The GDPR as a chance to break down borders

This journal prides itself on taking a global and international view of data protection and privacy issues. Inevitably, much of what we publish deals with European Union (EU) data protection law, and in particular the EU General Data Protection Regulation (GDPR) that will become enforceable in May 2018. But over the years we have been proud to publish articles covering the law of countries and regions that have otherwise received little scholarly attention in Anglophone law journals thus far. This has included articles covering the law of countries in Africa (Cape Verde, Ethiopia, Mauritius, Nigeria, South Africa, Uganda, etc), the Asia-Pacific region (Japan, Korea, Nepal, Singapore, etc) and Latin America (Brazil). IDPL’s international focus is in keeping with the global nature of data processing. It has become a truism that data are routinely transferred internationally, and that data processing takes little account of national borders, largely because of the Internet. However, much data protection and privacy law scholarship is still inward-looking and constrained by national boundaries. This kind of attitude is perhaps not surprising if one keeps in mind that taking a global approach is not always helpful in advancing one’s academic career in law. The parochialisms of academia are also often reflected in the attitudes of governments and regulators. The GDPR is set to become the most influential piece of data protection legislation ever enacted, and its influence will extend beyond the boundaries of Europe. This poses challenges at both the European and international levels, but also presents opportunities. At the European level, the GDPR is designed to lead to large-scale (but not total) harmonization of data protection law across the EU. It is thus important to view it through the lens of EU law, rather than that of a particular national legal system. However, to take one example from books published recently, a review of several commentaries on the GDPR in German is not encouraging in this regard. The ones we have seen are all written by teams of authors who are almost exclusively German (and yes, there are data protection experts outside of Germany who can write in German). Even more disconcerting is that, based on a quick perusal of these works, they tend to cite almost exclusively works written in German. Evaluating an instrument of EU law exclusively through the lens of a particular national legal system is not the way to build a pan-European legal edifice. The GDPR will also have a global impact by restricting cross-border data transfers, directly regulating the conduct of many non-EU organizations, and, importantly for our discussion here, influencing data protection legislation around the world. While it may be pie in the sky, we can only hope that the GDPR will also lead to the development of greater globalization of data protection scholarship. Granted this would require changes in the university systems in different countries that are unlikely to happen any time soon, such as giving greater weight to publications in other languages and legal systems and to collaborative research that considers other relevant disciplines (eg economics, politics, or computer science) when making decisions about career advancement. But there are also other ways that the entry into force of the GDPR can spur the internationalization of data protection scholarship and data protection law. Scholars writing on the GDPR should at least show that they are aware of materials in other languages and from other legal systems. Teams of scholars from different legal systems can also cooperate in GDPR-related projects. There is also an opportunity for the European Commission or some other funding body to support the creation of an online database containing court decisions and opinions from around the EU that interpret the GDPR, in order to make transparent how it is being interpreted in different legal systems and give


Editorial
The GDPR as a chance to break down borders Christopher Kuner*, Dan Jerker, B. Svantesson**, Fred H. Cate**, Orla Lynskey**, Christopher Millard** and Nora Ni Loideain** This journal prides itself on taking a global and international view of data protection and privacy issues. Inevitably, much of what we publish deals with European Union (EU) data protection law, and in particular the EU General Data Protection Regulation (GDPR) that will become enforceable in May 2018. But over the years we have been proud to publish articles covering the law of countries and regions that have otherwise received little scholarly attention in Anglophone law journals thus far. This has included articles covering the law of countries in Africa (Cape Verde, Ethiopia, Mauritius, Nigeria, South Africa, Uganda, etc), the Asia-Pacific region (Japan, Korea, Nepal, Singapore, etc) and Latin America (Brazil).
IDPL's international focus is in keeping with the global nature of data processing. It has become a truism that data are routinely transferred internationally, and that data processing takes little account of national borders, largely because of the Internet. However, much data protection and privacy law scholarship is still inward-looking and constrained by national boundaries. This kind of attitude is perhaps not surprising if one keeps in mind that taking a global approach is not always helpful in advancing one's academic career in law. The parochialisms of academia are also often reflected in the attitudes of governments and regulators.
The GDPR is set to become the most influential piece of data protection legislation ever enacted, and its influence will extend beyond the boundaries of Europe. This poses challenges at both the European and international levels, but also presents opportunities.
At the European level, the GDPR is designed to lead to large-scale (but not total) harmonization of data protection law across the EU. It is thus important to view it through the lens of EU law, rather than that of a particular national legal system. However, to take one example from books published recently, a review of several commentaries on the GDPR in German is not encouraging in this regard. The ones we have seen are all written by teams of authors who are almost exclusively German (and yes, there are data protection experts outside of Germany who can write in German). Even more disconcerting is that, based on a quick perusal of these works, they tend to cite almost exclusively works written in German. Evaluating an instrument of EU law exclusively through the lens of a particular national legal system is not the way to build a pan-European legal edifice.
The GDPR will also have a global impact by restricting cross-border data transfers, directly regulating the conduct of many non-EU organizations, and, importantly for our discussion here, influencing data protection legislation around the world. While it may be pie in the sky, we can only hope that the GDPR will also lead to the development of greater globalization of data protection scholarship. Granted this would require changes in the university systems in different countries that are unlikely to happen any time soon, such as giving greater weight to publications in other languages and legal systems and to collaborative research that considers other relevant disciplines (eg economics, politics, or computer science) when making decisions about career advancement.
But there are also other ways that the entry into force of the GDPR can spur the internationalization of data protection scholarship and data protection law. Scholars writing on the GDPR should at least show that they are aware of materials in other languages and from other legal systems. Teams of scholars from different legal systems can also cooperate in GDPR-related projects. There is also an opportunity for the European Commission or some other funding body to support the creation of an online database containing court decisions and opinions from around the EU that interpret the GDPR, in order to make transparent how it is being interpreted in different legal systems and give impetus to a European view of it, rather than one based on national preconceptions.
We should also not forget that many third countries, including many in the developing world, will likely want to adopt the GDPR in their own law, in order to potentially be found 'adequate' by the European Commission. Many such countries may have limited resources, and enacting a legal framework for data protection based on EU standards with all that entails can be a significant burden, since the GDPR is considerably longer and more complex than the Directive 95/46/EC that it will replace. Furthermore, adopting data protection legislation that is essentially equivalent to the GDPR (as required for an adequacy finding under the Schrems judgment of the Court of Justice of the EU), or revising existing legislation to meet this standard, will require third countries to invest in a large-scale legislative project that could take many years. The EU could begin initiatives to assess the impact of EU legislation on third countries, particularly developing countries; to provide information on EU legal developments of particular relevance to them (for example, via an Internet portal); and to solicit input from third countries to learn about the impact of EU law on them. Indeed, these kinds of initiatives are foreseen in Article 50 GDPR.
The GDPR presents an opportunity to break down borders in data protection law and scholarship. At the European level, scholars should adopt more of a pan-European view of data protection law. Such an approach is compelled both because of the status of the GDPR as an EU Regulation, and the increasing number of judgments of the Court of Justice that have affirmed the status of data protection rights under EU law. Scholars taking a more European view could influence courts and regulators to do so as well. At the international level, the EU should take into account the effect of the GDPR on third countries, particularly those in the developing world, and support measures to lead to a harmonized and globally aware interpretation of the GDPR. Let us hope that the GDPR will prove to be an impetus to taking a more global approach to data protection law and scholarship, and to breaking down borders. doi:10.1093/idpl/ipx023