These slides are based on the talk I gave to the Wisconsin International Law Journal's Annual Symposium "Stamping Privacy's Passport? The Role of International Law in Safeguarding Individual Privacy" (Wisconsin, USA; 8 April 2016). The talk argued that European data protection's formal understanding of the regulation of transborder data flows (TBDFs) is not only potentially very broad but has also not appropriately balanced data protection against other key rights such as freedom of information and freedom of association. Many of these existing structural difficulties are exacerbated under the newly agreed General Data Protection Regulation (GDPR). In order to better reconcile the values at stake, Data Protection Authorities (DPAs) should develop models to "authorize" low-risk TBDFs via self-certification by data controllers themselves, and Member States should make broad use of the derogations the Regulation leaves available. More generally, a contextual, risk-based interpretation of the GDPR must be developed which provides robust privacy and other individual safeguards without putting Europe's other core values and liberties in jeopardy.
EU General Data Protection Regulation & Transborder Information Flow
Dr. David Erdos
University of Cambridge
Data Protection: The European Approach
Europe’s Other Commitments
Freedom of expression
Freedom of information
Freedom of association
Freedom of movement
EU Directive & Transborder Data Flows
Derogations (Art. 26 & Art. 9)
1. EU contractual clauses giving “appropriate safeguards”
2. State authorized “appropriate safeguards”
3. Data subject waiver
4. Some weighty publicly orientated right or interest.
General Principle (Art. 25):
• "transfer may only take place if … the third country ensures an adequate level of protection."
• European Commission empowered to "whitelist" countries
Reconciliation? The Negatives
Meaning of "transfer" seemingly very broad.
Adequacy seemingly about the legal order of the country as a whole.
Derogations strict – State vires requires all other States to be informed; State law can restrict all other
Reconciliation? The Positives
Adequacy standard to be assessed "in all the circumstances" (Art. 25(2))
Adequacy vires could be applied by any controller – interpreted in UK as a "self-assessment" model.
Court of Justice of the EU (CJEU) in Lindqvist (2003) showed willingness to narrow the meaning of transfer.
New CJEU Case Law (2010 onwards)
More severe approach from the CJEU from 2010 onwards:
Data protection now an EU fundamental right
Growing awareness of the undermining of EU data protection
C-362/14 Schrems (2015) on "whitelisting" is the key example:
• "adequacy" here = legal order (not self-help)
• "adequacy" here = "essentially equivalent"
• whitelisting can't block regulatory protective action.
General DP Regulation: A Perfect Storm?
More absolutist starting point: "level of protection … shall not be undermined" (Art. 40)
Adequacy vires restricted to "whitelisting"
"Appropriate safeguards" based on authorization and the other derogations remain tight
New and far-reaching transparency requirements
Fines of up to €20M or 4% of global turnover (whichever is higher)
Reconciliation under General DP Regulation?
Legal actors to develop a contextual jurisprudence, e.g.:
• No transfer if data remain fully under the control of an EU-based controller?
• Sometimes no transfer if public-domain content has already been transferred? (cf. C-466/12 Svensson re: copyright)
Member States to make broad use of the derogations the Regulation leaves available
Regulators to "authorize" controllers to self-certify low-risk transfers
Failure of pan-EU statutory law to appropriately reconcile these values
Issues obscured by very lax enforcement to date
Problems here will become more acute under the GDPR
Need a conversation on legal solutions to these problems