data protection directive
Recently Published Documents


Total documents: 110 (five years: 22)
H-index: 7 (five years: 1)

2021, Vol 4 (2), pp. 37-47
Author(s): Marcelo Corrales Compagnucci, Mateo Aboy, Timo Minssen

 This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape. 


Author(s): Ammar Younas

The increasing ‘datafication of society’ and ubiquitous computing resulted in high privacy risks such as commercial exploitation of personal data, discrimination, identity theft and profiling (automated processing of personal data). Especially, minor data subjects are more likely to be victims of unfair commercial practices due to their behavioral characteristics (emotional volatility and impulsiveness) and unawareness of consequences of their virtual activities. Accordingly, it has been claimed that thousands of mobile apps utilized by children collected their data and used it for tracking their location, processed it for the development of child profiles so as to tailor behavioral advertising targeted at them and shared it with third parties without children’s or parent’s knowledge. Following these concerns, the recently adopted EU General Data Protection Regulation (679/2016) departed from its Data Protection Directive (DPD) in terms of children’s data protection by explicitly recognizing that minors need more protection than adults and providing specific provisions aimed at protecting children’s right to data protection. Unlike the GDPR, the DPD was designed to provide “equal” protection for all data subjects irrespective of their age. This paper argues that the consent principle along with the requirement of parental consent cannot effectively be implemented for the protection of children’s data due to the lack of actual choice, verification issues and complexity of data processing, and also the outcome of the privacy notices in a child-appropriate form is limited. However, there are other mechanisms and restrictions embodied in the GDPR, which provide opportunities for the protection of children’s data by placing burden on data controllers rather than data subjects.


2021, pp. 77-91
Author(s): Kieron O’Hara

This chapter describes the Brussels Bourgeois Internet. The ideal consists of positive, managed liberty where rights of others are respected, as in the bourgeois public space, where liberty follows only when rights are secured. The exemplar of this approach is the European Union, which uses administrative means, soft law, and regulation to project its vision across the Internet. Privacy and data protection have become the most emblematic struggles. Under the Data Protection Directive of 1995, the European Union developed data-protection law and numerous privacy rights, including a right to be forgotten, won in a case against Google Spain in 2014, the arguments about which are dissected. The General Data Protection Regulation (GDPR) followed in 2018, amplifying this approach. GDPR is having the effect of enforcing European data-protection law on international players (the ‘Brussels effect’), while the European Union over the years has developed unmatched expertise in data-protection law.


Author(s): Julia Hörnle

Chapter 7 focuses on the intriguing question of when EU law is applied to, and enforced against, foreign data controllers by data protection authorities situated in a Member State of the EU. This chapter examines jurisdiction and applicable law in the area of data protection enforcement in the light of recent jurisprudence of the Court of Justice of the EU and Member States’ courts. Given that this caselaw relates to the “old” data protection instrument, namely the Data Protection Directive 1995/46/EC (DPD), this is contrasted with the “new” General Data Protection Regulation (GDPR), which entered into force in 2018. The comparison with the now superseded DPD is also important as it sketches the background and development of EU data protection law, which is important for the wider context and in particular for showing how difficult a coordination of national competences in this field has been. The chapter does not examine jurisdiction in civil litigation before the courts (Chapter 11), but instead focuses exclusively on administrative and regulatory competence under public law.


Author(s): Raphaël Gellert

The introductory chapter frames the way the topic of the risk-based approach will be addressed throughout the book. Rather than studying the risk-based approach as a given that is often seen as the irreconcilable opposite of the so-called rights-based approach (directly stemming from the status of data protection as a fundamental right of the EU), it sees the risk-based approach instead as the latest avatar of a series of regulation models applied in the data protection context. If the risk-based approach is the implementation of a regulation model to data protection, this means that the rights-based approach, and data protection more generally, has always had something to do with regulation. Furthermore, given the crucial importance that risk management tools play in the regulation model at stake, the issue becomes one of the entanglement of data protection law, risk, and regulation. One of the main points put forth is that the principle of proportionality is common to data protection law, regulation, and risk. From this perspective it frames the shift from the rights-based approach to the risk-based approach as a matter of variations around the proportionality principle. These variations are encapsulated in the different models of regulation at play: from the command and control model of the Data Protection Directive, to the meta regulation model underpinning the risk-based approach in the GDPR and other statutes.


Author(s): Raphaël Gellert

Chapter 2 demonstrates that data protection can be understood as command and control regulation by applying the three constitutive elements of regulation (standard setting, monitoring, behaviour control) thereto. If one wants to understand the modus operandi of newer models of regulation as applied to data protection (namely the risk-based model of regulation), one must first understand the basis. That is, how data protection can be understood as regulation in the first place. This standpoint has another corollary. Since newer models of regulation are featured in contemporary statutes (with the GDPR as a prime example), an understanding of data protection as command and control regulation entails studying less contemporary statutes. The prime case study will therefore be the EU Data Protection Directive, which, even though not in force anymore, is considered a suitable case for analysis as it embodies earlier models of regulation. Because this chapter is retrospective in scope (i.e. looking at previous data protection statutes in order to better understand the current ones), it often refers to historical sources of data protection (e.g. statutes and literature).


2020, Vol 11 (3), pp. 351-374
Author(s): Foivi Mouzakiti

Financial Intelligence Units (FIUs) hold a central position in the chain of actors responsible for the monitoring of money movements in the European Union. In support of their role, which is to receive, analyse and disseminate suspicious transaction reports, they have been furnished with significant information processing powers. At present, FIUs feature prominently in the EU’s anti-money laundering and counterterrorist financing agendas and plans to further enhance their powers of information exchange are underway. At the same time, however, the legal challenges that arise from their constant empowerment, particularly for the protection of personal data, are being overlooked. This article focuses on the cooperation between FIUs in the EU and argues that the latter takes place under a complex legal framework, which raises significant challenges for data protection. In particular, it highlights the present-day uncertainty over the data protection framework that governs their operations and discusses whether FIUs should be subject to the General Data Protection Regulation or to its law enforcement counterpart, the Police Data Protection Directive. The remainder of the article focuses on the ‘FIU.net’ – the decentralized network for information exchanges between EU FIUs – and on the data protection challenges that emerged from the recent integration of this network into Europol.


This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.


Author(s): Christopher Kuner, Lee A. Bygrave, Christopher Docksey

This book provides an article-by-article commentary on the EU General Data Protection Regulation (‘GDPR’). Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the reform of the EU regulatory framework for protection of personal data. While retaining the conceptual framework of the Data Protection Directive 95/46 (‘DPD’) that it replaced, the GDPR represents a major shift in the way that data protection is regulated in EU law. In addition, the GDPR has already become a global benchmark in the field.


AJIL Unbound, 2020, Vol 114, pp. 5-9
Author(s): Cedric Ryngaert, Mistale Taylor

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.

