13 Bilateral Strategy: Joining Forces with Like-Minded Jurisdictions Such as the US




9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



strategy avoids what may be perceived from the US side as regulatory imperialism by the EU.218 In the second place, the strategy may benefit global privacy and data protection. Cooperation between the EU and the US jurisdictions – whether or not by way of formal treaties – would be a means to face common challenges in the area of privacy and data protection in a coordinated manner and to allow both parties to join forces, for instance in the field of enforcement. In the third place, if well negotiated, the strategy might encourage the US to adopt the standards originating from the EU and hence be instrumental to the fulfilment of the EU’s task under Articles 3(5) and 21 TEU to uphold and promote its values in the wider world. In the fourth place, the strategy might create a level playing field between companies operating from the US and those operating from the EU and, by doing so, contribute to ensuring the competitive position of EU companies.219 In the fifth place, if the great powers act in concert, this is a more effective way of policy-making and harmonisation in a global environment than is the case where these powers fail to agree.220

The most obvious disadvantage to this strategy is connected to the two latter features: a level playing field between the EU and the US does not necessarily reflect the preferences of the EU and may require it to lower its standards of protection.

The exercise of external powers by the EU has led to a few bilateral agreements with the US, facilitating the exchange of personal data between both jurisdictions, subject to compliance with data protection standards. These agreements cover the exchange between private parties, between private parties and government actors, as well as between government actors inter se.

The exchange of personal data between private parties was the object of the Safe Harbour agreement of 2000,221 which was declared invalid by the Court of Justice in the Schrems ruling of 6 October 2015.222 This agreement was based on practical considerations, in order to ensure that the flow of personal data from the EU to the US fulfils the requirements of Directive 95/46 on data protection. An important element of the agreement is the enforcement in the US, which was ensured by the



218 Term used by Bradford; Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012, at 35.

219 According to Cremona, this is an important driver behind EU policies, Marise Cremona, “The Union as a global actor: Roles, models and identity” CMLR, 41, pp. 553–573, at 556.

220 In this sense, Daniel W. Drezner, Globalization, Coercion, and Competition: The different pathways to policy convergence, University of Chicago, February 2004.

221 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, OJ L 215/7.

222 Case C-362/14, Schrems, EU:C:2015:650. Safe Harbour is now replaced by Privacy Shield, Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.






Federal Trade Commission.223 The FTC had declared its strong commitment to vigilant Safe Harbour enforcement.224

From the European side there was criticism of the agreement, in particular concerning the transparency, the enforcement and the access to data by US government authorities.225 This was a reason for the European side, as a consequence of the Snowden revelations, to seek a review of the agreement, already before the Schrems ruling.226

The exchange between private parties and government actors led to bilateral agreements aiming at reconciling privacy and security relating to the use and transfer of passenger name records (PNR) to the US Department of Homeland Security,227 and to the processing and transfer of financial messaging data from the EU to the US for the purposes of the Terrorist Finance Tracking Program (TFTP).228 These agreements allow the access of US authorities to data from the private sector in the EU, subject to conditions related to data protection. Also in these cases, there is European concern regarding the implementation of the agreements. This is one of the reasons why the agreements envisage joint mechanisms for their review,229 focusing on implementation.

The exchange between government actors in the law enforcement sector is the (main) subject of the negotiations on the EU-US Data Protection and Privacy Agreement (“Umbrella Agreement”),230 which supplements existing agreements with only limited provisions on data protection,231 and aims to set minimum standards for data protection where personal data are exchanged between the law enforcement authorities in the two jurisdictions. The negotiations on this agreement started in March 2011 and have not been easy, also as a result of one recurring issue, the right of effective judicial redress to be granted by the US to EU citizens who are not resident in the US.232 In September 2015, the Commission announced that the negotiations had been finalised. The signature and the conclusion of the agreement had to wait for the adoption of the Judicial Redress Act in the US,233 which became law in February 2016 and must grant EU citizens judicial redress under the US Privacy Act of 1974.234

223 See also Chap. 7, Sect. 7.5 of this book.

224 See: Privacy Enforcement and Safe Harbor: Comments of the FTC Staff to European Commission Review of the U.S.-EU Safe Harbor Framework (12 November 2013), available on: http://www.ftc.gov/sites/default/files/documents/public_statements/privacy-enforcement-safeharbor-comments-ftc-staff-european-commission-review-u.s.eu-safe-harbor-framework/131112europeancommissionsafeharbor.pdf.

225 COM(2013)847 - Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies.

226 Focusing on review is an assignment of the EU Commission for Justice, Jourova, http://ec.europa.eu/about/juncker-commission/docs/jourova_en.pdf.

227 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ (2012) L 215/5. This agreement was preceded by two earlier agreements.

228 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195/5.

229 Article 23 of the Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ (2012) L 215/5; Article 13 of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195/5.

230 The Umbrella Agreement was signed by the EU and the US on 2 June 2016, but must still be ratified. http://www.consilium.europa.eu/en/press/press-releases/2016/06/02-umbrella-agreement/. See also: http://www.justice.gov/opa/pr/attorney-general-holder-pledges-support-legislation-provide-eu-citizens-judicial-redress. http://ec.europa.eu/justice/data-protection/files/factsheets/umbrella_factsheet_en.pdf.

231 E.g., Article 9 of the Agreement on mutual legal assistance between the European Union and the United States of America, which entered into force on 1 February 2010.

The rationale of all these agreements with the US is to facilitate the transfer of personal data from the EU to the US. The agreements do not harmonise the level of protection between the EU and the US, nor do they use the concept of mutual recognition.235 The EU recognises the level of protection in the US, including the enforcement on the US side, but this recognition is not mutual. In this sense, the agreements are exponents of a mix between a unilateral and a bilateral strategy, not of a genuine bilateral strategy.236

In short, a bilateral agreement on privacy and data protection between the EU and the US, as an example of a like-minded country, based on reciprocity, would be something new. An agreement does not necessarily mean an approximation of standards of privacy and data protection on both sides of the Atlantic Ocean, but could also focus on mutual recognition, standardisation processes or enforcement cooperation.



9.14 Multilateral Strategy: Towards Global Protection in the Framework of the UN

The multilateral strategy aims at developing global standards, or, in other words, by pursuing this strategy, the European Union would operate as generator of global rules,237 which would most logically be enacted within the framework of the United Nations.

This strategy has three distinct justifications. First, the objective of influencing global governance based on EU values would be one of the main reasons for action,

232 http://ec.europa.eu/justice/data-protection/files/factsheets/umbrella_factsheet_en.pdf.

233 Judicial Redress Act of 2015, 130 STAT. 282 PUBLIC LAW 114–126—FEB. 24, 2016.

234 http://europa.eu/rapid/press-release_STATEMENT-15-5610_en.htm.

235 See on mutual recognition in general: Valsamis Mitsilegas, The constitutional implications of mutual recognition in criminal matters in the EU, CML Rev October 2006, Issue 5, pp. 1277–1311; and Chap. 8, Sect. 8.7 of this book. In relation to transborder data flows: Christopher Kuner, Transborder Data Flows and Data Privacy Law, Oxford University Press, 2013, at 163, at 178–180.

236 As explained above in this section in relation to Safe Harbour.

237 Wording taken from Marise Cremona, “The Union as a global actor: Roles, models and identity” CMLR, 41, pp. 553–573, at 557.






in view of the moral imperative under Articles 3(5) and 21 TEU. Diogenes’ citizen of the world deserves strong protection.238 Second, a reason for the European Union to pursue global rules on data protection would be to avoid the protection of individuals within the Union being compromised because the rules in other parts of the world are more lenient.239 Third, economic reasons could provide a motivation, because global standards could contribute to creating a level playing field for economic actors.240

Although, in the area of privacy and data protection, there is no global consensus on the values of protection and the ways to deliver protection, this multilateral strategy would not start from scratch. As confirmed by the United Nations High Commissioner for Human Rights: “International human rights law provides a clear and universal framework for the promotion and protection of the right to privacy, including in the context of domestic and extraterritorial surveillance, the interception of digital communications and the collection of personal data.”241 Furthermore, in the context of the UN, online privacy is high on the agenda, although no concrete initiatives for a global agreement have yet been taken.242 On a more practical level, suggestions have been made for global standards. An example is known as the ‘Madrid Resolution’ on international privacy standards, adopted by the International Conference of Privacy and Data protection authorities in 2009.243

The multilateral strategy is rather a long shot.244 There is an absence of global consensus at an aspirational level, in particular, where this approach implies agreement with countries that do not share basic democratic values. Moreover, there are diverging views on the level of preferred legislative arrangements, with the transatlantic divide relating to supervisory arrangements as the obvious example.245 Divergence

238 See Sect. 9.5 above.

239 In this sense, but not specifically on data protection: Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012, at 46–47.

240 Bradford specifies this in an interesting way. Even where harmonisation takes place in the market (on a level aspired by the EU) it would make sense to pursue legally binding harmonisation, to “lock in” EU standards; Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012, at 47.

241 The right to privacy in the digital age, Report of the Office of the United Nations High Commissioner for Human Rights, 30 June 2014.

242 E.g., The right to privacy in the digital age, Report of the Office of the United Nations High Commissioner for Human Rights, 30 June 2014, http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf

243 Adopted in 2009, by the 31st International Conference. See www.privacyconference2009.org

244 These three obstacles are also, albeit with different wording, listed in: De Hert, P. and Papakonstantinou, V., “Three scenarios for international governance of data privacy: towards an international data privacy organization, preferably a UN agency?”, A Journal of Law and Policy for the Information Society, vol. 9, no. 2, 271–324, 2013, at 315–322.

245 Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press 2014, at 3F. Also: David C. Vladeck, A U.S. Perspective on Narrowing the U.S.-EU Privacy Divide, in “Hacia un Nuevo derecho europea de protección de datos, Towards a new European Data Protection Regime”, Artemi Rallo Lombarte, Rosario García Mahamut (eds), Tirant lo Blanch, 2015.


