16 The Meaning of the Three Strategies for the EU Legislator: Giving Wide External Effect with the Unilateral Strategy as a Composing Element




9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



This wide external effect is not only given to provisions laying down a wide territorial scope of EU data protection law,284 but also to the provisions on transfers of

personal data to third countries and international organisations.285 The requirement

of adequacy of the level of protection afforded by a third country as the main ground

for allowing transfer is a perfect example of how internal EU law can have wide

external effect.



9.16.2  The Regime of Data Transfers: A Typical Example of a Unilateral Strategy

The adequacy regime for data transfers under Article 25 of Directive 95/46 on data

protection is a typical example of the unilateral approach. The European Union

accepts the transfer of data to third countries who adhere to the European standards,

although some leeway is given to these third countries. Their level of protection

need not be the same as that of the Union itself. An adequate level is sufficient.286 In

a guidance paper of 1998, the Article 29 Working Party understands this as encompassing a core of data protection principles and effective means for their application287 that does not necessarily have to be equal to the level of the European Union

and does not require that the country of destination has established an independent

data protection authority.288 Arguably, this last point is outdated since the Treaties

now confirm independent control as a core element of data protection, in Article

16(2) TFEU and Article 8(3) Charter. In Digital Rights Ireland and Seitlinger289 the

Court of Justice emphasised the need for effective control. More generally, the

leeway for third countries seems to be restricted in Schrems,290 to the extent the

Court explained adequacy as essential equivalence.

In any event, the European Union unilaterally decides the level of protection that

is required for a transfer of data. Article 26 of Directive 95/46 contains derogations,

284 In particular in Article 4(1)(c) of Directive 95/46 and in Article 3(2) GDPR.

285 In particular in Chapter IV of Directive 95/46 and in Chapter V GDPR. The requirement of adequacy is laid down in Article 25 of the Directive and Article 46 GDPR.

286 Article 12(3)(a) of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108 requires an equivalent level.

287 Article 29 Data Protection Working Party, Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, Adopted by the Working Party on 24 July 1998, WP 12, at 5.

288 Article 29 Data Protection Working Party, Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, Adopted by the Working Party on 24 July 1998, WP 12, at 7.

289 Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12), EU:C:2014:238, at 68.

290 Case C-362/14, Schrems, EU:C:2015:650.






but the application of these derogations is unilaterally decided by the Union and its

Member States. Chapter V of the General Data Protection Regulation maintains and

further refines this system. The system will be reinforced and simplified, in view of

the challenges of globalisation. Particularly, the tool of Binding Corporate Rules

will be streamlined and extended.291 This will not change the unilateral nature of the

system.

The importance of transfer as an element of the unilateral strategy has increased

due to the developing information society, where the availability of personal data

outside the European Union may already be qualified as a transfer, for instance in a

cloud environment.292 Transfer within the meaning of EU data protection law is an

important element of transborder data flows, and is a global phenomenon that the

EU side has regulated by applying its own standards.293 The Court of Justice interpreted the notion of transfers under Directive 95/46 in Lindqvist.294



9.16.3  Article 48 of the GDPR, a Unilateral Solution for a Conflict of Law

Article 48 of the General Data Protection Regulation, which is the consequence of

a suggestion by the European Parliament, addresses a situation where the systems

of the European Union and third countries are incompatible, and where no mutual

legal assistance treaty or international agreement is in force providing for a solution

for the incompatibility. This provision is entitled “transfers or disclosures not authorised by Union law”.

The European Parliament’s suggestion prohibited controllers or

processors of EU data from disclosing personal data to third-country administrative

or judicial authorities, unless a prior authorisation of the competent DPA has been

obtained.295 This DPA role was not accepted by the other institutions, but other elements are retained in the final text of the General Data Protection Regulation. The

provision deals with possible requests from third states’ governments that may

breach EU data protection law and is a reaction to the Snowden revelations, as far



291 Viviane Reding, The European data protection framework for the twenty-first century, International Data Privacy Law, Vol. 2, No. 3, pp 119–129, 2012, at 127.

292 European Data Protection Supervisor, Opinion of 26 November 2012 on the Commission’s Communication on “Unleashing the potential of Cloud Computing in Europe”, at 72–76.

293 Christopher Kuner, Transborder Data Flows and Data Privacy Law, Oxford University Press, 2013, at 163, at 159–160.

294 Case C-101/01, Lindqvist, EU:C:2003:596, at 58 and 69. See Sect. 9.10 above.

295 This provision is not included in the documents of the Commission and of the Council. The EDPS proposes a softer version of this provision, European Data Protection Supervisor, Opinion of 27 July 2015 - Europe’s big opportunity, EDPS recommendations on the EU’s options for data protection reform, and the Annex - Comparative table of GDPR texts with EDPS recommendations.






as access by the NSA to personal data of EU citizens stored by US internet companies is concerned under the PRISM programme.296

The provision envisages protecting the individuals in the European Union, where

internet companies are under a legal obligation in a third country that implies a

breach of EU data protection law. This provision is a unilateral instrument and does

not recognise claims by third countries under their national laws. The effect of the

provision could be to encourage third countries to enter into negotiations with the

Union to solve the conflict of law.297



9.16.4  The Bilateral and Multilateral Strategies: External Action by the EU Legislator on Privacy and Data Protection as a Promising Avenue, Not Necessarily Harmonising the Level of Protection

This chapter mentioned agreements with the United States298 and also discussed the

roles of the United Nations, the OECD and the Council of Europe, in relation to the

European Union. External EU action by the EU legislator is a promising avenue

precisely because of the global nature of the phenomena under discussion, which

should be further explored. A distinction must be made between bilateral agreements with certain third countries and multilateral agreements.299

The scope of external EU action is determined by the powers conferred on the

European Union under EU law, and subsequently by the way these powers are exercised. As explained above, an agreement does not necessarily include an approximation of standards of privacy and data protection, but could also focus on mutual

recognition, standardisation processes or enforcement cooperation.300 As an illustration, one subject may be mentioned that would qualify for inclusion in an agreement, the concept of accountability. As was explained in Chap. 6, this concept is a

modern instrument of ensuring data protection and has a prominent place in the

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal

Data (1980), as amended on 11 July 2013,301 as an obligation for data controllers to

put a privacy management programme in place.302

296 Planning Tool for Resource Integration, Synchronisation and Management (PRISM) of the NSA. See Chapter 3, Sects. 3.7 and 3.8.

297 This is not necessarily the effect. The provision could also intensify the controversy between the EU and the US, what Bygrave calls the Transatlantic Privacy Divide, Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press, 2014, at 107–116.

298 In Sect. 9.4.

299 Here agreements are meant in a wide sense, including international treaties, but also more informal tools for international cooperation.

300 See further Christopher Kuner, Transborder Data Flows and Data Privacy Law, Oxford University Press, 2013, at 163, at 175–180.

301 C(2013)79, published on the OECD website.

302 Guideline 15.






Accountability is a flexible instrument that should be tailored to “the structure,

scale, volume and sensitivity of operations”.303 Due to this flexibility, accountability

is also an arrangement that could be included in agreements with third countries and

with international organisations, without necessarily harmonising data protection

standards. Accountability could be tailored to the specific characteristics of the

jurisdiction in which an accountable organisation operates and could ensure compliance with different requirements depending on the jurisdiction.304 Binding Corporate

Rules, included in Article 47 of the General Data Protection Regulation, are a specific expression of accountability.305

In any event, promising bilateral or multilateral strategies include ways of ensuring the interoperability between different legal systems, without necessarily requiring that the level of protection in other regions of the world is adapted to the EU

level, nor that the level of protection in the European Union must be lowered.



9.17  The Meaning of the Three Strategies for the DPAs and the Cooperation Between Them: Extending Cooperation to Authorities in Third Countries

As was explained in Chaps. 7 and 8, control is an essential element of data protection and cooperation between DPAs is an essential element of control.306 The cooperation mechanisms of DPAs are essential in the external domain, in view of the

global scale of the problem.



9.17.1  Regulators and External Action: The Basis Is a Unilateral Strategy, Ensuring the Control of EU Law

Control of the compliance with EU data protection law in an internet environment

includes enforcement vis-à-vis data controllers who have their headquarters or their

processing activities in a third country. This is a substantial part of the task of the

DPAs, resulting from the fact that big internet companies have their headquarters

outside the European Union. It is also complicated, as may be illustrated by the



303 Guideline 15, a) ii.

304 The tool provided by Nymity illustrates how this could work in practice, Nymity, Getting to Accountability, Maximizing Your Privacy Management Program, The Nymity Approach to Getting to Accountability, https://www.nymity.com/~/media/NymityAura/Resources/Getting%20to%20Accountability/Nymity-Getting-to-Accountability-Paper.ashx.

305 Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press, 2014, at 209.

306 E.g., in Chap. 8, Sect. 8.1.






difficulties of regaining control over the privacy settings of big internet companies

through enforcement by DPAs. These difficulties triggered this book.307

In its essence, the task of DPAs (and of cooperation mechanisms of DPAs) of

ensuring control is a unilateral task, ensuring that individuals are protected in accordance with European and national law applicable within their respective jurisdictions. As was explained in Chap. 8, the task of DPAs also involves contributing to

the protection of individuals all over the Union.308 The task also has extraterritorial

components outside the European Union, including the use of enforcement powers

in an external context.

This being said, the basis of the work of the DPAs in their policy activities and

their enforcement practice is defending the high European standards, not aiming at

finding compromises with lower standards of third countries. There is no evidence

that the practice is different.



9.17.2  The Cooperation Between DPAs and Regulatory Agencies in Third Countries as an Exponent of the Bilateral and Multilateral Strategy

Fulfilment of the task of DPAs is not only a unilateral activity. Fulfilment of this task

also requires cooperation with authorities in third countries, including cooperation

with regulatory authorities in third countries, in order to ensure effective control.

The cooperation between DPAs and regulatory agencies in third countries has been

developing over the last years, in a bilateral as well as a multilateral context.

This cooperation can be qualified as policy cooperation, where DPAs cooperate

in order to create a better understanding of privacy and data protection issues or

where they engage in common policy development. An important mechanism in

this type of cooperation is the International Conference of Privacy and Data

Protection Authorities, which presents itself as “the assembly of all accredited data

protection and privacy commissioners from around the world”.309 Under its rules

and procedures the Conference is an entity in its own right, representing its members

and one of its purposes is to promote and enhance personal data protection and

privacy rights at the international level.310 This conference adopts resolutions and

declarations.311 In 2009 it adopted the Madrid Resolution with a proposal for international privacy standards.312 It would be in line with the principle of sincere coop-



307 See Chap. 1, Sect. 1.1 of this book.

308 As explicitly recognised in Article 51(2) GDPR.

309 https://www.privacyconference2015.org/the-international-conference/

310 https://privacyconference2015.org//wp-content/uploads/2015/01/Rules-and-Procedures-2014.pdf

311 https://www.privacyconference2015.org/resolutions-declarations/

312 Adopted by the 31st International Conference of Privacy and Data Protection Authorities (2009).


