Many states recognize, at least on paper, that data protection and privacy are important values. Nevertheless, they diverge quite jarringly on what the correct level or design of such protection should be. [Footnote 1] In particular, there is deep disagreement about when data protection crosses the line and becomes data protectionism. In this book, I have shown—using the example of EU law—where the line between data protection and data protectionism in international trade law currently is, and how it can or should be redrawn.

The first part of this book explored EU-style data protection, its application to cross-border flows of personal data, and its consequences. EU data protection law centers around the fundamental right to data protection enshrined in Article 8 CFR. The right to data protection was integrated into the CFR alongside the right to private life to strengthen the protection of fundamental rights in light of changes in society, social progress, and scientific and technological developments. [Footnote 2] I argued in Chap. 2 that the right to data protection in Article 8 CFR has an extraterritorial dimension that applies to cross-border flows of personal data. The extraterritorial dimension of Article 8 CFR affords individuals in the EU continuous protection of personal data––essentially equivalent to that guaranteed within the EU—in the case that personal data is transferred from the EU to a third country. I suggested that this right to continuous protection of personal data is an unwritten constituent part––in addition to the six written constituent parts––enshrined in Article 8 CFR. The right to continuous protection of personal data applies, for example, when personal data that is transferred to a third country could be the target of internet surveillance practices in a third country. In cases in which continuous protection of personal data cannot be guaranteed, the export of personal data from the EU must be restricted to accord with this unwritten constituent part of Article 8 CFR.

At the same time, the right to continuous protection of personal data found in Article 8 CFR is not absolute and can be limited according to Article 52 (1) CFR. In Chap. 3, I analyzed the possibilities of such limitations. However, as I showed, no lawful limitations are possible in cases in which systematic, structural, and continuous data transfers take place to a third country that does not provide a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. The interference with Article 8 CFR caused by systematic, structural, and continuous data transfers fails the proportionality assessment in Article 52(1) CFR. Neither the freedom of expression in Article 11 CFR nor the freedom to conduct a business in Article 16 CFR can justify this interference. I thus concluded that the legal mechanisms in Articles 45 and 46 GDPR cannot be used for systematic, structural, and continuous data transfers to third countries that do not provide a level of protection that is essentially equivalent to that guaranteed within the EU. My fundamental rights analysis demonstrates that only the derogations in Article 49 GDPR—which do not allow for systematic, structural, and continuous data transfers—can be used to limit the right to continuous protection of personal data in Article 8 CFR. Occasional data transfers using the contract-based derogation and the consent-based derogation in Article 49 GDPR may take place even if the third country of destination does not provide an adequate level of protection. However, these derogations both require some sort of agreement from the data subject for the transfer of their personal data and the data subject must be informed about the risks of the data transfers in question. Taken together, this means that the EU fundamental rights-based regulation of data transfers can have highly restrictive effects.

The second part of this book examined the relationship of the EU fundamental rights-based regulation of data transfers and international trade law. It covered the compatibility of current EU regulation with WTO law and the possibility to accommodate such regulation in new trade agreements. In Chap. 4, I identified seven interferences caused by the EU regulation of data transfers with obligations in the GATS. Most of these interferences are justifiable under the privacy exception in Article XIV(c)(ii) GATS. My analysis also showed that the EC negotiated the GATS with great foresight. The negotiation documents reveal that the EC pushed for the adoption of a privacy exception with a view to its future data protection framework. Nevertheless, I argued that some aspects of the EU regulation of data transfers do not find justification under the privacy exception in Article XIV(c)(ii) GATS. This concerns due process requirements in cases in which a third country requests an adequacy decision according to Article 45 GDPR; special framework adequacy decisions for countries that otherwise would not qualify for a regular adequacy decision such as the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision for the US, or the planned adequacy decision for the Transatlantic Data Privacy Framework between the EU and the US; and inconsistencies in the use of the corrective powers to ban or suspend data transfers in Article 58(2)(f) and (j) GDPR by the supervisory authorities in the EU member states. Consequently, I found that the EU fundamental rights-based regulation of data transfers is compatible with WTO law as long as the due process requirements are complied with, no special framework adequacy decisions are adopted, and the supervisory authorities in the EU member states use their corrective powers actively and consistently to enforce the right to continuous protection of personal data.

Due to their importance for international trade, cross-border flows of personal data are also the subject of multiple current negotiations in international trade law. While multilateral trade negotiations at the WTO move slowly and compromise is increasingly difficult, bilateral and regional trade agreements have become an important forum to address data flows on the international plane. I showed in Chap. 5 that the EU must respect several requirements when negotiating data flow clauses in trade agreements. The most important requirement is the primacy of fundamental rights over international law, which includes the right to continuous protection of personal data enshrined in Article 8 CFR. Yet I also criticized the EU model data flow clauses, which the European Commission endorsed as a model for future negotiations of EU trade agreements in 2018, for not committing to the free flow of personal data across borders and refusing to establish regulatory cooperation in the field of data protection. As an alternative, I proposed four new designs for a data flow clause that respect the primacy of the right to continuous protection of personal data in Article 8 CFR while still entailing a commitment to the free flow of personal data across borders and regulatory cooperation between the contracting parties in the field of data protection. The four designs further the opportunity to reach greater convergence for high data protection standards on the international plane.

The EU fundamental rights-based regulation of data transfers proved to be a good example to illuminate the line between data protection and data protectionism according to WTO law. It allowed me to show that even very high data protection standards––such as in the EU––can be compatible with the GATS when consistently applied. At the same time, the EU regulation of data transfers was also a good example to show how the line between data protection and data protectionism can or should be redrawn. The architecture of EU law gives primacy to fundamental rights over international law. The EU thus cannot negotiate data flow clauses in trade agreements that compromise its high data protection standards. The four designs of data flow clauses that I introduced combine a commitment to the free flow of personal data across borders with high data protection standards and therefore offer a new avenue for data protection without data protectionism.

Nevertheless, even if I portrayed the EU fundamental rights-based regulation of data transfers as a good example to assess the line between data protection and data protectionism, the EU regulation of data transfers also faces challenges. One of the biggest challenges today lies in the enforcement of the right to continuous protection of personal data. Fragmented enforcement clashes with EU data protection law and international trade law. Recital (10) GDPR entails one of the goals of EU data protection law:

Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

This applies to the transfer of personal data in the same way it applies to all other data processing operations. In addition, Article 8 CFR guarantees that everyone has the right to the protection of his or her personal data regardless of his or her place of residence in the EU. This means that the protection of personal data transferred from the EU to a third country must be the same in every EU member state and without variation regardless of the destination country. In short, no inconsistencies can be reconciled with EU data protection law. Moreover, inconsistent enforcement of the EU fundamental rights-based regulation of data transfers could lead to arbitrary or unjustifiable discrimination according to the standards in the chapeau of Article XIV GATS and therefore constitute a violation of WTO law. This is because such inconsistencies cannot be reconciled with the overall policy objective of securing compliance with the right to continuous protection of personal data in Article 8 CFR, which is covered by Article XIV(c)(ii) GATS.

The matter of enforcement of the EU’s fundamental rights-based regulation of data transfers requires increased attention. In the end, it is the individual supervisory authorities of the EU member states that are responsible for enforcing the right to continuous protection of personal data in Article 8 CFR. Until recently, the enforcement of this right has been slack. Following the judgment of the ECJ in Schrems 2 on 16 July 2020, however, the enforcement of this right has been put in the spotlight. In this judgment, the ECJ explicitly stated that the exercise of the powers to suspend and prohibit data transfers set out in Article 58(2)(f) and (j) GDPR is not simply optional, but an obligation that the supervisory authorities in the EU member states have to fulfill in cases in which the level of protection required by EU law cannot be ensured. [Footnote 3] In short, supervisory authorities must act to remedy violations of the right to continuous protection of personal data, and they must act consistently. This concerns two situations in particular: First, the different supervisory authorities must adopt the same policy for data transfers to a specific third country (consistency among the different supervisory authorities). Second, every supervisory authority must adopt the same policy for data transfers to all third countries that pose similar threats to fundamental rights in order not to discriminate against certain countries (consistency within the individual supervisory authorities).

The Schrems 2 judgment has put the individual EU supervisory authorities to the test. In the months following the decision, the judgment seemed to have had little effect on data transfers in practice. Some of the largest EU data exporters maintain that they will continue to use standard data protection clauses for the transfer of personal data from the EU to the US, despite the clear indication by the ECJ that this is not sufficient. For example, Microsoft stated that they would update their contractual clauses and use strong encryption, but otherwise not change their practices. [Footnote 4] This has left the supervisory authorities in the EU struggling to fulfil their “new” responsibilities. [Footnote 5] Many of the supervisory authorities are underfunded and understaffed. [Footnote 6] And while some supervisory authorities have acted to regulate the transfer of personal data from the EU to the US, others have not. [Footnote 7] In any case, even those which have acted have so far only offered general statements and few guidelines. For example, the DPC of Ireland stated that “the application of the [standard data protection clauses] transfer mechanism to transfers of personal data to the United States is now questionable.” [Footnote 8] Supervisory authorities have not really used their corrective powers to remedy the violations outlined in Schrems 2.

On 10 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with Schrems 2. [Footnote 9] However, the EDPB identified two common scenarios in which no effective compliant measures could be found. [Footnote 10] It is important to stress that the findings in Schrems 2 not only concern data transfers to the US, but are applicable to data transfers to all third countries, some of which might also not provide a level of protection of personal data essentially equivalent to that guaranteed within the EU. It is now up to the EU—and specifically the supervisory authorities in the individual EU member states—to increase their efforts to enforce the right to continuous protection of personal data in Article 8 CFR. [Footnote 11] The current situation undermines EU data protection law and any attempt to address specific data transfers only—such as transfers to the US, for example—risks violating international trade law. To remedy the current situation, a comprehensive and coordinated course of action is required. I have shown in this book that the consistency mechanism in Article 64 GDPR could offer a potential remedy, although others may be necessary as well. How the supervisory authorities meet this challenge is a topic to follow up on in future research.

Overall, this book has shown that restrictions on cross-border flows of personal data oriented toward protecting fundamental rights––such as laid out in EU data protection law––comply with international trade law and thus should not be interpreted as protectionist when applied consistently. This is clear from the fact that restrictions oriented toward protecting fundamental rights would disappear if third countries implemented stronger uniform data protection legislation and followed international human rights law pertaining to surveillance practices. In EU data protection law, data transfers are allowed as long as these rights are guaranteed. Ultimately, this means that the EU fundamental rights-based regulation of data transfers can be justifiably considered as data protection without data protectionism.