SPIRITED AWAY: THE EU'S ADEQUACY DECISION FOR JAPAN AS A ROADMAP FOR U.S. PRIVACY LAW AFTER SCHREMS II.

Author: Blue, Nick

INTRODUCTION

The European Union's General Data Protection Regulation ("GDPR") attempts to protect the rights of member states' citizens by enacting a regulatory scheme for processing personal data. The GDPR is notable both for the strength of the protection it offers and for the reach of that protection. The GDPR requires entities outside of the European Union ("EU") that process the personal data of EU citizens to have protections similar to those of the GDPR in place. Foreign persons, companies, and governments that process such data must be aware of, and abide by, the GDPR's provisions. The purpose of this paper is to analyze weaknesses in the U.S. system of privacy and data protection law by comparing the adequacy decision made for Japan to the Schrems II case recently decided in the EU. This note begins with a discussion of the history of data protection law in the EU and its importance to Europe before moving on to a description of the GDPR and its adequacy requirements. Then, this paper will parse the relevant considerations discussed in the Adequacy Decision for Japan and draw comparisons to the U.S.'s data protection measures under the EU-US Privacy Shield.

  1. DATA PROTECTION LAW IN THE EUROPEAN UNION BEFORE THE GDPR.

    The EU views data privacy (1) differently from the U.S. (2) As a result, the approaches the U.S. and EU take to data privacy regulation have diverged. (3) Beginning in the 1970s, the EU "deepened and expanded" the Fair Information Practices ("FIPs") (4) that were originally developed in the United States, (5) applying those privacy principles broadly to both public and private entities. (6) The EU lists data protection as a right in its Charter of Fundamental Rights, (7) elevating it to a status equal to that of freedom of religion, the right to own property, and freedom of expression. (8) This elevation of the right of data protection is "anchored in interests of dignity, personality, and self-determination." (9) The result is a system of data protection that is "strongly anchored at the constitutional level" (10) and that considers data privacy to be "part of its legal culture of fundamental rights." (11)

    In 1995, the European Union adopted directive 95/46/EC ("the Data Protection Directive" or "the Directive") with the intention of lowering barriers to data transfer and providing more effective protection for EU citizens by consolidating the privacy laws of member states. (12) The Data Protection Directive concerned protections afforded to the personal data (13) of EU citizens during its processing and communication to third parties. (14) Within the Directive's scope, (15) data processing (16) was allowed in only seven general circumstances. (17) However, the Directive included exceptions for data processed for the purpose of national security, criminal investigations, and "personal or household use" of data. (18) It also set out criteria that needed to be met to transfer EU citizens' data to parties in countries outside of the EU. (19) Also introduced in the Directive were "adequacy decisions," preventing the exportation of personal data to a third country unless that country had been judged to have sufficient data protection measures in place. (20)

    While the Directive laid out basic standards for data protection, it required individual member states to pass legislation at the national level to put those standards into effect. (21) The Data Protection Directive did make data protection law more uniform throughout the EU, but it still allowed for variation between member states, since each country enacted its own interpretation of the Directive's requirements. (22) Additionally, enforcement was often lacking because member states, regulated directly by their own laws and not by the Data Protection Directive itself, (23) often only lightly enforced data protection laws, if at all, in an attempt to attract technology companies. (24) The Directive also provided for minuscule fines that failed to deter noncompliance. (25)

  2. THE GENERAL DATA PROTECTION REGULATION.

    1. Purpose, Application, and Important Definitions.

      The GDPR was, in part, a response to concerns regarding the poor enforcement of the Data Protection Directive. (26) The GDPR is a regulatory scheme composed of "rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data." (27) Adopted on April 14, 2016, the GDPR came into full effect on May 25, 2018, (28) repealing and replacing the Data Protection Directive. (29) While recognizing that the Directive's "objectives and principles... remain[ed] sound," the GDPR acknowledged that the Directive had failed to establish a consistent data protection framework across the EU. (30) Changing technology further necessitated a "strong[er] and more coherent" protection scheme with more consistent enforcement. (31) The GDPR has two major objectives: "protect[ing] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data" (32) and ensuring the "free movement of personal data within the [European] Union," (33) but it places greater emphasis on protecting individuals. (34)

      The GDPR is widely considered "the most consequential regulatory development in information policy in a generation." (35) The passage and adoption of the GDPR spawned a myriad of papers discussing its implications and speculating as to its possible effects; even more articles were written to educate businesses, lawyers, and researchers about the GDPR and to apprise them of requirements for compliance. (36) Such a deluge of preparatory material might suggest that the GDPR marked a sea-change in data protection and privacy law, but the GDPR is closer to an "evolution" of the Data Protection Directive than a "revolution." (37)

      Since the GDPR is an evolution of the Data Protection Directive, there are many similarities between the two regulations. Like the Directive before it, the GDPR is based on the FIPs. (38) However, the GDPR adds additional rights and provides further details about the rights of data subjects. (39) Similarly, the GDPR also regulates the processing of "personal data." (40) Personal data is defined in the GDPR as "any information relating to an identified or identifiable natural person," (41) a nearly identical definition to that found in the Directive. This definition of personal data is broad, encompassing practically everything "that identifies a person or could identify a person." (42) Processing is defined as "any operation or set of operations which is performed on personal data or on sets of personal data." (43) With its key concepts defined so broadly, the GDPR applies nearly every time an entity "touches data that relate to an individual, whether the data are public or private, sensitive or non-sensitive, directly or indirectly identify a person, and whether identification is possible now or in the future." (44)

      Several other terms used in the GDPR merit definition. First, a "controller" is an entity that governs how personal data is used. (45) In contrast, a "processor" is an entity that performs the actual processing of personal data. (46) The difference between a controller and a processor is subtle, yet very important for understanding the GDPR's regulatory scheme. (47) An entity "processes" data when, for example, it collects, stores, uses, or deletes data. (48) A "recipient" is an entity to whom personal data is disclosed. (49) Any entity other than the data subject or anyone authorized to process data by the controller or processor is a "third party." (50) A controller's "main establishment" is its administrative headquarters within the EU or wherever decisions over the use of data are made. (51) A processor's main establishment is its administrative headquarters within the EU or, if the administrative headquarters are not within the EU, the location where the data processing covered by EU law takes place. (52)

      The GDPR applies whenever personal data is processed "wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." (53) One of the most important features of the GDPR is its territorial scope. The regulation applies "in the context of the activities of an establishment of a controller or a processor in the [EU]," even if the processing does not happen within the EU. (54) The fact that processors are included within the scope of the regulation is a significant change from the Data Protection Directive. (55) If a controller or processor is located within the EU, the GDPR applies, even if the data processing takes place outside of the EU. (56) Under certain circumstances, the GDPR's provisions will also apply to controllers and processors located outside of the EU when they process data related to the offering of goods or services to data subjects within the EU or monitor the behavior of data subjects within the EU. (58) The GDPR's requirements follow the data, even if the data is processed outside of the European Union. (59)

    2. Provisions of the GDPR

      Article Five of the GDPR lists principles (60) designed to achieve the GDPR's objectives. (61) Article Five's principles can be summarized as "lawfulness, fairness and transparency;" "purpose limitation;" "data minimization;" "accuracy;" "storage limitation;" "integrity and confidentiality;" and "accountability." (62) It is the duty of a controller to ensure that its data practices fall within the coverage of the GDPR and comply with these principles. (63)

      Article Six lays out the circumstances in which it is legal to process data. (64) The GDPR is a permissive regulation, meaning that, within the regulation's scope, the processing of personal data is banned except in those specific circumstances the statute allows. (65)

      The first such circumstance is when...
