutions containing this right, even if the constitutions did not reflect the reality of the collective values of the time. A study by Privacy International makes a similar observation on the Asian continent in terms of data protection: countries with similar approaches often share a colonial past rather than geographical proximity or traditions. In this context, the hybrid character of the European data protection regime, at the intersection between the traditions of Roman law and common law, facilitated its integration into various legal systems.
Moreover, far from being merely North-South flows, these organizations are forums for exchange for the states that participate voluntarily. Nevertheless, whether it is the Francophone Association of Personal Data Protection Authorities (AFAPDP) created in 2007, the Ibero-American Data Protection Network (2003), or the Common Thread Network (2013) which is dependent on the Commonwealth, these organisations enable former metropolises to disseminate the European model through transfers of skills. From support for drafting legislation to training for agents, the modes of action are multiple and are part of a long timeframe. As an example, AFAPDP supported Madagascar in the drafting of its law n°2014-038 on the protection of personal data, notably by revising the draft law and exchanging information with the Malagasy Ministry of Justice.
Permanent differences and potential divergences: a precarious convergence
Despite the strong logic of convergence that drives the data protection sector, this dynamic is precarious and, in a way, a façade. In addition to the states that have not yet adopted this transversal model, differences between national data protection standards and the European framework persist, even when the latter is integrated. On the one hand, it may only be partially integrated, and on the other hand, full integration does not imply identical implementation.
Partial integration
The variety of ways in which the European model is recognized as an international standard is reflected in the varying degrees of integration of this model. While the transversal model is widely adopted, the content of European texts is adopted to a lesser extent: à la carte choices of GDPR provisions are developing, particularly in Asia. Work is underway to identify these practices, but Graham Greenleaf's preparatory work highlights the diversity of practices. By studying the adoption of what he calls the "third generation principles", we observe that only seven States have adopted or are considering adopting the right to portability: China, India, Indonesia, Pakistan, the Philippines, Singapore and Thailand. The obligation of having a local representation for data controllers and processors based outside the territory has only been included or envisaged by China, South Korea and Thailand. The heterogeneity and fragmentation of legal frameworks in Asia, which Clarisse Girot, Director of the Future of Privacy Forum's Asia office, identified as one of the main characteristics of recent developments in data protection in the region, can be seen here.
These pick-and-choose strategies are not limited to the Asian continent, and are neither recent nor specifically related to the GDPR. As Chawki Gaddes, President of the INPDP (National Institute for Data Protection), pointed out in an interview with LINC on June 8, 2021, the creation of the Tunisian legal framework for data protection, modelled on the French Loi informatique et libertés, did not happen without a "tunisification" of the latter, with in particular the introduction of an exemption for public persons from processing obligations.
Total integration with complex and sometimes divergent implementation
Moreover, although some countries go as far as to adopt the letter of the GDPR, the literal integration of a legal text is not enough to ensure perfect consistency of the systems.
"A text does not make the spring, even if it is Arabic."
The implementation can prove to be very complex for countries that integrate decades of European normative construction in just a few years. For these states, the GDPR is a "disproportionate" standard (Clarisse Girot, interview with LINC, 19 May 2021) imposing numerous administrative obligations: impact assessment, portability, certification, codes of conduct... that neither companies nor authorities have the means to implement.
Moreover, even though there are sometimes few disparities in the design of legislative texts, national or regional particularities are expressed in the interpretation of terms. Indeed, one of the major legal issues is the normative interpretation, whether by the Courts, by the dedicated authorities, or in the derived acts. Thus, concepts stemming from the GDPR can be translated in different ways depending on the approach. Whether it is the notion of legitimate interest, or the exceptions contained, the impacts are colossal.
Differences in the making?
Finally, the acceptance of the GDPR as an international standard cannot be taken for granted, nor can it guarantee uniformity in the long term. The logic behind the adoption of laws in Asia and the objectives that underlie them underline the precariousness of this status.
In an interview with the LINC on 19 May, Clarisse Girot drew attention to the fact that with the growth of the population and therefore of the different Asian markets, trade with Europe becomes less important and thus the need to accept the European normative framework and to tie in national legal frameworks is likely to decrease. The refocusing on intra-Asian trade and the gradual de-coupling of the Asian and European markets could therefore encourage the development of a new approach to data protection, on the fringes of the one initially developed in the West. In an interview with the Future of Privacy Forum, Clarisse Girot stressed that this approach will probably be a composite one, combining fundamental rights, consumer protection and trade.
Paradoxically, this precariousness of adherence to the European model highlights its strength. Adopted not simply because of the European Union's strength of influence, but as the best norm per se for the time being, it constitutes a real standard against which laws are measured.