The right to data protection in Article 8 CFR has an extraterritorial dimension, which requires continuous protection for personal data that is essentially equivalent to the protection guaranteed within the EU. This right to continuous protection of personal data is an unwritten constituent part of the right to data protection in Article 8 CFR. Primary Union law in Article 16(2) TFEU instructs the European Parliament and the Council to establish rules relating to the protection of individuals regarding the processing of their personal data. This mandate also extends to the extraterritorial dimension of the right to data protection. Accordingly, Chapter V GDPR sets out the system for the transfer of personal data from the EU to third countries. The first section of this chapter defines the legal concept of “data transfers” and introduces the three legal mechanisms for the transfer of personal data in Chapter V GDPR (Sect. 3.1). The following sections address the three legal mechanisms and their role in guaranteeing the right to continuous protection for personal data. Each section includes a fundamental rights analysis for the transfer of personal data on the basis of a legal mechanism in Chapter V GDPR. The second section is dedicated to data transfers based on adequacy decisions for third countries following Article 45 GDPR (Sect. 3.2). The third section is dedicated to data transfers based on the instruments providing appropriate safeguards in Article 46 GDPR, such as standard data protection clauses and binding corporate rules (BCRs) (Sect. 3.3). Finally, the fourth section is dedicated to data transfers subject to contract-based and consent-based derogations in Article 49 GDPR (Sect. 3.4).

1 The System of Data Transfers

The first section of this chapter is dedicated to introducing the EU’s system for the transfer of personal data from the EU to third countries. Rules on data transfers have been a part of data protection legislation since the beginning (Sect. 3.1.1). The EU system for data transfers has two major policy objectives: first, anti-circumvention and the protection of fundamental rights, and second, enhancing trust in the information society (Sect. 3.1.2). There are different ways to describe the journey of personal data from one place to another under the GDPR. It thus has to be clear which data processing operations constitute data transfers and which do not (Sect. 3.1.3). Chapter V GDPR provides three legal mechanisms that enable the transfer of personal data from the EU to third countries: adequacy decisions, instruments providing appropriate safeguards, and derogations for specific situations (Sect. 3.1.4).

1.1 Development of the Rules on Data Transfers

Rules on the transfer of personal data have been a part of data protection legislation since the early data protection laws in Europe beginning from the 1970s (Sect. 3.1.1.1). The first international instruments for data protection were articulated in the 1980s and suggested the introduction of systems to facilitate cross-border flows of personal data (Sect. 3.1.1.2). In the EC, diverging rules on data transfers created problems on the common market. The EC thus sought to harmonize rules on data transfers with Directive 95/46/EC in the 1990s (Sect. 3.1.1.3). Ultimately, the EU consolidated those rules on an EU-wide level with the GDPR in 2016 (Sect. 3.1.1.4).

1.1.1 Early Data Protection Laws in Europe

Continental European countries were the first to adopt rules on the processing of personal data.Footnote 1 Computers and telecommunications were already facilitating transborder data flows when the first data protection laws were passed in Europe.Footnote 2 Legislators in Sweden, Germany, and France realized that it was pointless to establish a framework for the protection of personal data if that protection could be circumvented by simply sending the data of the individuals it was designed to protect to another jurisdiction. In recognition of this transborder character of data processing, the laws in Sweden (Sect. 3.1.1.1.1), Germany (Sect. 3.1.1.1.2), and France (Sect. 3.1.1.1.3) all contained rules designed to protect personal data when it is transferred abroad.Footnote 3

1.1.1.1 Sweden

Section 11 of the Swedish Datalag of 1973 contained the first data transfer rule:

If there is reason to assume that an item will be used for data processing abroad, it may be released only after permission by the Data Inspection Board. Such permission may be granted only in cases where it can be assumed that the disclosure will not entail undue encroachment on privacy.Footnote 4

The Swedish data transfer system relied on obtaining permissions from the Data Inspection Board.Footnote 5 Without such permission, personal data was not allowed to be sent abroad. However, the government reserved the right to overturn decisions made by the Data Inspection Board. The Swedish data transfer system also had a direct link to the protection of fundamental rights. The Data Inspection Board was tasked with assessing data transfers according to their risk for privacy. An important guideline for this risk assessment was that data transfers should be permitted if it was ensured, with a reasonable degree of certainty, that rules for the processing of personal data were in place in the country of destination which corresponded to the principles of protection established in the Swedish Datalag.Footnote 6 This is the first legal manifestation of the idea of continuous protection for personal data across borders.

There were other important issues for the Swedish data transfer system, too. Sweden wanted to preserve national independence. For instance, Sweden feared that its centralized personal identification number system could be misused by foreign powers.Footnote 7 Nevertheless, the main focus of the law was the protection of personal data. In one case, the Swedish Datalag was used to deny the German company Siemens the ability to send Swedish employee records to Germany for storage because Germany did not have a reciprocal data protection law in effect at the time.Footnote 8

1.1.1.2 Germany

The data transfer rules in the German Datenschutzgesetz of 1977 must be interpreted with recourse to the general provisions of the law.Footnote 9 These rules were different for the public and the private sector. Article 11 of the Datenschutzgesetz contained the rules for the public sector:

The transmission of personal data […] is permissible where it is necessary for the lawful fulfilment of the tasks within the competence of the transmitting authority or where the recipient can demonstrate convincingly a legitimate interest in the knowledge of the data to be transmitted and if protection-worthy interests of the data subject are not harmed as a result.

There was wide consensus that data transfers from public authorities to third countries in which the protection of personal data was not guaranteed impaired the interests of the data subjects and were thus not permitted.Footnote 10 This is also a manifestation of the idea of continuous protection for personal data.

The rules for the private sector distinguished between data transfers for internal purposes and for commercial purposes. Article 24(1) of the Datenschutzgesetz contained the rules for internal purposes. The transfer of personal data for internal purposes was permitted

within the scope of the purpose of a contractual relationship or a relationship of trust similar to a contract with the data subject or insofar as it is necessary to safeguard the legitimate interests of the transferring body or a third party or the general public and the protection-worthy interests of the data subject are not impaired as a result.

It was disputed whether a contractual arrangement had to impose data protection rules on the recipient and whether this was sufficient to safeguard the legitimate interests of the data subject when a third country did not have a data protection law comparable to the German Datenschutzgesetz.Footnote 11 It was undisputed, however, that the consent of the data subject was required for the transfer of personal data if the third country did not have a comparable data protection law. Article 32 of the Datenschutzgesetz contained the rules for commercial purposes. The transfer of personal data for commercial purposes was permitted

if the recipient has shown a legitimate interest in their knowledge in a credible manner. The reasons for the existence of a legitimate interest and the means used to establish credibility shall be recorded.

The transfer of personal data for commercial use required fewer safeguards than the transfer of personal data for internal use. The recipient only needed to assert his or her legitimate interest in a credible manner. Such an assertion did not require much detail.Footnote 12 The German Datenschutzgesetz did not give any reason for providing individuals with less protection when companies used their personal data commercially. Spiros Simitis reported that this difference in treatment was a concession to business at the expense of data protection.Footnote 13 Moreover, the German Datenschutzgesetz was not associated with fundamental or human rights.Footnote 14 This could explain why, unlike the Swedish data transfer system, the German data transfer system did not require express licensing of data transfers and mostly relied on a liberal approach of self-regulation.Footnote 15 A protectionist application of the German data transfer system was simply not in the DNA of the Datenschutzgesetz.

The rules for the private sector in the German Datenschutzgesetz introduced a new dimension to the idea of continuous protection for personal data. The liberal approach in the German Datenschutzgesetz allowed for the creation of a new mechanism for lawful data transfers. While contractual relationships were used to extend data protection obligations to recipients in third countries, the consent of the data subject was used to justify transfers in situations in which the third country did not have a data protection law comparable to the German Datenschutzgesetz.

1.1.1.3 France

Article 19 of the French loi relative à l’informatique, aux fichiers et aux libertés of 1979 addressed data transfers for the private sector:

[T]he transmissions between France and third countries of personal information subject to automated processing […] may be subject to prior authorization or regulated in accordance with procedures laid down by decree in the Council of State, in order to ensure compliance with the principles laid down by this law.

The transfer of personal data from France to another country had to be registered with the French National Data Processing and Freedom Commission (Commission nationale de l'informatique et des libertés, CNIL). The CNIL had discretionary power to prohibit data transfers abroad in order to ensure adherence to the standards of the French loi relative à l’informatique, aux fichiers et aux libertés.Footnote 16 This licensing model in France was similar to the Swedish data transfer system. The CNIL also drew on its powers to negotiate contractual solutions concerning data transfers by private organizations.

It has been argued that the French were specifically concerned that personal data might be transferred from France to “data havens” (paradis de données) with lower standards for protection.Footnote 17 There are rumors, passed on in the scholarly literature, that this concern was also related to the realization that dating service records might be sent overseas.Footnote 18 Consequently, a protectionist application of the French data transfer system cannot be completely ruled out. In any case, Article 1 of the French loi relative à l’informatique, aux fichiers et aux libertés specifically stated that information technology must not infringe human identity, human rights, private life, and individual or public freedoms. This was not simply a pretext. The CNIL blocked the transfer of employee data between the Fiat corporate offices in France and Italy in 1989 because Italy did not have adequate data protection regulations.Footnote 19 The CNIL required the company’s main office in Italy to sign a contract with its French offices obligating Fiat Italy to provide the standards of the French loi relative à l’informatique, aux fichiers et aux libertés to the data once it had been transferred to Italy.

1.1.2 Materialization in International Instruments

The early rules on data transfers in Europe created tensions. There were strong sentiments against restricting cross-border flows of personal data because of their importance for communication, commerce, science, and many other human endeavors.Footnote 20 These tensions occasioned the creation of international instruments specifically intended to address the restrictions of data flows. The OECD drafted the Privacy Guidelines (Sect. 3.1.1.2.1) and the Council of Europe adopted Convention 108 (Sect. 3.1.1.2.2), both of which were supplemented with a model contract (Sect. 3.1.1.2.3).

1.1.2.1 OECD Privacy Guidelines

The rapid proliferation of national data protection laws as well as their different rules on transfers of personal data worried international economic organizations such as the OECD. The OECD focused its work in the field of data protection on retaining the ability to exchange personal data between member states in its Privacy Guidelines of 1980.Footnote 21 The OECD’s approach was based on the creation of minimum standards for the protection of personal data and an approximation of national data protection laws in order to guarantee frictionless transborder data flows. Part three of the OECD Privacy Guidelines specifically addresses transborder data flows. OECD member states should:

  • consider the implication of their policies on processing and re-export of personal data for other member countries (Paragraph 15 OECD Privacy Guidelines);

  • take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through member countries, are uninterrupted and secure (Paragraph 16 OECD Privacy Guidelines);

  • refrain from restricting transborder flows of personal data to other member countries except where a member country does not yet substantially observe the OECD Privacy Guidelines or where the re-export of such data would circumvent a country’s own domestic privacy legislation (Paragraph 17 OECD Privacy Guidelines); and

  • avoid developing laws, policies, and practices for the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data exceeding requirements for such protection (Paragraph 18 OECD Privacy Guidelines).

These paragraphs establish a system in which implementing the privacy principles of the OECD Privacy Guidelines enables the unhindered exchange of personal data between OECD member states. The explanatory memorandum describes the system (in relation with Paragraph 17 OECD Privacy Guidelines) as establishing “a standard of equivalent protection, by which is meant protection which is substantially similar in effect to that of the exporting country, but which need not be identical in form or in all respects.”Footnote 22 This was the first occurrence of a concept similar to the standard of “essential equivalence.” The principles contained in the OECD Privacy Guidelines were intended to be the benchmark for the safe exportation of personal data. The OECD warned that lax data protection laws that do not respect the principles contained in the OECD Privacy Guidelines affect the ability of other member states to allow transborder data flows (Paragraph 15 OECD Privacy Guidelines). The OECD Privacy Guidelines also called upon member countries to avoid creating obstacles to transborder data flows exceeding the requirements for the protection of personal data (Paragraph 18 OECD Privacy Guidelines). It was the first international instrument to formulate an international policy for data protection. The OECD realized that fighting against data protectionism meant fighting for data protection.

1.1.2.2 Council of Europe Convention 108

The Council of Europe was primarily concerned with the protection of human rights in Convention 108.Footnote 23 The preamble of Convention 108 aims to reconcile the values of privacy and free flow of information between peoples. Chapter three of Convention 108 addresses transborder data flows. It stipulates that parties to Convention 108:

  • should not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another member state (Article 12(2) Convention 108);

  • should be able to prohibit or otherwise regulate transborder flows of personal data when certain categories of personal data are specifically protected, except where the other member state provides equivalent protection (Article 12(3)(a) Convention 108); and

  • should be able to prohibit or otherwise regulate transborder flows of personal data when personal data is re-exported in order to circumvent the protection afforded to personal data in domestic legislation (Article 12(3)(b) Convention 108).

Just as in the OECD Privacy Guidelines, these articles established a system in which the implementation of the rules of Convention 108 actually facilitated the exchange of personal data between member countries.Footnote 24 Once again, a concept similar to the standard of “essential equivalence” appears.Footnote 25 The explanatory report maintains (with regard to Article 12(2) Convention 108) that a contracting state may not deny transborder data flows on the ground of protecting privacy if the recipient country provides equivalent protection.Footnote 26 The principles contained in Convention 108 were also intended to be the benchmark for safe exports of personal data.Footnote 27 Convention 108 makes clear that if the processing of personal data is subject to the same fundamental rules, then transborder data flows should not be subject to restrictions. Convention 108 was the first legally binding international instrument that formulated an international policy for data protection.

1.1.2.3 Council of Europe Model Contract

A study made jointly by the Council of Europe, the European Commission, and the International Chamber of Commerce (ICC) in 1992 found that “Article 12 [Convention 108] in itself may, at this stage, not be sufficient to ensure adequate protection of personal data which are transferred from one country to another.”Footnote 28 The study noted that by 1992 only 12 states had ratified Convention 108.Footnote 29 It was thus important, the study concluded, to find alternative legal solutions to balance effective protection of personal data and allow for the free flow of personal data across borders. The study went on to underline that “the personal data protection principles laid down in Convention 108 are not yet enshrined in the legislation, common law and social practices of the great majority of third countries” and “potential risks to the rights of data subjects of the countries that are Party to Convention 108 may arise when the processing of personal data of those individuals is carried out in such third countries.”Footnote 30

Contractual techniques were seen as the best legal solution to manage cross-border flows of personal data. The 1992 study highlighted that some European countries already had experience with the use of contractual techniques for ensuring data protection beyond their borders and noted that several sectoral recommendations on data protection adopted by the Council of Europe Committee of Ministers referred to such contractual techniques.Footnote 31 A conference organized jointly by the Council of Europe and the EC two years before had also cautiously concluded that contractual techniques could promote equivalent protection in the context of transborder data flows:

While emphasising that the law of contract could never replace the need to legislate for data protection, contractual techniques could nevertheless be used as a sort of palliative or complement to the legal framework for data protection and transborder data flow.Footnote 32

Erik Harremoes, Director of Legal Affairs at the Council of Europe and Rapporteur General of the Conference of Data Protection Commissioners, summarized the conclusion of the 13th Conference of Data Protection Commissioners in 1991:

The debate has shown that as long as legal lacunae subsist, such contracts may contribute to improving the protection of personal data which are communicated from one country to the other with different regulations. It has, however, also been underlined that such contracts do not provide a waterproof guarantee; questions remain as to the possibilities of controlling their implementation, or enforcing their clauses.Footnote 33

The 1992 study offered a model contract containing a number of clauses designed to ensure equivalent protection in the context of transborder data flows. The model was based on the guarantees in Convention 108 and also adhered to the provisions in the OECD Privacy Guidelines.Footnote 34 The objectives of the model contract were:

  • to provide an example of one way of resolving the complex problems which arise following the transfer of personal data subjected to different protection regimes;

  • to facilitate the free circulation of personal data in the respect of privacy;

  • to allow the transfer of data in the interest of international commerce;

  • to promote a climate of security and certainty of international transactions involving the transfer of personal data.Footnote 35

According to the model contract, the party sending personal data should affirm that the data was obtained and handled in accordance with domestic laws. The party receiving the personal data should commit to abiding by the same principles that bind the sending party domestically. The receiving party should also agree to use the data only for the purposes set out in the contract, to protect sensitive data in the manner required by the domestic law of the sending party, to refrain from communicating the data to a third party unless specifically authorized in the contract, and to rectify, delete and update the data as required by the sending party.

This joint venture of the Council of Europe, the European Commission, and the ICC provided a comprehensive foundation for the application of contractual techniques as a way to protect transborder data flows.Footnote 36 Nevertheless, the Consultative Committee of Convention 108 reiterated in 2002 that while contractual techniques provide a valid alternative legal solution to manage transborder data flows, “the use of contractual clauses should not be seen as a long-term substitute for domestic law protecting personal data.”Footnote 37 This is especially true in the public sector.

1.1.3 Harmonization in Union Law

The differing data protection laws in EC member states and their rules on data transfers created problems on the common market. The hopes of the European Commission that Convention 108 would solve these problems were left unfulfilled. This is why in 1990 the Commission proposed a draft for Community-wide legislation.Footnote 38 The legislation also established common rules on transfers of personal data to non-Community states.Footnote 39 The EC system of data transfers in the first draft of Directive 95/46/EC (Sect. 3.1.1.3.1) was reviewed in the amended draft of Directive 95/46/EC (Sect. 3.1.1.3.2) and slightly changed in the final draft of Directive 95/46/EC (Sect. 3.1.1.3.3).

1.1.3.1 First Draft of Directive 95/46/EC

The first draft of Directive 95/46/EC from 1990 established a system for data transfers that was similar to the one found in Convention 108.Footnote 40 Article 24 of the 1990 draft established, as a principle, that the transfer of personal data from an EC member state to a third country may take place only if that third country ensures an adequate level of protection. The European Economic and Social Committee (EESC) noted in its opinion on the 1990 draft that instead of the term “adequate protection,” the principle of “equivalent protection,” which was used in Convention 108, should be adopted.Footnote 41 This was the first time that a predecessor of the right to continuous protection for personal data appeared in the legislative process of the EC. While these suggestions of the EESC were not ultimately implemented, the ECJ found in the Schrems judgment of 2015 that the term “adequate protection” should be interpreted as “protection essentially equivalent to that guaranteed within the European Union.”Footnote 42

Article 24 of the 1990 draft charged the EC member states and, subsidiarily, the European Commission, with determining whether a third country ensured an adequate level of protection. To make this determination they had to consider the international commitments the third country had entered into and/or its domestic law. This reference to “international commitments” was clearly an invocation of Convention 108 as the international benchmark for data protection.Footnote 43

If a country did not ensure an adequate level of protection, a derogation allowing the transfer of personal data according to Article 25 of the 1990 draft was available. The EC member state in which the data was located could authorize such a transfer if the controller of the data was able to guarantee an adequate level of protection for the transfer, and if neither the other EC member states nor the Commission had objections. Article 25 of the 1990 draft established a framework including a ten-day waiting period in which notice of opposition could be given. In cases where notice of opposition was given, the Commission could take all appropriate measures to prohibit the transfer. The whole data transfer system of the 1990 draft, including the derogation, was built around the objective of adequate protection for personal data when transferred to a third country. In retrospect, this data transfer system was quite restrictive, but it was able to guarantee fundamental rights. The explanatory memorandum of the draft considered the draft as a global approach and underlined that “the European Community must promote among its partners the introduction of adequate protection measures and support the efforts of the Council of Europe in this field.”Footnote 44 According to Recital (21) of the draft, in the absence of adequate protection in a third country, the Community should enter into negotiations with a view to promoting membership to Convention 108.Footnote 45 Overall, the data transfer system of the 1990 draft heavily relied on Convention 108 and aimed at expanding its membership.

1.1.3.2 Amended Draft of Directive 95/46/EC

In the course of draft consultations, some interest groups expressed concerns that the adequacy-based data transfer system might be too restrictive.Footnote 46 One of the main concerns raised by business associations during the consultation was the “impossibility of conducting international trade with third countries not guaranteeing an adequate level of protection.”Footnote 47 The amended draft of 1992 tried to accommodate this concern. The derogations in the 1990 draft were replaced with alternative legal mechanisms for data transfer to third countries.

The amended draft of 1992 included contractual techniques for data transfers co-developed by the European Commission within the framework of the Council of Europe.Footnote 48 Article 27 of the amended draft allowed the transfer of personal data to third countries that do not ensure an adequate level of protection when the data exporter can show “sufficient justification” in the form of contractual provisions. This mechanism explicitly referred to guarantees that the effective exercise of data subjects’ rights would not be jeopardized when deviating from the adequacy-based data transfer mechanism. The explanatory memorandum of the amended draft specifically mentions that these exceptions must also be compatible with the protection of individuals.Footnote 49

Article 26(1) of the amended draft also allowed the transfer of personal data to third countries that do not ensure an adequate level of protection if the data subject has given consent, or if the transfer is necessary for the performance of a contract between the data subject and the data controller. In the latter case, the data subject must be informed that personal data may be transferred to a third country. The data subject may then decide whether he or she wishes to take such a risk.

1.1.3.3 Final Draft and Directive 95/46/EC

The final draft of Directive 95/46/EC adopted by the Council in 1995 contained only minor changes regarding the system of data transfers.Footnote 50 Article 25 Directive 95/46/EC established adequacy decisions as the main pillar of the data transfer system. A decision on the adequacy for transfers of personal data was generally made at the EC member state level and on a case-by-case basis for individual data transfers. The European Commission was also entitled to find that third countries did not ensure an adequate level of protection and thus enter into negotiations with these countries with a view to remedying the situation.Footnote 51

Just like the amended draft, the final Article 26 Directive 95/46/EC contained two types of derogations from the adequacy system. Article 26(1) Directive 95/46/EC contained a list of derogations for data transfers in specific situations (such as the consent of the data subject or the necessity of performing a contract between the data subject and the data controller), and Article 26(2) Directive 95/46/EC provided for data transfers based on adequate safeguards. The Commission had the power to decide that certain standard contractual clauses offered such safeguards according to Article 26(4) Directive 95/46/EC. Contrary to the amended draft, the second derogation in Article 26(2) Directive 95/46/EC did not use the words “sufficient justification” but “adequate safeguards” instead. Article 26(2) Directive 95/46/EC also added that “adequate safeguards” must be oriented toward the protection of the privacy and the fundamental rights and freedoms of individuals.Footnote 52 This explicit and strong reference to fundamental rights and freedoms clarified that the derogation must comply with them. The final draft of Directive 95/46/EC was clearly intended to close remaining loopholes in the language of the amended draft. The system for data transfers was thus presented as a fundamental rights-based regulation.

Soon after the adoption of Directive 95/46/EC in 1995, it became clear that the adequacy system with decisions on a case-by-case basis for individual data transfers was reaching its functional limits. Given the huge volume of personal data leaving the EC on a daily basis and the multitude of actors involved, no EC member state could ensure that each case was examined thoroughly.Footnote 53 The Article 29 WP stated that “mechanisms are to be developed to rationalize the decision-making process for a large number of cases, allowing decisions to be made timely and efficiently.”Footnote 54 Accordingly, the Article 29 WP suggested that the Commission should determine at a general level whether certain third countries ensured an adequate level of protection.Footnote 55 This more general approach avoided differences between national assessments and increased the stability and predictability for data exporters.Footnote 56 Subsequently, the Commission initiated procedures to make a series of adequacy decisions under Article 25(6) Directive 95/46/EC.

1.1.4 Consolidation in Union Law

The GDPR was adopted in 2016 and consolidated the EU rules on data transfers. EU member states no longer have any room left to implement individual rules in their national laws. Jan Albrecht, the GDPR rapporteur of the European Parliament, writes that the new regulation was designed from the beginning to follow the rules for data transfers in Directive 95/46/EC.Footnote 57 This is why the legal mechanisms for data transfers to third countries under the GDPR are basically the same as in Directive 95/46/EC, although they are set out in more detail.Footnote 58 Some of these details concern adequacy decisions. Article 45 GDPR centralizes the adequacy assessment procedure by designating the European Commission as the sole body competent to execute this task. The deferral to the Commission aimed at eliminating problematic divergences that derived from the member state-based assessment in Directive 95/46/EC.Footnote 59 For example, under Directive 95/46/EC some member states required a determination of adequacy by a national supervisory authority, whereas others referred the responsibility for the adequacy assessment to the data controller.Footnote 60 There were also divergences in the standards set by EU member states for the adequacy assessment.Footnote 61 In that regard, the European Parliament demanded generally that more attention be paid to the laws surrounding data protection in the area of national security.Footnote 62 Article 45(2)(a) GDPR now requires the Commission, when assessing the adequacy of the level of protection in a third country, to take into account the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security and criminal law, and the access of public authorities to personal data, as well as the implementation of such legislation. Article 45 GDPR also provides for the possibility of an adequacy decision in respect of a territory or one or more specified sectors within a third country.

Even though the legal mechanisms for data transfers to third countries in the GDPR are basically the same as in Directive 95/46/EC, there are two important changes from Directive 95/46/EC to the GDPR. The first change relates to the derogations. According to Article 26(2) Directive 95/46/EC, data transfers based on adequate safeguards, for example in the form of appropriate contractual clauses, were treated as derogations. According to Article 46 GDPR, such data transfers are not treated as derogations anymore. This change is important for the interpretation of data transfers based on instruments providing appropriate safeguards with regard to the right to continuous protection of personal data in Article 8 CFR. The second change relates to Article 44 GDPR on the general principle for data transfers, which is the opening provision of Chapter V GDPR on transfers of personal data to third countries. The change is connected to the Schrems judgment of the ECJ. The Court decided Schrems before the conclusion of the trilogue negotiations that would culminate in the GDPR. The Schrems judgment pushed the trilogue negotiations toward a focus on data transfers and led to the introduction of a new sentence into Article 44 GDPR:

All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

This sentence was introduced in order to ensure that the obligation to protect personal data transferred to a third country is taken seriously.Footnote 63 It is the implementation in the GDPR of the right to continuous protection for personal data in Article 8 CFR.Footnote 64 There was not enough time during the trilogue negotiations to adapt all legal mechanisms for the transfer of personal data in the GDPR to the findings of the ECJ in Schrems. Consequently, the second sentence of Article 44 GDPR now serves as a general interpretative rule for the EU system for data transfers.Footnote 65

To conclude the account of the development of the rules on transfers: The early rules on data transfers in Europe created tensions. The protection of personal data and privacy was certainly their main focus and not just a pretext, even though a protectionist application of these rules cannot be completely ruled out in some instances. There have always been strong reservations against restricting international data flows because of their importance for communication, commerce, science, and many other human endeavors. This is why international organizations such as the OECD and the Council of Europe sought to address the issue. The OECD realized that fighting against data protectionism meant fighting for data protection. Its approach was based on the creation of minimum standards for the protection of personal data and the approximation of national data protection laws in order to guarantee frictionless transborder data flows. The Council of Europe followed a similar approach. In Europe, however, these instruments failed to enable the free movement of personal data between the EC member states. This is why the EC then sought to harmonize the protection of personal data on the common market, including the rules on data transfers abroad. All legal mechanisms for data transfers in Directive 95/46/EC had a prototype in the early data protection laws in Europe: decisions regarding the level of data protection in third countries (in Sweden and France), contractual models for cross-border flows of personal data (in Germany and France), and consent-based constructions (in Germany). Importantly, the EC data transfer system in Directive 95/46/EC was already a fundamental rights-based system. The GDPR’s legal mechanisms for data transfers were modeled after Directive 95/46/EC, but compliance with fundamental rights was further strengthened. Article 44 GDPR provides, as a general interpretative rule for all legal mechanisms, that they must be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. It is the implementation in the GDPR of the right to continuous protection of personal data in Article 8 CFR.

1.2 Policy Objectives of the Rules on Data Transfers

Laws often have different kinds of policy objectives. Some of those objectives are explicitly stated, some are unexpressed or implicit.Footnote 66 It is important to clarify the objectives of the EU rules on data transfers to understand their restrictive effects. Anticircumvention (Sect. 3.1.2.1) and enhancing trust in the information society (Sect. 3.1.2.2) are the two main objectives of the EU rules on data transfers. In contrast, there is nothing to suggest that public security (Sect. 3.1.2.3) or economic protectionism (Sect. 3.1.2.4) must also be seen as objectives of the EU rules on data transfers.

1.2.1 Anticircumvention

The early data protection laws in Europe mainly regulated the export of personal data because they sought to prevent their rules from being circumvented.Footnote 67 The pioneering countries feared the erosion of their chosen level of data protection through the sending of personal data to third countries where the protection offered was lower. The problem at the root of the anticircumvention objective was the re-importation of personal data processed abroad in violation of certain provisions of the law of the country of origin. Third countries with less stringent data protection legislation were dubbed “data havens” to express this role.Footnote 68 Consequently, the first international instruments for data protection also addressed the issue of anticircumvention. The explanatory report to Convention 108 states that

[c]oncern has been expressed that data users might seek to avoid data protection controls by moving their operations, in whole or in part, to “data havens”, i.e. countries which have less strict data protection laws, or none at all.Footnote 69

Similarly, the explanatory memorandum to the OECD Privacy Guidelines refers to “attempts to circumvent national legislation by processing data in a Member country which does not yet substantially observe the Guidelines.”Footnote 70

It is thus no surprise that anticircumvention was one of the original policy objectives of the EU rules on data transfers. After all, they originated in the early data protection laws in Europe and the international instruments of the OECD and the Council of Europe. This is apparent from the commentary on the amended draft of Directive 95/46/EC:

The rule intended to prevent the Community rules from being circumvented in the course of transfers of data to non-community countries takes the form of a ban on the transfer of data to countries which do not provide an adequate level of protection; this has now been clarified in order to remove any ambiguity as to the purpose pursued.Footnote 71

The Council highlighted in its Common Position that the rules on data transfers are “merely a corollary to the other Articles of the Directive of which they formed an integral part, in that they were designed to make the system ‘water-tight’.”Footnote 72 The anticircumvention objective is also evident from the Article 29 WP’s early suggestion that the possibilities for onward transfers of personal data from the destination third country to other third countries had to form part of the adequacy assessment.Footnote 73 In the same spirit, AG Henrik Saugmandsgaard Øe explained in his opinion in Schrems 2 with regard to Article 44 GDPR that

it should be borne in mind that the raison d’être of the restrictions that EU law places on international transfers of personal data, by requiring that the continuity of the level of protection of the fundamental rights of the data subjects be guaranteed, is designed to avoid the risk that the standards applicable within the Union will be circumvented.Footnote 74

The policy objective of anticircumvention is closely connected with the protection of fundamental rights, including the right to continuous protection for personal data.

1.2.2 Enhancing Trust in the Information Society

Before the adoption of Directive 95/46/EC, a high-level group that reported to the Corfu European Council in 1994 on issues concerning the information society (the Bangemann Group) concluded that a lack of consumer confidence would undermine the rapid development of the information society.Footnote 75 This is why the Bangemann Group found that “a fast decision from Member States is required on the Commission’s proposed Directive setting out general principles of data protection.”Footnote 76 Similarly, the European Commission underlined in the explanations to the first draft of Directive 95/46/EC from 1990 that “[e]ffective protection of personal data and privacy is developing into an essential precondition for social acceptance of the new digital networks and services.”Footnote 77 Enhancing trust in the information society was thus a policy objective of EU data protection law from early on.

Trust in the information society is especially important with regard to rules on data transfers. Dara Hallinan, Michael Friedewald, and Paul McCarthy published a meta-analysis of various public opinion surveys in 2012 demonstrating that there is a lack of clarity among Europeans when it comes to cross-border flows of personal data and that this lack of clarity feeds uncertainty with regard to digital trade.Footnote 78 They underlined that Europeans displayed significant fear regarding data processing and its potential consequences for the individual and society. That was before the revelations on mass surveillance by Edward Snowden in 2013, which certainly did not improve public opinion in Europe. The need to enhance trust in data processing has been cited again and again as a motivation for EU data protection law.Footnote 79 The OECD recently stressed that “[t]he benefits of digital trade for both business and consumers are contingent on the degree of trust that is placed on the activities of different players operating in the digital space.”Footnote 80

The European Commission underlined in the run-up to the GDPR that a lack of trust makes consumers in the EU hesitant to buy online and to accept new digital services and that, therefore, a high level of data protection is crucial to enhance trust in digital services and fulfil the potential of the digital economy.Footnote 81 Recital (6) GDPR describes how technology has transformed both the economy and social life, and outlines how it could further facilitate the free flow of personal data within the Union and the transfer of personal data to third countries, while ensuring a high level of protection for personal data. Recital (7) GDPR underlines that

[t]hose developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop.

The EU also started to recognize the necessity of ensuring the trust and confidence of users in the information society in free trade agreements (FTAs).Footnote 82 In Article 7.48(2) EU-South Korea FTA,

[t]he Parties agree that the development of electronic commerce must be fully compatible with the international standards of data protection, in order to ensure the confidence of users of electronic commerce.Footnote 83

Rules on data transfers enable trust in the information society, which is of fundamental importance for digital trade to flourish.Footnote 84 Enhancing trust in the information society is a major policy objective of rules on data transfers.

1.2.3 Security

The 2017 Chinese Draft Administrative Measures on Evaluating the Security of Transmitting Personal Information and Important Data Overseas foresaw very restrictive data transfer rules based on national security concerns.Footnote 85 Yanqing Hong showed that many private businesses control vast amounts of data resources and that this data may affect national and public interests.Footnote 86 He used Alibaba as an example to show how the scale and “granularity” of data on consumers can match the public security organs’ basic national population database and even surpass it in accuracy. He explained how a leak or exportation of this data could create a serious threat to national security. Similar considerations were already present in the early data protection laws in Europe. Sweden introduced rules on data transfers in 1973 because it feared that its centralized personal identification number system could be misused by foreign powers.Footnote 87

Access to sensitive information about the population of a state by foreign governments (or other institutions, groups, etc.) can pose a threat to security.Footnote 88 When Directive 95/46/EC was drafted, different scholars reflected on the nexus between data transfers and the loss of national sovereignty. Cees Hamelink argued in 1994 that cross-border flows of personal data “imply a threat to national sovereignty since they facilitate the control over critical national decisions by foreign actors” and that “[c]ontrol over locations where vital data are processed and stored is an important factor in national and world politics.”Footnote 89 Eli Cohen argued in 1992 that a country is vulnerable when its data is in the hands of others.Footnote 90 He used the example of the US restricting access of Dresser Industry France to its US database during the 1982–1983 Siberian pipeline dispute to support his argument.

However, the preparatory materials of Directive 95/46/EC and the GDPR do not reveal any link between rules on data transfers and the protection of public security, national security, sovereignty, or data sovereignty. To the contrary, the communication of the European Commission on the first draft of Directive 95/46/EC underlined that it is essential that national information security policies do not become an obstacle to relations with third countries.Footnote 91 While states could—and some do—make a case for national security as a policy objective of (restrictive) rules on data transfers, it does not seem that national security is a policy objective of the EU rules on data transfers.

1.2.4 Economic Protectionism

A restrictive system for data transfers could suggest the existence of a protectionist policy objective. A restrictive system for data transfers requires companies to store and process data locally. Companies would need to invest in local servers and data centers. This generates economic activity, employment opportunities, and other spillovers associated with high-tech sectors.Footnote 92 Neha Mishra argues that many states with a highly restrictive system for data transfers explicitly state that their intention is to protect fundamental rights and/or national security, while implicitly using the system as a policy tool to promote economic protectionism.Footnote 93 The EU system for data transfers is often accused of serving a protectionist objective, especially in US literature and political discourse.Footnote 94 The US criticized the first draft of Directive 95/46/EC on the grounds that it imposed unfair non-tariff barriers to trade.Footnote 95 In 2015, President Barack Obama said in an interview that privacy challenges against US internet companies from European countries, as well as EU roadblocks for data transfers to the US, are not always entirely sincere because European countries want to displace US companies.Footnote 96 However, this criticism goes beyond the US. Hosuk Lee-Makiyama, director of the European Centre for International Political Economy, referred to the GDPR and stressed that “while it is no doubt a worthwhile endeavor to protect European citizens from illicit online surveillance, the landmark bill comes at a cost: it is a form of digital protectionism.”Footnote 97

Nevertheless, the legislative documents concerning EU data protection do not show any protectionist intentions behind the EU system for data transfers. The general comments in the EU Council’s Common Position in the preparation of the final draft of Directive 95/46/EC are among the first legislative documents on data protection in the EC that mention trade:

The Council felt that Articles 25 and 26 of the Directive, which dealt with the transfer of personal data to third countries, did not pursue a trade policy objective as such; they were merely a corollary to the other Articles of the Directive of which they formed an integral part, in that they were designed to make the system ‘water-tight’ by avoiding any ‘laxity’ as regards the transfer of data to third countries.Footnote 98

This statement emphasizes that anticircumvention is the policy objective of the EU rules on data transfers and denies that economic protectionism is one at all. Recital (56) Directive 95/46/EC even stressed that “cross-border flows of personal data are necessary to the expansion of international trade.” The EU is cognizant of the relationship between data transfers and trade. When the European Commission adopted the first standard contractual clauses, which were considered to offer adequate safeguards for data transfers as required by Article 26(2) Directive 95/46/EC, it underlined in Recital (4) Decision 2001/497/EC that a flexible instrument for data transfers is “essential for maintaining the necessary flow of personal data between the Community and third countries without unnecessary burdens for economic operators,” particularly “in view of the fact that the Commission is unlikely to adopt adequacy findings under Article 25(6) for more than a limited number of countries in the short or even medium term.” The proactive role of the Commission regarding adequate safeguards under Article 26(2) Directive 95/46/EC shows that the EU is committed to reconciling data transfers and trade.

When the Commission started to review Directive 95/46/EC for an update in 2010, it identified “a general need to improve the current mechanisms allowing for international transfers of personal data.”Footnote 99 The European Data Protection Supervisor (EDPS) agreed in his corresponding opinion that the review of the data protection framework in the EU requires “consideration of how personal data protection can be ensured effectively in the globalised world without substantially hampering international processing activities.”Footnote 100 The Commission recognized in its comments on the first proposal for the GDPR that

[t]he complexity of the rules on international transfers of personal data is considered as constituting a substantial impediment to [operations of economic stakeholders] as they regularly need to transfer personal data from the EU to other parts of the world.Footnote 101

In reaction, the EDPS again underlined that “EU rules on international data transfer should ensure that there is adequate protection of personal data without an unnecessary restriction of international trade and cooperation.”Footnote 102 The entire process that led to the adoption of the GDPR emphasizes the importance of trade concerns. This is also why Recital (101) GDPR contains a strong reference to trade: “Flows of personal data to and from countries outside the Union […] are necessary for the expansion of international trade.” While the legislative documents concerning data protection in the EU do not reveal any protectionist intentions behind the EU rules on data transfers, it is necessary to keep in mind that “policies that may appear protectionist may not have been designed to achieve trade-distorting effects.”Footnote 103

1.3 The Concept of Data Transfers

The legal concept of data transfers is the centerpiece of the EU’s fundamental rights-based regulation of data transfers. The GDPR uses several terms to describe the transfer of personal data from one place to another including: the free movement of data, data flows, and data transfers. These terms must be distinguished from each other (Sect. 3.1.3.1). The GDPR uses the notion of data transfers without defining further what kind of data processing operations it entails (Sect. 3.1.3.2). However, it seems to be clear that the so-called data transits are excluded from the concept of data transfers (Sect. 3.1.3.3) and that the data flows to the special territories of the EU may not be considered data transfers (Sect. 3.1.3.4).

1.3.1 Terminology

The GDPR uses different terms to describe the transfer of personal data from one place to another: free movement of data (Sect. 3.1.3.1.1), data flows (Sect. 3.1.3.1.2), and data transfers (Sect. 3.1.3.1.3).

1.3.1.1 Free Movement of Data

The first term that refers to the journey of personal data from one place to another in EU data protection law is the “free movement of data.” The title of Directive 95/46/EC defined two goals. It set out to protect individuals with regard to the processing of personal data, and to enable the free movement of this data. The legal basis for Directive 95/46/EC was Article 100a TEC on the approximation of laws for measures which have as their object the establishment and functioning of the EU common market. It was thus the goal of free movement of personal data within the EU that justified data protection legislation on the level of the Community. Article 1(2) Directive 95/46/EC forbade member states to restrict or prohibit the free flow of personal data between member states for reasons connected with the protection of personal data. Article 1(2) Directive 95/46/EC employed the notion of “free flow” of personal data instead of “free movement” of personal data, which appears to have been an editorial mistake, when considered alongside the title of Directive 95/46/EC. Article 1(3) GDPR now refers to the “free movement” of personal data within the Union. Recital (13) GDPR explicitly mentions that the proper functioning of the common market requires the free movement of personal data within the EU.

The term free movement of data therefore refers to data processing operations across the borders of EU member states.Footnote 104 It is a key element of EU data protection law and policy. There are obvious similarities between the free movement of data and the four freedoms of the common market.Footnote 105

1.3.1.2 Data Flows

The second term that refers to the journey of personal data from one place to another in EU data protection law is “data flows.” This term was already used in the OECD Privacy Guidelines and Convention 108. The definition in these instruments reveals a data-location-centric understanding of cross-border data flows. The state of technology at the time of drafting only allowed straightforward point-to-point transactions, and it was, compared with today, fairly easy to identify in which country data was actually located.

The GDPR also at times uses the notion of data flows to describe the journey of data across borders of EU member statesFootnote 106 and sometimes to describe the journey of data outside the EU to third countries.Footnote 107 The notion of data flows should thus be understood neutrally as referring to any cross-border journey of personal data. It is a descriptive term and does not constitute a legal concept like data transfers. Such an interpretation is consistent with Recital (101) GDPR:

Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to […] third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organization.Footnote 108

Recital (101) GDPR indicates that out of all flows of personal data to third countries there is a special category of transfers of personal data from the EU to third countries.Footnote 109 The EDPB shares this interpretation, although in a different context.Footnote 110

1.3.1.3 Data Transfers

The third term that refers to the journey of personal data from one place to another in EU data protection law is “data transfers.” The term is remarkably prominent in EU data protection law.Footnote 111 It signals a type of data processing operation endowed with legal implications. Directive 95/46/EC already used the term “data transfers” in Article 25 and Article 26. It did not further define the kind of data processing operation described by the term “data transfers”. Kuan Hon has suggested that the drafters of Directive 95/46/EC thought that the term was self-explanatory, although this is not necessarily the case.Footnote 112 This is why the EDPS called for a clear definition of data transfers in his opinion on the data protection reform package in 2012. An early draft of the GDPR actually contained an amendment that defined data transfers as “any communication of personal data, actively made available to a limited number of identified parties, with the knowledge or intention of the sender to give the recipient access to the personal data.”Footnote 113 This definition was omitted from the final version of the GDPR. The data processing operation of data transfers therefore requires further clarification.

1.3.2 The Data Processing Operation of Data Transfers

The transfer of personal data from the EU to a third country constitutes a data processing operation.Footnote 114 The transmission of personal data to a location in a third country is a suitable description of the term “data transfers” (Sect. 3.1.3.2.1). Equating the term transfer with disclosure could jeopardize fundamental rights protection where data flows do not involve intelligible access to personal data, as in cloud computing (Sect. 3.1.3.2.2). In addition, there is a reasonableness test that limits the scope of data transfers (Sect. 3.1.3.2.3). Finally, the meaning of the term “third countries” has to be assessed in relation to the data processing operation of data transfers (Sect. 3.1.3.2.4).

1.3.2.1 Transmission of Personal Data

Conceptually, a data transfer denotes personal data traveling from the EU to a third country where something happens to that data. According to the OED, “transfer” means to convey or take from one place to another.Footnote 115 The European Commission has informally provided a basic definition for the data processing operation of data transfers:

The term ‘transfer of personal data’ is often associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail.Footnote 116

The sending of personal data is not the best description for data transfers. This is because, in the digital sphere, it usually only covers push technology, a style of internet-based communication in which the request for a given transaction is initiated by the publisher or central server. It does not include pull technology, where the request for the transmission of information is initiated by the receiver. Consequently, the transmission of personal data describes data transfers better than the sending of personal data.

The location of servers to which data is transmitted plays an important role in determining whether a data transfer to a third country took place.Footnote 117 The Article 29 WP found that SWIFT, a worldwide financial messaging service that facilitates international money flows, transferred personal data to third countries when it mirrored personal data from servers in datacenters in the EU to servers in datacenters in the US.Footnote 118 With regard to cloud computing, the Article 29 WP found that the rules on data transfers have limitations because “cloud computing is most frequently based on a complete lack of any stable location of data within the cloud provider’s network.”Footnote 119 Nevertheless, the Article 29 WP insisted that cloud computing data flows to servers outside the EU also constitute data transfers to a third country. Cloud related decisions of supervisory authorities in EU member states confirm this finding. For example, the Swedish supervisory authority highlighted that Google Apps’ personal data flows to datacenters located in the US constituted data transfers and so found a list of subproviders for data storage inadequate without knowledge of their location.Footnote 120

1.3.2.2 Disclosure of Personal Data

Kuan Hon has argued that a location-centric approach to determining data transfers is not appropriate for cloud computing because there is no disclosure or making available of personal data when it is simply transmitted to servers in a third country. In such cases, persons have no intelligible access to the data because of strong encryption.Footnote 121 She thus concluded that the concept of data transfers should be understood in terms of disclosure and the making available of personal data across borders. The European Commission’s definition of data transfers considers similar situations:

Other situations also fall under this definition: all the cases where a controller takes action in order to make personal data available to a third party located in a third country.Footnote 122

The possibility of access to personal data in a third country is an essential part of making data available across borders. The EDPS argued in a position paper that absent a formal definition of data transfer, controllers should consider that the term implies: “communication, disclosure or otherwise making available of personal data, conducted with the knowledge or intention of a sender subject to the Regulation that the recipient(s) will have access to it.”Footnote 123 The EDPS thus added the element of knowledge or intentionality to its definition of data transfers. According to the OED, to “disclose” means “to uncover and expose to view.”Footnote 124 The uncovering and exposing of something usually involves intention. To disclose personal data therefore means that a recipient or recipients must intentionally be afforded intelligible access to that data. The disclosure of personal data in a cross-border context certainly constitutes a data transfer. However, the concept of data transfers is broader than this.

The title of Article 48 GDPR—Transfers or disclosures not authorized by Union law—is an indication that transfers must mean something in addition to disclosures. According to Article 48 GDPR, data transfers can also be something other than intentionally afforded intelligible access to personal data in a cross-border context. Such an interpretation is consistent with the history of the GDPR. The definition of transfer in the draft of the GDPR—which was ultimately omitted—would have effectively equated the term transfer with the meaning of disclosure.Footnote 125 The omission of this definition from the GDPR indicates that the drafters wanted a broad understanding of the term transfer. Data transfers can also take place if personal data is not disclosed, i.e., if there is no recipient that is afforded intelligible access to the data in the third country. This is especially important for cloud computing, where there is often no recipient afforded intelligible access to the data stored in the third country. Simply equating the term transfer with disclosure could jeopardize the fundamental rights protection for cross-border flows of personal data that do not involve intelligible access to the data. Even Hon accepts that the location of personal data in a third country is important for the protection of fundamental rights to the extent that it gives that country jurisdiction over the data.Footnote 126 Foreign internet surveillance practices can threaten fundamental rights, even in a cloud computing context.Footnote 127 The three cumulative criteria defined by the EDPB in 2021 to qualify a processing operation as a transfer also seem to fall short of recognizing that a transfer is more than a disclosure or making available, or at least they do not describe what making available exactly means.Footnote 128

1.3.2.3 Reasonableness Test

The ECJ had to deal with the concept of data transfers in the Lindqvist case. An elderly woman, Ms. Lindqvist, was uploading the personal data of her colleagues to an internet site hosted in the European Economic Area (EEA) that could also be accessed from any third country. The ECJ was confronted with the question of whether the activities of Ms. Lindqvist constituted data transfers. The ECJ decided that

in circumstances such as those in the case in the main proceedings, personal data which appear on the computer of a person in a third country, coming from a person who has loaded them onto an internet site, were not directly transferred between those two people but through the computer infrastructure of the hosting provider where the page is stored.Footnote 129

The ECJ stressed that there must be a direct transfer of personal data. The ECJ found that in the case at hand the direct transfer of personal data was not between Ms. Lindqvist and a person in a third country but between the hosting provider of Ms. Lindqvist’s internet site and a person in a third country. The uploading of personal data onto an internet site by Ms. Lindqvist did not therefore constitute a transfer of personal data, even though Ms. Lindqvist disclosed and transmitted personal data to one or more third parties located in one or more third countries. The ECJ emphasized that the referring court only asked about the activities of Ms. Lindqvist and not about the activities carried out by the hosting provider.Footnote 130 The ECJ did not elaborate whether the activities of the provider on the behalf of Ms. Lindqvist—namely, the storing of the uploaded personal data on its servers and the disclosure and transmission of that data from its servers—actually constituted data transfers. The ECJ provided an important determination regarding data transfers in Lindqvist. If the concept of data transfers

were interpreted to mean that there is ‘transfer [of data] to a third country’ every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. The special regime provided for by Chapter IV of the directive would thus necessarily become a regime of general application, as regards operations on the internet.Footnote 131

The ECJ applied here what Dan Svantesson has called a reasonableness test.Footnote 132 Finding that the activities of Ms. Lindqvist constituted data transfers would have extended the coverage of EU law to a massive range of activities on the internet. The ECJ explained that

if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet.Footnote 133

Such a result would have been devastating for the use of the internet and unreasonable, if not impossible, to enforce.Footnote 134 The ECJ’s reasonableness test has been described by Christopher Kuner as “praiseworthy, even visionary, in its willingness to consider the international implications.”Footnote 135 On the basis of this reasonableness test it can also be argued that even hosting providers of internet sites in the EU do not “transfer” personal data to third countries when they make the uploaded data on their servers available to everyone on an internet site. This too would extend the regime to a massive range of activities on the internet. In conclusion, in cases where the application of the concept of data transfers would lead to unreasonable results, the cross-border flow of personal data should not constitute data transfers.

1.3.2.4 Third Countries

The data processing operation of data transfers is connected to the notion of “third countries.” Generally, all countries that are not EU member states are considered third countries for the purpose of the GDPR. The only exceptions are the three non-EU parties to the Agreement on the EEA: Iceland, Liechtenstein, and Norway.Footnote 136 Together with the EU member states, the EEA member states form a common market. In light of the importance of data protection and the free movement of data for the functioning of the common market, Directive 95/46/EC was considered EEA-relevant and was incorporated into Annex XI of the Agreement on the EEA in 1999.Footnote 137 On 6 July 2018, the EEA Joint Committee decided to update Annex XI and incorporate the GDPR into the Agreement on the EEA as the successor to Directive 95/46/EC.Footnote 138 With the incorporation of Directive 95/46/EC, and subsequently the GDPR, into the Agreement on the EEA, personal data can move freely within the EEA just as in the EU. Iceland, Liechtenstein, and Norway are therefore not considered third countries within the meaning of Articles 44-49 GDPR.Footnote 139

Decisions by the European Commission regarding the adequacy of the data protection laws of third countries, made according to Article 25 Directive 95/46/EC, cover several locations that are not independent countries but enjoy a form of home rule extending to data protection law. One example is the Faroe Islands.Footnote 140 It has been argued that these decisions are based on the fact that the aforementioned locations exercise sovereignty with respect to data protection law.Footnote 141 The possibility in the GDPR of adequacy decisions for a “territory” covers these locations without stretching the concept of a third country.

1.3.3 Data Transits

The routing of internet traffic often involves data flows passing through other countries before reaching their final destination in a third country. This passing through other countries is called data transits. The GDPR does not mention data transits. Directive 95/46/EC only referred to data transits through EU member states in Article 4(1)(c) as exceptions from the application of national data protection provisions. The UK Information Commissioner’s Office published a guidance paper on data transfers in 2017 and stressed that “transfer does not mean the same as mere transit” because the ordinary meaning of transfer is transmission from one place to another.Footnote 142 Scholars also distinguish data transfers from data transits. Hon argues that data transits should not be considered when determining whether a data transfer occurs because neither the OECD Privacy Guidelines nor Convention 108 consider data transits to be relevant and Directive 95/46/EC (and the GDPR) largely adopted the legal mechanisms for the transfer of personal data from these international instruments.Footnote 143 Lianne Colonna maintained that routing data through a network is something different from its delivery to a final destination.Footnote 144 She suggested that the network can be thought of as a bridge and the activities that occur while the data travels across are thus unimportant. According to Colonna, what matters is what happens at the beginning and the end of the transaction. Christopher Kuner explained that the policy behind the exemption of data transits from data transfers is rooted in the fact that in mere transits the rights and freedoms of individuals in the EU are not affected.Footnote 145

The problem with this perception is that the surveillance practices of a third country can capture personal data in transit between the EU and another third country. Contrary to what Colonna and Kuner have argued, the surveillance activities that occur while the data travels across the network bridge do affect the rights and freedoms of individuals in the EU. Already in 1989, a study prepared by the Committee of Experts on Data Protection under the authority of the Council of Europe considered that “[p]roblems of data security and confidentiality are heightened when data are piped through communication lines which traverse countries where little or no attention is accorded to issues of data protection.”Footnote 146 The current infrastructure of the internet makes it very difficult to determine the actual route of data flows.Footnote 147 The internet is structured to route data flows based on technical parameters (such as latency, velocity, thermal control) rather than on geography.Footnote 148 A huge part of global internet traffic crosses the US, which has the most developed international cable network worldwide.Footnote 149 The end-user cannot dictate the data’s routing (for example, to avoid cables passing through the US or to use only the cable from Portugal to Brazil). Internet service providers could potentially do this if they had to, but such efforts would be technically difficult, very costly, and would certainly require new cable infrastructure.Footnote 150 A group of scholars from Princeton found empirical evidence in 2016 that, at the time, some countries were completely avoidable, but that many of the most prominent surveillance states were the least avoidable.Footnote 151 For example, they showed that over 50% of the paths from the Netherlands to top domains transit the US.Footnote 152

If the concept of data transfers were to include every instance in which personal data passes through a third country on its way to its destination, the special regime provided for by Chapter V GDPR would become a regime that demands practically impossible solutions for internet routing. If an “unavoidable” country (for internet routing) did not ensure adequate protection, a huge part of internet traffic from the EU would not be allowed. For example, if the US were found to ensure inadequate protection of personal data and the US could not be avoided for data flows to other destinations, internet traffic from the EU containing personal data would be severely restricted. The inclusion of data transits in the legal concept of data transfers would thus have a huge impact on the internet as we know it today. The ECJ underlined in Lindqvist that it is necessary to take into account the technical nature of internet transactions in order to apply the concept of data transfers.Footnote 153 The ECJ demonstrated a willingness to apply data protection law based on technical realities rather than enforce unreasonable demands that would, in fact, disable the internet. I thus argue that data transits should not constitute data transfers, based on the same reasoning. Including data transits in the legal concept of data transfers would entail prohibiting a huge part of internet traffic from the EU, which would be unreasonable. It should be added that internet surveillance practices that affect personal data in transit are relevant under international human rights law and raise possibilities of international action in order to safeguard not only the right to data protection in Article 8 CFR but also Article 17 ICCPR.Footnote 154

1.3.4 Special Territories of the EU

The special territories of the EU are territories of EU member states which, for historical, geographical, or political reasons, enjoy special status in the EU. There are nine outermost regions (OMR) that form part of the EU, including the Azores, French Guiana, La Réunion, and the Canary Islands.Footnote 155 There are 13 overseas countries and territories (OCT) that do not form part of the EU, though they cooperate with the EU via the overseas countries and territories association, including Greenland, French Polynesia, and Aruba.Footnote 156 Lastly, there are several special cases. For example, the Faroe Islands, where the EU Treaties do not apply and which are considered a third country for the sake of the GDPR, have their own adequacy decision.Footnote 157 In contrast, the OMR and OCT are usually not considered third countries for the sake of the GDPR. In France, for example, the national legislation adapting French law to the GDPR extends the GDPR to the French OCT such as French Polynesia and the Wallis and Futuna Islands.Footnote 158

Data flows to the OMR and the OCT do not constitute data transfers to third countries and fall instead within the free movement of personal data according to Article 1(1) GDPR. The free movement of personal data to the OMR and the OCT may involve data transits, i.e. the routing of internet traffic through other (non-EU) countries before it reaches its destination. It was explained above how data transits can be subject to surveillance practices while the data travels across the network bridge. These surveillance practices affect the rights and freedoms of individuals in the EU. The GDPR allows the free movement of personal data, including to the OMR and the OCT, even if the respective data transits affect the rights and freedoms of individuals in the EU. This is clearly stated in Article 1(3) GDPR:

The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 1(3) GDPR entails potential limitations on the right to continuous protection of personal data in Article 8 CFR when data transits to the OMR and the OCT are subject to surveillance measures of third countries. AG Henrik Saugmandsgaard Øe accepted the risk that a third country other than the destination country may secretly intercept data flows from the internet infrastructure while the data are in transit in his opinion in Schrems 2.Footnote 159

1.4 Legal Mechanisms for Data Transfers

Chapter V GDPR from Article 44 to Article 49 GDPR is dedicated to the transfer of personal data from the EU to third countries. Article 44 GDPR maintains that data transfers may only take place according to the conditions laid down in Chapter V GDPR, which is the default position of the EU system for data transfers (Sect. 3.1.4.1). There are three legal mechanisms for data transfers: adequacy decisions according to Article 45 GDPR (Sect. 3.1.4.2), instruments providing appropriate safeguards in Article 46 GDPR (Sect. 3.1.4.3), and derogations for specific situations in Article 49 GDPR (Sect. 3.1.4.4).

1.4.1 Default Position

The default position for the cross-border flow of personal data is the principal rule underlying the system for data transfers. It describes the regulatory choice of a jurisdiction about cross-border flows of personal data.Footnote 160 There are two different options: Either cross-border flows of personal data are generally allowed, and regulators retain possibilities to block or limit them in certain instances, or cross-border flows of personal data are not allowed and should not take place unless a legal basis is present.

Christopher Kuner argues that the first option (allowing cross-border flows of personal data unless specific risks are present) may prove to be too reactive and allow enforcement only after personal data has already been misused abroad, whereas the second option (requiring a legal basis before cross-border flows of personal data take place) may be unduly restrictive and prove to be increasingly futile in light of technological developments such as cloud computing.Footnote 161 Which default position a jurisdiction chooses will largely depend on its own culture, history, and legal tradition. Article 44 GDPR embodies the regulatory choice of the EU. It follows the approach of the early data protection laws in Europe:

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country […] shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with.

Recital (107) GDPR specifies that in cases where the conditions of the three legal mechanisms for data transfers in the GDPR are not met, the transfer of personal data should be prohibited. Article 44 GDPR itself does not explicitly mention such a prohibition, but it is clear from the wording of the provision that data transfers may not take place outside of the three legal mechanisms in Chapter V GDPR. The EU system for data transfers in the GDPR thus operates on the default position that data transfers should not take place unless a legal basis allows them.Footnote 162

1.4.2 Adequacy Decisions

The first legal mechanism for data transfers is an adequacy decision for a third country according to Article 45 GDPR. The European Commission adopts adequacy decisions to enable data transfers from the EU to third countries without any further specific authorization. There are no limitations for data exporters who transfer personal data to third countries with an adequacy decision except for compliance with the other provisions of the GDPR. Article 45 GDPR sets out the elements that ought to be considered by the Commission when making an adequacy decision for a third country:Footnote 163

Article 45(2)(a) GDPR specifically mentions that the Commission shall consider relevant legislation—both general and sectoral—concerning public security, defense, national security, and criminal law as well as the access of public authorities to personal data. This element covers internet surveillance practices in third countries and is extremely relevant for the right to continuous protection of personal data in Article 8 CFR.Footnote 164 Article 45(2)(a) GDPR also mentions effective and enforceable data subject rights in combination with effective administrative and judicial redress for data subjects whose personal data are being transferred. Furthermore, Article 45(2)(a) GDPR includes rules for the onward transfer of personal data to another third country. Article 45(2)(b) GDPR requires the existence and effective functioning of an independent supervisory authority in the third country with the responsibility and power to ensure and enforce compliance with data protection rules. An independent supervisory authority in the third country must also assist and advise the data subjects in exercising their rights and cooperate with the supervisory authorities of the EU member states. This element refers to the constituent requirement of independent supervision enshrined in Article 8(3) CFR, which is also relevant for the right to continuous protection of personal data. Finally, Article 45(2)(c) GDPR refers to the international commitments a third country has undertaken as well as to participation in multilateral or regional systems in relation to the protection of personal data such as Convention 108.

At the moment, the Commission recognizes the following countries and territories as providing adequate protection for personal data: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom and Uruguay.Footnote 165 Two adequacy decisions for special frameworks in the US—Safe Harbor and Privacy Shield—were invalidated by the ECJ.Footnote 166 A third country that is not found to provide adequate protection, like the majority of third countries, is neither implicitly nor explicitly “black-listed.” According to the Article 29 WP, “[t]he public message would rather be that no general guidance regarding that particular country is yet available.”Footnote 167 The GDPR foresees that the other legal mechanisms in Chapter V GDPR should be used for data transfers in the absence of an adequacy decision. To date, the Commission has never issued a negative decision regarding the adequacy of data protection in a third country.

1.4.3 Instruments Providing Appropriate Safeguards

The second legal mechanism for data transfers is the provision of appropriate safeguards according to Article 46 GDPR. In the absence of an adequacy decision, a data exporter may transfer personal data to a third country if appropriate safeguards are provided and under the condition that enforceable data subject rights and effective legal remedies for data subjects are available. The EDPS noted, with respect to the notion of adequate safeguards in Article 26(2) Directive 95/46/EC, that these safeguards should be understood as data protection guarantees which are created for the specific situation and which do not already exist in the recipient’s legal system.Footnote 168 These safeguards are necessary because data subjects are not subject to an enforceable set of data protection rules providing an adequate level of protection in the third country.Footnote 169 It can be inferred from the right to continuous protection of personal data in Article 8 CFR that a legal mechanism for data transfers faces problems if it focuses solely on data protection obligations for the recipient of the personal data in the third country and ignores the shortcomings of the legal framework to which the recipient is subject in the third country.Footnote 170

Article 46 GDPR contains different instruments that provide appropriate safeguards for the transfer of personal data. These instruments must contain the full set of basic data protection principles in Article 5 GDPR.Footnote 171 Lingjie Kong correctly described the instruments providing appropriate safeguards as “contractualized versions of Directive 95/46/EC” (or of the GDPR).Footnote 172 They have to guarantee the data subject rights in Articles 15-22 GDPRFootnote 173 and they must provide effective legal remedies according to Articles 77-84 GDPR. The Article 29 WP explains that the effectiveness of instruments providing appropriate safeguards for the transfer of personal data must be judged on the grounds of three criteria:Footnote 174

  • They must deliver a good level of compliance. A good system is characterized by a high degree of awareness among data controllers of their obligations; the existence of oversight mechanisms; and effective and dissuasive sanctions for ensuring respect for rules.

  • They must provide support and help to data subjects in the exercise of their rights. Individuals must be able to enforce their rights rapidly and effectively without prohibitive cost.

  • They must provide appropriate redress to injured parties where rules are broken. This must involve impartial judgments.

The Article 29 WP further underlined that detail is imperative in cases where data transfers are based on a contractual instrument because they have to replace the substantive data protection rules of EU data protection legislation in the third country.Footnote 175

Article 46 GDPR divides the instruments providing appropriate safeguards into two categories: those in Article 46(3) GDPR requiring further authorization from a supervisory authority and those in Article 46(2) GDPR not requiring further involvement of a supervisory authority once the safeguard has been approved by the competent authority.Footnote 176 The latter category comprises standard data protection clauses that have been adopted by the European Commission and which were already recognized under Directive 95/46/EC (Article 46(2)(c) GDPR), as well as standard data protection clauses that have been adopted by a supervisory authority and approved by the Commission (Article 46(2)(d) GDPR). It explicitly recognizes two instruments that were developed through practice under Directive 95/46/EC: legally binding and enforceable instruments between public authorities or bodies (Article 46(2)(a) GDPR) and BCRs (Article 46(2)(b) and Article 47 GDPR). In addition, it introduces new instruments: codes of conduct (Article 46(2)(e) GDPR) and certification mechanisms (Article 46(2)(f) GDPR). According to the European Commission, the new instruments are intended to allow for the development of more tailor-made solutions for the transfer of personal data, reflecting, for instance, the specific features and needs of a given sector or industry.Footnote 177 The first category of safeguards requires further authorization from a supervisory authority and comprises “ad hoc” contractual clauses between the data controller or processor and the controller, the processor or the recipient of the personal data in the third country (Article 46(3)(a) GDPR), and specific provisions to be inserted into administrative arrangements between public authorities or bodies (Article 46(3)(b) GDPR).

This research focuses on standard data protection clauses according to Article 46(2)(c) GDPR and on BCRs according to Article 46(2)(b) and 47 GDPR. The selection of instruments mirrors their usage. According to the Commission, standard data protection clauses based on Article 46(2)(c) GDPR are the main instrument on which companies rely for their data export.Footnote 178 BCRs are commonly used for data transfers within the same group of enterprises that are engaged in a joint economic activity. The selection covers an instrument that is approved for unspecified data transfers to unspecified third countries such as the standard data protection clauses (Sect. 3.1.4.3.1), and an instrument that is approved for specified data transfers to specified third countries such as the BCRs (Sect. 3.1.4.3.2).

1.4.3.1 Standard Data Protection Clauses

To date, the European Commission has issued four sets of standard data protection clauses for the transfer of personal data from the EU to third countries. Three sets were adopted under Directive 95/46/EC and repealed with effect from 27 September 2021 but still deemed to provide appropriate safeguards under the GDPR until 27 December 2022 (provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards).Footnote 179 A new set of clauses was adopted under the GDPR.Footnote 180 Standard data protection clauses based on Article 46(2)(c) GDPR simplify data transfers. Rather than use attorneys to draft contractual solutions to provide appropriate safeguards from scratch and then have them authorized by a supervisory authority according to Article 46(3)(a) GDPR, a company can use the model standard data protection clauses and their “off-the-rack” language without further engaging a supervisory authority.Footnote 181

Standard data protection clauses based on Article 46(2)(c) GDPR are approved without referring to specified data transfers and specified third countries. The decision of the Commission provides a blueprint of contractual clauses that can be inserted in contracts for different types of data transfers to different third countries. However, the liberal approach of approving standard data protection clauses based on Article 46(2)(c) GDPR for unspecified data transfers to unspecified third countries is mostly blind to the inadequacies of data protection in third countries.Footnote 182

1.4.3.2 BCRs

Many companies use BCRs based on Article 46(2)(b) GDPR for data transfers within their group of enterprises. Article 47(1) GDPR requires that BCRs be approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 GDPR. Article 47(2) GDPR contains different requirements for BCRs. They must specify, among others,

  • the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as the structure and contact details of each of its members (Article 47(2)(a) GDPR);

  • the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question (Article 47(2)(b) GDPR);

  • their legally binding nature, both internally and externally (Article 47(2)(c) GDPR);

  • the application of the general data protection principles and in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the BCRs (Article 47(2)(d) GDPR);

  • the rights of data subjects in regard to processing and their means to exercise those rights (Article 47(2)(e) GDPR);

  • the complaint procedures (Article 47(2)(i) GDPR);

  • the cooperation mechanism with the relevant supervisory authority to ensure compliance by all members of the group of undertakings (Article 47(2)(l) GDPR); and

  • the mechanisms for reporting to the relevant supervisory authority any legal requirements to which a member of the group of undertakings is subject in a third country and which are likely to have a substantial adverse effect on the guarantees provided by the BCRs (Article 47(2)(m) GDPR).

A company is entitled to approval of its BCRs if they fulfill the requirements in Article 47 GDPR. The rules in Article 47 GDPR only cover an examination of the BCRs and their application by the companies involved, and not the relevant legislation concerning public security, defense, national security and criminal law in third countries, nor the access of public authorities to personal data that is transferred to third countries. However, unlike the approval of standard data protection clauses based on Article 46(2)(c) GDPR, the approval of BCRs is for specified data transfers to specified third countries, and this information thus allows supervisory authorities to take risks for fundamental rights into account when assessing whether to approve BCRs.Footnote 183

1.4.4 Derogations for Specific Situations

The third legal mechanism for data transfers is a derogation for specific situations according to Article 49 GDPR. As the wording in the title of Article 49 GDPR suggests, derogations are exceptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced.Footnote 184 The derogations in Article 49 GDPR must respect the principle inherent in EU law that any clauses making exceptions must be interpreted narrowly so that the exception does not become the rule.Footnote 185

There are different types of derogations according to Article 49(1) GDPR. This research focuses on two derogations that are especially relevant for companies that use data transfers for the conduct of their business: the contract-based derogation in Article 49(1)(b) GDPR, which requires that the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (Sect. 3.1.4.4.1); and the consent-based derogation in Article 49(1)(a) GDPR, which requires that the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject (Sect. 3.1.4.4.2).

1.4.4.1 Contract-based Derogation

Article 49(1)(b) GDPR contains the contract-based derogation for data transfers. This derogation refers to data transfers that are necessary for the performance of a contract between the data subject and the controller.Footnote 186 The use of the contract-based derogation is restricted. Recital (111) GDPR states that the contract-based derogation in Article 49(1)(b) GDPR shall be limited to occasional transfers. The EDPB underlined that “[d]ata transfers regularly occurring within a stable relationship would be deemed as systematic and repeated, hence exceeding an ‘occasional’ character.”Footnote 187 Furthermore, Article 49(1)(b) GDPR itself requires that data transfers must be necessary for the performance of a contract. At least one of the central contractual services must therefore be impossible if the data is not transferred to the third country in question. There must be a close and direct or substantial link between the data transfer and the performance of the contract.Footnote 188 Such a close and direct link does not exist, for example, simply for data storage in the third country or for additional direct marketing purposes.Footnote 189 It is not enough if the data transfer is only useful or allows cost savings. These conditions restrict the room for data exporters to lawfully use the contract-based derogation in Article 49(1)(b) GDPR. They prevent the contract-based derogation in Article 49(1)(b) GDPR from being used to undermine the extraterritorial dimension of the right to data protection.

This liberal approach of allowing unspecified data transfers to unspecified third countries within the limits of the contract-based derogation is not entirely blind to the inadequacies of data protection in third countries. The contract referred to in Article 49(1)(b) GDPR must outline the risks of the data transfer in the third country. Even if Article 49(1)(b) GDPR does not contain any specific duty for the data controller concerning the risks of the data transfer, such a duty results from the transparency requirement in Article 5(1)(a) GDPR and the general information duty for data transfers in Article 13(1)(f) GDPR.Footnote 190

1.4.4.2 Consent-based Derogation

Article 49(1)(a) GDPR contains the consent-based derogation for data transfers. This derogation refers to data transfers in which the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers. The use of the consent-based derogation is restricted. Article 4(11) GDPR states that all consent must be freely given and Recital (42) GDPR holds that consent should not be regarded as freely given if the data subject has no genuine choice or is unable to refuse or withdraw consent without detriment. Recital (43) GDPR adds that consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance. Article 4(11) GDPR further states that any consent must be unambiguous. The Article 29 WP underlined that the GDPR is clear that unambiguous consent “requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration.”Footnote 191 Similarly, the ECJ found that “[o]nly active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.”Footnote 192 Recital (32) GDPR specifies that this could include ticking a box when visiting an internet website, choosing technical settings for information society services or some other statement or conduct which clearly indicates in context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity cannot therefore constitute consent.

Article 49(1)(a) GDPR is even stricter as it requires “explicit” consent. The GDPR requires explicit consent in situations in which particular data protection risks may emerge, and so, a high individual level of control over personal data is required.Footnote 193 Such risks appear in the context of cross-border flows of personal data. The term “explicit” refers to the way consent is expressed by the data subject. It requires that the data subject must give an express statement of consent.Footnote 194 Article 4(11) GDPR also states that consent must be specific. Article 49(1)(a) GDPR therefore holds that the data subject must explicitly consent to the proposed data transfer.

The consent-based derogation in Article 49(1)(a) GDPR is not entirely blind to the inadequacies of data protection in third countries, even though it allows unspecified data transfers to unspecified third countries. That is because Article 4(11) GDPR also requires that all consent must be informed. Article 29 WP found that “[f]or consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice.”Footnote 195 This includes, among other things, the data controller’s identity, the purpose of the transfer, the type of data, the existence of the right to withdraw consent, and the identity or the categories of recipients.Footnote 196 Article 49(1)(a) GDPR specifically requires that the data subject may only consent to data transfers after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. An abstract reference to the absence of an adequacy decision and appropriate safeguards is not enough.Footnote 197 It is necessary to list the typical risks associated with a transfer to a third country lacking an adequate level of data protection such as difficult enforcement of data subject rights, lack of control over further processing and onward transfer of personal data, lack of a supervisory authority, and access to personal data by government agencies, i.e. surveillance activities.Footnote 198

The recitals to the GDPR do not provide for a limitation to occasional data transfers for the consent-based derogation in Article 49(1)(a) GDPR. Nonetheless, the EDPS has highlighted that even though some of the derogations in Article 49 GDPR are not expressly limited to occasional or non-repetitive transfers, they still have to be interpreted in a way that does not contradict the very nature of derogations as exceptions from a rule.Footnote 199

1.5 Summary

The EU system for data transfers is the result of over fifty years of development. It has two major policy objectives: first, anticircumvention and the protection of fundamental rights, and second, enhancing trust in the information society. In contrast, there is no evidence that national security or economic protectionism is also a policy objective of the EU system for data transfers. The legal concept of data transfers is the heart of the EU system for data transfers. Out of all cross-border flows of personal data, there is a special category of transfers of personal data from the EU to third countries. The transmission of personal data to a (server) location in a third country is a suitable description for data transfers. Generally equating the term transfer with disclosure jeopardizes fundamental rights protection for data flows that do not involve intelligible access to personal data in the third country. Where the application of the concept of data transfers leads to unreasonable results, cross-border data flows should not be interpreted to constitute data transfers. This is one reason why data transits do not constitute data transfers. The EU system for data transfers in the GDPR operates on the default position that transfers of personal data to third countries should not take place unless a legal mechanism in Chapter V GDPR allows the transfer of personal data to a third country. There are three legal mechanisms for data transfers: adequacy decisions according to Article 45 GDPR; instruments providing appropriate safeguards in Article 46 GDPR; and derogations for specific situations in Article 49 GDPR.

2 Continuous Protection of Personal Data and Adequacy Decisions

The second section of this chapter is dedicated to the interplay of the right to continuous protection of personal data in Article 8 CFR and adequacy decisions as a legal mechanism to transfer personal data from the EU to third countries according to Article 45 GDPR. The analysis of the politics of adequacy decisions shows that their adoption is not always focused on fundamental rights (Sect. 3.2.1). This is problematic because adequacy decisions have to fully comply with the right to continuous protection of personal data in Article 8 CFR (Sect. 3.2.2). Nonetheless, the regulatory framework validates adequacy decisions as a legal mechanism for data transfers (Sect. 3.2.3). The European Commission carries the primary responsibility for the transfer mechanism in Article 45 GDPR to comply with fundamental rights (Sect. 3.2.4).

2.1 The Politics of Adequacy Decisions

An adequacy decision for a third country is the easiest legal mechanism for data exporters to use because it does not require any further specific authorization for the transfer of personal data. Many third countries want to be recognized as providing adequate protection for personal data under EU law. However, only a small number of countries and territories are currently recognized to provide such protection. Importantly, there is no right to an adequacy finding in EU law (Sect. 3.2.1.1). Furthermore, an analysis of the politics of adequacy decisions reveals shortcomings: arbitrary procedures (Sect. 3.2.1.2), content-related inconsistencies (Sect. 3.2.1.3), and indications of preferential treatment (Sect. 3.2.1.4).

2.1.1 No Right to an Adequacy Finding

The European Commission has so far only recognized a small number of countries and territories as providing an adequate level of data protection. Not everyone is happy with the small number of adequacy findings so far. After all, adequacy decisions are the least complicated legal mechanism for data exporters. The Article 29 WP recognized early on the potential for diplomatic tensions surrounding adequacy decisions and noted that

[a] risk is that some third countries might come to see the absence of a finding that they provided adequate protection as politically provocative or at least discriminatory, in that the absence of a finding is as likely to be the result of their case not having been examined as of a judgement on their data protection system.Footnote 200

Peter Blume has argued that not placing a country on the white list is similar to blacklisting it.Footnote 201 He has also claimed that blacklisting a country can cause diplomatic problems. However, the Article 29 WP suggested that in cases in which a country is not (yet) found to have adequate protection, “this need not imply that the country is implicitly or explicitly ‘black-listed’” but rather only that “no general guidance regarding that particular country is yet available.”Footnote 202 Alex Boniface Makulilo has suggested that mitigating the possibilities of diplomatic tensions with third countries is the main reason why the EU has mostly awaited requests from third countries to initiate adequacy determinations instead of actively selecting third countries for adequacy assessments.Footnote 203 Theoretically, all countries can ask to be assessed.

The Commission has the power to determine, based on Article 45 GDPR, whether a country outside the EU offers an adequate level of data protection.Footnote 204 The Commission is not obliged to use that power. Matthias Oesch has argued that “[t]here is a common understanding in the EU that there is no right for a third country to receive a positive adequacy decision from the European Commission, even where the third country is convinced that the requirements are met.”Footnote 205 Stewart Room, the data protection lead partner at PwC UK, has also stated with regard to Brexit that “an adequacy decision is not an automatic right”.Footnote 206 In accordance with the ECJ’s settled case law, “there is in the FEU Treaty no general principle obliging the Union, in its external relations, to accord in all respects equal treatment to different third countries and traders do not in any event have the right to rely on the existence of such a principle.”Footnote 207 Indeed, there is nothing in the GDPR, or in EU law in general, indicating that a third country has a right to an adequacy finding, even if the conditions are met.

2.1.2 Arbitrary Procedures

The European Commission is responsible for adequacy decisions. The EDPB provides the Commission with opinions on the level of data protection in third countries according to Article 70(1)(s) GDPR.Footnote 208 In order to do that, the Commission provides the EDPB with all necessary documentation, including correspondence with the government of the third country. Makulilo has observed that the Commission sometimes engages in a bilateral dialogue with a third country to try to facilitate improvement of data protection until the required level of protection is achieved.Footnote 209 This happens before the Commission even consults the EDPS for an opinion. There were also instances where the Article 29 WP itself tried to facilitate improvements. The proactive role of the Commission and of the Article 29 WP in facilitating adequacy decisions is positive, but it seems to be arbitrary in application at times because it has not been equally applied to third countries.

A good example is the adequacy decision for Monaco. The supervisory authority tasked by the Article 29 WP with producing a preliminary report on the adequacy of Monaco’s data protection regime—the French Commission nationale de l’informatique et des libertés (CNIL)—called for a mediation meeting between the data protection authority of Monaco, the Commission de contrôle des informations nominatives (CCIN), and the Monegasque government to discuss deficiencies regarding the effective independence of the CCIN.Footnote 210 This meeting led to an agreement clarifying the competences and the relationships between both parties in terms of human resources and budget management. This example stands in contrast with the case of Québec, in which the CNIL made no attempt to contact the federal privacy commissioner in order to discuss deficiencies resulting from the relationship between federal and provincial data protection law.Footnote 211

Another example concerns the four African countries—Burkina Faso, Mauritius, Tunisia, and Morocco—which sought adequacy assessments from the EU. In these cases, the Commission mandated the Research Centre on IT and Law (CRID) at the University of Namur in Belgium in 2010 to research the level of data protection in the four African countries. None of these jurisdictions were considered to provide adequate protection for personal data in the confidential report of the CRID.Footnote 212 Yet there has been no official opinion of the Article 29 WP or the EDPB on the adequacy of these countries and it is not clear if and how the Commission (or the EDPB) is engaging with these countries to remedy their deficiencies. Jennifer Stoddart, Benny Chan, and Yann Joly have highlighted the ad hoc and discretionary manner in which the Article 29 WP, the EDPB, and the Commission seek clarifications and broker deals.Footnote 213

2.1.3 Content-related Inconsistencies

There are also some content-related inconsistencies between adequacy assessments that have been made. The adequacy assessments for Monaco and Argentina are good examples. The Article 29 WP determined that Monaco and Argentina both ensure an adequate level of protection for personal data transferred from the EU.Footnote 214 In the case of Monaco, however, the Article 29 WP noted that the Monegasque supervisory authority did not in practice enjoy a sufficient degree of financial independence and then referred to an agreement clarifying the competences and the relationships in terms of human resources and budget management. In the case of Argentina, the Article 29 WP considered that the power to nominate and dismiss the head of the Argentinian supervisory authority by the Minister of Justice and Human Rights, who also decides on the staffing of the authority, does not guarantee that the supervisory authority can act in complete independence, and did not even mention the issue of independent budget management.Footnote 215 In addition, Monaco received an adequacy decision because the deal between the Monegasque supervisory authority and the Monegasque government covered the deficiency regarding the independence of the supervisory authority, whereas Argentina received an adequacy decision without having to significantly safeguard the independence of its supervisory authority.Footnote 216 It is important to highlight that independent supervision is one of the constituent parts of the right to data protection enshrined in Article 8(3) CFR, which aggravates the content-related inconsistency of the adequacy decision for Argentina.

Another content-related inconsistency can be found in the adequacy assessments for New Zealand and Québec. The Article 29 WP found seven instances in which New Zealand’s data protection legislation and practices were not fully adequate, but they were neither singly nor jointly sufficient to prevent a finding of overall adequacy.Footnote 217 One of the seven instances referred to onward transfers of personal data to another third country. The Article 29 WP noted that

[a]lthough the Working Party does not consider that New Zealand law complies fully with the onward transfer principle, it does not believe that there is a major shortfall or that this needs to stand in the way of an ‘adequacy’ finding.Footnote 218

In the adequacy assessment for Québec, which did not result in finding that Québec ensures an adequate level of protection for data transferred from the EU, the Article 29 WP heavily criticized that

the onward transfer principle needs to be clarified in Quebec’s law. In fact, any onward transfer should require the use of contractual or other binding provisions in order to provide a comparable level of protection with the protection awarded by EU law. A comparable level of protection refers to all data protection principles, and is not limited to the purposes of processing and the requirement of consent for further communication of the personal data. Consent should not be promoted as the general legal basis for onward transfers as the recipient then does not commit to take any action to ensure an adequate level of protection; this situation should thus remain an exception.Footnote 219

It is important to note that the regulation of onward data transfers is essential for the right to continuous protection of personal data in Article 8 CFR, which aggravates the content-related inconsistency of the adequacy decision for New Zealand. Furthermore, New Zealand is a member of the Five Eyes intelligence sharing network and also maintains internet surveillance practices.Footnote 220 The examples reveal content-related inconsistencies in the assessment of adequacy. Adequacy findings thus cannot always be said to focus on fundamental rights.

Finally, it is worth mentioning that the politics of adequacy decisions is not immune from ulterior considerations. An example, although ultimately of no effect, was Ireland’s objection to the adequacy decision for Israel. After Israel received a favorable adequacy assessment from the Article 29 WP,Footnote 221 Ireland officially objected and delayed the European Commission’s adequacy decision. Ireland made an objection for reasons wholly unrelated to data protection, as it was outraged by the use of fake Irish passports by alleged Israeli agents in a targeted killing.Footnote 222 Christopher Wolf rightly points out that the use of the adequacy mechanism to achieve unrelated political ends could threaten the legitimacy and coherence of the EU system for data transfers.Footnote 223

2.1.4 Indications of Preferential Treatment

The examples of Monaco and Québec show that the French CNIL went to extra lengths to broker a deal with Monaco. The Article 29 WP opinion also mentions that the French CNIL was appointed as rapporteur on the adequacy study for Monaco “due to its historical relationship with Monaco.”Footnote 224 One may thus think that European countries will find it easier to obtain a positive adequacy finding than non-European countries. However, geography may not be a central factor when it comes to the politics of adequacy decisions. The examples of Argentina and New Zealand show that distant countries were able to profit from lax adequacy assessments. With respect to New Zealand, the Article 29 WP opinion even stated that

given the geographical isolation of New Zealand from Europe, its size and the nature of its economy, it is unlikely that New Zealand agencies will have any business interest in sending significant volumes of EU-sourced data to third countries.Footnote 225

In the case of New Zealand, geographical isolation from Europe was a factor that enabled a lax adequacy assessment with regard to onward data transfers.Footnote 226 The Article 29 WP opinion did not only consider the geographical isolation of New Zealand from Europe, but also the nature of its economy and the likelihood that significant volumes of EU-sourced personal data will be transferred onwards. This is why Christopher Wolf has argued that there is “a different standard for large- versus small-scale data processing countries when seeking adequacy determinations.”Footnote 227 Graham Greenleaf and Lee Bygrave argue that

[i]n a country like India, where outsourcing of the processing of European data is of large scale, as are other forms of business and travel involving personal data, different considerations are likely to apply.Footnote 228

However, this position is put into perspective when one looks at the invalidated special framework adequacy decisions for the US or the most recent adequacy decision for Japan which followed an FTA between Japan and the EU. Nevertheless, apart from Argentina and Uruguay, all countries deemed to provide adequate protection for personal data transferred from the EU are members of the OECD. This selection of countries is not without strategy. The Commission explicitly stated that

[u]nder its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued: (i) the extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; (iii) the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and (iv) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.Footnote 229

This strategy potentially puts third countries at a disadvantage if they are not negotiating an FTA with the EU, are potentially dangerous as a destination country for outsourcing of data processing operations, and are neither geographically nor culturally close to the EU. Despite this, the strategy also allows countries that would otherwise be at a disadvantage to be considered if they are data protection champions and serve as a role model for other third countries.

2.2 Limitations on Continuous Protection of Personal Data Using Adequacy Decisions

The right to continuous protection of personal data requires that the level of protection for personal data that is transferred from the EU to a third country is essentially equivalent to that guaranteed within the EU. This right is not absolute. Limitations on the exercise of the right to continuous protection of personal data can be lawful according to Article 52(1) CFR. Yet this interference must be found in the EU rather than in the third country (Sect. 3.2.2.1). The legal basis for the interference must indicate under what circumstances and conditions the interference takes place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse (Sect. 3.2.2.2). The material objectives of the interference must either qualify as a general interest recognized by the EU or be protected by another right or freedom in the Charter (Sect. 3.2.2.3). The principle of proportionality demands that there cannot be another measure, which would affect less adversely the right to continuous protection of personal data and still contribute effectively to the material objectives being pursued (Sect. 3.2.2.4).

2.2.1 Interference

The European Commission adopts adequacy decisions as the means of acknowledging that a third country provides an adequate level of protection for personal data. An interference with the right to data protection takes place when the processing of personal data does not respect one or more of the constituent parts enshrined in Article 8 CFR.Footnote 230 The right to continuous protection of personal data is an unwritten constituent part of the right to data protection in Article 8 CFR. Any processing of personal data that does not respect that right constitutes an interference with Article 8 CFR.

AG Yves Bot found in his opinion in Schrems that “the access enjoyed by the United States intelligence services to the transferred data […] constitutes an interference with the fundamental right to protection of personal data guaranteed in Article 8 of the Charter.”Footnote 231 His finding indicated that the processing of personal data by US intelligence services interferes with Article 8 CFR. He added, however, that this interference is permitted by derogations in Decision 2000/520, i.e. the Safe Harbor adequacy decision.Footnote 232 According to the fourth paragraph of Annex I Decision 2000/520, the applicability of the Safe Harbor principles in the adequacy decision may be limited by US authorities “to the extent necessary to meet national security, public interest, or law enforcement requirements.” The ECJ similarly explained in Schrems that

[i]n the light of the general nature of the derogation set out in the fourth paragraph of Annex I to Decision 2000/520, that decision thus enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.Footnote 233

The ECJ elaborated that while an interference with fundamental rights may take place in the third country, the legal basis that enables that interference in the third country must lie in the EU. With regard to Decision 2000/520, the ECJ recognized the fourth paragraph of Annex I Decision 2000/520 as the basis that enabled the interference in the US. Similarly, the ECJ held in Schrems 2 that the derogations set out in paragraph I.5 of Annex II Decision (EU) 2016/1250, the Privacy Shield adequacy decision, enable interference with the fundamental rights of the persons whose personal data is transferred to the US based on national security and public interest requirements or the domestic legislation of the US.Footnote 234

Nevertheless, this seems to fall short of a comprehensive understanding of an interference with fundamental rights caused by data transfers on the basis of adequacy decisions. Apart from Decision 2000/520 and Decision (EU) 2016/1250, no other adequacy decision contains a similar derogation that explicitly enables public authorities of a third country to limit the protection of personal data for national security and law enforcement purposes. However, an interference with fundamental rights in the third country can also take place if an adequacy decision does not entail an explicit derogation for public authorities of the third country. In such a case, the ECJ would have to look elsewhere to find the legal basis that enables the interference in the third country.

Article 1 Decision (EU) 2019/419, i.e., the adequacy decision for Japan, which was also the first adequacy decision made under the GDPR, provides that

Japan ensures an adequate level of protection for personal data transferred from the European Union to personal information handling business operators in Japan subject to the Act on the Protection of Personal Information as complemented by the Supplementary Rules set out in Annex I, together with the official representations, assurances and commitments contained in Annex II.

Annex II Decision (EU) 2019/419 covers the legal framework in Japan concerning access to information by the government of Japan for criminal law enforcement and national security purposes. The Commission’s adequacy finding in Article 1 Decision (EU) 2019/419 is connected to the official representations, assurances and commitments contained in Annex II Decision (EU) 2019/419. Recital (173) Decision (EU) 2019/419 provides that

on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

Article 1 Decision (EU) 2019/419 is the legal basis that enables possible interferences with fundamental rights in Japan because it connects the possibility to transfer personal data to Japan with an acknowledgment of the legal framework described in Annex II Decision (EU) 2019/419.

Older adequacy decisions under Directive 95/46/EC, such as the Decision 2000/518/EC, i.e. the adequacy decision for Switzerland, do not contain any specific reference to the legal frameworks of the third countries concerning access to information by public authorities of the third country for criminal law enforcement and national security purposes. Article 1 Decision 2000/518/EC only provides that “Switzerland is considered as providing an adequate level of protection for personal data transferred from the Community.”

Even if there is no explicit acknowledgment of the legal framework in the third country concerning access to information by public authorities of the third country for criminal law enforcement and national security purposes, the Commission’s adequacy finding still implies that it implicitly approves the legal framework of the third country. Accordingly, Article 1 Decision 2000/518/EC is the legal basis that enables possible interferences in Switzerland because it entails the possibility to transfer personal data to Switzerland.

All adequacy decisions approve, albeit in different ways, the legal framework concerning access to information in the third country for criminal law enforcement and national security purposes. Their common denominator in providing the legal basis for a potential interference is that they enable the transfer of personal data to a third country. Without the actual transfers of personal data there is no possibility of interference in the third country.

The ECJ had to determine the validity of a draft PNR agreement that would have enabled the transfer of PNR data from the EU to Canada in Opinion 1/15. The opinion required the ECJ to identify possible interferences with fundamental rights. The ECJ found that

both the transfer of PNR data from the European Union to the Canadian Competent Authority and the framework negotiated by the European Union with Canada of the conditions concerning the retention of that data, its use and its subsequent transfer […] constitute interferences with the right guaranteed in Article 7 of the Charter.Footnote 235

The ECJ added that “[t]hose operations also constitute an interference with the fundamental right to the protection of personal data guaranteed in Article 8 of the Charter.”Footnote 236

The ECJ underlined in Opinion 1/15 that not only the negotiated framework constitutes an interference but also the actual transfer of PNR data. If that finding is applied to adequacy decisions, both the transfer of personal data from the EU and the adequacy finding that approves the legal framework in the third country concerning access to information in the third country for criminal law enforcement and national security purposes constitute interferences with Article 8 CFR should they not respect the right to continuous protection of personal data.

The interference with the right to continuous protection of personal data in Article 8 CFR should be found in the EU. Ultimately, the rules, measures, and actions of third states also entail intrusions, which, if they were attributable to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection in Article 8 CFR.Footnote 237 Those intrusions should, however, be assessed with regard to the standard of essential equivalence that is part of the right to continuous protection of personal data. If intrusions caused by the rules, measures, and actions of third states do not respect the standard of essential equivalence, then the transfer of personal data based on the adequacy decision and the adequacy finding itself constitute interferences with the right to continuous protection for personal data enshrined in Article 8(1) CFR.

2.2.2 Legal Basis

The limitation of the exercise of fundamental rights must be provided for by law. The legal basis that permits an interference with Article 8 CFR must itself already define the scope of the limitation on the exercise of fundamental rights.Footnote 238 The legal basis for interferences with Article 8 CFR must indicate under what circumstances and conditions the interference will take place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse.Footnote 239 These safeguards are particularly important in cases in which personal data is subject to automated processing and involves sensitive data.Footnote 240

The transfer of personal data based on an adequacy decision as well as the adequacy finding are both interferences with Article 8 CFR if the level of protection for personal data in the third country is not essentially equivalent to that guaranteed within the EU. The adequacy finding is usually elaborated in the first article of an adequacy decision. The adequacy decision of the Commission constitutes the legal basis for the transfer of personal data as it enables data transfers without any further authorization, implementation, or application of the decision. The question is whether adequacy decisions fulfill the conditions regarding the scope of the limitations on the exercise of fundamental rights and minimum safeguards.

Some adequacy decisions refer (or referred) to the scope of the limitations on the exercise of fundamental rights permitted for the respective third state, which, if they were attributable to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection in Article 8 CFR:

  • Decision (EU) 2019/419, i.e., the adequacy decision for Japan, contains representations, assurances, and commitments of the Japanese government regarding its legal framework for the collection and use of personal data by public authorities for criminal law enforcement and national security purposes. Annex II of Decision (EU) 2019/419 refers in particular to the available legal bases for surveillance measures, the applicable conditions (limitations) and safeguards, including independent oversight and individual redress possibilities. Article 3(5)(b) Decision (EU) 2019/419 holds that the Commission may suspend, amend or repeal the decision if there are indications that the Japanese public authorities do not comply with the representations, assurances, and commitments contained in Annex II of Decision (EU) 2019/419, including as regards the conditions and limitations for the collection of and access to personal data transferred under Decision (EU) 2019/419 by Japanese public authorities for criminal law enforcement or national security purposes.

  • Decision (EU) 2016/1250, the Privacy Shield adequacy decision, maintained in Article 1(2) that the EU-US Privacy Shield is constituted by the principles issued by the US Department of Commerce as set out in Annex II of Decision (EU) 2016/1250 and the official representations and commitments contained in the documents listed in Annexes I and III to VI of Decision (EU) 2016/1250. Section I(5) Annex II Decision (EU) 2016/1250 held that the privacy principles in Annex II may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements. Annex VI of Decision (EU) 2016/1250 contained two letters from the US General Counsel of the Office of the Director of National Intelligence that were sent to the US Department of Commerce which “extensively discuss, among other things, the policies, safeguards, and limitations that apply to signals intelligence activities conducted by the US.”Footnote 241 Annex III of Decision (EU) 2016/1250 contained representations regarding the rules for the new EU-US Privacy Shield Ombudsperson mechanism for signals intelligence activities.

  • Older adequacy decisions under Directive 95/46/EC such as Decision 2000/518/EC, the adequacy decision for Switzerland, also refer to the scope of the limitations on the exercise of fundamental rights and minimum safeguards regarding the rules, measures and actions of the respective third state, which, if they were attributable to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection in Article 8 CFR, but in a less comprehensive way.Footnote 242

With regard to minimum safeguards, independent oversight and remedies are important. According to Article 45(3) and (4) GDPR, the Commission has to monitor the application of the legal framework in the third country, upon which an adequacy decision is based, and, at least once every four years, evaluate the adequacy finding for the third country in question.Footnote 243 In cases where the Commission has indications that an adequate level of protection for personal data is no longer ensured, it may decide to suspend, amend, limit, or repeal an adequacy decision according to Article 45(5) GDPR.Footnote 244 In addition, supervisory authorities also have the investigative powers in Article 58(1) GDPR at their disposal, which should protect individuals against the risk of abuse of their personal data. Supervisory authorities are entitled to consider the validity of adequacy decisions, but the ECJ alone has jurisdiction to declare adequacy decisions invalid. Individuals have the right to lodge a complaint with a supervisory authority according to Article 77(1) GDPR. Supervisory authorities must handle complaints lodged with them, investigate the subject matter of the complaint, and inform the complainant of the progress and outcome of the investigation within a reasonable period of time based on Article 57(1)(f) GDPR. Adequacy decisions therefore provide a valid legal basis for an interference with the right to continuous protection for personal data in Article 8 CFR.

2.2.3 Objectives of General Interest and Protection of the Freedoms of Others

According to Article 52 CFR, justification for an interference that limits the exercise of fundamental rights further requires that the limitations genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others. Public security in third countries qualifies as a general interest recognized by the EU (Sect. 3.2.2.3.1), and both the freedom of expression and information in Article 11 CFR (Sect. 3.2.2.3.2) and the freedom to conduct a business in Article 16 CFR (Sect. 3.2.2.3.3) qualify as rights of others which must be protected.

2.2.3.1 Public Security in a Third Country

The protection of public security is an objective of general interest recognized by the EU.Footnote 245 The question is whether this objective also covers public security in third countries. In this regard it must be observed that the EU should contribute to peace and security in its relations with the wider world according to Article 3(5) TEU. The EU should also define and pursue common policies in all fields of international relations, to preserve peace, prevent conflicts, and strengthen international security based on Article 21(2)(c) TEU. The protection of international security is thus clearly an objective of general interest recognized in the EU Treaties. The ECJ elaborated in Opinion 1/15 that

the transfer of PNR data by air carriers to Canada and the use of that data by the Canadian Competent Authority are justified […] only by the objective of ensuring public security in that non-member country and in the European Union.Footnote 246

It seems, therefore, that the protection of public security in a third country can be an objective of general interest recognized by the EU. In order to justify an interference with the right to continuous protection of personal data based on the protection of public security in a third country, that protection must be one of the material objectives of the data transfers and the adequacy finding.Footnote 247 However, data transfers on the basis of an adequacy decision are normally part of a commercial activity.Footnote 248 They do not typically relate to the protection of public security in a third country. Nevertheless, the adequacy findings must be interpreted in light of the whole adequacy decision.

Decision 2000/520, the Safe Harbor adequacy decision, allowed limitations on the privacy principles contained in the adequacy decision in the fourth paragraph of Annex I of Decision 2000/520:

  (a) to the extent necessary to meet national security, public interest, or law enforcement requirements;

  (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.

AG Yves Bot found that point (a) is “sufficiently precise to be regarded as an objective of general interest recognised by the European Union within the meaning of Article 52(1) of the Charter” and that point (b) does “not pursue an objective of general interest defined with sufficient precision.”Footnote 249

Decision (EU) 2016/1250, the Privacy Shield adequacy decision, maintained in Section I(5) of Annex II that adherence to the privacy principles contained in the adequacy decision may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements. Section I(b) of Annex VI added six specific purposes for signals intelligence:

detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion.

Decision (EU) 2019/419, the adequacy decision for Japan, also contains a series of representations of the Japanese government regarding the legal framework for the collection and use of personal data by Japanese public authorities for criminal law enforcement and national security purposes in Annex II of Decision (EU) 2019/419. In these adequacy decisions, the protection of public security in a third country was or, in the case of Japan, is one of the material objectives.

In contrast, older adequacy decisions such as Decision 2000/518/EC, the adequacy decision for Switzerland, do not refer to security concerns of the third state at all. Accordingly, the public security of the third country cannot be considered a material objective of these older adequacy decisions.

2.2.3.2 Freedom of Expression and Information

The right to freedom of expression and information in Article 11 CFR includes the freedom to hold opinions and to receive and impart information and ideas without interference by public authorities and regardless of frontiers. AG Juliane Kokott suggested in her opinion in Satamedia that the freedom of expression in Article 11 CFR should be understood “in the sense of freedom of communication.”Footnote 250 AG Verica Trstenjak agreed with AG Kokott in her opinion in MSD Sharp and summarized that Article 11 CFR “includes the freedom to communicate information without interference by public authority” and that “not only is the communication of one’s own ideas but also the transmission of third-party ideas and information protected.”Footnote 251 It must be acknowledged at this point that data transfers enable the communication of information involving personal data.

The freedom of expression and information in Article 11 CFR corresponds to Article 10 ECHR.Footnote 252 The freedom to communicate information and ideas under Article 10 ECHR includes many types of information: political speech, cultural speech, and artistic speech, but it also includes economic communication, the so-called commercial speech.Footnote 253 The same is true for Article 11 CFR.Footnote 254 A private legal entity can invoke the protection of the right to freedom of expression and information even for purely commercial activities, that is, activities that are conducted for purposes of monetary gain.Footnote 255 Data transfers enable different types of speech that involve personal data.

The wording of Article 11 CFR implies that the freedom of communication is not confined to the borders of the EU.Footnote 256 The wording is similar to the freedom of expression enshrined in Article 19(2) ICCPR. Molly Land described Article 19(2) ICCPR as providing “an important countervailing force to the rise of borders on-line by creating an explicit right to seek, receive, and impart information across borders.”Footnote 257 Data transfers are a key tool for the exercise of the freedom of expression and information enshrined in Article 11 CFR.Footnote 258

In order to justify an interference with the right to continuous protection of personal data in Article 8 CFR based on the protection of the freedom of expression and information, the protection of this freedom must be one of the material objectives of the data transfers and the adequacy finding.Footnote 259 No adequacy decision to date refers to the protection of Article 11 CFR, but this does not preclude an argument using Article 11 CFR as a justification. Recital (4) GDPR states that the GDPR respects all fundamental rights and mentions, in particular, the freedom of expression and information. Furthermore, Article 85(1) GDPR specifically requires the EU member states to reconcile the right to data protection with the freedom of expression and information. The protection of freedom of expression and information is one of the material objectives of the GDPR and, therefore, also of Chapter V GDPR on the transfer of personal data to third countries.

2.2.3.3 Freedom to Conduct a Business

The freedom to conduct a business is a fundamental right enshrined in Article 16 CFR.Footnote 260 Article 16 CFR recognizes the freedom to conduct a business in accordance with Union law and national laws and practices. According to the explanations relating to the Charter, Article 16 CFR constitutes a bundle of rights: the freedom to exercise an economic or commercial activity, the freedom of contract, and the right to free competition.Footnote 261 AG Pedro Cruz Villalón maintained in his opinion in Alemo-Herron that “the case-law has not, in fact, provided a full and useful definition of this freedom.”Footnote 262 He then provided a useful description based on the explanations relating to the Charter:

In effect, the freedom to conduct a business, as stated in that article, acts to protect economic initiative and economic activity, obviously within limits but nevertheless ensuring that there are certain minimum conditions for economic activity in the internal market. Thus, the freedom to conduct a business acts as a limit on the actions of the Union in its legislative and executive role as well as on the actions of the Member States in their application of European Union law.Footnote 263

AG Cruz Villalón added that “the freedom to conduct a business protects economic initiative and the ability to participate in a market, rather than the actual profit, seen in financial terms, that is earned in that market.”Footnote 264 The free movement of personal data protects the freedom to conduct a business on the internal market. It is, however, not clear whether data transfers and the freedom to conduct business across borders are also covered.

The ECJ dealt with questions regarding cross-border economic activities and Article 16 CFR on multiple occasions. In Affish BV, the ECJ had to assess the validity of Decision 95/119/EC concerning certain protective measures on fishery products originating in Japan.Footnote 265 Affish BV, a private company established in the Netherlands, imports deep-frozen fish products from Japan and distributes them in the EU. Affish BV argued that Decision 95/119/EC is a disproportionate restriction on its business activity and a danger to its viability since a significant part of its revenue comes from the importation of fishery products from Japan.Footnote 266 The ECJ found that the freedom to pursue a trade or business is not absolute and that the contested decision cannot be regarded as constituting a disproportionate interference.Footnote 267 Even though the ECJ did not side with Affish BV, it did apply the freedom to conduct a business in a cross-border context. The ECJ also had to assess the quota arrangements for importing bananas imposed by Regulation (EEC) 1442/93 in Germany v Council.Footnote 268 The ECJ found that the restrictions imposed by Regulation (EEC) 1442/93 on the freedom of traditional third country banana traders correspond to objectives of general Community interest and thus do not impair the very substance of that right.Footnote 269 Again, the ECJ did not find a violation of Article 16 CFR, but it applied the freedom to conduct a business in a cross-border context. The freedom to conduct a business in Article 16 CFR therefore also covers cross-border economic activities.Footnote 270 Data transfers to third countries may be used, and at times have to be used, for cross-border economic activities. In this sense, they can be viewed as a tool for exercising the freedom to conduct a business that is enshrined in Article 16 CFR.

In order to justify an interference with the right to continuous protection of personal data in Article 8 CFR based on the protection of the freedom to conduct a business, that protection must be one of the material objectives of the data transfers and the adequacy finding.Footnote 271 No adequacy decision to date refers to the protection of Article 16 CFR, but that does not generally preclude an argument using Article 16 CFR as a justification. Recital (4) GDPR states that the GDPR respects all fundamental rights and also specifically mentions the freedom to conduct a business. Recital (101) GDPR states that flows of personal data to and from countries outside the Union are necessary for the expansion of international trade. Adequacy decisions also refer to the importance of data transfers for international trade. For example, Recital (1) Decision (EU) 2019/419, the adequacy decision for Japan, maintains that

[t]he flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.

This is also reflected in the submission of the Irish DPC in Schrems 2 before the IHC (but with a view to standard data protection clauses). The DPC argued that there is a crucial distinction between the data transfers in a PNR agreement and Facebook’s data transfers. The DPC maintained that PNR agreements have “no other, independent commercial reason for the transfer of the data” and that the data transfers of Facebook in Schrems 2 “are for commercial purposes by definition.”Footnote 272 The IHC also stated that “[t]he free transfer of data around the world is now central to economic and social life in the Union and elsewhere.”Footnote 273 The protection of the freedom to conduct a business in Article 16 CFR is one of the material objectives of the GDPR and, therefore, also of Chapter V GDPR on the transfer of personal data to third countries.

2.2.4 Proportionality

The principle of proportionality requires that limitations on fundamental rights must be appropriate in light of the objective pursued and limited to what is strictly necessary.Footnote 274 It is also necessary to examine whether there are other measures which affect the right to continuous protection of personal data less adversely and still contribute effectively to the objectives of general interest recognized by the EU or the need to protect the fundamental rights and freedoms of others. It has to be seen whether the interference with the right to continuous protection of personal data is proportional to the objective of public security in a third country (Sect. 3.2.2.4.1), to the protection of the freedom of expression and information in Article 11 CFR (Sect. 3.2.2.4.2), and to the protection of the freedom to conduct a business in Article 16 CFR (Sect. 3.2.2.4.3).

2.2.4.1 Public Security in a Third Country

The ECJ found in Digital Rights Ireland that—with regard to the growing importance of means of electronic communication—the retention of personal data from such communications may help criminal investigations shed light on serious crime and is, therefore, appropriate for the purposes of ensuring public security.Footnote 275 Similarly, the ECJ found in Opinion 1/15 that the transfer of PNR data from the EU to Canada and the subsequent processing of that data in Canada is appropriate for the purpose of ensuring public security.Footnote 276

Adequacy findings may be considered appropriate for protecting public security in a third country because they allow systematic, structural, and continuous transfers of personal data to a third country. Normally, data transfers are part of a commercial activity. However, transfers of personal data can be used by third countries to extract information about individuals in the EU if they employ surveillance measures to analyze the transmitted information. Intelligence agencies of third countries can use the abundance of transmitted information to protect public security.

The ECJ held in Digital Rights Ireland that a proportionality assessment must take into account the extent and seriousness of the interference.Footnote 277 The extent of the interference depends on the amount of personal data and the number of individuals that are subject to intrusions in the third country. Because adequacy findings enable systematic, structural, and continuous data transfers to a third country without further authorization they potentially entail interference with the fundamental rights of a significant part of the European population.Footnote 278 The interference therefore requires a strict proportionality assessment. I argue that under such an assessment, the interference with the right to continuous protection of personal data in Article 8 CFR exceeds the limits of what is necessary to protect public security in a third country. There are measures that affect the right to data protection less adversely and could still effectively contribute to public security in third countries. For example, targeted international cooperation between intelligence agencies of EU member states and third countries could protect public security in a third country without subjecting a significant part of the European population to interferences with fundamental rights. Adequacy findings that do not respect the right to continuous protection for personal data cannot be justified based on the protection of public security in the third country.

2.2.4.2 Freedom of Expression and Information

Data transfers based on an adequacy finding enable individuals and companies to impart information and ideas without interference by public authorities and regardless of borders. Adequacy findings allow systematic, structural, and continuous data transfers to third countries and may, therefore, be considered appropriate to protect the freedom of expression and information enshrined in Article 11 CFR.

There must be a fair balance between the interference with the right to data protection and the protection of the freedom of expression and information. In this context, it is important to emphasize that some cross-border flows of personal data do not fall under the concept of data transfers. The ECJ held in Lindqvist that the uploading of personal data onto an internet site hosted in the EEA does not constitute a transfer of personal data.Footnote 279 I also underlined that even hosting providers of internet sites in the EEA do not transfer personal data to third countries when they make the uploaded data available to everyone on an internet site.Footnote 280 Consequently, these cross-border flows of personal data do not require an adequacy decision or another legal mechanism to legitimate them. This type of cross-border flow of personal data covers an important part of the freedom to impart information and ideas without interference by public authorities and regardless of borders. In order to address proportionality, it is necessary to distinguish between cross-border flows of personal data for commercial speech and those for other forms of expression. The level of protection and the margin of appreciation are important considerations for balancing between two or more fundamental rights and freedoms.Footnote 281

Commercial speech typically attracts a lower level of protection than other forms of expression and there is a greater margin of appreciation in determining limits to it.Footnote 282 The ECJ found multiple times that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary.Footnote 283 Accordingly, it would not be proportional to justify limitations on the right to continuous protection of personal data using protection of commercial speech because the right to data protection attracts a higher level of protection than commercial speech.

Other forms of expression, however, are explicitly mentioned in Article 85(2) GDPR. Article 85(2) GDPR requires EU member states to provide exemptions or derogations from the rules in the GDPR, such as the legal mechanisms for the transfer of personal data in Chapter V GDPR, for journalistic purposes or the purpose of academic, artistic, and literary expression if they are necessary to reconcile the right to data protection with the freedom of expression and information.Footnote 284 The EU legislator clearly indicated in Article 85(2) GDPR that the right to data protection and journalistic, academic, artistic, and literary speech must be reconciled and that the freedom of expression and information may justify data transfers even if they interfere with the right to continuous protection for personal data. The EU legislator determined in Article 85(2) GDPR that this reconciliation should take place outside the regular legal mechanisms for the transfer of personal data in Chapter V GDPR and at the level of the EU member states. In Sweden, for example, the Data Protection Act with supplementing provisions to the EU Data Protection Regulation of 18 April 2018 provides in Chapter 1 Section 7 that neither the GDPR nor this Act shall apply in so far as they would infringe upon the Freedom of the Press Act or the Freedom of Expression Act, and that the articles of the GDPR which include the data transfer system shall not apply to the processing of personal data for journalistic purposes or the purposes of academic, artistic or literary expression.Footnote 285

It would therefore not be proportional to justify limitations on the right to continuous protection of personal data with the protection of journalistic, academic, artistic and literary speech because Article 85(2) GDPR explicitly requires EU member states to adopt rules that affect less adversely the right to data protection and still contribute effectively to the protection of journalistic, academic, artistic, and literary speech.

2.2.4.3 Freedom to Conduct a Business

Data transfers based on adequacy findings enable individuals and companies to operate business models that require transfers of personal data to third countries and must, therefore, be considered appropriate to protect the freedom to conduct a business enshrined in Article 16 CFR.

In these cases, there must be a fair balance between the interference with the right to data protection caused by data transfers on the basis of an adequacy decision and the protection of the freedom to conduct a business. AG Cruz Villalón pointed out in his opinion in Alemo-Herron that the ECJ often used the freedom to conduct a business in its case law as a counterweight to other fundamental rights.Footnote 286 For example, the ECJ found in Achbita that an employer’s wish to project an image of religious neutrality towards customers falls under the freedom to conduct a business and that this wish allows the employer to restrict, within certain limits, the freedom of religion enshrined in Article 10 CFR.Footnote 287 ECJ Judge Allan Rosas suggested that one consideration for the balancing of different rights or freedoms is related to the wording and context of the rights or freedoms in question.Footnote 288 If the wording provides that someone has a right “in accordance with national laws and practices,” then this would suggest a wider margin of appreciation for limitations.Footnote 289 This is true for the freedom to conduct a business. In light of the wording of Article 16 CFR, the ECJ found that “the freedom to conduct a business may be subject to a broad range of interventions on the part of public authorities which may limit the exercise of economic activity in the public interest.”Footnote 290 It seems that the right to data protection in Article 8 CFR attracts a higher level of protection than the freedom to conduct a business in Article 16 CFR. The ECJ found multiple times that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary.Footnote 291 Furthermore, in the absence of an adequacy decision for a third country, individuals and companies may still rely on other legal mechanisms for data transfers such as the derogations in Article 49 GDPR.

It would not be proportional to justify the limitations on the right to continuous protection of personal data with the freedom to conduct a business because the right to data protection attracts a higher level of protection and there are measures that affect the right to data protection less adversely and still effectively contribute to the protection of the freedom to conduct a business.

2.3 The Validity of Adequacy Decisions as a Legal Mechanism

Adequacy decisions must fully comply with the right to continuous protection of personal data. The validity of an adequacy decision depends on the level of protection in the third country being essentially equivalent to that guaranteed within the EU.Footnote 292 The validity of adequacy decisions as a legal mechanism for data transfers depends on the regulatory framework surrounding the transfer mechanism that guarantees the right to continuous protection of personal data. First, the Commission must be able to assess, review, and monitor the level of protection in a third country. Second, the transfer of personal data based on adequacy decisions must be subject to independent supervision. Third, data subjects must be able to enforce their right to continuous protection for personal data.

The assessment of the level of protection for personal data in the third country for an adequacy decision is regulated in Article 45(2) GDPR. The Commission is required to assess relevant legislation, both general and sectoral, concerning public security, defense, national security, and criminal law as well as the access of public authorities in the third country to personal data. The review of the level of protection for personal data in the third country is regulated in Article 45(3) GDPR.Footnote 293 The Commission must review every adequacy decision at least once every four years in order to take into account any relevant developments in the third country. The monitoring of the level of protection for personal data in third countries for an adequacy decision is regulated in Article 45(4) GDPR. The Commission must also monitor developments in the third country on an ongoing basis. If the review or the monitoring reveals that a third country no longer ensures an adequate level of protection for personal data, then the Commission must repeal, amend, or suspend an adequacy decision according to Article 45(5) GDPR.

Supervisory authorities are responsible for ensuring compliance with the legal mechanisms for data transfers in accordance with Article 8(3) CFR. They are vested with the power to check whether the transfer of personal data from the EU member state to the third country complies with the requirements laid down in the GDPR.Footnote 294 The ECJ made it clear that adequacy decisions can be subject to judicial review.Footnote 295 Data subjects have a right to lodge a complaint with a supervisory authority in order to protect their fundamental rights with regard to data transfers.Footnote 296 In cases in which a supervisory authority considers that there are well-founded objections as to the compliance of an adequacy decision with the GDPR and the Charter, the national legislature must provide for legal remedies enabling the supervisory authority to advance these objections before the national courts to allow them to make a reference to the ECJ for a preliminary ruling regarding the validity of the respective adequacy decision.Footnote 297 The same is true in cases in which a supervisory authority comes to the conclusion that the complaint of an individual against an adequacy decision is unfounded and therefore rejects it.Footnote 298 The data subject who lodged the complaint must have access to judicial remedies enabling him or her to challenge such a decision before national courts.Footnote 299 Finally, the ECJ has jurisdiction to declare an adequacy decision invalid.Footnote 300 The regulatory framework surrounding adequacy decisions validates them as a legal mechanism for data transfers.

2.4 The European Commission as Guardian of Fundamental Rights

Control over continuous protection for personal data in relation with adequacy decisions lies primarily with the European Commission. The Commission assesses the level of protection for personal data in third countries, decides whether that level is essentially equivalent to that guaranteed within the EU, reviews and monitors developments in third countries that could affect the validity of a previously made adequacy decision, and repeals, amends, or suspends an adequacy decision in cases in which available information reveals that a third country no longer ensures a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. In this way, the European Commission acts as the guardian of fundamental rights with regard to the transfer of personal data based on an adequacy decision.

The primary responsibility for ensuring continuous protection for personal data in relation with the adequacy decisions of the Commission is complemented by the tasks of supervisory authorities and the judicial system. Supervisory authorities are responsible for monitoring compliance with rules concerning the protection of individuals regarding the processing of their personal data in accordance with Article 57 GDPR. Each of the supervisory authorities in the EU member states is vested with the power to examine whether the transfer of personal data complies with the requirements laid down in the GDPR.Footnote 301 This is also required by Article 8(3) CFR. The supervisory authorities and national judicial systems are entitled to consider the validity of adequacy decisions, but the ECJ alone has jurisdiction to declare adequacy decisions invalid.Footnote 302

2.5 Summary

Adequacy decisions must fully comply with the right to continuous protection for personal data and the standard of essential equivalence. No limitations on the exercise of the right to continuous protection for personal data are possible for data transfers based on adequacy decisions. The right to continuous protection for personal data in Article 8 CFR has a restrictive effect on data transfers based on adequacy decisions. Only countries that guarantee a level of protection that is essentially equivalent to that guaranteed within the EU qualify for an adequacy decision. The justification of this restrictive effect is firmly rooted in the protection of fundamental rights. However, there are some problems when it comes to a consistent fundamental rights-based application of adequacy decisions. My analysis has revealed discriminatory procedures, content-related inconsistencies, geographic and economic biases, and other unconnected considerations. The European Commission is the guardian of fundamental rights with regard to adequacy decisions. It must follow a fundamental rights-based approach regarding the adoption of adequacy decisions.

3 Continuous Protection of Personal Data and Appropriate Safeguards

The third section of this chapter is dedicated to the interplay of the right to continuous protection of personal data in Article 8 CFR and the instruments providing appropriate safeguards according to Article 46 GDPR. The analysis of the politics behind appropriate safeguards reveals a laissez-faire attitude towards fundamental rights protection (Sect. 3.3.1). This is problematic because the instruments providing appropriate safeguards must fully comply with the right to continuous protection for personal data (Sect. 3.3.2). Nonetheless, the regulatory framework around the instruments in Article 46 GDPR validates appropriate safeguards as a legal mechanism for data transfers (Sect. 3.3.3). The supervisory authorities in the EU member states carry the primary responsibility for the instruments providing appropriate safeguards to comply with fundamental rights (Sect. 3.3.4).

3.1 The Politics of Appropriate Safeguards

The instruments providing appropriate safeguards in Article 46 GDPR allow systematic, structural, and continuous data transfers just like adequacy decisions. For a long time, the politics of appropriate safeguards could best be described with the term “laissez faire” because it tolerated the functional limits of the instruments providing appropriate safeguards and the associated violations of the right to continuous protection for personal data for many data transfers (Sect. 3.3.1.1). This kind of laissez-faire politics was especially evident after the ECJ invalidated Decision 2000/520, the Safe Harbor adequacy decision, in the Schrems judgment (Sect. 3.3.1.2). By now, it has become clear that the assumption of layered levels of protection among the different data transfer mechanisms cannot be maintained in light of the right to continuous protection for personal data (Sect. 3.3.1.3). The ECJ clarified that the data exporter is responsible to act on the functional limits of the instruments providing appropriate safeguards (Sect. 3.3.1.4).

3.1.1 Laissez-Faire Politics

Many of the instruments deemed to provide appropriate safeguards for the transfer of personal data in Article 46 GDPR are somewhat “blind” to the inadequacy of data protection in third countries.Footnote 303 For example, the European Commission generally approves standard data protection clauses in Article 46(2)(c) GDPR without specifying which data transfers to which third countries they can be used for. The standard data protection clauses adopted by the Commission are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the EU.Footnote 304 However, the standard data protection clauses do not offer all-encompassing guarantees for the protection of personal data. Due to their contractual nature, the standard data protection clauses cannot bind the public authorities of third countries, since they are not party to the contract.Footnote 305 This makes the data transfers vulnerable to surveillance practices in third countries. Even if this is not a recent realization, the standard data protection clauses, and other instruments providing appropriate safeguards, have long been used with little attention to the continuous protection of personal data.Footnote 306 According to the Commission, the standard data protection clauses in Article 46(2)(c) GDPR are still the main legal mechanism companies rely on for the export of personal data.Footnote 307 In practice, they are often being used for data transfers to third countries with a terrible track record when it comes to surveillance, data protection, and fundamental rights such as China, Russia, and also the US.Footnote 308 Before the ECJ handed down the judgment in Schrems 2, the politics of appropriate safeguards was one of a laissez-faire attitude that tolerated the functional limits of the instruments and the associated potential violations of the right to continuous protection for personal data in Article 8 CFR.

3.1.2 The Effect of Repealed or Invalidated Adequacy Decisions

The kind of laissez-faire politics described above is also apparent when it comes to the effect of repealed or invalidated adequacy decisions. The European Commission has to repeal, amend, or suspend an adequacy decision where available information reveals that a third country, a territory, or one or more specified sectors within a third country no longer ensures an adequate level of protection according to Article 45(5) GDPR. The ECJ invalidates adequacy decisions for the same reasons.Footnote 309 The legal vacuum left in the wake of an adequacy decision being repealed or invalidated creates a special situation for the instruments providing appropriate safeguards in Article 46 GDPR. In these cases, it has become clear that the third country does not provide a level of protection for personal data that is essentially equivalent to that guaranteed within the EU.

After the ECJ invalidated Decision 2000/520, the Safe Harbor adequacy decision, in the Schrems judgment, the Commission argued that instruments providing appropriate safeguards may be used as an alternative data transfer mechanism.Footnote 310 However, the Commission was careful to stress that its decision should not prejudice the powers and duties of supervisory authorities in the examination of the lawfulness of such transfers.Footnote 311 The Commission also pointed out that the availability of standard contractual clauses after the invalidation of Decision 2000/520 is without prejudice to additional measures that the data exporter may have to take.Footnote 312 The Commission thus acknowledged that the invalidation of Decision 2000/520 may have consequences for other data transfer mechanisms. The Article 29 WP also released a statement asserting that even if Decision 2000/520 cannot be relied on for data transfers to the US, other legal mechanisms for data transfers like the standard data protection clauses can still be used in the meantime as a legal basis for such transfers.Footnote 313 At the same time, the Article 29 WP stressed that it would continue to analyze the impact of the Schrems judgment on these alternative legal mechanisms.Footnote 314 Some national supervisory authorities went further than that. For example, the Conference of the German Data Protection Authorities at the Federal and State Level stressed that they would no longer grant new authorizations for the use of alternative data transfer mechanisms for data transfers to the US.Footnote 315 Overall, however, there was no comprehensive reaction limiting data transfers to the US on the basis of instruments providing appropriate safeguards.

Similarly, after the ECJ invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision, in the Schrems 2 judgment, the Commission underlined that even in the absence of the Privacy Shield, transatlantic data transfers can continue using other mechanisms for international transfers of personal data available under the GDPR.Footnote 316 Two commissioners even stressed that standard contractual clauses remain a valid tool for such transfers.Footnote 317

An isolated reading of the GDPR would support such a conclusion. Article 45(7) GDPR states that a decision to repeal, amend, or suspend an adequacy decision pursuant to Article 45(5) GDPR is without prejudice to the other legal mechanisms for data transfers. In the same spirit, Article 46(1) GDPR maintains that data transfers with instruments providing appropriate safeguards are possible in the absence of an adequacy decision. This covers not only situations where the adequacy of data protection has not (yet) been officially assessed, but also situations where an adequacy decision has been repealed or invalidated. This is also confirmed in Recital (107) GDPR:

The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country […] should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards […] and derogations for specific situations are fulfilled.

Such an isolated reading of the GDPR thus creates the impression that the repeal or invalidation of an adequacy decision has no influence on the other legal mechanisms for data transfers. This is problematic from a fundamental rights perspective.

3.1.3 Layered Levels of Protection Versus Same Levels of Protection

One of the reasons for this laissez-faire politics is the assumption that the different legal mechanisms for the transfer of personal data should provide different levels of protection for personal data. For example, Christopher Kuner has suggested––based on Directive 95/46/EC––that the legal mechanism of adequate safeguards in Article 26(2) Directive 95/46/EC “can be seen as the middle level of protection.”Footnote 318 He also argued that the different standards of protection of the legal mechanisms for data transfers can help explain how one legal mechanism can be invalid without affecting the other.Footnote 319 He maintained that “the fact that an adequacy decision is invalid for not providing essential equivalence (the highest standard) does not mean that a transfer may not be possible based on adequate safeguards (the middle standard).”Footnote 320

Facebook, Digital Europe, and the Business Software Alliance argued similarly in the proceedings of Schrems 2 before the IHC. They pointed out that Article 26 Directive 95/46/EC––the legal basis of the standard contractual clauses––is a derogation from Article 25 Directive 95/46/EC––the legal basis of the adequacy decisions––and that “[b]y definition, transfers of data to third countries pursuant to Article 26 are on the basis that the third country does not afford the data an ‘adequate level of protection’.”Footnote 321 In contrast, the DPC relied on Recital (10) Directive 95/46/EC, which maintains that the objective of laws on data processing is to protect fundamental rights and freedoms, to argue that

whether the Directive refers to adequate protection (Article 25), adequate safeguards (Article 26 (2)) or sufficient safeguards (Article 26 (4)), data processing is entitled to the same high level of protection whether or not the processing occurs within the EU or is transferred for processing to a third country and regardless of the method employed to effect a lawful transfer of personal data to a third country.Footnote 322

The IHC accepted that Article 26 Directive 95/46/EC is a derogation from Article 25 Directive 95/46/EC and that data transfers pursuant to Article 26 Directive 95/46/EC are not premised upon the existence of an adequate level of protection in the third country.Footnote 323 At the same time, the IHC also maintained that even if Article 26 Directive 95/46/EC is a derogation, “the data is still entitled to a high level of protection” and that “[i]t follows therefore that transfers of personal data to a third country cannot simply step outside the protection guaranteed by the Directive entirely.”Footnote 324 The IHC found “that data exporters cannot rely solely upon the [standard contractual clauses] as complying with the requirements of the Directive regardless of the legal regime in the third country to which the data is exported.”Footnote 325 According to the IHC, the high level of protection accorded personal data is mandatory for the instruments providing adequate safeguards for data transfers in Article 26 Directive 95/46/EC.

AG Henrik Saugmandsgaard Øe supported this argument in his opinion in Schrems 2. He maintained––based on the GDPR––that both “Articles 45 and 46 of the GDPR are aimed at ensuring the continuity of the high level of protection of personal data.”Footnote 326 He referred to Article 44 GDPR and explained that the “rule is designed to ensure that the standards of protection resulting from EU law are not circumvented by transfers of personal data to a third country” and that “it is immaterial that the transfer is based on an adequacy decision or on guarantees provided by the controller or processor, in particular by means of contractual clauses.”Footnote 327 The ECJ followed the opinion of the AG in Schrems 2 and held that the instruments providing appropriate safeguards in Article 46 GDPR must be capable of ensuring that data subjects whose personal data are transferred to a third country are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the EU.Footnote 328 This is consistent with the finding of the ECJ in Opinion 1/15 in which the Court decided that the draft PNR agreement between the EU and Canada must provide continuous protection of personal data that is essentially equivalent to that guaranteed within the EU.Footnote 329 The PNR agreement is an instrument providing appropriate safeguards according to Article 46(2)(a) GDPR––a legally binding and enforceable instrument between public authorities or bodies.

The jurisprudence of the ECJ clarified that the assumption that the different legal mechanisms for the transfer of personal data should provide different levels of protection for personal data cannot be maintained with regard to adequacy decisions and instruments providing appropriate safeguards. AG Saugmandsgaard Øe summarized that only the way in which the continuity of the high level of protection is provided differs according to the legal basis of the transfer.Footnote 330 This finding is important as the instruments providing appropriate safeguards in Article 46 GDPR allow systematic, structural, and continuous data transfers just like Article 45 GDPR.

3.1.4 Responsibility for the Data Exporter

The findings of the ECJ that instruments providing appropriate safeguards in Article 46 GDPR must provide the same level of protection as adequacy decisions in Article 45 GDPR did not change the fact that many of those instruments cannot bind the public authorities of third countries, since they are not party to the contract between the data exporter and the data importer.Footnote 331 This is why the ECJ added in Schrems 2 that it is for the data exporter to verify whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to the instruments providing appropriate safeguards.Footnote 332 Should the data exporter not be able to ensure such protection, the transfer of personal data to the third country concerned must be suspended or ended.Footnote 333 It is thus the responsibility of the data exporter to guarantee that the instruments providing appropriate safeguards are not being used when they cannot guarantee a level of protection for personal data that is essentially equivalent to that guaranteed within the EU.Footnote 334 This seems to be a continuation of the laissez-faire politics of appropriate safeguards but with a clear allocation of the responsibility and a clear indication of the level of protection for personal data. Accordingly, the European Commission adopted a new set of standard data protection clauses on 4 June 2021––the old sets of standard data protection clauses were repealed with effect from 27 September 2021 but still deemed to provide appropriate safeguards under the GDPR until 27 December 2022 (provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards) according to Article 4 Decision (EU) 2021/914. This new set of standard data protection clauses adds specific duties for the data exporter and the data importer such as data protection impact assessments that should include a data transfer impact assessment, which has to be provided to the competent supervisory authority upon request,Footnote 335 as well as a description of security and organizational measures that are taken to ensure the protection of the data.Footnote 336

3.2 Limitations on Continuous Protection of Personal Data Using Appropriate Safeguards

The right to continuous protection for personal data requires that the level of protection for personal data that is transferred from the EU to a third country is essentially equivalent to that guaranteed within the EU. That right is not absolute. Limitations on the exercise of the right to continuous protection of personal data can be lawful according to Article 52(1) CFR. This section analyzes such limitations for data transfers based on the instruments providing appropriate safeguards in Article 46 GDPR. Just as described with regard to the other legal mechanisms for the transfer of personal data, the interference must be found in the EU rather than in the third country (Sect. 3.3.2.1). The legal basis for the interference must indicate under what circumstances and conditions the interference will take place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse (Sect. 3.3.2.2). The material objectives of the interference must either qualify as a general interest recognized by the EU or be protected by another right or freedom in the Charter (Sect. 3.3.2.3). Finally, the principle of proportionality must be observed (Sect. 3.3.2.4).

3.2.1 Interference

Any interference with the right to continuous protection of personal data must be found in the EU.Footnote 337 Ultimately though, the rules, measures, and actions of third states also entail intrusions, which, if they were attributed to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection in Article 8 CFR.Footnote 338 Those intrusions should, however, be assessed with regard to the standard of essential equivalence. If the intrusions caused by the rules, measures, and actions of third states do not respect the standard of essential equivalence, then the transfer of personal data based on instruments providing appropriate safeguards constitutes an interference with the right to continuous protection of personal data enshrined in Article 8 CFR.

Unlike adequacy decisions, the approval of the instruments in Article 46 GDPR does not acknowledge the conditions for the processing of personal data in the third country but rather the provision of appropriate safeguards by the instruments themselves. Many of the instruments in Article 46 GDPR are “blind” to the inadequacies of data protection in third countries. This is why the actual transfer of personal data based on these instruments constitutes an interference with Article 8 CFR if it does not respect the right to continuous protection of personal data.

3.2.2 Legal Basis

The limitation on the exercise of a fundamental right must be provided for by law. The legal basis that permits the interference with Article 8 CFR must itself already define the scope of the limitation.Footnote 339 The legal basis for interferences with Article 8 CFR must indicate under what circumstances and conditions this interference can legally take place and impose minimum safeguards to provide sufficient guarantees that individuals’ rights will not be abused.Footnote 340 These safeguards are particularly important in cases in which personal data is subject to automated processing and involves sensitive data.Footnote 341

The transfer of personal data based on instruments providing appropriate safeguards constitutes an interference with Article 8 CFR if the level of protection for personal data in the third country is not essentially equivalent to that guaranteed within the EU. The legal basis for transfers of personal data is different for each instrument. The two most important instruments in Article 46 GDPR will be analyzed here: standard data protection clauses based on Article 46(2)(c) GDPR (Sect. 3.3.2.2.1) and BCRs based on Article 46(2)(b) GDPR (Sect. 3.3.2.2.2).

3.2.2.1 Standard Data Protection Clauses Based on Article 46(2)(c) GDPR

Standard data protection clauses indicate under what circumstances and conditions a data processing operation may be said to interfere with the right to continuous protection for personal data, i.e., the transfer of personal data to a third country. This research covers both an old set of standard data protection clauses provided by Decision 2010/87/EU that was subject to the judgment in Schrems 2 and the new set of standard data protection clauses provided by Decision (EU) 2021/914.

Appendix 1 of the standard data protection clauses provided by Decision 2010/87/EU required the contracting parties to specify the data exporter, the data importer, the data subjects, the categories of data, and the processing operations that the transferred data will be subject to. Appendix 2 of the standard data protection clauses provided by Decision 2010/87/EU required the contracting parties to outline the technical and organizational security measures that the data importer will implement. Decision 2010/87/EU also described the circumstances which were compatible with these clauses regarding access to the transferred personal data by public authorities in the third country.Footnote 342

As regards minimum safeguards, Clause 5(a) of the standard data protection clauses provided by Decision 2010/87/EU required the data importer to process the personal data in compliance with the standard data protection clauses. If the importer could not comply with those clauses, then the importer had to promptly inform the exporter. Under Clause 5(b) the data importer had to certify that there was no reason to believe that applicable legislation prevented it from fulfilling its obligations under the standard data protection clauses. In the event of a change in that legislation which was likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses, the importer further had to promptly notify the data exporter about the change. In both cases, the data exporter was entitled to suspend the transfer and/or terminate the contract under the standard data protection clauses and was even required to do so.Footnote 343 Unless the controller terminated the contract, it was in breach of its obligations under Clause 4(a) as interpreted in the light of the GDPR and of the Charter.Footnote 344

In accordance with Clause 4(g) of the standard data protection clauses provided by Decision 2010/87/EU, the data exporter had to forward all notifications received from the data importer to the competent supervisory authority if the exporter decided to continue the transfer. The forwarding of this notification to the supervisory authority as well as the supervisory authority’s right to conduct an audit of the recipient of personal data pursuant to Clause 8(2) enabled the supervisory authority to ascertain whether the proposed transfer should have been suspended or prohibited in order to ensure an adequate level of protection.Footnote 345 Article 4 Decision 2010/87/EU referred to the powers of supervisory authorities set out in Article 28(3) Directive 95/46/EC, which were replaced by Article 58 GDPR. The supervisory authorities were invested with investigative and corrective powers to protect individuals against the risk of abuse of their personal data. Data subjects may—when they consider that there has been a breach of the standard data protection clauses—request the relevant supervisory authorities to exercise their corrective powers according to Article 77(1) GDPR.

The standard data protection clauses provided by Decision 2010/87/EU also established, in favor of data subjects, enforceable rights and remedies against the exporter and against the importer. Clause 3(1) entailed a remedy for the data subject against the exporter in the event of a breach of the standard data protection clauses. Clause 3(2) included the same remedy for the data subject against the data importer in cases in which the exporter had factually disappeared or had ceased to exist in law. These minimum safeguards guaranteed that individuals could effectively protect their personal data against the risk of abuse. Because of these safeguards, standard data protection clauses could provide a valid legal basis for interferences with Article 8 CFR.

This conclusion is also true for the new set of standard data protection clauses provided by Decision (EU) 2021/914. Annex 1 also requires the contracting parties to specify the data exporter, the data importer, the categories of data subjects whose personal data is transferred, the categories of personal data that is transferred, the frequency of the transfer (one-off or continuing), the nature of the processing, the purposes of the transfer and further processing, the period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period, and the competent supervisory authority. Annex 2 also requires the contracting parties to outline the technical and organizational measures to ensure the security of the data. It provides a more detailed list of the possible technical and organizational measures necessary to ensure an appropriate level of protection, including measures to ensure the security of the data.Footnote 346 In addition, Clause 5 clearly stipulates that the new standard data protection clauses take precedence over and supersede, for example, contradictory contractual or general terms and conditions clauses.

As regards minimum safeguards, the parties warrant in Clause 14(a) that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the standard data protection clauses. Again, this is based on the understanding––which is explicitly stated in Clause 14(a)––that laws and practices that respect the essence of the EU fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with standard data protection clauses. The warranty in Clause 14(a) has to rely on an assessment of different elements surrounding the data transfers in Clause 14(b). This ‘data transfer impact assessment’Footnote 347 must be documented and made available to the competent supervisory authority upon request according to Clause 14(d).

There are different notification requirements for the data importer in different situations: In Clause 14(e), notification must be given when the data importer has reason to believe that it is or has become subject to laws or practices that prevent it from fulfilling its obligations under the standard data protection clauses (such as protection from unauthorized disclosure or access). In Clause 15(a), the data importer has to notify the data exporter if it actually receives a legally binding request from a public authority for the disclosure of data transferred pursuant to the standard data protection clauses or if it becomes aware of any direct access by public authorities to personal data transferred pursuant to the standard data protection clauses. In Clause 16(a), the data importer generally needs to inform the data exporter if it is unable to comply––for whatever reason––with the standard data protection clauses.

When the data exporter receives a notification that the data importer has reason to believe that it is or has become subject to laws or practices that prevent it from fulfilling its obligations under the standard data protection clauses, Clause 14(f) requires it to identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to address the situation, or to suspend the data transfers if it considers that no appropriate safeguards for such transfers can be ensured. According to Clause 16(b), the data exporter has to suspend the data transfer immediately in the event that the data importer is in breach of or unable to comply with the standard data protection clauses. Clause 16(c) then regulates the grounds for the data exporter to terminate the contract with the data importer.

The data subjects are entitled to challenge compliance with the standard data protection clauses according to Clause 11. They can invoke third-party beneficiary rights in Clause 3 and lodge complaints with a supervisory authority, and they can also be represented by a not-for-profit body, organization or association.

Finally, according to Clause 8 the data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under the standard data protection clauses. This might imply that the data exporter has to make sure that the data importer has an active monitoring policy for any internet surveillance practice that it might be subject to.

3.2.2.2 BCRs Based on Article 46(2)(b) GDPR

BCRs also indicate under what circumstances and conditions the data processing operations can be said to interfere with the right to continuous protection for personal data, i.e., the transfer of personal data to a third country. According to Article 46(1) GDPR, a data exporter in the EU may only transfer personal data if appropriate safeguards are provided and under the condition that enforceable data subject rights and effective legal remedies are available. BCRs provide these appropriate safeguards. The circumstances of the data processing operations can be found in the BCRs themselves. Article 47(2) GDPR contains a list of requirements for BCRs to be approved by the relevant supervisory authority. For example, BCRs must specify the group of enterprises engaged in a joint economic activity that export and import the personal data; the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question; and the application of the general data protection principles. Additionally, some BCRs also provide general descriptions of the circumstances that are compatible with the BCRs regarding data processing operations carried out by public authorities in third countries.Footnote 348

Regarding the minimum safeguards, the list in Article 47(2) GDPR entails further requirements: BCRs must specify the complaint procedures; the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of enterprises engaged in the joint economic activity; and the mechanisms for reporting to the competent supervisory authority any legal requirements which a member of the group of enterprises is subject to in a third country and which are likely to have a substantial adverse effect on the guarantees provided by the BCRs. Additionally, the GDPR framework for supervision as well as the complaint and appellate mechanisms concerning supervisory authorities also apply to BCRs. These minimum safeguards guarantee that individuals can effectively protect their personal data against the risk of abuse. BCRs therefore provide a valid legal basis for the interference with Article 8 CFR.

3.2.3 Objectives of General Interest and Protection of Freedoms of Others

The justification of an interference that limits the exercise of fundamental rights according to Article 52 CFR further requires that the limitations genuinely meet objectives of general interest recognized by the EU or are necessary to protect the rights and freedoms of others. Public security in a third country qualifies as a general interest recognized by the EU (Sect. 3.3.2.3.1) and both the freedom of expression and information (Sect. 3.3.2.3.2) and the freedom to conduct a business (Sect. 3.3.2.3.3) are rights of others which need to be protected.

3.2.3.1 Public Security in a Third Country

Public security in a third country can be an objective of general interest recognized by the EU.Footnote 349 In order to justify limitations to the right to continuous protection of personal data on the basis of public security in a third country, the public security of the third country must be one of the material objectives of the data transfers.Footnote 350 The data transfers in question are usually part of a commercial activity.Footnote 351 They thus do not relate to the protection of public security in a third country.

3.2.3.2 Freedom of Expression and Information

Data transfers are a tool for the exercise of the freedom of expression and information enshrined in Article 11 CFR.Footnote 352 In order to justify an interference with the right to continuous protection of personal data based on the protection of the freedom of expression and information, the freedom of expression and information must be one of the material objectives of the data transfers.Footnote 353

To date, instruments providing appropriate safeguards for data transfers have not specifically referred to the protection of Article 11 CFR, but this does not generally preclude an argument using Article 11 CFR as a justification. The protection of the freedom of expression and information and its reconciliation with the right to data protection is one of the material objectives of the GDPR and, therefore, of Chapter V GDPR as well, which includes the instruments providing appropriate safeguards.Footnote 354

3.2.3.3 Freedom to Conduct a Business

Data transfers to third countries may be used for transborder economic activities protected by the freedom to conduct a business enshrined in Article 16 CFR.Footnote 355 In order to justify an interference with the right to continuous protection of personal data based on the freedom to conduct a business, the exercise of that freedom must be one of the material objectives of the data transfers.Footnote 356

To date, instruments providing appropriate safeguards for data transfers have not specifically referred to the protection of Article 16 CFR, but that does not generally preclude an argument using Article 16 CFR as a justification. The IHC stated that the “free transfer of data around the world is now central to economic and social life in the Union and elsewhere.”Footnote 357 The protection of the freedom to conduct a business in Article 16 CFR is one of the material objectives of the GDPR and, therefore, of Chapter V GDPR as well.Footnote 358

3.2.4 Proportionality

The principle of proportionality requires that limitations on fundamental rights must be appropriate in light of the objective pursued and limited to what is strictly necessary.Footnote 359 It is also necessary to examine if there are other measures which affect the right to continuous protection of personal data less adversely and still contribute effectively to the objectives of general interest recognized by the EU or the need to protect the fundamental rights and freedoms of others. It has to be examined whether the interference with the right to continuous protection of personal data is proportional to the protection of the freedom of expression and information (Sect. 3.3.2.4.1), and to the protection of the freedom to conduct a business (Sect. 3.3.2.4.2).

3.2.4.1 Freedom of Expression and Information

Data transfers based on the instruments providing appropriate safeguards enable companies to distribute information and ideas without interference by public authorities and regardless of borders. Instruments providing appropriate safeguards allow systematic, structural, and continuous data transfers to a third country just like adequacy decisions and may thus be considered appropriate to protect the freedom of expression and information enshrined in Article 11 CFR.

It would, however, be disproportionate to justify limitations on the right to continuous protection of personal data with the protection of commercial speech, because the right to data protection attracts a higher level of protection than commercial speech.Footnote 360 It would also be disproportionate to justify the limitations on the right to continuous protection for personal data with the protection of journalistic, academic, artistic, and literary speech, because Article 85(2) GDPR contains a derogation for EU member states which affects less adversely the right to data protection and still contributes effectively to the protection of Article 11 CFR.Footnote 361

3.2.4.2 Freedom to Conduct a Business

Data transfers based on instruments providing appropriate safeguards enable individuals and companies to operate business models that depend on transfers of personal data to third countries and must, therefore, be considered appropriate to protect the freedom to conduct a business enshrined in Article 16 CFR.

It would, however, be disproportionate to limit the right to continuous protection of personal data with the freedom to conduct a business because the right to data protection attracts a higher level of protection and the derogations for data transfers in specific situations according to Article 49 GDPR contain measures that affect the right to data protection less adversely while still effectively contributing to the protection of the freedom to conduct a business.Footnote 362

3.3 The Validity of Appropriate Safeguards as a Legal Mechanism

Instruments providing appropriate safeguards must fully comply with the right to continuous protection for personal data. AG Henrik Saugmandsgaard Øe found in his opinion in Schrems 2 that the validity of the instruments providing appropriate safeguards depends on the soundness of the safeguards which those instruments provide to compensate for any inadequacy of protection created in the third country of destination.Footnote 363 In the following, the validity of the standard data protection clauses based on Article 46(2)(c) GDPR (Sect. 3.3.3.1) and of the BCRs based on Article 46(2)(b) GDPR will be analyzed (Sect. 3.3.3.2).

3.3.1 Standard Data Protection Clauses Based on Article 46(2)(c) GDPR

Article 46(1) GDPR states that in the absence of an adequacy decision, it is for the data controller or data processor to provide appropriate safeguards for the transfer of personal data to third countries.Footnote 364 The standard data protection clauses adopted by the European Commission on the basis of Article 46(2)(c) GDPR are intended to provide contractual guarantees independently of the level of protection for personal data in any given third country.Footnote 365 AG Henrik Saugmandsgaard Øe underlined in his opinion in Schrems 2 that the validity of the standard data protection clauses “cannot depend on the level of protection guaranteed in each of the individual third countries to which data might be transferred.”Footnote 366 Due to their contractual nature, the standard data protection clauses cannot provide guarantees beyond contractual obligations to ensure compliance with the level of protection for personal data required under EU law. They are not binding on the authorities of third countries to which the personal data is transferred and they cannot prevent the authorities in a third country from accessing personal data.Footnote 367 The ECJ held that the mere fact that standard data protection clauses “do not bind the authorities of third countries to which personal data may be transferred cannot affect the validity” of these clauses.Footnote 368

The standard data protection clauses have to incorporate effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law and to suspend or prohibit data transfers in the event of the breach of the clauses or it being impossible to honor them.Footnote 369 I argue that standard data protection clauses, such as those that were provided by Decision 2010/87/EU and are newly provided by Decision (EU) 2021/914, are valid as a legal mechanism to transfer personal data because they can be supplemented with additional safeguards (Sect. 3.3.3.1.1), they provide adequate compliance mechanisms (Sect. 3.3.3.1.2), the supervisory authorities have sufficient investigative and corrective powers (Sect. 3.3.3.1.3), individuals have rights and remedies at hand (Sect. 3.3.3.1.4), and there is a system for consistent enforcement of the right to continuous protection for personal data among the different EU member states (Sect. 3.3.3.1.5).

3.3.1.1 Additional Safeguards

The ECJ explicitly stated in Schrems 2 that insofar as the standard data protection clauses cannot by their very nature provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, it may prove necessary to supplement the guarantees contained in the standard data protection clauses with additional safeguards.Footnote 370 Recital (109) GDPR also mentions that data exporters should be encouraged to use additional safeguards via contractual commitments to supplement standard protection clauses. However, neither the GDPR nor the ECJ has defined or specified what such additional safeguards to the standard data protection clauses could be. Consequently, the EDPB has adopted a recommendation on measures that supplement transfer instruments to ensure compliance with EU law.Footnote 371

Based on the principle of accountability in Article 5(2) and Article 28(3)(h) GDPR, the EDPB argued that data exporters “must seek to comply with the right to data protection in an active and continuous manner by implementing legal, technical and organisational measures that ensure its effectiveness.”Footnote 372 Annex II of those recommendations provides examples.Footnote 373 Annex 2 of Decision (EU) 2021/914 also contains examples of possible technical and organizational measures to ensure the security of the data.

Nevertheless, the EDPB also stated that there are scenarios in which no effective additional safeguards can be implemented. This is the case, for example, when personal data is transferred to cloud services providers or other processors which require access to the data in the clear.Footnote 374 This is consistent with the finding of the ECJ in Schrems 2 that additional safeguards may not be enough to provide the required protection, especially

where the law of [a] third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.Footnote 375

This particularly concerns internet surveillance practices by third states not compatible with the European Essential Guarantees, and which cannot be addressed simply with additional safeguards.Footnote 376 However, these clauses entail compliance mechanisms for the data exporter and the data importer that can mitigate the risks of the personal data becoming subject to illegal practices.

3.3.1.2 Compliance Mechanisms

Should a third country not provide a level of protection for personal data transferred from the EU that is essentially equivalent to that guaranteed within the EU, the standard data protection clauses provided by Decision 2010/87/EU and by Decision (EU) 2021/914 entailed and entail compliance mechanisms with obligations for the data exporter and the data importer leading to the suspension of the concerned data transfers.

Regarding Decision 2010/87/EU, the data exporter warranted in Clause 4(a) that the processing of personal data, including the transfer itself, has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law. The data exporter had to guarantee the right to continuous protection of personal data in Article 8 CFR and suspend the transfer and/or terminate the contract with the data importer if it was not able to guarantee the full exercise of that right. Under Clause 5(a), the data importer undertook to process the personal data in compliance with the standard data protection clauses. If the importer was not able to comply with these clauses, the importer had to promptly inform the exporter. According to Clause 5(b), the data importer also had to certify that it had no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the standard data protection clauses. In the event of a change in legislation that was likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses, the importer had to promptly notify the data exporter about the change.Footnote 377 The data exporter was then entitled to suspend the transfer and/or to terminate the contract under the standard data protection clauses and indeed was required to do so in light of the right to continuous protection of personal data in Article 8 CFR.Footnote 378 Unless the controller did so, it was in breach of its obligations under Clause 4(a) as interpreted in the light of the GDPR and the Charter.Footnote 379

The same logic applies under the new set of standard data protection clauses provided by Decision (EU) 2021/914. When the data exporter receives a notification from the data importer that it has reason to believe that it can no longer fulfil its obligations under the standard data protection clauses according to Clause 14(e), the data exporter has to promptly identify appropriate measures, such as technical or organizational measures to ensure security and confidentiality, to be adopted by the data exporter and/or data importer to address the situation as required by Clause 14(f). The same clause also demands that the data exporter suspends the data transfer if it considers that no appropriate safeguards for such transfer can be ensured. Clause 16(b) also demands that the data exporter suspends the data transfer to the data importer if the data importer is in breach of the standard data protection clauses until compliance is again ensured or the contract is terminated. There are obligations on the data importer to notify the data exporter but also on the data exporter to monitor compliance with the right to continuous protection of personal data in Article 8 CFR.Footnote 380 If the data transfers are subject to laws and practices that do not respect the essence of the fundamental rights and freedoms or exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, they must be suspended.

3.3.1.3 Powers of Supervisory Authorities

In accordance with Article 8(3) CFR and Article 57 GDPR, the supervisory authorities are responsible for monitoring compliance with EU rules concerning the protection of individuals regarding the processing of their personal data. Each supervisory authority is vested with the power to examine whether data transfers from its home EU member state to a third country comply with the requirements laid down in the GDPR.Footnote 381 If these data transfers do not comply with the requirements laid down in the GDPR, then the supervisory authorities must use their corrective powers to remedy the problem. These corrective powers include: the imposition of a temporary or definitive limitation including a ban on the processing of personal data according to Article 58(2)(f) GDPR and the suspension of data flows to a recipient in a third country according to Article 58(2)(j) GDPR.

Supervisory authorities have different ways in which they can become active in protecting the right to continuous protection of personal data.

Clause 4(g) of the standard data protection clauses provided by Decision 2010/87/EU asked the data exporter to forward all notifications received from the data importer to the relevant supervisory authority based on Clause 5(b) if the exporter decided to continue the transfer of personal data. This enabled the supervisory authority to ascertain whether the data transfers in question should have been suspended or prohibited in order to ensure an adequate level of protection.Footnote 382 Article 4 Decision 2010/87/EU also referred to the corrective powers of supervisory authorities.Footnote 383 The IHC expressed concerns in its referral of Schrems 2 to the ECJ that the corrective powers of supervisory authorities have to be interpreted narrowly in light of Recital (11) Decision 2010/87/EU:Footnote 384

The supervisory authorities should have the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection for the data subject.

The IHC inferred from the fact that Recital (11) Decision 2010/87/EU described the power of supervisory authorities to prohibit or suspend data transfers in “exceptional cases” that the standard data protection clauses only envisage the use of the corrective powers in particular circumstances, rather than a systemic use of those powers.Footnote 385 AG Henrik Saugmandsgaard Øe stated that “the Commission failed to remove or amend that recital in order to adapt its content to the requirements of the new Article 4.”Footnote 386 Article 8(3) CFR demands that supervisory authorities are independent. A recital of a Commission decision cannot therefore bind them. Furthermore, Recital (5) Decision 2016/2297, the decision amending Article 4 Decision 2010/87/EU, reasserted the power of supervisory authorities to suspend or prohibit any transfer which they consider to be contrary to EU law.Footnote 387 The ECJ also confirmed that Article 4 Decision 2016/2297 did not confine the exercise of corrective powers to exceptional circumstances.Footnote 388

In addition, the IHC expressed concerns that the corrective powers of the supervisory authorities are discretionary powers only.Footnote 389 The IHC argued that if the standard data protection clauses are valid because the supervisory authorities have the power to suspend or ban data transfers, then this can only be on the basis that supervisory authorities are obligated to do so in circumstances in which it is established that a transfer of personal data on the basis of standard data protection clauses is likely to violate fundamental rights of individuals in the EU.Footnote 390 The IHC thus submitted that such an obligation would be incompatible with the independence of the supervisory authorities. AG Saugmandsgaard Øe rejected this claim and concluded that “the exercise of the powers to suspend and prohibit transfers set out in Article 58(2)(f) and (j) of the GDPR is no longer merely an option left to the supervisory authorities’ discretion.”Footnote 391 The ECJ confirmed this and stated that the relevant supervisory authority is required to use its corrective powers in cases in which the data controller or data processor has not itself suspended or put an end to the transfer of personal data.Footnote 392

In order to use these corrective powers, Article 58(1) GDPR confers on the supervisory authorities significant investigative powers as well.Footnote 393 Supervisory authorities may order data exporters to provide any and all information they require for the performance of their tasks, carry out investigations in the form of data protection audits, obtain access to the personal data, and even to the premises of the data exporter.

The new standard data protection clauses provided by Decision (EU) 2021/914 explicitly refer in Article 2 of the decision to the corrective powers of supervisory authorities in Article 58 GDPR to suspend or ban data transfers to third countries when the data importer is or becomes subject to laws or practices in the third country that prevent it from complying with the standard data protection clauses. This is repeated in Clause 14(f). The responsibility of the competent supervisory authority to ensure compliance by the data exporter with the GDPR is laid down in Clause 13(a). Furthermore, the data importer has to agree to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with the standard data protection clauses in Clause 13(b). The supervisory authority may demand access to the data transfer impact assessment carried out according to Clause 14 based on Clause 14(d). This and other information that the supervisory authority may request based on Clauses 15.1(d) or 15.2(b) helps it to assess the situation at hand.Footnote 394

3.3.1.4 Rights of Individuals

Supervisory authorities are also responsible for complaints of individuals concerning the transfer of their personal data. Article 57(1)(f) GDPR requires supervisory authorities to handle complaints lodged with them, to investigate the subject matter of the complaint, and to inform the complainant of the progress and outcome of the investigation within a reasonable period of time. Data subjects may also request the supervisory authorities to exercise their corrective powers according to Article 77(1) GDPR. In such cases, the supervisory authorities must make a legally binding decision. Article 78(1) GDPR sets out the right of the concerned data subjects to an effective judicial remedy against the decision of a supervisory authority. This guarantees that individuals have the possibility to enforce their right to continuous protection of personal data in Article 8 CFR against a data exporter. The standard data protection clauses provided by Decision (EU) 2021/914 explicitly state that the data subjects have third-party beneficiary rights in Clause 3 and that they may lodge complaints with supervisory authorities or refer the dispute to the competent courts according to Clause 11.

3.3.1.5 Consistent Enforcement Among Member States

The decentralized system of supervisory authorities in each EU member state faces challenges when it comes to the consistent enforcement of the right to data protection in Article 8 CFR among the EU member states. The IHC expressed concerns in its referral of Schrems 2 to the ECJ that the transfer of personal data to a specific third country on the basis of standard data protection clauses could be permitted in some EU member states but suspended or banned in others.Footnote 395

AG Saugmandsgaard Øe did not deny the difficulties linked to the legislative choice to make the supervisory authorities in the EU member states responsible for ensuring that the fundamental rights of data subjects are observed in the context of data transfers.Footnote 396 The risk of such a choice is that the practice of the different supervisory authorities will be fragmented. But this is inherent in the decentralized structure intended by the EU legislator.Footnote 397 AG Saugmandsgaard Øe thus argued that “EU law does not require that a general and preventive solution be applied for all transfers to a given third country that might entail the same risks of a violation of fundamental rights.”Footnote 398 He referred to the consistency mechanism entailed in the GDPR that offers a procedure for cooperation between the supervisory authorities.Footnote 399 The consistency mechanism requires that the EDPB issues an opinion in cases in which a supervisory authority intends to adopt any of the measures listed in Article 64(1) GDPR. Three of the six measures listed in Article 64(1) GDPR relate to data transfers, but the decision of a supervisory authority to suspend or ban data transfers according to Article 58(2)(j) GDPR is not among the measures that obligate a supervisory authority to obtain an opinion from the EDPB.

The ECJ correctly referred to the possibility to use the voluntary alternative consistency mechanism in Article 64(2) GDPR.Footnote 400 The voluntary consistency mechanism allows any supervisory authority, the Chair of the EDPB, or the Commission to request that any matter having effects in more than one EU member state be examined by the EDPB with a view to obtaining an opinion from the EDPB. The decision of a supervisory authority to suspend or ban data transfers to a third country based on fundamental rights concerns should fall into this category. If a supervisory authority decides to suspend or ban certain data transfers to a third country, many data transfers from other EU member states to that third country must also be presumed to be incompatible with fundamental rights. In such cases, supervisory authorities have an interest that their practice is consistent with the practice of supervisory authorities in other EU member states. Supervisory authorities should therefore be inclined to use the voluntary consistency mechanism according to Article 64(2) GDPR and request an opinion from the EDPB when deciding to suspend or ban data transfers to a third country. The use of the voluntary consistency mechanism facilitates a Union-wide enforcement of the right to continuous protection of personal data in Article 8 CFR.

Regular opinions of the EDPB are not legally binding, but they carry considerable weight. It is to be expected that supervisory authorities will follow an EDPB opinion. They could be faced with many complaints of individuals concerned with the protection of their personal data if they do not. However, the ECJ also referred to the possibility of the EDPB adopting a legally binding decision under Article 65(1)(c) GDPR, should a supervisory authority not follow an opinion of the EDPB.Footnote 401

Article 4 Decision 2010/87/EU already provided an instrument for the consistency of enforcement and Article 2 Decision (EU) 2021/914 entails the same instrument:

Where the competent Member State authorities exercise corrective powers pursuant to Article 58 of Regulation (EU) 2016/679 in response to the data importer being or becoming subject to laws or practices in the third country of destination that prevent it from complying with the standard contractual clauses set out in the Annex, leading to the suspension or ban of data transfers to third countries, the Member State concerned shall, without delay, inform the Commission, which will forward the information to the other Member States.

This mechanism guarantees that all EU member states are informed about any suspensions or bans on data transfers to third countries.

3.3.2 BCRs Based on Article 46(2)(b) GDPR

The mechanism to approve BCRs provides the possibility for the responsible supervisory authority to prohibit data transfers to a third country that interferes with the right to continuous protection of personal data in Article 8 CFR. In order to be approved, BCRs must specify a number of requirements listed in Article 47(2) GDPR. For example, BCRs must specify the types of data transfers, the categories of personal data, and the third country or countries to which the personal data will be transferred.Footnote 402 This information allows supervisory authorities to assess the risks of BCRs for the specific data transfers and to apply the right to continuous protection of personal data in Article 8 CFR. The approval of BCRs is subject to the mandatory consistency mechanism in Article 63 GDPR.Footnote 403 This mechanism supports the consistent application of the right to continuous protection for personal data in Article 8 CFR.

Once BCRs are approved, the supervisory authorities remain responsible for monitoring and enforcing the application of the GDPR in light of the Charter according to Article 57(1)(a) GDPR and Article 8(3) CFR. They thus retain their investigative and corrective powers enumerated in Article 58(1) and (2) GDPR. In order to be approved, BCRs must also specify the mechanisms for ensuring the verification of compliance with the BCRs. These mechanisms include data protection audits and methods for ensuring corrective actions to protect the rights of data subjects. The results of such audits must be made available to the responsible supervisory authority upon request.Footnote 404 Data subjects have the right to lodge a complaint with the relevant supervisory authority against data transfers on the basis of BCRs according to Article 77(1) GDPR and to appeal a decision of the responsible supervisory authority according to Article 78(2) GDPR. Data subjects also have the right to a judicial remedy against the data exporter according to Article 79(1) GDPR. In order to be approved, BCRs must thus specify the means for the exercise of these rights.Footnote 405

The validity of BCRs does not depend on the level of protection for personal data in the third country to which data might be transferred. Instead, it depends only on the soundness of the safeguards which those instruments provide in order to compensate for any inadequacy of protection in the third country of destination. The information required for the approval of BCRs allows the responsible supervisory authority to assess the risks of BCRs for the data transfers in question and to apply the right to continuous protection of personal data. Just as in the case of the standard data protection clauses, the BCRs might have to include additional safeguards for the transfer of personal data to third countries where the protection of personal data is not essentially equivalent to that guaranteed within the EU.Footnote 406 If BCRs are used for data transfers that do not comply with the right to continuous protection for personal data, enforcement mechanisms are in place to address this.Footnote 407 The regulatory framework surrounding BCRs validates this instrument as a legal mechanism for data transfers.

3.4 Supervisory Authorities as Guardians of Fundamental Rights

Control over continuous protection of personal data in relation to the instruments providing appropriate safeguards often lies with the supervisory authorities. They are the bodies responsible for approving many of the instruments providing appropriate safeguards for data transfers. This includes BCRs according to Article 46(2)(b) GDPR and certifications according to Article 46(2)(f) GDPR.Footnote 408 Supervisory authorities are also responsible for authorizing specific (ad hoc) contractual clauses according to Article 46(3)(a) GDPR. Moreover, they adopt standard data protection clauses according to Article 46(2)(d) GDPR and submit them for approval to the Commission.Footnote 409 Lastly, the EDPB, which consists of all the supervisory authorities in the EU member states, is responsible for providing opinions to the Commission on whether a code of conduct according to Article 46(2)(e) GDPR provides appropriate safeguards.Footnote 410

In accordance with Article 8(3) CFR and Article 57 GDPR, the supervisory authorities are responsible for monitoring compliance with EU rules concerning the protection of individuals regarding the processing of their personal data. Each supervisory authority is vested with the power to examine whether data transfers from its home EU member state to a third country comply with the requirements laid down in the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 411 If the data transfers do not comply with these requirements, then the supervisory authorities must use their corrective powers to fix the problem. The responsibility of the supervisory authorities is of a subsidiary nature. First of all, it is for the data exporter

to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses.Footnote 412

The competent supervisory authority is required to act only if the data exporter does not itself suspend or end the transfer when protection that is essentially equivalent to that guaranteed within the EU cannot be guaranteed.Footnote 413 Accordingly, data exporters are primarily responsible for safeguarding the right to continuous protection of personal data in Article 8 CFR. This architecture of self-regulation is not perfect. Due to the economic nature of many data transfers, a data exporting company will often have to decide between its economic goals and compliance with fundamental rights protection. Furthermore, this sort of private enforcement is underpinned by the threat of legal action by data subjects. “It assumes data subjects have the energy and the resources to take action – a real weakness in this approach, despite the possibility for class actions.”Footnote 414 Lastly, the assessment of the level of protection for the personal data transferred to third countries is complicated and requires far-reaching information about government access to personal data in third countries. A diligent exercise of the responsibility of data exporters to comply with the right to continuous protection of personal data in Article 8 CFR is quite an effort, and it is questionable whether data exporters are ready to make this effort. Given the shortcomings of this self-regulation model, the supervisory authorities will in practice play an important role as guardians of fundamental rights.

3.5 Summary

The instruments providing appropriate safeguards must fully comply with the right to continuous protection of personal data and the standard of essential equivalence. No limitations on the exercise of that right are possible for data transfers on the basis of this legal mechanism. The right to continuous protection of personal data has a restrictive effect on data transfers based on instruments providing appropriate safeguards. The instruments in Article 46 GDPR do not rely on the conditions for the processing of personal data in the third country but rather on the appropriate safeguards provided by the instruments themselves. Nevertheless, the prevailing legal context in a third country of destination may, depending on the actual circumstances of the data transfer, make it impossible to comply with the right to continuous protection of personal data and the standard of essential equivalence. In such cases, data transfers may not take place. The justification of this restrictive effect is firmly rooted in the protection of fundamental rights. However, the politics behind appropriate safeguards are problematic when it comes to a consistent fundamental rights-based application of the instruments in Article 46 GDPR. The analysis of this section has revealed a laissez-faire attitude towards fundamental rights protection that has been grounded in an outdated understanding of the level of protection required for data transfers. The Schrems 2 judgment made it clear that the data exporter using the instruments in Article 46 GDPR for the transfer of personal data must ensure that the right to continuous protection of personal data is respected. However, given the shortcomings of this architecture of self-regulation, the supervisory authorities in the EU member states have to act as the guardians of fundamental rights regarding the instruments in Article 46 GDPR. They must therefore take their responsibility seriously and make sure that the application of those instruments in practice respects the right to continuous protection of personal data in Article 8 CFR.

4 Continuous Protection of Personal Data and Derogations

The fourth section of this chapter is dedicated to the interplay of the right to continuous protection for personal data and the derogations for specific situations as a legal mechanism for data transfers according to Article 49 GDPR. An analysis of the politics of the derogations pursuant to Article 49 GDPR reveals a contradiction. While Article 49 GDPR allows derogations from the right to continuous protection of personal data, those derogations may not cause additional exemptions from the rule that fundamental rights should be respected nor lead to a situation in which fundamental rights might be breached (Sect. 3.4.1). There are two options for settling this contradiction: lawful limitations on the right to continuous protection for personal data with the contract-based derogation in Article 49(1)(b) GDPR (Sect. 3.4.2), or a waiver of the right to continuous protection for personal data with the consent-based derogation in Article 49(1)(a) GDPR (Sect. 3.4.3). In both cases, data subjects must be attentive because they are responsible for ensuring that their fundamental rights are respected (Sect. 3.4.4).

4.1 The Politics of Derogations

4.1.1 Contradiction

The derogations in Article 49 GDPR allow data transfers in the absence of both an adequacy decision and the possibility of using instruments providing appropriate safeguards. However, the politics behind these derogations for specific situations are contradictory.

Adequacy decisions as much as instruments providing appropriate safeguards must fully comply with the right to continuous protection of personal data in Article 8 CFR. Limitations on the exercise of that right cannot be justified for data transfers based on these two legal mechanisms. The title of Article 49 GDPR indicates that it entails derogations from these other legal mechanisms. The title implies that the legal mechanism for data transfers in Article 49 GDPR does not have to comply fully with the right to continuous protection of personal data. Christopher Kuner has written that “derogations, by definition, may apply when there is no essential equivalence.”Footnote 415 However, Article 44 GDPR states that all provisions in Chapter V GDPR on transfers of personal data to third countries shall be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. Additionally, Recital (114) GDPR indicates that in cases in which the Commission has not made an adequacy decision, data exporters must use solutions for data transfers in which data subjects continue to benefit from their fundamental rights and safeguards. From its position among the other recitals, Recital (114) GDPR seems to apply to data transfers based on the derogations in Article 49 GDPR. This would imply that the derogations must still comply with the right to continuous protection of personal data.

The Article 29 WP has added to this contradiction by claiming with regard to the same derogations in Article 26(1) Directive 95/46/EC that

while the cases listed in Article 26(1) may constitute a derogation to the principle that the third country should guarantee an adequate protection, they do not provide additional exemptions from the rule that fundamental rights should be respected.Footnote 416

On the one hand, the Article 29 WP states that the derogations in Article 26(1) Directive 95/46/EC are derogations from the principle that the third country should guarantee adequate protection. The ECJ defined adequate protection as protection that is essentially equivalent to that guaranteed within the EU.Footnote 417 Essential equivalence for the protection of personal data in a third country entails the same limitations on fundamental rights in the third country as are permitted in the EU.Footnote 418 Article 26(1) Directive 95/46/EC would therefore allow data transfers that do not respect the right to continuous protection for personal data, which requires protection essentially equivalent to that guaranteed within the EU. On the other hand, the Article 29 WP also states that the derogations in Article 26(1) Directive 95/46/EC do not provide additional exemptions from the rule that fundamental rights should be respected.

The EDPB similarly found with regard to the derogations under Article 49 GDPR that

“derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country” and that “recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached.”Footnote 419

So, while Article 49 GDPR seems to allow for derogations from the right of continuous protection of personal data, they may nonetheless not provide additional exemptions from the rule that fundamental rights should be respected nor lead to a situation in which fundamental rights can be breached.

4.1.2 Resolution

How is it possible to settle this contradiction? How can derogations from the right to continuous protection of personal data not provide additional exemptions from the rule that fundamental rights should be respected? There are two ways to settle it.

The first solution is a lawful limitation on the right to continuous protection of personal data. The right to continuous protection for personal data is an unwritten constituent part of the right to data protection enshrined in Article 8 CFR.Footnote 420 An interference with Article 8 CFR is an interference with one or more of its constituent parts. Only the essence of a fundamental right cannot be touched, limited, diminished, restricted, or interfered with. The right to continuous protection of personal data and the standard of essential equivalence, however, have not been defined as part of the essence of Article 8 CFR. Limitations on the right to continuous protection of personal data are thus theoretically possible.Footnote 421 Such limitations would not provide additional exemptions from the rule that fundamental rights should be respected nor lead to a situation in which fundamental rights might be breached if the limitations are justified according to Article 52(1) CFR.

The second solution is a waiver of the right to continuous protection of personal data in Article 8 CFR. There is no obligation to exercise fundamental rights. It is thus possible to waive fundamental rights. Problems arise, in particular, in cases in which the decision to waive a fundamental right is not taken freely.Footnote 422 Moreover, the waiver of a fundamental right should not be read as equivalent to the loss of that fundamental right.Footnote 423 If individuals lawfully waive their right to continuous protection of personal data, then this does not provide additional exemptions from the rule that fundamental rights should be respected nor lead to a situation in which fundamental rights can be breached.

4.2 Limitations on Continuous Protection of Personal Data with the Derogations

The right to continuous protection for personal data requires that the level of protection for personal data that is transferred from the EU to a third country is essentially equivalent to that guaranteed within the EU. That right is not absolute. Limitations on the exercise of the right to continuous protection of personal data can be lawful according to Article 52(1) CFR. This section analyzes the contract-based derogation in Article 49(1)(b) GDPR. Just as described with regard to the other legal mechanisms for the transfer of personal data, the interference must be found in the EU rather than in the third country (Sect. 3.4.2.1). The legal basis for the interference must indicate under what circumstances and conditions the interference will take place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse (Sect. 3.4.2.2). The material objectives of the interference must either qualify as a general interest recognized by the EU or be protected by another right or freedom in the Charter (Sect. 3.4.2.3). Finally, the principle of proportionality must be observed (Sect. 3.4.2.4).

4.2.1 Interference

Any interference with the right to continuous protection of personal data must be found in the EU.Footnote 424 Ultimately, the rules, measures, and actions of third states also entail intrusions, which, if they were attributed to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection in Article 8 CFR.Footnote 425 Those intrusions should, however, be assessed with regard to the standard of essential equivalence. If the intrusions caused by the rules, measures, and actions of third states do not respect the standard of essential equivalence, then the transfer of personal data subject to the contract-based derogation in Article 49(1)(b) GDPR itself constitutes an interference with the right to continuous protection of personal data enshrined in Article 8 CFR.

The contract-based derogation in Article 49(1)(b) GDPR cannot make up for the inadequacies of data protection in third countries. This is why the actual transfer of personal data subject to the contract-based derogation in Article 49(1)(b) GDPR constitutes an interference with Article 8 CFR to the extent that it does not respect the right to continuous protection of personal data.

4.2.2 Legal Basis

The limitation of the exercise of fundamental rights must be provided for by law. The legal basis that permits an interference with Article 8 CFR must itself define the scope of the limitation.Footnote 426 Moreover, the legal basis for interferences with Article 8 CFR must indicate under what circumstances and conditions the data processing operations will take place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse.Footnote 427 These safeguards are particularly important in cases in which personal data is subject to automated processing and involves sensitive data.Footnote 428 The transfer of personal data subject to the contract-based derogation in Article 49(1)(b) GDPR constitutes an interference with Article 8 CFR if, for the specific transfer of personal data, the level of protection for personal data in the third country is not essentially equivalent to that guaranteed within the EU.

The derogation in Article 49(1)(b) GDPR must be applied in a contract between the data exporter in the EU and the data importer in the third country if the transfer of personal data is to legally occur.Footnote 429 Article 49(1)(b) GDPR constitutes the legal basis for an interference with Article 8 CFR because it enables the transfer of personal data to a third country. The question is whether the legal basis fulfills the conditions regarding the scope of the limitations to the concerned fundamental rights and the presence of minimum safeguards.

The derogations in Article 49 GDPR are faced with functional limits regarding the definition of the scope of the limitations on the right to data protection in Article 8 CFR. The derogations in Article 49 GDPR ignore the conditions for the processing of personal data in the third country. They cannot refer to the scope of the limitations on the exercise of fundamental rights regarding the intrusions with rules, measures, and actions of the respective third state, which, if they were attributed to the authorities of an EU member state, would be regarded as interferences with the exercise of the right to data protection. Nonetheless, the contract-based derogation still indicates under what circumstances and conditions the data processing operations will take place that interfere with the right to continuous protection of personal data, i.e., the transfer of personal data to the third country.

According to Article 49(1)(b) GDPR, a data exporter may only transfer personal data to a third country if the transfer is necessary for the performance of a contract between a data subject and the controller. At least one of the central contractual services must therefore be impossible to perform if the data is not transferred to the third country in question. This means there must be a close, direct or substantial link between the data transfer and the performance of the contract.Footnote 430 For example, such a close and direct link does not exist for additional direct marketing purposes or simply for data storage in the third country.Footnote 431 It is not enough if the data transfer is merely useful or allows cost savings. Additionally, Recital (111) GDPR states that the use of the contract-based derogation in Article 49(1)(b) GDPR shall be limited to occasional transfers. The EDPB has underlined that “[d]ata transfers regularly occurring within a stable relationship would be deemed as systematic and repeated, hence exceeding an ‘occasional’ character.”Footnote 432

Regarding the minimum safeguards required to provide sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse, independent oversight and remedies are important. It is important to underline that the contract referred to in Article 49(1)(b) GDPR must outline the risks for individuals whose personal data will be transferred to a third country. Article 49(1)(b) GDPR itself does not contain any specific information duties for the data controller concerning the risks of the data transfer. The duty results from the transparency requirement in Article 5(1)(a) GDPR and the general information duty for data transfers in Article 13(1)(f) GDPR.Footnote 433 Supervisory authorities must monitor and enforce the application of the GDPR according to Article 57(1)(a) GDPR. Their investigative and corrective powers outlined in Article 58 GDPR should protect individuals against the risk of abuse of their personal data. Furthermore, data subjects may, according to Article 77(1) GDPR, request the relevant supervisory authorities to exercise their powers in cases in which they consider that the contract-based derogation has not been used properly. Data subjects also have the right to an effective judicial remedy against the data exporter according to Article 79(1) GDPR, in cases in which they consider that their rights under the GDPR have been infringed as a result of the transfer of their personal data. These minimum safeguards guarantee that individuals can effectively protect their personal data against the risk of abuse. The contract-based derogation in Article 49(1)(b) GDPR therefore provides a valid legal basis for interferences with Article 8 CFR.

4.2.3 Objectives of General Interest and Protection of the Freedoms of Others

The justification of an interference that limits the exercise of fundamental rights according to Article 52(1) CFR further requires that the limitations genuinely meet either objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others. Public security in a third country (Sect. 3.4.2.3.1) qualifies as a general interest recognized by the EU, while the freedom of expression and information (Sect. 3.4.2.3.2) and the freedom to conduct a business (Sect. 3.4.2.3.3) qualify as rights of others which may justify limitations on the right to continuous protection of personal data.

4.2.3.1 Public Security in a Third Country

Public security in a third country can be an objective of general interest recognized by the EU.Footnote 434 In order to justify the limitation on the right to continuous protection of personal data, the protection of public security in a third country must be one of the material objectives of the data transfers.Footnote 435 Because the data transfers in question are usually part of a commercial activity,Footnote 436 they rarely relate to the protection of public security in a third country.

4.2.3.2 Freedom of Expression and Information

Data transfers are a tool for the exercise of the freedom of expression and information enshrined in Article 11 CFR.Footnote 437 In order to justify an interference with the right to continuous protection of personal data based on the protection of the freedom of expression and information, the protection of that freedom must be one of the material objectives of the data transfers.Footnote 438

The contract-based derogation in Article 49(1)(b) GDPR does not refer to the protection of Article 11 CFR but this does not generally preclude an argument using Article 11 CFR as a justification. The protection of the freedom of expression and information and its reconciliation with the right to data protection is one of the material objectives of the GDPR and, therefore, also of Chapter V GDPR.Footnote 439 In addition, the contract itself can refer to the freedom of expression and information in Article 11 CFR.

4.2.3.3 Freedom to Conduct a Business

Data transfers to third countries may be used for cross-border economic activities and therefore to protect the freedom to conduct a business enshrined in Article 16 CFR.Footnote 440 In order to justify an interference with the right to continuous protection of personal data based on the protection of the freedom to conduct a business, the protection of that freedom must be one of the material objectives of the data transfers.Footnote 441

The contract-based derogation in Article 49(1)(b) GDPR does not refer to the protection of Article 16 CFR but this does not generally preclude an argument using Article 16 CFR as a justification. The protection of the freedom to conduct a business is one of the material objectives of the GDPR and, therefore, also of Chapter V GDPR.Footnote 442 In addition, the contract itself can refer to the freedom to conduct a business in Article 16 CFR.

4.2.4 Proportionality

The principle of proportionality requires that limitations on fundamental rights must be appropriate in light of the objective pursued and limited to what is strictly necessary.Footnote 443 It is also necessary to examine whether there are other measures which affect the right to continuous protection of personal data less adversely and still contribute effectively to the objectives of general interest recognized by the EU or the need to protect the fundamental rights and freedoms of others. It has to be seen whether the interference with the right to continuous protection of personal data is proportionate to the protection of the freedom of expression and information (Sect. 3.4.2.4.1), and to the protection of the freedom to conduct a business (Sect. 3.4.2.4.2).

4.2.4.1 Freedom of Expression and Information

Data transfers based on the derogation in Article 49(1)(b) GDPR enable companies to distribute information and ideas without interference by public authorities and regardless of borders. The contract-based derogation does not allow data transfers to third countries that are systematic, structural, and continuous. It allows data transfers that are occasional and necessary for the performance of a contract between a data subject and the data controller.

In theory, the contract-based derogation enables data transfers that protect journalistic, academic, artistic, and literary speech. However, the requirements of Article 49(1)(b) GDPR are strict and often pose an obstacle for such cross-border expression. The obligation in Article 85(2) GDPR for EU member states to provide exemptions or derogations from Chapter V GDPR on transfers of personal data to third countries for journalistic purposes or the purpose of academic, artistic or literary expression seems to be more appropriate for such data flows.

In theory, the contract-based derogation also enables data transfers that protect commercial speech. Again, the requirements of Article 49(1)(b) GDPR are strict and often pose an obstacle for such transfers. AG Nial Fennelly defined commercial speech as “the provision of information, expression of ideas or communication of images as part of the promotion of a commercial activity and the concomitant right to receive such communication.”Footnote 444 According to that definition, commercial speech encompasses statements strictly linked to the commercial promotion of products and services.Footnote 445 Article 49(1)(b) GDPR enables data transfers necessary for the facilitation of e-commerce services, but it does not allow additional follow-up transfers for marketing measures.Footnote 446 Such measures would not satisfy the requirement of a close and direct or substantial link between the data transfer and the performance of the contract. It is thus questionable whether the contract-based derogation is of much use to a data exporter with regard to commercial speech. The consent-based derogation in Article 49(1)(a) GDPR seems to be a more appropriate avenue for such purposes.Footnote 447

4.2.4.2 Freedom to Conduct a Business

Data transfers subject to the contract-based derogation in Article 49(1)(b) GDPR enable companies to distribute information and ideas without interference from public authorities and regardless of borders. Even though the contract-based derogation does not allow for data transfers to third countries that are systematic, structural, and continuous, it is an appropriate tool for protecting the freedom to conduct a business enshrined in Article 16 CFR. While cloud computing applications such as Facebook or Google would not be able to rely on the contract-based derogation to outsource their data processing operations, e-commerce services for hotels, airlines, credit cards etc. could do so based on Article 49(1)(b) GDPR.

I thus argue that limitations on the right to continuous protection of personal data with data transfers subject to the contract-based derogation in Article 49(1)(b) GDPR can be justified under the freedom to conduct a business enshrined in Article 16 CFR. The derogation in Article 49(1)(b) GDPR is limited to occasional data transfers necessary for the performance of a contract between a data subject and the data controller. As it stands, it therefore already constitutes a measure that affects the right to data protection less adversely than data transfers based on adequacy decisions or data transfers based on instruments providing appropriate safeguards.

Normally, the right to data protection attracts a higher level of protection than the freedom to conduct a business. However, the contract-based derogation in Article 49(1)(b) GDPR reflects and protects the written constituent parts of the right to data protection enshrined in Article 8 CFR. The constituent part on purpose specification reflects the idea that data processing operations should be foreseeable for the data subject and should not go beyond the reasonable expectations of the individuals concerned.Footnote 448 The contract-based derogation requires the data exporter to specify the purposes of the data transfers. The constituent part on fairness demands that the data subject is in a position to learn of the existence of intended and possible data processing operations.Footnote 449 The contract-based derogation also requires the data exporter to outline the risks of the data transfers. The constituent part on consent as a legitimate basis for the processing of personal data is an expression of informational self-determination.Footnote 450 The contract-based derogation requires the data subject to consent to the data transfers by agreeing to the data transfers in question. The constituent part on independent supervision addresses the power asymmetries between data controllers and data subjects.Footnote 451 Independent supervision by the supervisory authorities of the EU member states is part of the minimum safeguards available for data transfers subject to the contract-based derogation. Only the right of access and the right to rectify data would have to be specifically included in the contract in order for the derogation in Article 49(1)(b) GDPR to reflect these two constituent parts in the second sentence of Article 8(2) CFR.Footnote 452

Overall, the contract-based derogation in Article 49(1)(b) GDPR takes the written constituent parts of the right to data protection into account while protecting the freedom to conduct a business. This is why limitations on the right to continuous protection of personal data by data transfers subject to the contract-based derogation in Article 49(1)(b) GDPR can be justified using the freedom to conduct a business enshrined in Article 16 CFR even if the right to data protection attracts a higher level of protection than the freedom to conduct a business.

4.3 Waiver on Continuous Protection for Personal Data

This section analyzes the consent-based derogation in Article 49(1)(a) GDPR. The right to continuous protection of personal data requires that the level of protection for personal data that is transferred from the EU to a third country is essentially equivalent to that guaranteed within the EU. That right can be waived by the data subject (Sect. 3.4.3.1). The ECtHR has developed a standard test for determining the legality of a waiver of human rights under the ECHR. The ECJ has copied that test with regard to the fundamental rights in the Charter (Sect. 3.4.3.2). The test requires that six conditions are met: unforcedness, full knowledge of the surrounding circumstances, unequivocalness, minimum safeguards, respect for important public interests, and the condition that the waiver should not be connected with the loss of the respective fundamental right (Sect. 3.4.3.3). The consent-based derogation in Article 49(1)(a) GDPR complies with these requirements and therefore constitutes a lawful waiver of the right to continuous protection of personal data (Sect. 3.4.3.4).

4.3.1 Availability of the Waiver

The derogation in Article 49(1)(a) GDPR refers to data transfers in which the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. The consent could amount to a waiver on the right to continuous protection of personal data if the level of protection in the third country is not essentially equivalent to that guaranteed within the EU. However, not every fundamental right can be waived. Some core elements of substantive rights cannot be waived since they reach beyond the individual right holder’s sphere. It must thus first be established that the text and spirit of the right to be waived do not prevent a waiver.

It is necessary to look at some of the foundational values of the right to data protection to determine whether the right to continuous protection of personal data can be waived with regard to data transfers subject to the consent-based derogation in Article 49(1)(a) GDPR.Footnote 453

  • Privacy can be conceptualized as either the right to be let alone or limited accessibility to a person. It is possible to forgo one’s privacy. For example, individuals may voluntarily subject themselves to permanent video surveillance.

  • Informational self-determination guarantees the ability of individuals to determine for themselves the disclosure and use of their personal data. The consent of an individual to allow occasional data transfers to third countries in which personal data is at risk of becoming subject to government surveillance can be seen as an act of informational self-determination as long as the consent is informed.

  • Transparency addresses the power imbalances between a data controller and the data subjects. The consent of an individual to allow occasional data transfers to third countries is only possible after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. This information provides the necessary transparency.

The right to data protection can thus be waived pursuant to the consent-based derogation in Article 49(1)(a) GDPR. Consent allows individuals to decide for themselves if they want to accept the opportunities and the corresponding risks of data processing operations.

4.3.2 Test for the Waiver

The ECJ has previously ruled on the legitimacy of waivers. The case law of the ECJ so far covers waivers of the right to an effective judicial remedy and a fair trial provided for in Article 47 CFR and the rights of the defense guaranteed by Article 48(2) CFR.Footnote 454 In this context, the ECJ normally referred to the jurisprudence of the ECtHR.Footnote 455 Much of the ECtHR’s case law on waivers also relates to matters of fair trial based on Article 6 ECHR.Footnote 456 Nonetheless, there have been some cases that concerned waivers on substantive rights such as the right to damages under Article 41 ECHR or the right to education under Article 2 of Protocol No. 1 to the ECHR combined with the prohibition of racial discrimination in educational matters under Article 14 ECHR.Footnote 457

The ECtHR has developed a standard test for determining the legality of a waiver of human rights under the ECHR, which the ECJ copied in Melloni with regard to the Charter. The ECJ stated, with respect to Articles 47 and 48(2) CFR, that an accused person may waive these rights of his or her own free will, provided that the waiver is established in an unequivocal manner, is attended by minimum safeguards commensurate to its importance, and does not run counter to any important public interest.Footnote 458 The lawfulness of the consent-based derogation in Article 49(1)(a) GDPR primarily depends on the lawfulness of the waiver.

4.3.3 Conditions of the Waiver

The test for the lawfulness of a waiver requires that certain conditions be met. The waiver for the right to continuous protection of personal data based on the derogation in Article 49(1)(a) GDPR is lawful because it is unforced (Sect. 3.4.3.3.1), made in full knowledge of the surrounding circumstances (Sect. 3.4.3.3.2), unequivocal (Sect. 3.4.3.3.3), attended by minimum safeguards (Sect. 3.4.3.3.4), does not run counter to any important public interest (Sect. 3.4.3.3.5), and is not connected with the loss of the right to data protection (Sect. 3.4.3.3.6).

4.3.3.1 Unforcedness

The waiver for a fundamental right must be unforced. Waivers made under duress are invalid.Footnote 459 Article 4(11) GDPR requires that any and all consent must be freely given. Recital (42) GDPR states that consent should not be regarded as freely given if the data subject has no genuine choice or is unable to refuse or withdraw consent without detriment. Recital (43) GDPR adds that consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is made dependent on the giving of consent despite such consent not being necessary for the performance. If a service is provided across borders, then the transfer of personal data is usually appropriate and necessary for the provision of that service. If a service could also be delivered without the transfer of personal data and consent for that data transfer is still required, then that consent cannot be presumed to be freely given. The requirement that consent must be freely given guarantees that the waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR is unforced.

4.3.3.2 Full Knowledge of the Surrounding Circumstances

The waiver for a fundamental right must be made in full knowledge of the surrounding circumstances.Footnote 460 Article 4(11) GDPR requires that any consent must be informed. The Article 29 WP found that “[f]or consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice.”Footnote 461 Those elements include the data controller’s identity, the purpose of the transfer, the type of data, the existence of the right to withdraw consent, and the identity or the categories of recipients.Footnote 462 Article 49(1)(a) GDPR specifically requires that the data subject may only consent to data transfers after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. An abstract reference to the absence of an adequacy decision and appropriate safeguards is not enough to comply with this requirement.Footnote 463 It is necessary to list the typical risks associated with a transfer to a third country in which the level of protection for personal data is not essentially equivalent to that guaranteed within the EU. Those risks include difficult enforcement of data subject rights, lack of control over further processing and onward transfer of personal data, lack of a supervisory authority, and access to personal data by government agencies including surveillance practices.Footnote 464 The requirements that consent must be informed and that a data subject may only consent to data transfers after having been informed of the possible risks of such transfers guarantee that the waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR is made in full knowledge of the surrounding circumstances.

4.3.3.3 Unequivocalness

The waiver for a fundamental right must be unequivocal. Article 4(11) GDPR requires that any consent must be unambiguous. The Article 29 WP emphasized that it is clear in the GDPR that unambiguous consent “requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration.”Footnote 465 Similarly, the ECJ found that “[o]nly active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.”Footnote 466 Recital (32) GDPR specifies that this could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity cannot constitute unequivocal consent. Article 49(1)(a) GDPR is even stricter as it requires “explicit” consent. The GDPR demands explicit consent in situations in which particular data protection risks emerge and a high individual level of control over personal data is mandated.Footnote 467 Such risks emerge in the context of cross-border flows of personal data. The term “explicit” refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.Footnote 468 Furthermore, Article 4(11) GDPR also requires that consent must be specific. Article 49(1)(a) GDPR implements that requirement by specifying that the data subject must explicitly consent to the proposed data transfer. All these requirements guarantee that the waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR is unequivocal.

4.3.3.4 Minimum Safeguards

The waiver for a fundamental right must be attended by minimum safeguards.Footnote 469 The Article 29 WP explains that obtaining consent does not negate or in any way diminish the data controller’s obligations to observe the principles of data processing enshrined in the GDPR, especially Article 5 GDPR regarding the fairness, necessity, proportionality, and quality of the data.Footnote 470 Furthermore, Article 7(3) GDPR mandates that the data controller must ensure that consent can be withdrawn by the data subject at any time and that withdrawing consent be as easy as giving consent. The principles of data processing and the possibility to withdraw consent at any time guarantee that the waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR is attended by minimum safeguards.

4.3.3.5 Respect for Important Public Interests

The waiver for a fundamental right may not run counter to any important public interest.Footnote 471 Recital (111) GDPR states that data transfers subject to the contract-based derogation in Article 49(1)(b) GDPR may only be occasional. The EDPB noted that although such a limitation is absent from the consent-based derogation in Article 49(1)(a) GDPR, the consent-based derogation must still be interpreted in a way which does not contradict the very nature of the derogation as being an exception.Footnote 472 Following this opinion, the consent-based derogation does not allow systematic, structural, and continuous data transfers in the way that adequacy decisions or the instruments providing appropriate safeguards do. Matthias Christoph Schwenke has argued that consent to data processing must be restricted when the related processing of personal data poses a threat to democracy, which relies on individual self-determination and the free formation of opinions.Footnote 473 He does not discern a threat like this in the context of individualized and personalized services. Similarly, such a threat should not arise in the context of occasional data transfers. Article 49(1)(a) GDPR does not allow data controllers to rely on the consent of individuals for systematic, structural, and continuous data transfers that would create a problematic aggregation of personal data that could pose a threat to democracy. The limitation on such data transfers guarantees that the waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR does not run counter to any important public interest.

4.3.3.6 Maintaining the Right

The waiver for the exercise of a fundamental right should not be connected with the loss of that fundamental right.Footnote 474 It must be repeated that consent for data transfers subject to the derogation in Article 49(1)(a) GDPR is only valid for the proposed data transfers and not for any other transfer. The waiver for the right to continuous protection of personal data subject to the derogation in Article 49(1)(a) GDPR only concerns the proposed data transfers. Furthermore, the consent can be withdrawn at any time. The waiver for the right to continuous protection of personal data based on Article 49(1)(a) GDPR is not connected with the loss of the right to data protection enshrined in Article 8 CFR.

4.3.4 Lawfulness of the Waiver

The waiver for the right to continuous protection for personal data pursuant to the consent-based derogation in Article 49(1)(a) GDPR is lawful. The EU legislator has anchored the requirements for a lawful waiver in Article 49(1)(a) GDPR. It is the responsibility of the data controller to adhere to these requirements when requesting the consent of individuals for data transfers based on Article 49(1)(a) GDPR. For the enforcement of the lawful waiver, however, it is indispensable that the individuals concerned also take responsibility. This sensitivity to fundamental rights protection must, and indeed may, be assumed.

4.4 The Data Subjects as Guardians of Fundamental Rights

Control over the lawfulness of limitations on continuous protection for personal data in relation to derogations for specific situations lies primarily with the data subjects themselves. In cases in which data transfers take place subject to the consent-based derogation in Article 49(1)(a) GDPR, the data subjects must make sure that the conditions of the waiver for the right to continuous protection of personal data are met. In cases in which data transfers take place subject to the contract-based derogation in Article 49(1)(b) GDPR, the data subjects must make sure that there is a close, direct or substantial link between the data transfer and the performance of the contract and that the contract outlines the risks of the data transfer in the third country. Article 8(2) CFR explicitly allows consent as a legal basis for the processing of personal data. The Charter therefore accepts that some degree of control over compliance with the right to data protection stays with the individuals themselves. In these cases, the data subjects must act as their own guardian of fundamental rights with regard to data transfers subject to the derogations in Article 49 GDPR.

However, individual data subjects are not always in a position to control whether the derogations for specific situations are used for data transfers to third countries that are systematic, structural, and continuous. Consequently, the primary responsibility for control over the lawfulness of limitations on continuous protection for personal data in relation to derogations for specific situations is complemented with the tasks of the supervisory authorities. In accordance with Article 8(3) CFR and Article 57 GDPR, the supervisory authorities of EU member states are responsible for monitoring compliance with EU rules concerning the protection of individuals regarding the processing of their personal data. Each supervisory authority is therefore vested with the power to examine whether data transfers from its home member state to a third country comply with the requirements laid down in the GDPR.Footnote 475 While the control over individual data transfers rests with the data subjects, the supervisory authorities must ensure that data transfers based on the two derogations are only used for occasional transfers and not abused for data transfers to third countries that are systematic, structural, and continuous. This does not, however, release the data exporters from their own responsibility in complying with the derogation in Article 49 GDPR.

4.5 Summary

The right to continuous protection of personal data leaves two doors open for data transfers to third countries even if the transferred personal data will not be subject to a level of protection that is essentially equivalent to that guaranteed within the EU. The first door is for data transfers subject to the contract-based derogation in Article 49(1)(b) GDPR. The contract-based derogation allows lawful limitations on the right to continuous protection of personal data in Article 8 CFR. The second door is for data transfers subject to the consent-based derogation in Article 49(1)(a) GDPR. The consent-based derogation constitutes a lawful waiver for the right to continuous protection of personal data in Article 8 CFR. These two derogations, however, do not allow data transfers to third countries that are systematic, structural, and continuous. Cloud computing applications such as Facebook or Google are thus not able to rely on these legal mechanisms to outsource their data processing operations. However, there are many service providers that may still rely on these legal mechanisms for data transfers that are occasional. In these cases, the data subjects must be attentive and insist that the requirements of the derogations are complied with. The supervisory authorities are responsible for ensuring that the exceptions in Article 49 GDPR are not abused.

5 Conclusion

The right to continuous protection of personal data is an unwritten constituent part of the right to data protection enshrined in Article 8 CFR. This right is not absolute. Limitations on the exercise of the right to continuous protection for personal data are lawful according to the conditions in Article 52(1) CFR. This chapter shows that an interference with the right to continuous protection of personal data must first be found in the EU. Intrusions in the third country—which, if they were attributed to the authorities of an EU member state would be regarded as interferences with Article 8 CFR—should be assessed with regard to the standard of essential equivalence. It is the transfer of personal data to a third country itself that constitutes an interference with the right to continuous protection of personal data in cases in which the personal data is not subject to protection essentially equivalent to that guaranteed within the EU after it has been transferred to a third country.

The restrictive effect of the EU system for data transfers materializes in cases in which systematic, structural, and continuous data transfers to third countries take place. Adequacy decisions based on Article 45 GDPR and instruments providing appropriate safeguards based on Article 46 GDPR allow such transfers of personal data. Even though these mechanisms would constitute valid legal bases for an interference with the right to continuous protection of personal data, data transfers fail the proportionality test in cases in which a third country does not provide a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. Neither the objectives of general interest nor the rights and freedoms of others identified in this chapter can justify the interference with the right to continuous protection of personal data. The legal mechanisms for data transfers in Articles 45 and 46 GDPR thus cannot be used for systematic, structural, and continuous data transfers in these circumstances.

In contrast, the derogations in Article 49 GDPR, which do not allow for systematic, structural, and continuous transfers of personal data, can be used to limit the right to continuous protection of personal data. If the level of protection for the transferred data is not essentially equivalent to that guaranteed within the EU, occasional transfers of personal data are still possible based on the derogations in Article 49 GDPR. The contract-based derogation in Article 49(1)(b) GDPR provides for a lawful limitation on the right to continuous protection for personal data. This derogation allows occasional data transfers that are necessary for the performance of a contract between the data subject and the controller. Nevertheless, the contract must outline the risks for the personal data of the individual in the third country. In these cases, the limitation on the right to continuous protection for personal data can be justified based on the protection of the freedom to conduct a business in Article 16 CFR. In addition, the consent-based derogation in Article 49(1)(a) GDPR provides for a lawful waiver for the right to continuous protection of personal data. This derogation allows occasional data transfers in cases in which the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks it entails. The waiver set out in Article 49(1)(a) GDPR is lawful because it does not force an individual to waive the right to continuous protection of personal data, allows for a decision made in full knowledge of the surrounding circumstances, requires an unequivocal statement of consent, is attended by minimum safeguards, does not run counter to any important public interest, and is not connected with the loss of the right to data protection in Article 8 CFR. Nevertheless—without some sort of agreement of the data subject to the data transfer and the risk it entails—even occasional transfers of personal data are not possible when the level of protection for the transferred personal data is not essentially equivalent to that guaranteed within the EU. The restrictive effects of the EU system for data transfers are firmly rooted in the protection of fundamental rights.