Chapter 24 Answer guidance to end of chapter questions

1. Transnational data flows require consensus between States, brokered through negotiation and compromise. The Schrems judgments (Schrems I and Schrems II) of the CJEU are illegitimate and impractical and do nothing to facilitate such transnational convergence.

Discuss.

This is a deliberately provocative question. The chapter has established the importance of transnational data flows with cross-border flows of data worth trillions of Euros – ‘the difference between a moderately liberal approach to cross-border data flows as one which is moderately restrictive could be worth a little over 1.5% of EU GDP per year or around €2 trillion.’ Thus such data transfers form a vital part of our global trade. By Art 44 GDPR ‘any transfer of personal data shall take place only if the conditions laid down in this Chapter are complied with’, this includes adequacy decisions as found in Art. 45 GDPR. This states that ‘a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.’ The Commission has made several such decisions including famously the safe harbour and then the Privacy Shield with the US.

The Schrems judgments referred to in the question are of course Schrems v Data Protection Commissioner (Schrems I) and Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). The first was a challenge by privacy campaigner Max Schrems led to the annulment of the safe harbor agreement by the CJEU, the second annulled the privacy shield and sought unsuccessfully to strike out standard contractual clauses. The question asks the student to critically engage with these decisions and to comment on whether in their opinion the court should have acted as it did in relation to both.

2. Although a number of countries around the world have data protection laws, there is insufficient international protection for data privacy in the digital age. We therefore need an international treaty on data protection. Such a treaty could be based on existing legal instruments (including GDPR) and administered by the UN. This would finally give us the effective international protection we need for data processing on a global level.

Discuss.

In some ways this is the counterpoint to question one. It asks the student to consider the extra-territorial reach of the GDPR and to ask whether it is appropriate to have one region essentially impose its values across the globe. The extra-territorial reach of the GDPR is in essence a response to the global nature of the trade in data in the digital (and often borderless) economy and as such a tension between global and local values of data privacy and the appropriateness of the data protection laws grows. With Schrems v Data Protection Commissioner and Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems as its backdrop the student should discuss why international efforts to harmonise data protection laws have to date proven unsuccessful.

Back to top