The previous chapters have shown which market and technological regulations can implement effective privacy management. Now it is time to define the legal recipe for putting those tools in place.

To do this, first, section 1 marks the gaps in current privacy laws in European law, and in Australia, Canada and New Zealand; that is, it describes the origin and content of statutory level privacy laws, and verifies how they fit into privacy management. In doing so, it looks at so-called Fair Information Practice Principles (FIPPs), which form the operative core of the privacy laws in all the researched jurisdictions. The chapter examines early privacy recommendations to check how FIPPs were designed and what problems are inherent within them. It also describes national privacy laws built on the basis of those privacy principles and reflects on their capacity to implement privacy management. Additionally, it formulates some conclusions as to the deficiencies of a procedural approach to managing privacy processes.

Second, section 2 concentrates on closing the gaps that have just been identified. It describes in detail how privacy management should be applied on top of the most advanced privacy law - the EU General Data Protection Regulation (GDPR). It uses the evaluation criteria of the Privacy Management Model (PMM) presented in Chapter 4 as operational goals. For each goal (i.e. each functionality of controlling, organising and planning), it checks the GDPR's ability to achieve it and describes the additional legal measures necessary to do so. This is done in three steps, each of which relates to a core function of privacy management: controlling, organising and planning.

Section 3 finishes closing the gaps by describing the legal requirements of a more general character necessary to implement PMM. It presents a way in which the implementation of privacy management laws could be supported and secured by enacting an overarching legal principle of informational self-determination. It argues that such a principle containing a substantive, positive liberty needs to replace the FIPPs-based model and that this is possible in Europe or perhaps is even already being developed there. Furthermore, it shows how privacy management laws should cover services delivered from abroad.