版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
1
TheEU–USDataProtection
Framework:BalancingEconomic,
SecurityandPrivacyConsiderations
byFedericaMarconi
Shieldin20162–assertingthattheUSprovidedalevelofdataprotectionfordatatransfersessentiallyequivalenttothatguaranteedintheEU.However,despiteinitialoptimism,bothadequacydecisionsfacedasignificantsetback
whentheCourtofJusticeoftheEuropeanUnioninvalidatedtheminwhatiscommonlyreferredtoasthe“Schremssaga”,3namedafterthe
Therapidevolutionofdigital
technologyhasusheredinadata-
centriceconomy,wheredata
accessibilitydrivesmarketplace
efficiencyandeconomicgrowthacross
variousindustries.However,thisshift,
ontheAdequacyoftheProtectionProvidedbytheSafeHarbourPrivacyPrinciplesandRelatedFrequentlyAskedQuestionsIssuedbytheUSDepartmentofCommerce,
http://data.europa.
eu/eli/dec/2000/520/oj
.
2EuropeanCommission,Commission
ImplementingDecision(EU)2016/1250of12July2016PursuanttoDirective95/46/EContheAdequacyoftheProtectionProvidedbytheEU-U.S.PrivacyShield,
http://data.europa.eu/eli/
dec_impl/2016/1250/oj
.
3CourtofJusticeoftheEuropeanUnion(CJEU),JudgmentoftheGrandChamberinCaseC-362/14:MaximillianSchremsv.DataProtectionCommissioner[SchremsI],6October2015,
https://eur-lex.europa.eu/legal-content/
en/TXT/?uri=celex:62014CJ0362
;andJudgmentoftheGrandChamberinCaseC-311/18:DataProtectionCommissionv.FacebookIrelandLimitedandMaximillianSchrems[SchremsII],16July2020,
https://eur-lex.europa.eu/legal
-
content/en/TXT/?uri=celex:62018CJ0311.
whileofferingnumerousbenefits,
introducessignificantprivacyand
datasecuritychallenges,particularly
inthecontextoftransatlanticdata
transfers.Consideringthevast
economictiesbetweentheEUandthe
US,thetransatlanticdataflowvividly
illustratesthecomplexitiesinvolved
ingoverningandtransferringdata.It
grappleswiththeongoingchallengeof
strikingasatisfactorybalancebetween
economicadvantagesstemmingfrom
datautilisationandvariousconcerns
pertainingtonationalsecurity,digital
sovereigntyandindividualrights.
Inrecentyears,theEuropean
Commissionapprovedtwodifferent
frameworksontransatlanticdataflow
–SafeHarbourin20001andPrivacy
1EuropeanCommission,CommissionDecision
of26July2000PursuanttoDirective95/46/EC
FedericaMarconiisaResearcherintheMultilateralismandGlobalGovernance
ProgrammeattheIstitutoAffariInternazionali(IAI).
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
andmedium-sizedenterprises.6Infact,thevolumeoftransatlanticdataflowexceedsthatofanyotherglobalrelationship,contributingtotherobust7.1trillionUSdollarsUS–EUeconomicpartnership.7
Nevertheless,theregulationofdataexchangebetweentheEUandtheUShasbeenacontentiousmatter,primarilyduetotheirdifferinginterpretationsoffundamentalrightsandvaryingdataprotectionstandards.IntheUS,theoversightofhowcompanieshandleandsecurepersonaldataispredominantlymarkedbytheabsenceofcomprehensivefederallegislation.Thus,privacyanddataprotectionregulationsvaryacrossindustriesandareenforced
bydifferentagencies,resultinginadiverseandfragmentedprivacylandscape.Incontrast,theEUoperatesunderacomprehensivedataprotectionframeworkprimarilygovernedbytheGeneralDataProtectionRegulation(GDPR),whichplacesastrongemphasisonindividualrightsandimposesstringentobligationsondataholdersandprocessors.Tothiseffect,theGDPRunequivocallyforbidsthetransferofpersonaldatatothirdcountrieslacking
Austrianactivistwhofirstchallenged
bothframeworksbeforetheEuropean
Court.Thecoreargumentscentredon
theabsenceofadequatesafeguardsfor
personaldatawithinUSdomesticlaw
andtheextentofstatesurveillanceover
suchdatawhenitwastransferred,as
initiallydisclosedbyEdwardSnowden
in2013.4
Thislegaldevelopmentledtoa
periodofsignificantuncertainty
andfurtherheightenedtheongoing
debateconcerningtheregulationof
transatlanticdatatransfer.Toaddress
theconsequencesofthislegalturmoil,
bothEUandtheUScommittedto
establishing“arenewedandsound
frameworkfortransatlanticdataflows”,5
seekingalong-termsolutiontoaddress
thecomplexitiesofdataprivacyand
security,eventuallyleadingtothe
recentlyadoptedEU–USDataPrivacy
Framework(“DPF”).
Whytransatlanticdataflowsmatter
Dataflowsholdimmensesignificance
forthe
relationship
economicbusinesses
transatlantic
andimpact
6DigitalEurope,GoodNewsforThousandsofBusinesses’:ReactiontoEUAssessmentofUSDataProtectionofPersonalData,10July2023,
https://ww/news/good
-
news-for-thousands-of-businesses-reaction
-
to-eu-assessment-of-us-data-protection-of
-
personal-data
.
7WhiteHouse,FactSheet:UnitedStatesandEuropeanCommissionAnnounceTrans-AtlanticDataPrivacyFramework,25March2022,
/briefing
-
room/statements-releases/2022/03/25/
fact-sheet-united-states-and-european
-
commission-announce-trans-atlantic-data
-
privacy-framework
.
ofallsizesandindustries.Thesedata
exchangesinvolveparticipationfrom
morethan90percentofEUbusinesses
thatconducttransactionswiththeUS,
withanotable70percentbeingsmall
4CasparBowden,TheUSSurveillance
ProgrammesandTheirImpactonEUCitizens’
FundamentalRights,Brussels,European
Parliament,September2013,
https://op.europa.
eu/s/y0iF
.
5EuropeanCommission,CommissionIssues
GuidanceonTransatlanticDataTransfers
andUrgestheSwiftEstablishmentofaNew
FrameworkFollowingtheRulingintheSchrems
Case,6November2015,
https://ec.europa.eu/
commission/presscorner/detail/en/IP_15_6015
.
2
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
departurefromtheEU’sbroadergoalsofadvancingitsdigitalsovereignty.
Restoringtrustinthedigital
environment
InresponsetothelegaluncertaintiesstemmingfromtheCourtofJustice’sdecisions,extensivecollaborationbetweentheUSandtheEUresultedinanagreementinprinciplein2022.Thisagreement,endorsedbyUSPresidentJoeBidenandEuropeanCommissionPresidentUrsulavonderLeyen,reflectedthesharedcommitmenttofacilitatedataflowsbetweenbothjurisdictionsinamannerthatprotectsindividualrightsandpersonaldata.
ExecutiveOrder14086,titled
“EnhancingSafeguardsforU.S.SignalsIntelligenceActivities”,wasissuedbytheBidenadministrationon7October2022.Inconjunctionwiththisexecutiveorder,USAttorneyGeneralMerrickGarlandissuedaRegulationtoestablishaDataProtectionReviewCourt.9Throughtheseactions,theUScommittedtointroducingadditionalprotectivemeasuresaimedataddressingtheconcernsraisedbytheCourtofJusticeregardingmasspersonaldatacollectionandthelackofobjectivecriteriaforlimitingaccesstoandutilisationofthisdatabypublicauthorities.
Inthefollowingmonths,beforefinalisingitsadequacydecisionontheDPF,theEuropeanCommissionsoughttheopinionoftheEuropean
sufficientdataprotectionmeasures
unlesstheEuropeanCommission
issuesadequacydecisionscertifying
whetheracountryconformstothe
requisitestandards.
Consequently,discrepanciesindata
standardshaveledtouncertainties
foreconomicactorsinvolvedin
transatlanticeconomicrelations,
promptingindividualcompaniesto
seekwaystoalignwithEuropean
requirementsandpreventpotential
GDPRviolations.Theseviolationscan
resultinsanctionsofupto4percent
ofthecompany’sannualrevenue,as
exemplifiedbyseveralcasesinvolving
techgiants:Meta,forinstance,received
arecord-breakingGDPRfineof1.3
billionUSdollarslastMay–thelargest
inGDPRhistory.8
Lastly,positionedatthecrossroadsof
dataprotection,internationaltrade
andnationalsecurity,thetopicof
transatlanticdataflowisintricately
linkedtotheEU’sstrategytoassert
digitalsovereigntyandsecurestrategic
autonomy.Thisstrategyplacesa
significantemphasisonthelocalisation
andretentionofdatabelongingto
EuropeancitizenswithintheEU
borders.Thisapproachisdrivenby
thecommitmenttoensurethatdataof
Europeancitizensremainsunderthe
EU’sestablishedlawsandregulations,
whichprioritiseprivacyprotection.
Consequently,eventhoughthenew
frameworkdoesstreamlinethetransfer
ofpersonaldatabetweentheEUandthe
US,itcangiverisetoconcernsabouta
9USCodeofFederalRegulation,Part201:DataProtectionReviewCourt,
/
current/title-28/part-201
.
8EuropeanDataProtectionBoard,1.2Billion
EuroFineforFacebookasaResultofEDPB
BindingDecision,22May2023,
https://edpb.
europa.eu/node/6052
.
3
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
tovalidlyjustifygovernmentintrusionintoprivacy.Consequently,thisraisedconcernsaboutthepossibilityoftheCJEUinvalidatingtheDPF,asithaddonewithpreviousframeworks.
Despitetheseconcerns,on10July,theEuropeanCommissionadoptedtheadequacydecisionontheDPF,
confirmingthatitadequatelevelof
providedprotection
anfor
personaldata.Consequently,personaldatacannowmovefreelyfromtheEUtoUScompaniesthathaveself-certifiedtheiradherencetotheDPFprinciples.UrsulavonderLeyenstatedthatthenewframeworkwill“ensuresafedataflowsforEuropeansandbringlegalcertaintytocompaniesonbothsidesoftheAtlantic”,12while
strengtheningeconomictiesandreaffirmingsharedvalues.PresidentJoeBidenalsowelcomedtheadequacydecision,emphasisingthejointEU–UScommitmenttorobustdataprivacyprotectionsandforeseeingincreasedeconomicopportunitiesforbothjurisdictionsandtheircompanies.
Thirdtime’sacharm?
Onapositivenote,theDPFnowallowsforthetransferofpersonaldatafromtheEUtotheUSthroughacertificationsystem.UScompaniescommittoasetofprivacyprinciples,eliminatingtheneedforadditionaltransfermechanismslikeStandardContractualClausesorbindingcorporaterules,aswellastransferimpactassessments.
DataProtectionBoard(EDPB)onthe
draftdecision.10TheEDPBrecognised
theimprovementsbroughtaboutby
ExecutiveOrder14086,particularlyin
termsofrestrictingaccesstoEUdata
byUSintelligenceservicestowhatis
necessaryandproportionatetoprotect
nationalsecurity.Nevertheless,it
expressedseveralconcerns,including
thoserelatedtoinadequateassurances
regarding“temporarybulkcollection”
andthesubsequentstorageandsharing
ofdatacollectedinbulkwithintheUS
legalframework.Additionally,on11
May,theEuropeanParliamentconveyed
itsreservationsregardingthecontent
oftheDPF.11Whileacknowledgingthat
thecapacitytotransferpersonaldata
acrossbordershas“thepotentialtobe
akeydriverofinnovation,productivity
andeconomiccompetitiveness”,the
Parliamentunderscoredthecritical
necessityforrobustsafeguardstobe
firmlyestablished.Thesesafeguardsare
essentialforprotectingprivacyrights,
preventingillegalmasssurveillance
bytheUSandrestoringthetrustof
bothEUcitizensandbusinessesin
digitalservices,ultimatelypreserving
thevitalityofthedigitaleconomy.
TakingintoconsiderationtheCJEU’s
reasoninginSchremsII,theEuropean
ParliamentcontendedthattheDPFdid
notentirelymeetEUlegalstandards
duetoitslackofan“objectivecriterion”
10EuropeanDataProtectionBoard,Opinion
5/2023ontheEuropeanCommissionDraft
ImplementingDecisionontheAdequate
ProtectionofPersonalDataundertheEU-US
DataPrivacyFramework,28February2023,
https://edpb.europa.eu/node/5132
.
12EuropeanCommission,DataProtection:EuropeanCommissionAdoptsNewAdequacyDecisionforSafeandTrustedEU-USDataFlows,10July2023,
https://ec.europa.eu/commission/
presscorner/detail/en/ip_23_3721
.
11EuropeanParliament,Resolutionof11May
2023ontheAdequacyoftheProtectionAfforded
bytheEU-USDataPrivacyFramework,
https://
www.europarl.europa.eu/doceo/document/TA-
9-2023-0204_EN.html
.
4
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
transactionsorvoluntarydatasharingagreements.
PrivacyactivistMaxSchremsarguesthatthenewframeworkis“largelyacopy”ofpreviousones.14TheUSDepartmentofCommercealsoconsidersthatit“doesnotcreatenewsubstantiveobligationsforparticipatingorganizationswithregardstoprotectingEUpersonaldata”and“[t]heprivacyprinciplesandtheprocesstoinitiallyself-certifyandannuallyre-certifyremainsubstantivelythesame”.15Moreover,SchremsstressesthatsubstantialchangesinUSsurveillancelawareneededfortrueeffectivenessandhassignalledhisintentiontobring“thenewdealbackbeforetheCJEU”.16
Alegalchallengehasthereforebeenannounced,possiblyreachingtheCJEUbylate2023orearly2024whichmayresultinatemporarysuspensionoftheDPF.WhileEUJusticeCommissionerDidierReyndersremainsconfidentintheframework’sresilienceagainstlegalchallenges,manycompaniesarechoosingtostickwithEU-approvedstandardcontractualclausestomaintainGDPRcompliance,despitetheassociatedchallengesandexpenses,inthefaceofongoingrisksanduncertainties.
Companiesarerequiredtocomplete
theirself-certificationbyOctober
2023tobeincludedontheDPFList,
maintainedbytheUSDepartment
ofCommerce.Additionally,the
DPFintroducesvarioussafeguards,
suchasrestrictingUSsurveillance
accesstodatathatis“necessaryand
proportionate”fornationalsecurity,
theestablishmentofaDataProtection
ReviewCourttoaddressconcerns
aboutaccesstopersonaldatabyUS
intelligenceagenciesandmandating
UScompaniestodeletepersonaldata
whenitisnolongerneededforthe
originalpurposeofcollection.
Despitesignificantprogress,however,
thepathtowardsestablishingastable
andreliableframeworkfortransatlantic
datatransfersremainsfraughtwith
difficulties.Persistentconcernsrevolve
aroundhowtheUSwillinterpretthe
conceptof“proportionate”accessto
databyUSauthoritiesanditsadherence
totheCJEU’scriteria.
14NOYB,EuropeanCommissionGivesEU-USDataTransfersThirdRoundatCJEU,10July2023,
https://noyb.eu/en/node/1324
.
15DataPrivacyFrameworkProgramwebsite:
FAQs-EU-U.S.DataPrivacyFramework(EU-U.S.DPF),lastupdated17July2023,
https://
www.dataprivacy/s/article/
FAQs-EU-U-S-Data-Privacy-Framework-EU-U
-
S-DPF-dpf
.
16NOYB,EuropeanCommissionGivesEU-USDataTransfersThirdRoundatCJEU,cit.
Moreover,thereareconcernsabout
theDataProtectionReviewCourt’s
composition:whilemadeupofmembers
fromoutsidetheUSgovernment,there
aredoubtsaboutitsappointment
process,leadingtopotentialissueswith
fairandtransparentdecision-making.
Furthermore,theEuropeanParliament
hashighlightedanadditionalweakness
intheframework,whichliesinits
failuretoaddressdataaccessedby
publicauthoritiesthroughalternative
avenues.13Thisincludesmethodssuch
astheUSCloudActortheUSPatriotAct,
dataacquisitionthroughcommercial
13EuropeanParliament,Resolutionof11May
2023,cit.
5
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
Strikingthedelicatebalancebetween
privacyconcerns,freetradeimperatives
andnationalsecurityinterestswithin
therealmofdataremainsaformidable
challenge,althoughrecenttrends
aroundtransatlanticdataflowsare
encouraging.TheSchremssagahas
vividlyhighlightedtheimperative
tobridgelegaldisparitiesbetween
theEUandtheUS,emphasising
theimportanceofcreatingadigital
internationalenvironmentfounded
ontrust,cooperationandregulatory
alignment.
19September2023
6
IAICOMMENTARIES23|46-SEPTEMBER2023ISSN2532-6570©2023IAI
TheEU–USDataProtectionFramework:
BalancingEconomic,SecurityandPrivacyConsiderations
IstitutoAffariInternazionali(IAI)
TheIstitutoAffariInternazionali(IAI)isaprivate,independentno
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2026年吉林司法警官职业学院单招职业倾向性测试题库附答案详解(满分必刷)
- 2026年四川国际标榜职业学院单招职业技能考试题库含答案详解(综合卷)
- 2026年厦门工学院单招综合素质考试题库含答案详解(典型题)
- 2026年周口理工职业学院单招综合素质考试题库带答案详解ab卷
- 临床血尿影像诊断及鉴别
- 设计授导型教案
- 9.2任务二投资性房地产初始计量业务核算与应用
- 《因数和倍数练习(第二课时)》课件
- 2026湖南大数据交易所招聘9人笔试参考题库及答案解析
- 2026年天津国土资源和房屋职业学院单招职业技能考试题库含答案解析
- 儿科重症肺炎的护理查房
- 采购分散采购管理办法
- 退婚彩礼返还协议书范本
- 妇科盆底疾病科普讲堂
- 配送司机面试题及答案
- 宜宾市属国有企业人力资源中心宜宾国有企业管理服务有限公司2024年第四批员工公开招聘笔试参考题库附带答案详解
- 开学第一课:小学生收心教育
- 《土壤固化技术》课件
- 春天来了(教案)-2023-2024学年花城版音乐三年级下册
- 废塑料催化热解资源化利用的技术进展与前景探讨
- 2025小学苏教版(2024)科学一年级下册教学设计(附目录)
评论
0/150
提交评论