Graham Greenleaf (University of New South Wales, Faculty of Law) has posted Global Data Privacy Laws 2023: International Standards Stall, but UK Disrupts ((2023) 183 Privacy Laws & Business International Report 8-15) on SSRN. Here is the abstract:
Since 2020 there has been very limited progress in the development of international data privacy standards, but there have been some noticeable disruptive steps by post-Brexit UK. This paper surveys the post-2020 developments to the end of 2022 (and occasionally longer), covering the following areas:
• EU GDPR-created standards, by both emulation (still the ‘gold standard’) and by formal adequacy processes under the GDPR (only three positive assessments). The incomplete new Trans-Atlantic Data Privacy Framework, and the situation of countries held adequate under the 1995 Directive are discussed.
• Ratifications and accessions to Council of Europe Convention 108 and the prospects for its successor Convention 108+ to come into force are analysed.
• Progress is detailed on regional agreements in Africa, the African Union Convention and ECOWAS Supplementary Act.
• Development of various non-binding agreements and declarations is explained, including the Standards for Personal Data Protection for Ibero-American States (‘RIPD Standard’); the RIPD network’s model contractual clauses for international transfers; the ASEAN Model Contractual Clauses; and an EU/OECD Declaration on Government Access to Personal Data Held by Private Sector Entities; and finally the Commonwealth’s Model Provisions on Data Protection.
• Reasons are given for why the impact of CBPRs (Cross-Border Privacy Rules system) both APEC and ‘global’, continues to be negligible, but also why it is possible this may change.
• Conflicting data privacy standards continue to be entrenched in Asia-Pacific Free Trade Agreements) (FTAs), including the USMCA, the CPTPP and RCEP. The result is that they provide three different models for the permissible breadth of data export restrictions, and data localisation.
• ‘Data Free Flow with Trust’ (DFFT) at G20 and G7 continues to be an empty slogan.
Progress in development of international data privacy standards is too slow, and with no convincing direction globally. The UK’s actions in relation to both ‘Gloabal CBPRs’ and the CPTPP potentially introduce some disruptive global elements into this otherwise predictable trajectory.