The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third Countries

Use and Misuse of New Technologies

Abstract

The Chapter analyses the framework on the basis of which data collected in the European Union (EU) can be legitimately transferred to a third country, as well as the role of EU and national authorities in the context of the adequacy procedure. It also gives an account of recent developments in the context of data transfers, looking especially at the Schrems judgment and at the recently adopted Privacy Shield framework. The aim of the Chapter is to understand the potential role of the adequacy mechanism in the development of a common standard of fundamental rights protection, based on the concept of the EU as a normative power on the international level.

Notes

  1.

    Vegetti (2017), p. 9.

  2.

    Gonzàlez and Jouanjean (2017), pp. 7–8.

  3.

    Data flows would even generate more economic value than traditional trade in goods. See McKinsey Global Institute, Digital Globalisation: The New Era of Global Flows, March 2016.

  4.

    See Kuner (2013), pp. 4–7; Davenport et al. (2012), pp. 22–23. For instance, cross-border data flows are one of the main features of cloud computing services. See, in this regard, Svantesson and Clarke (2010), p. 391.

  5.

    The ITU is the United Nations specialized agency for information and communication technologies. Its main purposes are to maintain and extend international cooperation in the use of telecommunications of all kinds, and to promote the development of technical facilities and efficacy of telecommunications services. The ITU has recently revised its International Telecommunications Regulations (ITRs), an ITU treaty adopted in 1988, with the aim of providing a comprehensive regulatory framework for Internet governance. See International Telecommunication Regulations, in Final Acts of the World Conference on International Telecommunications, Dubai, 2012.

  6.

    See ITU, Big data—Cloud Computing Based Requirements and Capabilities, Recommendation ITU-T Y.3600, 2015, pp. 3–4. See also United Nations Conference on Trade and Development, Data Protection Regulations and International Data Flows: Implications for Trade and Development, United Nations, 2016.

  7.

    Andrejevic and Gates (2014) and Lyon (2014).

  8.

    See Chander and Lê (2015). For an overview of domestic data localization measures currently in place, see Information Technology Industry Council, Data Localization Measures, 19 January 2017, available at https://www.itic.org/public-policy/SnapshotofDataLocalizationMeasures1-19-2017.pdf.

  9.

    Bradford (2012).

  10.

    Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, ETS. No. 108.

  11.

    The only exception is provided by Article 12(3)(b), according to which a State party could prohibit the transfer of data when “the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph”.

  12.

    Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, 8 November 2001, ETS. No. 181, Article 2: “Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer”.

  13.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in OJ L 281, p. 31.

  14.

    Regulation (EU) 2016/678 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and of the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in OJ L 119/1 [2016].

  15.

    Note that the protection of personal data on the Internet will be addressed in a separate but complementary regulation (so called “E-Privacy Regulation”). However, the limits to data transfers outside the EU will remain entirely disciplined by the GDPR. See COM(2017) 10 final of 10 January 2017, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

  16.

    See Kokott and Sobotta (2013) and Gonzáles Fuster (2014).

  17.

    The notion of personal data under EU law is particularly extensive and it covers the majority of data used in international online transactions. Cf. the definition of Article 4(1) of the GDPR; see also recently Case C-582/14 Patrick Breyer, judgment of 19 October 2016, EU:C:2016:779. Even if business activities may rely on the exchange of non-personal data, the relevance of personal data transfers between companies for global trade is extensively acknowledged in the literature. See e.g. Esteve (2017), p. 36.

  18.

    The GDPR also includes the possibility to assess the adequacy of a portion of the territory or of a specific sector of a third country.

  19.

    See in particular Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, in OJ L 181, p. 19 (amended by Commission Decision C(2004) 5271); Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, in OJ L 39, p. 5. According to Article 46(2)(d) of the GDPR, cross-border transfers of data may also take place on the basis of model clauses adopted by single EU Data Protection Authorities in compliance with the GDPR.

  20.

    However, model contract clauses are currently under the scrutiny of the Court of Justice for their alleged contrast with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. See Irish Data Protection Commissioner, Update on litigation involving Facebook and Maximilian Schrems. Explanatory Memo, available at https://www.dataprotection.ie/docs/16-03-2017-Update-on-Litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm.

  21.

    For instance, in terms of applicable law and of attribution of responsibility in cases of data breach.

  22.

    Article 47 of the GDPR specifies the structure and the content binding corporate rules must present in order to be considered compatible with the data protection regime. Other grounds are available for justifying the transfer of data outside the EU, but they deal with rather specific situations (such as an agreement between public authorities, an approved code of conduct or an approved mechanism of certification) and they are only valuable for single transfer operations.

  23.

    On binding corporate rules see Bender and Ponemon (2006), p. 154. See also Article 29 Data Protection Working Party, Working Paper. Transfers of Personal Data to Third Countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, 11638/02/EN, WP74, 3 June 2003; Id., Explanatory Document on the Processor Binding Corporate Rules, 00658/13/EN, WP204, 19 April 2013 (revisited on 22 May 2015).

  24.

    A detailed list of elements forming the object of the adequacy assessment can be found in Article 45(2)(a), (b) and (c).

  25.

    Commission Decision 2000/520/EC of July 26 2000, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, OJ L 215/7.

  26.

    On the Schrems case see Azoulai and van der Sluis (2016) and Kuner (2017).

  27.

    Case 362/14 Maximilian Schrems v. Data Protection Commission, judgment of 6 October 2015, EU:C:2015:650, paras. 64–65.

  28.

    Whose competence on the validity of EU acts is exclusive. See Case 314/85 Foto-Frost, judgment of 22 October 1987, EU:C:1987:452, paras. 15–20.

  29.

    Schrems case cit., para. 52.

  30.

    Ibid., para. 73.

  31.

    Ibid., paras. 91–95. The Court also identified a violation of Article 47 of the Charter, due to the lack in the US system of a proper judicial redress mechanism in the case of violations of data protection rights attributable to public agencies.

  32.

    See Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield, OJ L 207/1 [2016].

  33.

    Kuner (2017), pp. 900–901, highlighting that such a task is all the more difficult for national data protection authorities and individuals willing to challenge an adequacy decision adopted by the Commission.

  34.

    Schrems case cit., para. 94.

  35.

    Ibid., para. 93.

  36.

    See, especially as regards privacy and data protection rights, Joined Cases 293/12 and 594/12 Digital Rights Ireland and Others, judgment of 8 April 2014, EU:C:2014:238, para. 52. See more recently Joined Cases C-203/15 and C-698/1521 Tele2 Sverige AB and Watson, judgment of 21 December 2016, EU:C:2016:970; Court of Justice, Opinion 1/15, 26 July 2017, ECLI:EU:C:2917:592. See also Article 29 Data Protection Working Party, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees), 13 April 2016.

  37.

    According to Article 52 of the Charter “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”. See generally Lenaerts (2012), p. 375; Peers and Prechal (2014), p. 1455. A similar construction of derogations to fundamental rights has been developed by the case-law of the European Court of Human Rights. See recently Roman Zakharov v Russia (App. No. 47143/06), ECtHR, Grand Chamber, judgment of 4 December 2005; Bărbulescu v. Romania (App. No. 61496/08), ECtHR, Grand Chamber, judgment of 12 January 2016.

  38.

    See Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350/60 [2008], art. 13.

  39.

    Council Framework Decision 2008/977, Article 1(2).

  40.

    De Busser (2017), p. 624.

  41.

    See Council Decision of 27 March 2000 authorising the Director of Europol to enter into negotiations on agreements with third States and non-EU related bodies—Council declaration concerning the relations between Europol and third States and non-European Union-related bodies—Council declaration concerning the priority to be given to third States and non-European Union-related bodies, OJ C106/1 [2000].

  42.

    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L119/89 [2016].

  43.

    See Recital 68 of Directive 680/2016.

  44.

    Under recital 16 the GDPR “does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security” and to “the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union”. Recital 14 of the Directive 680/2016 expressly excludes national security activities from the scope of application of the Directive.

  45.

    See Convention No. 108, Article 12(3)(b), according to which parties to the Convention are entitled to derogate from the obligation dealing with free data transfers “when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph”.

  46.

    Recital 101 of the GDPR highlights the rationale for including the reference to onward transfers in the opening provision of the chapter dedicated to data transfers: “[…] when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation”.

  47.

    See Commission Decision 2002/27/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act; Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield.

  48.

    Case C-317/2004, Parliament v. Council, judgment of 30 May 2006, EU:C:2006:346.

  49.

    Opinion 1/15 cit. See in particular paras. 95–104, where the Court recognised that, given the close interconnection between crime prevention and data protection, the PNR agreement with Canada should be based on both Article 16(1) and Article 87(2) of the TFEU.

  50.

    Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215/5 [2012], Article 17.

  51.

    Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186/4 [2012], Article 19.

  52.

    Council Decision (EU) 2016/2220 of 2 December 2016 on the conclusion, on behalf of the European Union, of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences. The purpose of the agreement is outlined in Article 1.

  53.

    Article 6(1) of the Agreement limits the transfer of personal information to “specific purposes authorized by the legal basis for the transfer (…)”, while Article 6(5) adds that the processing must be conducted “in a manner that is directly relevant to and not excessive or overbroad in relation to the purposes of such processing”. The protection is enhanced by the possibility under Article 14(2) to discontinue the transfer when purpose limitation or onward transfer conditions are not complied with.

  54.

    EU-US Umbrella Agreement, Article 7(3). The EDPS has warned against the risk of this situation as a potential case of bulk transfer of personal data. See European Data Protection Supervisor, Opinion 1/2016, Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences, 12 February 2016, p. 12.

  55.

    Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195/5 [2010].

  56.

    Ibid., Article 7.

  57.

    See in this regard Kuner (2009), p. 4.

  58.

    See Commission Implementing Decision (EU) 2016/1250, Annex II—EU-U.S. Privacy Shield Principles issued by the U.S. Department of Commerce.

  59.

    On the territorial application of the GDPR see the Chapter of A. Miglio in this volume. See also De Hert and Czerniawski (2016), p. 230; Gömann (2017), p. 567.

  60.

    This is further complicated by the fact that, from the standpoint of EU enforcement procedures, the GDPR can be considered as enshrining overriding mandatory provisions in the sense of conflict of laws. See Brkan (2016), pp. 333–334.

  61.

    See Commission decision on the adequacy of the Privacy Shield, Recital 22.

  62.

    See Commission decision on the adequacy of the Privacy Shield, Annex II, EU-U.S. Privacy Shield Framework Principles Issued by the US Department of Commerce, Principle 7(d): “In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage”.

  63.

    Article 29 Working Party, Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision, WP 238, 13 April 2016, para. 2.2.3.

  64.

    See Article 51 of the Charter. On the scope of application of the Charter with regard to Member States see Craig and de Búrca (2015), pp. 410–419; Fontanelli (2014), p. 193.

  65.

    Kuner (2017), pp. 895–896.

  66.

    Rosecrance (1998), p. 22.

  67.

    Manner (2002), p. 241.

  68.

    Bradford (2012), p. 3.

  69.

    Kuner (2017), p. 910. See also Severson (2015), according to whom some of the reforms adopted in the US after the Datagate have offered only a “cosmetic change”, although the new adequacy decision by the Commission on the Privacy Shield also gave account of such developments in the US domestic legislation.

References

  • Andrejevic, Mark, and Kelly Gates. 2014. Big Data Surveillance: Introduction. Surveillance & Society 12: 185–196.

  • Azoulai, Löic, and Marijn van der Sluis. 2016. Institutionalizing Personal Data Protection in Times of Global Institutional Distrust: Schrems – Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, Joined by Digital Rights Ireland, Judgment of the Court of Justice (Grand Chamber) of 6 October 2015, EU:C:2015:650. Common Market Law Review 53: 1343–1372.

  • Bender, David, and Larry Ponemon. 2006. Binding Corporate Rules for Cross-Border Data Transfers. Rutgers Journal of Law and Urban Policy 3: 154–171.

  • Bradford, Anu. 2012. The Brussels Effect. The Northwestern University Law Review 107: 1–68.

  • Brkan, Maja. 2016. Data Protection and Conflict-of-Laws: A Challenging Relationship. European Data Protection Law Review 3: 324–341.

  • Chander, Anupam, and Uyên P. Lê. 2015. Data Nationalism. Emory Law Journal 64: 677–739.

  • Craig, Paul, and Gráinne de Búrca. 2015. EU Law. Text, Cases and Materials. Oxford: Oxford University Press.

  • Davenport, Thomas H., Paul Barth, and Randy Bean. 2012. How ‘Big Data’ Is Different. MIT Sloan Management Review 54: 22–24.

  • De Busser, Els. 2017. Adequate Transatlantic Data Exchange in the Shadow of the NSA-Affair. In Privacy and Power, ed. Russell A. Miller, 615–639. Cambridge: Cambridge University Press.

  • De Hert, Paul, and Michal Czerniawski. 2016. Expanding the European Data Protection Scope Beyond Territory: Article 3 of the General Data Protection Regulation in Its Wider Scope. International Data Privacy Law 6: 230–243.

  • Esteve, Asunción. 2017. The Business of Personal Data: Google, Facebook, and Privacy Issues in the EU and the USA. International Data Privacy Law 7: 36–47.

  • Fontanelli, Filippo. 2014. The Implementation of European Union Law by Member States Under Article 51 of the Charter of Fundamental Rights. Columbia Journal of European Law 20: 193–247.

  • Gömann, Merlin. 2017. The New Territorial Scope of EU Data Protection Law: Deconstructing a Revolutionary Achievement. Common Market Law Review 54: 567–590.

  • Gonzáles Fuster, Gloria. 2014. The Emergence of Personal Data Protection as a Fundamental Right of the EU. Heidelberg: Springer.

  • Gonzàlez, Javer López, and Marie-Agnes Jouanjean. 2017. Digital Trade: Developing a Framework for Analysis. OECD Trade Policy Papers, No. 205.

  • Kokott, Juliane, and Christoph Sobotta. 2013. The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR. International Data Privacy Law 3: 222–228.

  • Kuner, Christopher. 2009. Onward Transfer of Personal Data Under the U.S. Safe Harbour Framework. Privacy and Security Law Report: 1–6.

  • ———. 2013. Transborder Data Flows and Data Privacy Law. Oxford: Oxford University Press.

  • ———. 2017. Reality and Illusion in EU Data Transfer Regulation Post Schrems. German Law Journal 18: 881–918.

  • Lenaerts, Koen. 2012. Exploring the Limits of the EU Charter of Fundamental Rights. European Constitutional Law Review 8: 375–403.

  • Lyon, David. 2014. Surveillance, Snowden and Big Data: Capacities, Consequences, Critique. Big Data and Society 2: 1–13.

  • Manner, Ian. 2002. Normative Power Europe: A Contradiction in Terms? Journal of Common Market Studies 40: 235–258.

  • Peers, Steve, and Sacha Prechal. 2014. Article 52 – Scope of Interpretations of Rights and Principles. In The EU Charter of Fundamental Rights, ed. Steve Peers, Tamara Hervey, Jeff Kenner, and Angela Ward, 1455–1522. Oxford: Beck/Hart Publishing.

  • Rosecrance, Richard. 1998. The European Union: A New Type of International Actor. In Paradoxes of European Foreign Policy, ed. Jan Zieloka, 15–23. The Hague: Kluwer Law International.

  • Severson, Daniel. 2015. American Surveillance of Non-U.S. Persons: Why New Privacy Protection Offer Only Cosmetic Change. Harvard International Law Journal 56: 465–514.

  • Svantesson, Dan, and Roger Clarke. 2010. Privacy and Consumer Risks in Cloud Computing. Computer Law and Security Review 26: 391–397.

  • Vegetti, Matteo. 2017. L’invenzione del globo. Spazio, potere, comunicazione nell’epoca dell’aria. Torino: Giulio Einaudi Editore.

Author information

Correspondence to Stefano Saluzzo.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Saluzzo, S. (2019). The EU as a Global Standard Setting Actor: The Case of Data Transfers to Third Countries. In: Carpanelli, E., Lazzerini, N. (eds) Use and Misuse of New Technologies. Springer, Cham. https://doi.org/10.1007/978-3-030-05648-3_6

  • DOI: https://doi.org/10.1007/978-3-030-05648-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05647-6

  • Online ISBN: 978-3-030-05648-3

  • eBook Packages: Law and Criminology (R0)
