Eighty-nine countries, from almost all regions of the world, have now enacted data privacy laws covering most of their private sectors. Enactment of laws outside Europe is accelerating. In a few years, the majority of the world’s data privacy laws will be found outside Europe. This geo-political change has implications.
First, by examining the most important differences between the two European privacy standards (the EU Directive and the Council of Europe Convention 108) and the two non-European standards (the OECD Guidelines and APEC Framework), it is possible to identify what can reasonably be characterised as ‘European influences’ on data privacy laws outside Europe. Examination of 33 of the 39 national data privacy laws currently outside Europe shows that ‘European standards’ have had far more influence outside Europe than has been realised. This influence is increasing.
Second, the Council of Europe data Protection Convention (Convention 108) and its Additional Protocol are examined from the perspective of the possibility and desirability of their becoming a global international agreement on data privacy. It is argued that there are potential considerable advantages to both non-European and European states if Convention 108 (plus the Additional Protocol) were to become a global privacy agreement through accession of non-European states. However, for such globalisation to occur, the Council of Europe will have to settle and publicise appropriate policies on accession that are appropriate, transparent, and do not reduce European data privacy standards.
Europe has no reason to retreat from its privacy standards developed over forty years. The rest of the world is moving its way, and it should not compromise fundamental standards for the sake of compromise with powerful outliers, particularly the USA and China. Respect for their domestic prerogatives should not be confused with any need to reduce fundamental aspects of global data privacy standards.Greenleaf concludes that 'Globalisation of Convention 108 is possible, but not inevitable' -
Since there are already 39 data privacy laws outside Europe, with most of them at least having a superficial (ie on paper) strong resemblance to European privacy laws, there would seem to be fertile ground for a significant number of non-European countries to accede to Convention 108. A few would be ruled out by their failure to cover the public sector (Vietnam, Malaysia and India). Laws on paper should not be enough for accession, but a high degree of ‘family resemblance’ does at least suggest a plausible order for the Council of Europe to assess possible candidates for membership (as it has now asked the Venice Commission to do). It can then encourage suitable candidates to apply where it appears that reality might match the law on paper. Convention 108 looks to be at least as promising a candidate for globalisation as the Cybercrime Convention.
Despite this theoretical possibility, there is as yet little of substance to suggest that Convention 108 will become a key instrument of global governance of privacy, despite its great potential to do so. However, it has no realistic competitors as a global privacy instrument. Uruguay is the first country to request to be invited to accede, after its accession received a favourable opinion from the Consultative Committee. The CoE is ‘confident that it will only be the first country in a long list’. The Council of Europe was doing too little that's public to explain to the rest of the world that that non-European accession to Convention 108 is possible, let alone desirable or with a reasonably transparent procedural mechanism. An earlier version of this article suggested that its Data Protection Home Page needed to consolidate into one convenient location scattered information on all matters concerning accession. Since then it has created the heading ‘Accession’, but as yet only it only contains the September 2011 Note explaining the process and not (for example) documents on the invitation to Uruguay to accede, so more needs to be done. Five key issues that need to be addressed or confirmed have already been discussed above. Another key factor may be whether members of a regional data privacy agreement such as ECOWAS see Convention 108 accession as a collective means of establishing free flow of personal data between their region and Europe, and other countries. The CoE has a joint project with ECOWAS to help ensure that the data privacy laws of its member countries meet international standards. Globalisation of Convention 108 could become one of the most important developments in data privacy over the next decade, but it is too early to tell. It will not happen unless the Council of Europe takes more effective steps to promote the advantages of accession to the rest of the world, and to make its own policies better development and more transparent concerning the standards that must be met for accession, and the procedures to be followed.
This article has stressed the potential advantages of non-European accession to both European and non-European states, and to businesses operating within them. From the perspective of Civil Society (the perspective of this author) the key factor determining whether it will support the globalisation of Convention 108 and the Additional Protocol is that European data privacy standards are not compromised in the process, and that new accessions meet those standards. It is worth repeating that arguments in favour of globalisation are only valid on the assumptions that (i) the current ‘modernisation’ process for Convention 108 does not reduce the privacy standards found in the current Convention plus Additional Protocol, particularly in the key area of data exports; (ii) the non-European accession processes also maintain those standards.
Subject to all these caveats, we should observe that global conventions often take decades to obtain a ‘critical mass’ of ratifications. Convention 108 is well placed to do so by the end of this decade, but there is no inevitability in this result, it will take a lot of determined work.As a result 'Europe should stick to its standards' -
Increasingly, versions of the European privacy standards are becoming part of the laws of most countries in the world outside Europe (as well as all European countries), as the adoption of new data privacy laws accelerates past the current 89. The adoption of European data privacy standards in the legislation of a large and increasing number of countries outside Europe is a reason for Europe to adhere to those standards, additional to their intrinsic merit as a statement of human rights. There are no good reasons for Europe to retreat from the privacy standards it has slowly and relatively consistently developed over forty years. There are no alternative global standards worth considering. There are good reasons for European institutions to do a better job of enforcing their own standards, but not for abandoning them. The significant outliers – principally the USA and China – are few but powerful. They are increasingly living in neighbourhoods of countries that do have data privacy laws. There are some developments within each outlier country sympathetic to effective privacy protection. At least where the operation of US or Chinese businesses involves the personal data of citizens of other countries, European and other countries with data privacy laws should continue to put pressure on US and Chinese businesses and government agencies to comply with what is an increasingly global standard for data privacy. Respect for their domestic prerogatives should not be confused with any need to reduce fundamental aspects of global data privacy standards.