How does the «Brussels effect» shape new standards? The impact of the GDPR data protection standard and other EU initiatives on Ukraine and countries outside the European Union
Abstract
This article examines the impact of the European Union’s General Data Protection Regulation (GDPR) on countries beyond the borders of the EU, with a particular focus on Ukraine, through the lens of the «Brussels Effect» concept. The purpose of the article is to unveil the role of the «Brussels Effect» in shaping global standards for personal data protection and its influence on the regulatory adaptation processes of Ukraine and other Eastern Partnership countries to GDPR requirements, based on theoretical and empirical analysis. The methodology employed in this article relies on an eclectic combination of conceptual-theoretical approaches and empirical methods from the arsenal of legal sciences, political analysis, economics, and sociology. This methodological diversity is driven by the need for a holistic understanding of the multidimensional phenomenon of the «Brussels Effect» and its impact on various aspects of personal data regulation. The authors analyze how the GDPR de facto creates a transnational legal regime for personal data protection, compelling third countries to adapt their legislation to European standards. Based on a comparative case study of Ukraine, Georgia, and Moldova, common patterns and specific factors of the harmonization process with GDPR are identified – ranging from the intensity of digital trade with the EU to the political will of national stakeholders. The authors argue that despite the powerful transformative influence of the GDPR, its effective implementation critically depends on the local institutional ecosystem and a cultural revision of attitudes towards privacy. Therefore, full-fledged adaptation to the GDPR requires targeted efforts at all levels – from modernizing legislation to strengthening the capacity of regulators and shaping a proactive stance of citizens. Drawing on a matrix of 6 key dimensions (regulatory framework, institutional model, law enforcement, etc.), practical recommendations are provided for enhancing the extraterritorial effect of the GDPR in the Eastern Partnership region, taking into account the security challenges of hybrid warfare for Ukraine. The article contributes to the current discussion about the EU’s new role as a global regulatory player in the digital age.
Downloads
References
Association Agreement between the European Union and its Member States, of the one part, and Ukraine, of the other part. (2014). Official Journal of the European Union, L 161. UTL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:22014A0529(01)
Association Agreement between the European Union and the European Atomic Energy Community and their Member States, of the one part, and Georgia, of the other part. (2014). Official Journal of the European Union, L 261. UTL: https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:22014A0830(02)
Azzi, A. (2018). The challenges faced by the extraterritorial scope of the general data protection regulation. Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 9(2), 126–137. URL: https://www.jipitec.eu/jipitec/article/view/222
Belyakova, O. (2024). Ukraine – Data Protection Overview. URL: https://www.dataguidance.com/notes/ukraine-data-protection-overview
Biedenkopf, K. (2015). EU Chemicals Regulation: Extending Its Experimentalist REACH. In J. Zeitlin (Ed.), Extending Experimentalist Governance? The European Union and Transnational Regulation (pp. 107–136). Oxford University Press. URL: http://surl.li/bkhysw
Bradford, A. (2020). The Brussels Effect: How the European Union Rules the World (New York, 2020; online edn, Oxford Academic, 19 Dec. 2019), DOI: https://doi.org/10.1093/oso/9780190088583.001.0001, accessed 18 Dec. 2024.
Bratasyuk, O. (2023). Legal basis of personal data protection in Ukraine and Germany: organizational and managerial aspect. Visegrad Journal on Human Rights, 1. URL: https://journals.uran.ua/journal-vjhr/article/view/295441 DOI: https://doi.org/10.61345/1339-7915.2023.1.5
Breitbarth, P. (2019). The impact of GDPR one year on. Network Security, 11–13. DOI: https://doi.org/10.1016/S1353-4858(19)30084-4 URL: https://www.researchgate.net/publication/334584226_The_impact_of_GDPR_one_year_on/citation/download
Chua, H.N., Herbst, P., Wong, S.F., & Chang, Y. (2017). Compliance to personal data protection principles: A study of how organizations frame privacy policy notices. Telematics and Informatics, 34(4), 157–170. URL: https://researchprofiles.herts.ac.uk/en/publications/compliance-to-personal-data-protection-principles-a-study-of-how- DOI: https://doi.org/10.1016/j.tele.2017.01.008
Civil, Ge (2024). Personal Data Protection Service Says Regulatory Clarifications are Necessary in the Agents’ Lawю URL: https://civil.ge/archives/608189
CMS Expert Guide (2024). CMS Expert Guide: Data Law Navigator - Ukraine. URL: https://cms.law/es/int/expert-guides/cms-expert-guide-to-data-protection-and-cyber-security-laws/ukraine
CNIL. (2021). Législations en matière de protection des données personnelles dans le monde. URL: https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde
Council of Europe. (2021). Treaty 223: Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223). URL: https://rm.coe.int/16808ac918
DataGuidance (2024). Moldova – Data Protection Overview. URL: https://www.dataguidance.com/notes/moldova-data-protection-overview
Djonovic, A. (2024). Moldova’s EU-Inspired Path to Enhanced Data Protection. URL: http://surl.li/doyfrq
DLA Piper. (2022). Data protection laws of the world. URL: https://www.dlapiperdataprotection.com/
EU4Digital (2024). New data protection law taking effect in Georgia. URL: https://eufordigital.eu/new-data-protection-law-taking-effect-in-georgia/
European Commission. (2020). Commission Staff Working Document: Evaluation of Regulation (EC) No 1907/2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH). SWD(2018) 58 final. URL: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2020:247:FIN
European Commission. (2021). Adequacy decisions: How the EU determines if a non-EU country has an adequate level of data protection. Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. URL: http://surl.li/azwntw
European Commission. (2022). Adequacy decisions. URL: https://ec.europa.eu/commission/presscorner/detail/it/qanda_22_7632
European Data Protection Board. (2022). EDPB strategy 2021–2023. 6 p. URL: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_strategy2021-2023_en.pdf
EUu4DigitalUA (2024). Rada supports draft law “On Personal Data Protection” in first reading. URl: https://eu4digitalua.eu/en/news/rada-supports-draft-law-on-personal-data-protection-in-first-reading/
Floridi, L. (2020). The Fight for Digital Sovereignty: What It Is, and Why It Matters, Especially for the EU. Philosophy & Technology, 33(3), 369–378. URL: http://surl.li/llfxuj. DOI https://doi.org/10.1007/s13347-020-00423-6
GDPR.eu. (2022). GDPR enforcement tracker: List of GDPR fines. UTL: https://www.enforcementtracker.com/
Geradin, D., & Kuschewsky, M. (2013). Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue. SSRN Electronic Journal. DOI: https://doi.org/10.2139/ssrn.2216088 URL: http://surl.li/qosuyw
Government of the Republic of Moldova. (2020). Roadmap for boosting the process of digitization of the national economy and development of electronic commerce. URL: https://consecon.gov.md/wp-content/uploads/2020/09/eEconomy-Roadmap.pdf
Greenleaf, G. (2021). Global data privacy laws 2021: Despite COVID delays, 145 laws show GDPR dominance. Privacy Laws & Business International Report, 169, 21–60. URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3836348
Hofstede, G. (2011). Dimensionalizing cultures: The Hofstede model in context. Online Readings in Psychology and Culture, 2(1). DOI: https://doi.org/10.9707/2307-0919.1014 . URL: https://scholarworks.gvsu.edu/orpc/vol2/iss1/8/
Jaiswal, A. (2019). Data Localization: The Concept and Its Impact. IOSR Journal of Computer Engineering, 21(1), 32–39.
Jansen, R., et al. (2021). GDPR and the lost generation of innovative apps. Harvard Business Law Review, 11(1), 75–100. URL: https://www.nber.org/system/files/working_papers/w30028/w30028.pdf
Klein, M. (2020). The Brussels effect and the global battle for data protection. Georgetown Journal of International Affairs, 21(3), 119–129.
Lachaud, E. (2017). The General Data Protection Regulation and the rise of certification as a regulatory instrument. Computer Law & Security Review. DOI: https://doi.org/10.1016/j.clsr.2017.09.002
OECD (2023). Review of the OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy. OECD Digital Economy Papers, No. 359, OECD Publishing, Paris, DOI: https://doi.org/10.1787/67774f69-en
Parliament of Georgia (2024). Law of Georgia on Personal Data Protection. URl: https://matsne.gov.ge/en/document/view/1561437?publication=23
Parliament of Republic of Moldova (2024). Law on personal data protection, No. 195 of 25.07.2024. URL: https://datepersonale.md/wp-content/uploads/2024/09/Law-no.-195-2024-on-personal-data-protection-1.pdf
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ 2016 L 119/1. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Rekhviashvili, L., Lang, T. (2024): Chinese investments as part of infrastructure-led development: multi-scalar contestations around Georgia’s flagship infrastructure projects, Eurasian Geography and Economics. URL: https://www.tandfonline.com/doi/pdf/10.1080/15387216.2024.2311712 DOI: https://doi.org/10.1080/15387216.2024.2311712
Rustad, M.L., & Koenig, T.H. (2019). Towards a global data privacy standard. Florida Law Review, 71(2), 365–453. URL: https://scholarship.law.ufl.edu/cgi/viewcontent.cgi?article=1446&context=flr
Schimmelfennig, F., Sedelmeier, U. (2019). The Europeanization of Eastern Europe: the external incentives model revisited. Journal of European Public Policy, 27(6), 814–833. DOI: https://doi.org/10.1080/13501763.2019.1617333
Schrems v. Data Protection Commissioner, Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020). URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62018CJ0311
Schwartz, P.M. (2019). Global data privacy: The EU way. New York University Law Review, 94(4), 771–818. URL: https://www.nyulawreview.org/wp-content/uploads/2019/10/NYULAWREVIEW-94-4-Schwartz.pdf
Schwartz, P.M., & Peifer, K.N. (2017). Transatlantic data privacy law. Georgetown Law Journal, 106, 115–179. URL: https://www.law.georgetown.edu/georgetown-law-journal/wp-content/uploads/sites/26/2019/10/Transatlantic-Data-Privacy-Law_Schwartz-and-Peifer.pdf
Scott, J. (2014). Extraterritoriality and Territorial Extension in EU Law. American Journal of Comparative Law, 62(1), 87–126. DOI: https://doi.org/10.5131/AJCL.2013.0009
Stolyarenko, O., Oleniuk, K. (2024). Data Protection Laws and Regulations in Ukraine /
Baker McKenzie. URL: https://ceelegalmatters.com/data-protection-2024/ukraine-data-protection-2024
Taylor, L., Floridi, L., & van der Sloot, B. (Eds.). (2017). Group Privacy: New Challenges of Data Technologies (Vol. 126). Springer. URL: https://link.springer.com/book/10.1007/978-3-319-46608-8
Tudorica M., Mulder, T. (2019). The GDPR Transfer Regime and Modern Technologies. In Proceedings of ITU Kaldeioscope: ICT for Health: Networks, standards and innovation (pp. 211–218). International Telecommunication Union. http://handle.itu.int/11.1002/pub/8145e952-en
UNCTAD. (2021). Data Protection and Privacy Legislation Worldwide. URL: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
Wolford, B. (2022). What is GDPR, the EU’s new data protection law? URL: https://gdpr.eu/what-is-gdpr/
World Bank. (2022). World Development Report 2021: Data for Better Lives. UTL: https://wdr2021.worldbank.org/
Yakymenko, B. (2023). Formation of the institute of personal data protection and experience of its implementation in the countries of the EU. Scientific Journal of the National Academy of Internal Affairs, Vol. 28, No. 4. 68–79. URL: http://surl.li/vadrki DOI: https://doi.org/10.56215/naia-herald/4.2023.68
