“And [they] built a crooked h[arbour]” – the Schrems ruling and what it means for the future of data transfers between the EU and US

Safe Harbour (Henceforth, SH) has been the main enabler of EU-US personal data transfers since Decision 2000/520/EC came into force. Initially, Safe Harbour was seen as an innovative solution to a difficult problem. However, the problems the agreement was created to solve were never remedied. Thus, it did not come as a surprise that the Court of Justice of the European Union (hereinafter, CJEU), in Case C-362/14 (the Schrems ruling), deemed the agreement invalid. In the story “And he built a crooked house”, the infamous ‘crooked house’, designed by Robert A. Heinlein’s character Quintus Teal, mirrors SH’s flawed design. It also exemplifies the fact that great innovations can fail if not thought through carefully. Although the Schrems ruling’s scope does not go beyond Decision 2000/520/EC, it will force European Data Protection Agencies to look deeper into alternative data transfer mechanisms and possibly, consider transfers to jurisdictions other than the US. Furthermore, this decision highlights the fact that if any progress on this front is going to be made going forward regarding personal data transfers, any solution(s) would have to be made at a global level. This paper will provide an overview of the implications of the CJEU ruling on data transfers between the EU and the US going forward.

Download Full-text

L’invalidità del Safe Harbor Agreement

Ricerche giuridiche ◽

10.30687/rg/2281-6100/2018/01/007 ◽

2018 ◽

Author(s):

Fabiana Accardo

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Safe Harbor ◽

The European Union ◽

Court Of Justice ◽

The Us ◽

Data Protection Law ◽

The Impact ◽

The Eu

The purpose of this article is that to explain the impact of the landmark decision Schrems c. Data Protection Commissioner [Ireland] - delivered on 7 October 2015 (Case C-362/2014 EU) by the Court of Justice - on the European scenario. Starting from a brief analysis of the major outcomes originated from the pronunciation of the Court of Justice, then it tries to study the level of criticality that the Safe Harbor Agreement and the subsequently adequacy Commission decision 2000/520/EC – that has been invalidated with Schrems judgment – have provoked before this pronunciation on the matter of safeguarding personal privacy of european citizens when their personal data are transferred outside the European Union, in particular the reference is at the US context. Moreover it focuses on the most important aspects of the new EU-US agreement called Privacy Shield: it can be really considered the safer solution for data sharing in the light of the closer implementation of the Regulation (EU) 2016/679, which will take the place of the Directive 95 /46/CE on the EU data protection law?

Download Full-text

Regulation of International Data Transfers in Clouds

Cloud Computing Law ◽

10.1093/oso/9780198716662.003.0010 ◽

2021 ◽

pp. 340-381

Author(s):

Ulrich Wuermeling ◽

Isabella Oldani

Keyword(s):

Data Transfer ◽

Personal Data ◽

Cloud Provider ◽

European Economic Area ◽

The European Union ◽

General Data Protection Regulation ◽

Number Of Factors ◽

International Data ◽

Data Transfers ◽

International Data Transfers

This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.

Download Full-text

Introductory Note

10.1093/oso/9780190848194.003.0027 ◽

2017 ◽

Cited By ~ 1

Author(s):

Francesco Seatzu

Keyword(s):

Personal Data ◽

Case Law ◽

Fundamental Rights ◽

The European Union ◽

Safe Harbour ◽

European Court ◽

Institutional Issues ◽

Introductory Note ◽

The Us ◽

Rights Issues

The year 2015 was characterized by some important development in the European Court of Justice’s (ECJ) case law as a whole, and in particular the case law on fundamental rights, citizenship, institutional issues, protection of personal data, and social policy and rights issues. Noteworthy is that the ECJ finally issued its landmark and long-awaited judgment in the Maximillian Schrems case that led to the invalidation of the ‘safe harbour’ system, namely, one of the mechanisms in the last fifteen years for personal data transfers from the European Union to US entities having voluntary self-certified under the US safe harbour framework.

Download Full-text

Reality and Illusion in EU Data Transfer Regulation PostSchrems

German Law Journal ◽

10.1017/s2071832200022197 ◽

2017 ◽

Vol 18 (4) ◽

pp. 881-918 ◽

Cited By ~ 9

Author(s):

Christopher Kuner

Keyword(s):

Data Protection ◽

Eu Law ◽

The European Union ◽

Safe Harbour ◽

Court Of Justice ◽

International Data ◽

Data Transfers ◽

Data Protection Law ◽

International Data Transfers ◽

The Eu

The judgment of the Court of Justice of the European Union inSchrems v. Data Protection Commissioner, in which the Court invalidated the EU-US Safe Harbour arrangement, is a landmark in EU data protection law. The judgment affirms the fundamental right to data protection in the context of international data transfers, defines an adequate level of data protection, and illustrates how data protection rights under EU law can apply to data processing in third countries. It also raises questions about the status of other legal bases for international data transfers under EU law, and shows that many legal disputes concerning data transfers are essentially political arguments in disguise. TheSchremsjudgment illustrates the tendency of EU data protection law to focus on legalistic mechanisms to protect data transfers rather than on protection in practice. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court of Justice. Regulation of data transfers needs to go beyond formalistic measures and legal fictions, in order to move from illusion to reality.

Download Full-text

ASSESSING THE IMPLICATIONS OF SCHREMS II FOR EU–US DATA FLOW

International and Comparative Law Quarterly ◽

10.1017/s0020589321000348 ◽

2021 ◽

pp. 1-18

Author(s):

Maria Helen Murphy

Keyword(s):

European Union ◽

Data Protection ◽

Data Flow ◽

Data Transfer ◽

Personal Data ◽

Fundamental Rights ◽

Constant Flow ◽

The European Union ◽

Court Of Justice ◽

The Eu

Abstract With the constant flow of data across jurisdictions, issues regarding conflicting laws and the protection of rights arise. This article considers the EU–US data transfer relationship in the aftermath of the decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems where the Court of Justice of the European Union (CJEU) invalidated an EU–US data transfer agreement for the second time in just five years. This judgment continues the line of cases emphasising the high value the Court places on securing EU personal data in accordance with EU data protection standards and fundamental rights. This article assesses the implications of the ruling for the vulnerable EU–US data transfer relationship.

Download Full-text

Japan’s Personal Information Protection Policy Under Pressure

Asian Survey ◽

10.1525/as.2020.60.3.510 ◽

2020 ◽

Vol 60 (3) ◽

pp. 510-533

Author(s):

Yuko Suda

Keyword(s):

Domestic Politics ◽

Data Transfer ◽

Personal Information ◽

Mutual Recognition ◽

Personal Data ◽

Information Protection ◽

The European Union ◽

Protection Policy ◽

The Eu ◽

Personal Information Protection

This article explores the politics surrounding the recent data transfer agreement between Japan and the European Union, with a focus on the linkage between Japanese domestic politics and foreign pressure on Japan’s personal information protection policy. The agreement may be seen as one of mutual recognition, in that Japan and the EU mutually recognized the other as providing an “adequate level of protection” for personal data. However, a close examination of the case suggests that Japan made substantial efforts to meet the EU’s standards for adequacy in order to enhance the interests of transnationalized Japanese firms that rely on the flow of personal information across borders. In sum, the latest changes in Japanese personal information protection regulation paved the way for the Japan-EU data transfer agreement; these changes were precipitated by the extraterritorial effect of the EU’s data protection laws, which had resonated within Japan’s domestic politics.

Download Full-text

Tarcza Prywatności UE–USA po kolizji w „bezpiecznej przystani”. Zakres ochrony prywatności po wyroku w sprawie C-362/14 Schrems

Przegląd Prawa i Administracji ◽

10.19195/0137-1134.107.10 ◽

2017 ◽

Vol 107 ◽

pp. 181-193

Author(s):

Sylwia Majkowska-Szulc

Keyword(s):

Data Transfer ◽

Essential Element ◽

Personal Data ◽

The United States ◽

Fundamental Rights ◽

The European Union ◽

Transatlantic Trade ◽

Trading Partners ◽

Charter Of Fundamental Rights ◽

The Eu

EU–U.S. PRIVACY SHIELD AFTER A COLLISION IN THE “SAFE HARBOUR”. THE SCOPE OF PRIVACY PROTECTION AFTER THE JUDGEMENT IN THE C-362/14 SCHREMS CASETransfer of personal data is an essential element of the transatlantic trade relationship, because the EU and the United States are for each other the most important trading partners. Data transfers increasingly form an integral part of their commercial exchanges. The Court of Justice of the European Union ruling of 6 October 2015 in case C-362/14 Schrems reaffirmed the importance of the fundamental right to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU, including the situation when such data are transferred outside the EU. In the wake of the hereinabove judgement the transatlantic data transfer has been regulated anew. European Commission has launched EU-U.S. Privacy Shield in order to ensure stronger protection for transatlantic data flows. This article aims to analyse the importance and results of the above-mentioned judgement.

Download Full-text

Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

Nordic Journal of European Law ◽

10.36969/njel.v4i2.23780 ◽

2021 ◽

Vol 4 (2) ◽

pp. 37-47

Author(s):

Marcelo Corrales Compagnucci ◽

Mateo Aboy ◽

Timo Minssen

Keyword(s):

Data Protection ◽

Personal Data ◽

The European Union ◽

Cross Border ◽

Data Protection Directive ◽

Legal Challenges ◽

International Data ◽

Data Transfers ◽

International Data Transfers ◽

The Eu

This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.

Download Full-text

TTIP, CETA, and TiSA Behind Closed Doors

10.1093/oso/9780198808893.003.0010 ◽

2017 ◽

Cited By ~ 2

Author(s):

Panagiotis Delimatsis

Keyword(s):

European Union ◽

Global Governance ◽

Early Stage ◽

European Parliament ◽

Trade Negotiations ◽

The European Union ◽

The Us ◽

The Eu

Secrecy and informality rather than transparency traditionally reign trade negotiations at the bilateral, regional, and multilateral levels. Yet, transparency ranks among the most basic desiderata in the grammar of global governance and has been regarded as positively related to legitimacy. In the EU’s case, transparent trade diplomacy is quintessential for constitutional—but also for broader political—reasons. First, even if trade matters fall within the EU’s exclusive competence, the EU executive is bound by the Treaty on the Functioning of the European Union (TFEU) to inform the European Parliament, the EU co-legislator, in regular intervals. Second, transparency at an early stage is important to address public reluctance, suspicion, or even opposition regarding a particular trade deal. This chapter chronicles the quest for and turning moments relating to transparency during the EU trade negotiations with Canada (CETA); the US (TTIP), and various WTO members on services (TiSA).

Download Full-text

The Trend of Scientific Productivity of Chinese, EuropeanUnion, and United States Universities and Private Companies: Does the Future Belong to E-Technology Companies?

Publications ◽

10.3390/publications9020018 ◽

2021 ◽

Vol 9 (2) ◽

pp. 18

Author(s):

Mauro G. Carta ◽

Matthias C. Angermeyer ◽

Silvano Tagliagambe

Keyword(s):

United States ◽

European Union ◽

Scientific Productivity ◽

The United States ◽

The European Union ◽

Private Companies ◽

American Universities ◽

The Us ◽

Parametric Statistics ◽

The Eu

The purpose is to verify trends of scientific production from 2010 to 2020, considering the best universities of the United States, China, the European Union (EU), and private companies. The top 30 universities in 2020 in China, the EU, and the US and private companies were selected from the SCImago institutions ranking (SIR). The positions in 2020, 2015, and 2010 in SIR and three sub-indicators were analyzed by means of non-parametric statistics, taking into consideration the effect of time and group on rankings. American and European Union universities have lost positions to Chinese universities and even more to private companies, which have improved. In 2020, private companies have surpassed all other groups considering Innovation as a sub-indicator. The loss of leadership of European and partly American universities mainly concerns research linked to the production of patents. This can lead to future risks of monopoly that may elude public control and cause a possible loss of importance of research not linked to innovation.

Download Full-text