Does the European Union Set or Export Data Privacy Standards?

The EU does not merely set standards in data privacy regulation, it exports ideas.

Recent concerted legislative efforts from the European Union (EU), over the last five years, in particular, have led to the “Brussels effect”—a term used to refer to the increased global influence of EU regulation­.

When it comes to data privacy standards, for example, Jack Goldsmith of Harvard Law School and Tim Wu of Columbia Law School posit that the EU has become the effective sovereign for the rest of the world. This global influence is problematic given that the EU’s data protection regulations are grounded in European constitutional values, which are not necessarily the same as those in other countries.

Although the first hints of the EU’s global influence on privacy issues can be traced to the 1995 EU Data Protection Directive, the diffusion of European privacy law has become more firmly established since the advent in 2016 of the General Data Protection Regulation (GDPR). GDPR’s impact has spread far beyond even the traditional scope of influence enjoyed by other European initiatives.

The overall trend in the global influence of EU’s standards has been interpreted by scholars such as Anu Bradford of Columbia Law School and others as part of a pattern called “unilateral regulatory globalization”—where one country’s regulation functions like an export, extending beyond the country’s borders through the global market.

Yet it is worth looking beyond this immediately apparent pattern and asking what exactly the EU is exporting. Is the EU, as Bradford and others claim, exporting regulatory standards? Or is it—far more intriguingly—engaged in globalizing its norms and extending the reach of European data privacy values through regulatory standards?

In an analysis that hints at this question, Paul M. Schwartz of the University of Berkeley School of Law notes that European regulatory dominance in the area of privacy is not a function of markets, but a result of a more diffuse set of cultural processes that influence how the global community views privacy rights protection. Although Schwartz takes interest in the drivers of the Brussels effect, he does not look to the content of what precisely is being exported—regulations or rights?

The EU, after all, specifically understands the GDPR as giving force to the right to data protection and the right to privacy as those rights are contained in the EU’s constitutional documents—in particular Article 7 and Article 8 of the Charter of Fundamental Rights. As a result, although the GDPR is both in name and in form a regulatory law, it is also one that specifically seeks to ensure that the rights articulated in the Charter extend to contexts that the constitutional protections in the Charter cannot reach.

A Brussels effect exists in the context of consumer safety or climate-based regulatory standards, for example, because regulatory standards in those areas, although they may reinforce rights-related claims, are not oriented specifically to securing discrete rights. In contrast, in the area of data protection, the EU has effectively sought to globalize its constitutional privacy standards.

This effort has crystallized in the recent decision of the European Court of Justice (ECJ) in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems—or Schrems II, for short.

In that case, the ECJ was asked to consider the validity of the Standard Contractual Clauses Decision and the Privacy Shield—the two mechanisms under which the data of European citizens were being transferred to the United States under Part V of the GDPR. The ECJ specifically confirmed that the GDPR should be interpreted in light of the rights provided for under the Charter.

More fundamentally, however, the ECJ found that the Privacy Shield that permitted U.S. authorities to access and use personal data was not limited in a way that satisfied Article 46 of the GDPR, which requires data transferred outside the EU to benefit from “essentially equivalent” privacy protections.

Indeed, after the judgment, non-EU states must now ensure that European constitutional—or Charter—standards of privacy and data protection are vindicated with respect to European data transferred to their jurisdiction. Not only did the ECJ extend the substantive reach of EU constitutional rights but, elsewhere in the judgment, the court also assessed U.S. law in light of these standards.

The ECJ found, for example, that the collection and use of data by U.S. authorities are not “limited to what is strictly necessary to achieve the legitimate objective” of national security and is not necessary to “meet objectives of general interest” recognized by the EU or “the need to protect the rights and freedoms of others.”

In particular, the ECJ noted that the provisions of both Section 702 of the U.S. Foreign Intelligence Surveillance Act and Executive Order 12333 are incompatible with the protection of the rights guaranteed under Articles 7 and 8 of the Charter. It held that the United States failed to ensure the protection of the EU Charter rights, so the Privacy Shield was invalid.

The decision in Schrems II exposed the true character of much of Europe’s international influence in setting standards that, although ostensibly regulatory, are in fact fundamentally rights-based and create an extraterritorial reach for European rights with implications not only for procedural but also substantive laws of non-member countries.

Although international exportation of regulatory standards may lead, as Schwartz and others have noted, to a more general increase in regulatory protections, it also raises more fundamental concerns.

Regulatory standards are easy to track as they migrate. In contrast, the value presumptions that characterize rights are less easily discernible and may be identifiable only in retrospect. This ambiguity is problematic in contexts where an amorphous body of European constitutional values is now effectively “latched onto” the EU’s regulatory standards as they migrate to other jurisdictions. Like fugitives, these rights escape their EU context, evade detection by non-EU countries, and get incorporated into these countries’ regulatory standards. This fugitive rights element of the Brussels effect must be acknowledged and should be questioned.

Critical engagement of rights-based regulation is necessary because rights have cultural specificity. They develop in discrete socio-political contexts and in response to the historical experiences and contemporaneous concerns of their jurisdictions. As a result, a European understanding of rights may not capture the particular aspects that would make the right valuable to citizens in the United States or any other country.

More fundamentally, the current pattern of exportation of regulations and rights means that the flaws of European privacy jurisprudence will become globalized, and ultimately they will reach a level of entrenchment that is hard to undo.

Setting aside the knottier issues of sovereignty and, indeed, the desirability of a more constitutionalized treatment of personal data, the recent Schrems II decision forces regulators to acknowledge that, when speaking about and engaging with the Brussels effect in the coming years, they must do so with the understanding that it represents more than a regulatory trend. It represents a risk of global cultural impact.

Róisín Á. Costello

Róisín Á. Costello is an assistant professor in law at Dublin City University’s School of Law and Government.