International privacy and data protection framework
Privacy is a fundamental right in the EU, and knowing this is crucial for understanding the data
transfer mechanism that we have. The right to privacy in the EU is treated differently than in the US,
where it is a consumer right. Consumer rights can, for example, be set aside more easily than
fundamental rights in Europe.
The OECD Guidelines can be found basically anywhere in the world. The APEC Framework contains
the same principles but with a slightly different outline; these principles are included in the current DPD and
will be in the new GDPR. A main difference between the two is the prevention of harm, which is a
fundamental principle under the APEC rules. It is based on the American perspective, where privacy is a part
of consumer rights. Prevention of harm is a requirement for the whole regulatory framework, or in
other words: if you cannot prove harm, then there is no privacy infringement in the US. In Europe,
harm does not have to be proven for a privacy infringement, as privacy is a fundamental right. If the
basic principles of privacy have been infringed in Europe, we assume that a privacy infringement has
taken place.
There are four different models that implement these principles.
I. Comprehensive model, like we have in the EU, covering both the private and the public sector.
There is one law, one piece of legislation covering everything, with some specialized sectoral
regulation. Germany is exempted from the rule that each member state has one DPA, as all
Bundesländer have their own DPA.
II. Sectoral model, as in the US and Japan. Here there is regulation for specific sectors but no
general privacy regulation, making it hard for businesses that operate in multiple sectors
to comply with the rules.
III. Self-regulatory model, focused on the development of industry codes and sector codes, mostly
pushed by independent organizations. We see this in the Netherlands to a limited extent,
but not in the field of privacy. One example is the provision of personal data in case of Amber alerts, when a
child is missing and in danger. No questions are asked regarding personal data about
the child or the parents, whereas normally this would be the case unless you have a
warrant. In case of an Amber alert, the child's rights prevail, as the parents' rights are given
up to save the child. Industry pushed for this itself, instead of the justice department,
reasoning that it would be hard to act upon an Amber alert if lawyers were needed to
determine whether each request is valid.
IV. Co-regulatory model, as in Australia: an overarching legislative framework, with several
standards set by industry. The privacy commissioners serve as the protection authority.
For Europe, the comprehensive model was used to remedy past injustices: after World War II,
Germany needed guidelines from the EU, and this model was thought to be a good start. It was also
chosen to provide consistency between European privacy law and trade law, as the free flow of
information benefits free trade. The 1995 privacy Directive was also used to promote electronic
commerce. Although most national laws were the same, there was a need for the GDPR to harmonize the
data protection laws a bit more.
Geographic blocks
Only three of the four EFTA countries are relevant for privacy regulation, because Switzerland is not included
among the EFTA countries. Its comprehensive set of banking laws is one of the reasons it is not included,
as the Swiss did not want to apply the secrecy of their banking laws within this regulation. This
means that they do not comply with the GDPR, but have different privacy regulations.