.png){kind=icon}
- Transnational data flows require consensus between States, brokered through negotiation and compromise. The Schrems judgment of the European Court of Justice is illegitimate and impractical and will do nothing to facilitate such transnational convergence.
Discuss.
This is a deliberately provocative question. The chapter has established the importance of transnational data flows with cross-border flows of data growing 45 times from 2005 to 2014, to account for $2.8 trillion (approx. 3.3 per cent) of global GDP in 2014. The Boston Consulting Group has estimated that across Europe, the quantifiable benefit from personal data applications could reach €1 trillion annually by 2020—with two-thirds of that benefit accruing to consumers, and one-third to businesses. Thus such data transfers form a vital part of our global trade. By Art 44 GDPR ‘any transfer of personal data . . . shall take place only if the conditions laid down in this Chapter are complied with’, this includes adequacy decisions as found in Art. 45 GDPR. This states that ‘a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.’ The Commission has made several such decisions including famously the safe harbour with the US. The Schrems judgment referred to in the question is of course Schrems v Data Protection Commissioner in which a challenge by privacy campaigner Max Schrems led to the annulment of this agreement by the CJEU. The question asks the student to critically engage with the decision in Schrems and to comment on whether in their opinion the court should have acted as it did.
- Although a number of countries around the world have data protection laws, there is insufficient international protection for data privacy in the digital age. We therefore need an international treaty on data protection. Such a treaty could be based on existing legal instruments (including GDPR) and administered by the UN. This would finally give us the effective international protection we need for data processing on a global level.
Discuss.
In some ways this is the counterpoint to the previous question. It asks the student to consider the extra-territorial reach of the GDPR and to ask whether it is appropriate to have one region essentially impose its values across the globe. The extra-territorial reach of the GDPR is in essence a response to the global nature of the trade in data in the digital (and often borderless) economy and as such a tension between global and local values of data privacy and the appropriateness of the data protection laws grows. With Schrems v Data Protection Commissioner and Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems as its backdrop the student should discuss why international efforts to harmonise data protection laws have to date proven unsuccessful.