This is the first work to examine the fundamental aims and principles of data privacy law in an international context. Bygrave analyses relevant law from across the globe, paying particular attention to international instruments and using these as a foundation for examining national law.
This article considers various factors that will shape the potential effect of the Council of Europe's modernised Convention on data protection (Convention 108+) on non-European states' regulatory policy. It does so by elucidating the logic and mechanics of this effect in light of the 'Brussels Effect' that is commonly attributed, in part, to EU data protection law. The central arguments advanced in the article are that the impact of Convention 108+ beyond Europe will rest primarily on the Council of Europe's ideational power tempered by processes of acculturation, and secondarily on the degree to which the EU is willing to use the 'Brussels Effect' as a vehicle for promoting non-European states' accession to the Convention.
In this paper, a critical examination is conducted of Article 25 of the European Union's General Data Protection Regulation (Regulation 2016/679). Bearing the title 'data protection by design and by default', Article 25 requires that core data protection principles be integrated into the design and development of systems for processing personal data. The paper outlines the rationale and legal heritage of Article 25, and shows how its provisions proffer considerably stronger support for data protection by design and by default than is the case under the 1995 Data Protection Directive (Directive 95/46/EC). The paper further shows that this strengthening of support is in keeping with jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Nonetheless, it is herein argued that Article 25 suffers from multiple flaws, in particular a lack of clarity over the parameters and methodologies for achieving its goals, a failure to communicate clearly and directly with those engaged in the engineering of information systems, and a failure to provide the necessary incentives to spur the 'hardwiring' of privacy-related interests. Taken together, these flaws will likely hinder the traction of Article 25 requirements on information systems development.
This article critically examines fundamental aspects of the recently reformed European regime for protection of personal data, focusing on the General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016. Although the GDPR is now a central concern for many organizations across multiple sectors, many complain that it is arcane, confusing, and complex. By combining knowledge from two disciplinary perspectives – from regulatory governance scholarship, on the one hand, with legal scholarship from the fields of data protection law, constitutional law, and fundamental rights, on the other hand – this article seeks to "demystify" the key elements of the regime's architecture and approach in light of the significant uncertainties concerning the nature of its requirements. In particular, this article examines the tension between the regime's pronounced "risk-based" approach to compliance and its basic objective of safeguarding fundamental rights, and the challenges facing data protection authorities in providing timely clarifications of the regime's norms. We argue that, despite its complex and arcane character and continuing uncertainty about the precise scope of its requirements, the regime is an innovative hybrid with a significant degree of in-built "future-proofing" that should help render it more resistant to being rapidly overtaken or outpaced by organizational–technological developments. The secondary aim of this article is to demonstrate how academic insights from two distinct but related disciplinary perspectives – legal scholarship and regulatory governance studies – offer a potentially fruitful approach to enrich understandings of the European data protection regime in particular, and of the mechanics, efficacy, and legitimacy of regulatory governance regimes more generally.
On January 1, 2021, Great Britain (England, Scotland and Wales) left the EU single market and customs union. Although the Trade and Cooperation Agreement between the UK and EU ensures that no tariffs or quotas are to be imposed on traded goods, there are still numerous non-tariff barriers to trade. These added a significant layer of trade complexity that did not exist pre-Brexit and it was thus inevitable that there would be ramifications for the UK economy. Carefully judging this impact is a complicated task, however, as a counterfactual must be used: how would the UK economy have fared if it were still in the EU? This difficulty is exacerbated by two other highly significant events affecting the UK economy at the same time, namely the Covid-19 pandemic and the Ukraine war. Disentangling Brexit from all this and deciding what is and is not a Brexit effect makes the evaluation thereof difficult. Nevertheless, there have been a number of studies published that have attempted such a task. UK-EU trade is widely judged to have taken a significant hit due to Brexit, with smaller firms producing a limited range of products being affected the most. The consensus view is that Brexit has also had a negative impact on UK investment levels and GDP, with the latter judged to be approximately 6 % lower than if the UK had stayed in the EU. In the long run, the UK economy may benefit from more skilled foreign labour due to the post-Brexit immigration rules. Nevertheless, any positive effects are likely to be outweighed by the non-tariff barriers in UK-EU trade, acting as a deterrent in exploiting comparative advantage and widely seen as being the main drag on UK productivity.