Data in a Global and Digital Context: Transfer of Data from the EU to Third Countries
- kjalas
- Apr 14, 2023
- 5 min read
by Kanerva Jalas
Personal data in the European Union (EU) is protected under the General Data Protection Regulation (GDPR), which entered into force in 2018. In the EU, data is divided into two main categories. Personal data is defined as information relating to an ‘identified or an identifiable natural person’; this includes, for example, a person’s name, address and location. Sensitive data is personal data which would reveal the ‘racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data’ or information about the data subject’s health. Processing sensitive data is prohibited unless the situation falls under a specific exception. The GDPR aims to protect the right to personal data by providing data subjects with relevant information on how data about them is used in today’s digital society. According to the Regulation, data subjects have the right to ‘access their data’ and to have it corrected where it is incorrect. Furthermore, data subjects can object to processing on relevant grounds, and can demand that their data is no longer used where a controller or a processor is using it for illegal purposes. Penalties for breaches of the Regulation depend on the size and seriousness of the breach: for a severe violation, an undertaking can be fined up to 4 percent of its total annual turnover, while for minor violations companies can be fined up to 2 percent (or 10 million euros).
Therefore, it can be said that a multitude of legal safeguards exist for EU citizens for the protection of their personal data. However, the technological sector is dominated by Big Tech, such as Google, Apple, Meta, Amazon and Microsoft (GAFAM), many of which are headquartered in the United States and other non-EU countries. Technological development has resulted in the rise of a new commodity, data, an intangible and mobile good that is in constant cross-border movement. Hence, the question arises of how to ensure that the rights of EU citizens are respected without restricting individuals’ use of digital goods.
The need to protect data subjects’ rights in an international context was already recognised in 1981, when the Council of Europe set forth an initiative for a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Convention, however, was only enforceable against other Convention Member States, which limited the scope of protection. This shortcoming has been addressed by the GDPR framework for data transfers to countries outside the EU (third countries). The principal method for such transfers is the ‘adequacy decision’. The basis for these agreements is that the third country must have an ‘adequate level of protection’, which in practice requires its rules to be sufficiently similar to those at the EU level. An adequacy decision is a favourable solution for third countries because, where successful, it allows for ‘automatic transfers’ of data to the country. The Commission determines adequacy on the basis of the national legislation, human rights protection and international commitments of the third country. The Commission is required to keep monitoring the level of adequacy and to ensure that it is maintained after the decision has been adopted.
Another possibility exists on the basis of appropriate safeguards, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, or data protection rules adopted by Data Protection Authorities (DPAs) or by the Commission. SCCs are third-party beneficiary clauses, allowing data subjects (EU citizens) to rely on them despite being third parties to the contractual agreement. Importantly, SCCs require the party in the third country to agree to be subject to the authority of the DPA of the data-exporting EU Member State in the case of a dispute. Where a data transfer is based on SCCs, it remains the responsibility of the processor or the controller to ensure that adequate protection exists under the third country’s regime. The second most prominent option is BCRs: these are mostly used within multinationals which conduct joint economic activities. BCRs apply to all the undertakings within the group and must be approved by the national supervisory authorities. They are only adopted after an opinion has been issued by the European Data Protection Board (EDPB).
Because third-country data protection legislation often lacks adequate protection, these methods have been used in practice. Owing to the fast-growing innovation clusters within the United States (US), developments in data transfer mechanisms have been most visible in EU-US relations. Within this sphere, despite continuous attempts to adopt an adequacy decision to ensure the effortless flow of data between the jurisdictions, the EU has not found the US rules to guarantee a sufficient level of protection for the adoption of such a decision. The previous ‘Safe Harbour’ Decision was invalidated by the European Court of Justice (ECJ) on the basis that the decision lacked protection from interferences by the US government. This decision was soon followed by the ‘EU-US Privacy Shield’, which aimed to repair the shortcomings of the previous one. However, like its predecessor, this decision was invalidated by the ECJ on the grounds of a lack of adequate protection. At the current stage, data transfers to the US rely on the use of SCCs and BCRs by undertakings, whilst a proposal has been put forward by the Commission for the adoption of a new adequacy decision. Examples of successful adequacy decisions exist between Japan and the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) as well as between Canada and the EU. To date, the Commission has yet to reject an adequacy decision for a third country on its own initiative.
Sources:
Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] EU:C:2020:559.
Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] EU:C:2015:650.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
Council of Europe, European Union Agency for Fundamental Rights and the ECtHR, Handbook on European Data Protection Law (2018).
Intersoft Consulting, ‘GDPR Fines/Penalties’: https://gdpr-info.eu/issues/fines-penalties/, accessed on 14 March 2023.
H Guinness, ‘What is GAFA? Why the EU Doesn’t Love Large American Internet Companies’, MakeUseOf, 18 June 2015: https://www.makeuseof.com/tag/gafa-eu-doesnt-love-large-american-internet-companies/, accessed on 14 March 2023.
E Carpanelli and N Lazzerini (eds), Use and Misuse of New Technologies: Contemporary Challenges in International and European Law (Springer, 2019).
JS Engel, ‘Global Clusters of Innovation’ (2015) 57 California Management Review 36.
Commission, ‘EU-US data transfers’: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en, accessed on 14 March 2023.
Y Suda, ‘Japan’s Personal Information Protection Policy Under Pressure’ (2020) 60 Asian Survey 510.
Government of Canada, ‘The European Union’s General Data Protection Regulation’: https://www.tradecommissioner.gc.ca/guides/gdpr-eu-rgpd.aspx?lang=eng.
T Naef, Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law (Springer, 2021).