Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

2021 ◽  
Vol 4 (2) ◽  
pp. 37-47
Author(s):  
Marcelo Corrales Compagnucci ◽  
Mateo Aboy ◽  
Timo Minssen

 This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape. 

2016 ◽  
Vol 44 (1) ◽  
pp. 143-155 ◽  
Author(s):  
Jennifer Stoddart ◽  
Benny Chan ◽  
Yann Joly

The European Union (EU) approach to data protection consists of assessing the adequacy of the data protection offered by the laws of a particular jurisdiction against a set of principles that includes purpose limitation, transparency, quality, proportionality, security, access, and rectification. The EU's Data Protection Directive sets conditions on the transfer of data to third countries by prohibiting Member States from transferring to such countries as have been deemed inadequate in terms of the data protection regimes. In theory, each jurisdiction is evaluated similarly and must be found fully compliant with the EU's data protection principles to be considered adequate. In practice, the inconsistency with which these evaluations are made presents a hurdle to international data-sharing and makes difficult the integration of different data-sharing approaches; in the 20 years since the Directive was first adopted, the laws of only five countries from outside of the EU, Economic Area, or the European Free Trade Agreement have been deemed adequate to engage in data transfers without the need for further administrative safeguards.


2017 ◽  
Vol 18 (4) ◽  
pp. 881-918 ◽  
Author(s):  
Christopher Kuner

The judgment of the Court of Justice of the European Union in Schrems v. Data Protection Commissioner, in which the Court invalidated the EU-US Safe Harbour arrangement, is a landmark in EU data protection law. The judgment affirms the fundamental right to data protection in the context of international data transfers, defines an adequate level of data protection, and illustrates how data protection rights under EU law can apply to data processing in third countries. It also raises questions about the status of other legal bases for international data transfers under EU law, and shows that many legal disputes concerning data transfers are essentially political arguments in disguise. The Schrems judgment illustrates the tendency of EU data protection law to focus on legalistic mechanisms to protect data transfers rather than on protection in practice. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court of Justice. Regulation of data transfers needs to go beyond formalistic measures and legal fictions, in order to move from illusion to reality.


Author(s):  
Vicente Guasch Portas

European Union legislation in the field of data protection is the most demanding in the world. By contrast, there are countries with lax regulation, or no regulation of any kind. These differences may cause the protection achieved within the Union to be lost the moment the data are located in countries with a lower or non-existent level of protection. To avoid this, international data transfers have been regulated in detail. This paper aims to shed light on some of the lesser-known aspects of international movements of personal data. We analyse a fundamental document of the Working Party of Article 29 of Directive 95/46/EC: the WP 12. We review the competence of the AEPD regarding the evaluation of states that provide an adequate level of protection. We examine the need to comply with legal provisions in the case of international transfer. Finally, we reflect on the changes envisaged in the proposed EU regulation on data protection.


Cyber Crime ◽  
2013 ◽  
pp. 832-850
Author(s):  
Grigore-Octav Stan ◽  
Georgiana Ghitu

This chapter outlines the Romanian data protection legal regime governing the cross-border transfers of personal data, both to countries located in the European Union (EU) or in the European Economic Area (EEA), as well as to non-EU or non-EEA countries. In addressing the Romanian legal requirements related to international transfers of personal data, a high level insight into the background of Romanian data protection principles and main rules applicable in the broader context of privacy proves useful. Although this chapter analyzes mainly the Romanian legal regime of data protection, with a special emphasis on cross-border transfer of personal data, a similar interpretation and application of the data protection related requirements may also be encountered in other European jurisdictions. While expounding primarily on data transfer related matters, this chapter also looks at how the EU Data Protection Directive (Directive No. 95/46 EC), as well as the relevant secondary legislation in the field of data protection, has been implemented into Romanian law.


2021 ◽  
pp. 340-381
Author(s):  
Ulrich Wuermeling ◽  
Isabella Oldani

This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.


2021 ◽  
Vol 0 (0) ◽  
Author(s):  
Siyue Li ◽  
Chunyu Kit

Based on the self-compiled corpora of the European Union and Chinese laws on data governance, this study adopts a corpus-driven approach to comparatively study the legislative design of the EU and China on digital governance, especially on key issues such as data protection, data processing and utilization, and cross-border data transfer. It is found through corpus analysis that the EU has developed a relatively comprehensive data protection system, which internally focuses on the protection of individual data rights and externally sets high standards on the cross-border transfer of data. Despite the data protection paradigm as it manifests, the EU is facing new challenges on data exportation and data jurisdiction in the competitive digital marketplace. Sharing the same concern on data protection legislation, Chinese data law has made significant progress in personal data protection with the nascent enactment of Data Security Law and Personal Data Protection Law. Notably, Chinese legislation features the hierarchical taxonomy of data under the principle of the national security exception, while it requires more legislative skills, flexible response mechanisms, and more subordinate laws to prevent future data security threats. Moreover, the corpus-driven method conducted in this study provides evidential insights for comparative legal textual studies across jurisdictions.


2015 ◽  
Vol 1 ◽  
pp. 77-93
Author(s):  
Alexandra Maria Rodrigues Araújo

Data protection is a fundamental right protected by the EU as well as several international human rights instruments. However, an adequate relation of this right faces new challenges every day. A complicated area for the effectiveness of EU data protection law is the cross-border transfer of personal data. In European law, the main principle applicable to international data flows is the principle of adequate protection. This principle implies that a transfer to a third country/international organization is only permissible if an adequate level of protection of the personal data transferred is guaranteed. In this regard, this paper examines the application of this principle in the adequacy decisions adopted by the European Commission.


This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.


2014 ◽  
Vol 2 (2) ◽  
pp. 55 ◽  
Author(s):  
Christopher Kuner

The European Union (EU) has supported the growing calls for the creation of an international legal framework to safeguard data protection rights. At the same time, it has worked to spread its data protection law to other regions, and recent judgments of the Court of Justice of the European Union (CJEU) have reaffirmed the autonomous nature of EU law and the primacy of EU fundamental rights law. The tension between initiatives to create a global data protection framework and the assertion of EU data protection law raises questions about how the EU can best promote data protection on a global level, and about the EU’s responsibilities to third countries that have adopted its system of data protection.

