Privacy is a fundamental right. More and more countries are developing their own data protection laws to ensure that consumers’ personal data are protected, while at the same time allowing businesses a certain leeway to use these data.
Europe has been the great pioneer in the area of privacy, and the steps it has taken continue to influence current legislation in other parts of the world. The failure of the US to enact a comprehensive consumer privacy law reduces this country’s influence in this field, although to date several states have enacted their own privacy laws, including California, Virginia, Colorado and Utah.
Several Asian countries have also developed strong privacy laws over the past years, or have amended their existing legislation to include requirements similar to the General Data Protection Regulation (GDPR), a comprehensive privacy law, binding on all European member countries. South Korea has a strict privacy law (prior to GDPR) which was amended in 2020. Pakistan recently published its own privacy law (in 2021), and India, China and Russia also have strict privacy laws with data localization requirements. Elsewhere, new privacy laws have been passed in Mexico, Brazil, Peru, and Colombia.
Nevertheless, only Europe has a comprehensive and directly applicable privacy law: the GDPR. The fact that the GDPR is directly applicable, i.e. that its provisions are legally binding on EU member states without any action by those states (unlike its predecessor, the Directive), has meant that Europe has established a unique mindset with regard to privacy. The GDPR itself states in its Recitals that: “Consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union”. Mechanisms such as the One-Stop-Shop were introduced in the GDPR to encourage this homogeneous application.
The aim of the legislator is to ensure that the GDPR respects the balance between this homogeneous application and the maintenance of certain powers by the different data protection entities throughout Europe. Southern European countries have powerful data protection bodies with a strong tradition of complying with the requirements of privacy. The Spanish Data Protection Agency (AEPD), created in 1999, is a proactive and pioneering agency in the area of privacy. The AEPD recently published a Code of Conduct, promoted by the pharmaceutical industry, on processing data in the field of clinical trials, clinical research and pharmacovigilance. Note that no such code yet exists at European level.
The French Commission nationale de l’informatique et des libertés (CNIL) is a strong data protection agency, which has resolved interesting cases on cookies (among other issues) and has recently published a full decision on the Google Analytics ruling. These bodies have a strong background in privacy culture, but they lack resources (for example, they have few tech experts) and, furthermore, they do not deal with the most complex and most public cases.
Given the idiosyncrasy of Europe, a large number of technology and internet platform companies have their headquarters in Ireland (Google, Twitter, Microsoft, Facebook, Apple, etc.) with the result that the core of the analysis and resolution of the most important cases is carried out in that country. This unequal distribution of cases means that on the one hand the resources we have in southern Europe are not capitalized upon 100%, and on the other that the Irish Commission for Data Protection has been branded a “bottleneck” and has been criticized for its failure to enforce GDPR. In response, the Irish Commission for Data Protection recently issued a report on the cases it had successfully resolved, both local and cross-border.
We have already seen that Europe is a pioneer in terms of privacy and has a great influence on the rest of the world. The biggest challenge facing Europe is how to remain a pioneer in the area and to ensure its optimal development. Are we deriving the best possible performance from the resources we have? For example, if we look at the sanctions imposed by the Spanish Agency for Data Protection, most are small sanctions for relatively obscure web pages or less well-known companies. So, the challenge facing the agencies in southern Europe is to maintain their position as powerful and pioneering agencies, even though the decisive cases are not resolved in their countries. The challenge facing Europe is how to remain a leader in the sector if the tool that established it as such (i.e., the GDPR) is not being enforced efficiently.