Tải bản đầy đủ - 0trang
13 Bilateral Strategy: Joining Forces with Like-Minded Jurisdictions Such as the US
9 Understanding the EU Mandate Under Article 16 TFEU in the External Domain…
strategy avoids what may be perceived from the US side as regulatory imperialism
by the EU.218 In the second place, the strategy may have benefits to the benefit of
global privacy and data protection. A cooperation between the EU and the US jurisdictions – whether or not by way of formal treaties – would be a means to face
common challenges in the area of privacy and data protection in a coordinated manner and to allow both parties to join forces, for instance in the field of enforcement.
In the third place, if well negotiated, the strategy might encourage the US to adopt
the standards originating from the EU and hence be instrumental to the fulfilment of
the EU’s task under Articles 3(5) and 21 TEU to uphold and promote its values in
the wider world. In the fourth place, the strategy might create a level playing field
between companies operating from the US and those operating from the EU and, by
doing so, contribute to ensuring the competitive position of EU companies.219 In the
fifth place, if the great powers act in concert, this is a more effective way of policy-
making and harmonisation in a global environment than is the case where these
powers fail to agree.220
The most obvious disadvantage to this strategy is connected to the two latter
features: a level playing field between the EU and the US does not necessarily
reflect the preferences of the EU and may require it to lower its standards of
The exercise of external powers by the EU has led to a few bilateral agreements
with the US, facilitating the exchange of personal data between both jurisdictions,
subject to compliance with data protection standards. These agreements cover the
exchange between private parties, between private parties and government actors, as
well as between government actors inter se.
The exchange of personal data between private parties was the object of the Safe
Harbour agreement of 2000,221 which was declared invalid by the Court of Justice
in the Schrems ruling of 6 October 2015.222 This agreement was based on practical
considerations, in order to ensure that the flow of personal data from the EU to the
US fulfils the requirements of Directive 95/46 on data protection. An important element of the agreement is the enforcement in the US, which was ensured by the
Term used by Bradford; Anu Bradford, “The Brussels Effect”, Northwestern University Law
Review, Vol. 107, No. 1, 2012, at 35.
According to Cremona, this is an important driver behind EU policies, Marise Cremona, “The
Union as a global actor: Roles, models and identity” CMLR, 41, pp. 553–573, at 556.
In this sense, Daniel W. Drezner, Globalization, Coercion, and Competition: The different pathways to policy convergence, University of Chicago, February 2004.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy of the protection provided by the safe
harbour privacy principles and related frequently asked questions issued by the US Department of
Commerce, OJ L 215/7.
Case C-362/14, Schrems, EU:C:2015:650. Safe Harbour is now replaced by Privacy
Shield, Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy of the protection provided by the
EU-U.S. Privacy Shield.
9.13 Bilateral Strategy: Joining Forces with Like-Minded Jurisdictions Such as the US
Federal Trade Commission.223 The FTC had declared its strong commitment to vigilant Safe Harbour enforcement.224
From the European side there was criticism of the agreement, in particular concerning the transparency, the enforcement and the access to data by US government authorities.225 This was a reason for the European side, as a consequence of the Snowden
revelations, to seek a review of the agreement, already before the Schrems ruling.226
The exchange between private parties and government actors led to bilateral agreements aiming at reconciling privacy and security relating to the use and transfer of passenger name records (PNR) to the US Department of Homeland Security,227 and to the
processing and transfer of financial messaging data from the EU to the US for the purposes of the Terrorist Finance Tracking Program (TFTP).228 These agreements allow the
access of US authorities to data from the private sector in the EU, subject to conditions
related to data protection. Also in these cases, there is European concern regarding the
implementation of the agreements. This is one of the reasons why the agreements envisage joint mechanisms for their review,229 focusing on implementation.
The exchange between government actors in the law enforcement sector is the
(main) subject of the negotiations on the EU-US Data Protection and Privacy
Agreement (“Umbrella Agreement”),230 which supplements existing agreements
with only limited provisions on data protection,231 and aims to set minimum stan223
See also Chap. 7, Sect. 7.5 of this book.
See: Privacy Enforcement and Safe Harbor: Comments of the FTC Staff to European
Commission Review of the U.S.-EU Safe Harbor Framework (12 November 2013), available on:
COM(2013)847 - Functioning of the Safe Harbour from the Perspective of EU Citizens and
Focusing on review is an assignment of the EU Commission for Justice, Jourova, http://
Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ (2012)
L 215/5. This agreement was preceded by two earlier agreements.
Agreement between the European Union and the United States of America on the processing
and transfer of Financial Messaging Data from the European Union to the United States for the
purposes of the Terrorist Finance Tracking Program, OJ L 195/5.
Article 23 of the Agreement between the United States of America and the European Union on
the use and transfer of passenger name records to the United States Department of Homeland
Security, OJ (2012) L 215/5; Article 13 of the Agreement between the European Union and the
United States of America on the processing and transfer of Financial Messaging Data from the
European Union to the United States for the purposes of the Terrorist Finance Tracking Program,
OJ L 195/5.
The Umbrella Agreement was signed by the EU and the US on 2 June 2016, but must still be
See also: http://www.justice.gov/opa/pr/attorney-general-holder-pledges-support-legislation-provide-eu-citizens-judicial-redress.
E.g., Article 9 of the Agreement on mutual legal assistance between the European Union and the
United States of America, which entered into force on 1 February 2010.
9 Understanding the EU Mandate Under Article 16 TFEU in the External Domain…
dards for data protection where personal data are exchanged between the law
enforcement authorities in the two jurisdictions. The negotiations on this agreement
started in March 2011 and have not been easy, also as a result of one recurring issue,
the right of effective judicial redress to be granted by the US to EU citizens who are
not resident in the US.232 In September 2015, the Commission announced that the
negotiations had been finalised. The signature and the conclusion of the agreement
had to wait for the adoption of the Judicial Redress Act in the US,233 which became
law in February 2016 and must grant EU citizens judicial redress under the US
Privacy Act of 1974.234
The rationale of all these agreements with the US is to facilitate the transfer of
personal data from the EU to the US. The agreements do not harmonise the level of
protection between the EU and the US, nor do they use the concept of mutual recognition.235 The EU recognises the level of protection in the US, including the
enforcement on the US side, but this recognition is not mutual. In this sense, the
agreements are exponents of a mix between a unilateral and a bilateral strategy, not
of a genuine bilateral strategy.236
In short, a bilateral agreement on privacy and data protection between the EU and
the US, as an example of a like-minded country, based on reciprocity, would be something new. An agreement does not necessarily mean an approximation of standards of
privacy and data protection on both sides of the Atlantic Ocean, but could also focus
on mutual recognition, standardisation processes or enforcement cooperation.
ultilateral Strategy: Towards Global Protection
in the Framework of the UN
The multilateral strategy aims at developing global standards, or, in other words, by
pursuing this strategy, the European Union would operate as generator of global
rules,237 which would most logically be enacted within the framework of the United
This strategy has three distinct justifications. First, the objective of influencing
global governance based on EU values would be one of the main reasons for action,
Judicial Redress Act of 2015, 130 STAT. 282 PUBLIC LAW 114–126—FEB. 24, 2016.
See on mutual recognition in general: Valsamis Mitsilegas, The constitutional implications of
mutual recognition in criminal matters in the EU, CML Rev October 2006, Issue 5, pp. 1277–
1311; and Chap. 8, Sect. 8.7 of this book. In relation to transborder data flows: Christopher Kuner,
Transborder Data Flows and Data Privacy Law, Oxford University Press, 2013, at 163, at
As explained above in this section in relation to Safe Harbour.
Wording taken from Marise Cremona, “The Union as a global actor: Roles, models and identity”
CMLR, 41, pp. 553–573, at 557.
9.14 Multilateral Strategy: Towards Global Protection in the Framework of the UN
in view of the moral imperative under Articles 3(5) and 21 TEU. Diogenes’ citizen
of the world deserves strong protection.238 Second, a reason for the European Union
to pursue global rules on data protection would be to avoid the protection of individuals within the Union being compromised because of the fact that the rules in
other parts of the world are more lenient.239 Third, economic reasons could provide
a motivation, because global standards could contribute to creating a level playing
field for economic actors.240
Although, in the area of privacy and data protection, there is no global consensus
on the values of protection and the ways to deliver protection, this multilateral strategy would not start from scratch. As confirmed by the United Nations High
Commissioner for Human Rights: “International human rights law provides a clear
and universal framework for the promotion and protection of the right to privacy,
including in the context of domestic and extraterritorial surveillance, the interception of digital communications and the collection of personal data.”241 Furthermore,
in the context of the UN online privacy is high on the agenda, although no concrete
initiatives for a global agreement have yet been taken.242 On a more practical level,
suggestions have been made for global standards. An example is known as the
‘Madrid Resolution’ on international privacy standards, adopted by the International
Conference of Privacy and Data protection authorities in 2009.243
The multilateral strategy is rather a long shot.244 There is absence of global consensus at an aspirational level, in particular, where this approach implies agreement
with countries that do not share basic democratic values. Moreover, there are diverging views on the level of preferred legislative arrangements, with the transatlantic
divide relating to supervisory arrangements as the obvious example.245 Divergence
See Sect. 9.5 above.
In this sense, but not specifically on data protection: Anu Bradford, “The Brussels Effect”,
Northwestern University Law Review, Vol. 107, No. 1, 2012, at 46–47.
Bradford specifies this in an interesting way. Even where harmonisation takes place in the market (on a level aspired by the EU) it would make sense to pursue legally binding harmonisation, to
“lock in” EU standards; Anu Bradford, “The Brussels Effect”, Northwestern University Law
Review, Vol. 107, No. 1, 2012, at 47.
The right to privacy in the digital age, Report of the Office of the United Nations High
Commissioner for Human Rights, 30 June 2014..
E.g., The right to privacy in the digital age, Report of the Office of the United Nations High
Commissioner for Human Rights, 30 June 2014, http://www.ohchr.org/EN/HRBodies/HRC/
Adopted in 2009, by the 31st International Conference. See www.privacyconference2009.org
These three obstacles are also, albeit with different wording, listed in: De Hert, P. and
Papakonstantinou, V., “Three scenarios for international governance of data privacy: towards an
international data privacy organization, preferably a UN agency?”, A Journal of Law and Policy
for the Information Society, vol. 9, no. 2, 271–324, 2013, at 315–322.
Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press 2014,
at 3F. Also: David C. Vladeck, A U.S. Perspective on Narrowing the U.S.-EU Privacy Divide, in
“Hacia un Nuevo derecho europea de protección de datos, Towards a new European Data Protection
Regime, Artemi Rallo Lombarte, Rosario García Mahamut (eds), Tirant lo Blanch, 2015.