The European General Data Protection Regulation: An instrument for the globalization of privacy standards?

The recent revelations about Cambridge Analytica and the breach that allowed the harvesting of the personal information of some 87 million Facebook users (at latest count) has pushed privacy protection to the front pages, and focussed attention on “surveillance capitalism” (Zuboff, 2017) and on the capture of personal data as the central resource for the “platform economy”. As Facebook reels from the scandal, and rushes to rebuild consumer confidence, it has also pledged to apply the standards contained in the European Union’s General Data Protection Regulation (GDPR) to its global operations, if not all of them and if not immediately (Constine, 2018). At no time in the past 40 years, has the protection of privacy been so prominently, globally and intensively debated. How did it get to this point? Information privacy as a public policy question is quite modern. It arose in the 1960s and 1970s at about the same time that “data protection” (derived from the German, datenschutz) entered the vocabulary of European experts. The issue was inextricably connected to the information processing capabilities of computers, and to the need to build protective safeguards at a time when large national data integration projects were being contemplated by governments (Flaherty, 1989), raising fears of an omniscient “Big Brother” state with unprecedented surveillance power. Study commissions were established in different countries, and a closely-knit group of experts coalesced, shared ideas and forged a broad consensus on how best to resolve the privacy problem as a matter of public policy (Bennett, 1992). “Data protection” or “information privacy” statutes, based on a strikingly similar set of principles, then spread around the world in a number of stages (Swire, 2013). These core principles operate as both fully fledged legal rules, as well as guiding standards for the balancing of privacy rights with legitimate organizational interests (Bygrave, 2002, p. 57). During these early debates, it was also commonly recognized that information privacy could not simply be regarded as a domestic problem. The increasing ease with which personal data might be transmitted across borders produced two international agreements in the 1980s to regulate the cross-border