I. ORIGINS OF EU PRIVACY LAW A. Integration of the European Union Economies B. Establishment of Privacy as a Fundamental Right C. Modern EU Privacy Instruments 1. The EU Data Protection Directive 2. The E-Privacy Directive 3. The Treaty of Lisbon 4. The Role of Data Protection Authorities D. New Challenges 1. New Technologies and Business Practices 2. Enforcement 3. Coordination and Harmonization II. THE EU GENERAL DATA PROTECTION REGULATION A. Overview of the GDPR B. Strengthening Individual Control: Substantive Rights and Transparency C. Increased Responsibility and Accountability of Data Processors and Controllers D. Harmonization, Consistency, and Clarification of Process III. APPLICATION TO THIRD COUNTRIES A. Under the EU Data Protection Directive (Articles 25 and 26) B. The EU-U.S. Safe Harbor Arrangement C. Under the General Data Protection Regulation D. The "Ratcheting-Up" Effect IV. RELATED DEVELOPMENTS A. The Need for a Third-Pillar Directive B. Modernization of Council of Europe Convention 108 C. OECD Privacy Guidelines D. Asia-Pacific Economic Cooperation Privacy Framework E. The U.S. Consumer Privacy Bill of Rights. CONCLUSION
In early 2012, the European Commission published its proposed General Data Protection Regulation, (1) which updates European data protection law and will significantly impact business practices around the globe, much as did the European Union Data Protection Directive of 1995. Although there will be considerable debate about the various provisions contained in the Regulation, an overview of the developments leading up to it shows the natural evolution of the newest legal instrument to safeguard the modern right to privacy. This Article develops that picture.
This Article proceeds in five parts. Part I describes the origins of European privacy law, including the development of the significant modern privacy instruments. Part II explores the key provisions of the proposed General Data Protection Regulation. Part III focuses on the Regulation's application outside the European Union (EU), and the "ratcheting-up" effect that is likely to result. Part IV examines related international privacy developments, including efforts to update the Council of Europe Privacy Convention, enforce the Organization of Cooperation and Development (OECD) Privacy Guidelines, and develop a privacy framework in the United States that is broadly applicable to global privacy challenges. Finally, the Article concludes by noting the significance of the Regulation in the development of modern privacy law. (2)
I. ORIGINS OF EU PRIVACY LAW
After World War II, privacy attained the legal and cultural status of a fundamental right in Europe. The right of privacy was recognized in the Universal Declaration of Human Rights, (3) in other post-war international instruments such as the European Convention on Human Rights (ECHR), (4) and in legislation implementing these instruments at the national level. Although EU member states have interpreted these instruments in light of new practices, such as wiretapping and DNA collection, the advent of automated data processing prompted the adoption of the Data Processing Convention and, later, the Additional Protocol, which created data protection authorities in all of the member states. (5) Most recently, the evolution of privacy as a fundamental right is reflected for the EU member states in the adoption of the Lisbon Treaty and the Charter of Fundamental Rights, which added the protection of individuals' fundamental rights and freedom with regard to the processing of personal data ("data protection") as a fundamental right. (6)
A. Integration of the European Union Economies
After World War II, six European countries united to create the European Coal and Steel Community (ECSC), as well as the European Economic Community (EEC) and the European Atomic Energy Community (EAEC). …