Strengthening the EU Legal Edifice for Data Transfers
Chapter V of the General Data Protection Regulation (GDPR) provides the rulebook for international transfers of personal data from the EU and serves as the vehicle through which EU data protection law interacts with the wider world. With the growing volume of EU data-related legislation, such as the AI Regulation 2024/1689, which entered into force on 1 August 2024, it is crucial that data transfer rules be fit for purpose. However, several legal challenges threaten to undermine the EU legal edifice for data transfers. The EU seems ambivalent about deciding how far it can expect third countries to adopt data protection standards similar to its own. Moreover, Data Protection Authorities (DPAs) often fail to scrutinize data transfers to third countries that may lack the rule of law. Finally, the EU lacks a comparative methodology for assessing data protection equivalence in third countries. It is essential for the EU to elevate the public discourse so that the global significance of data transfers is recognized.
The role of the Internet
Most personal data are transferred online via the Internet, and how data transfer regulation applies to the Internet is of fundamental importance for determining its territorial reach. However, the Court of Justice of the EU (CJEU) seems conflicted about this question.
In its Lindqvist judgment (Case C-101/01), the Court indicated that the territorial scope of data transfer regulation should not be interpreted too broadly in light of the global reach of the Internet (see paras. 68-69 and 88-89), but then barely mentioned the Internet in its first (Case C-362/14) and second (Case C-311/18) Schrems judgments. Similarly, in Google LLC (Case C-507/17), there was tension between the views of Advocate General Szpunar, who in his Opinion was reluctant to allow EU data protection law to apply broadly to the Internet (see paras. 50-53), and those expressed by the Grand Chamber of the Court in its judgment in the case, which took a more expansive view of this question (see para 72).
These differing views seem to reflect an ambivalence about how far the EU can go in expecting third countries to adopt data protection standards similar to its own. The longer they go unresolved, the greater the uncertainty about the extent to which EU law can build legal bridges with foreign data protection systems, and the higher the risk that this will increase international tensions.
The rule of law
When deciding whether to issue an adequacy decision, the Commission must consider whether a third country or international organisation respects the rule of law, human rights, and fundamental freedoms (see Article 45(2)(a) GDPR), and the EDPB requires that this standard be met for transfers under other legal bases as well (see EDPB Recommendations 01/2020, para. 37). However, the transfer of personal data to countries that do not respect the rule of law has so far received little attention from the EU institutions; for example, the Commission’s 2017 Communication on data transfers, which sets out its strategy for engaging with third countries to facilitate and protect data transfers, barely mentions the rule of law.
The EU’s commercial relations illustrate the scope of the problem. For example, China and Saudi Arabia rank respectively as number 3 and number 17 on the list of the EU’s export markets, which likely reflects widespread data transfers to them. In 2023 an annual report on global human rights practices using the world’s largest quantitative human rights database ranked their human rights practices respectively as number 182 (China) and number 187 (Saudi Arabia) out of 195 countries. Moreover, the continued presence of large European banks in Russia (ranked number 168 in the above report), which implies that personal data may be transferred to them, has been widely reported, as has the potential transfer of Internet user data from the EU to that country. And in 2023 the data protection authorities (DPAs) of Finland and Norway failed to mention the rule of law when dealing with a case involving data transfers to Russia.
In its first Schrems judgment, the CJEU required DPAs to examine complaints arising from Commission adequacy decisions (para. 63); in its second Schrems judgment it found that the same level of protection must be guaranteed irrespective of the legal basis for transfer (para. 92); and in Budapest Főváros (Case C‑46/23) it affirmed that a DPA may exercise its enforcement powers even without a request to do so from a data subject. In light of these judgments, DPAs should be routinely raising questions about data transfers to third countries that may lack the rule of law; failing to do so undermines the consistency of EU data transfer regulation.
Lack of a robust comparative methodology
In its first Schrems judgment, the CJEU found that an adequacy determination of the Commission requires a third country to provide a level of protection essentially equivalent to that under EU law (see para. 73), which logically requires a comparison between EU law and third country law. However, the CJEU chooses to overlook this conclusion, as shown by repeated statements that it “cannot express a view on the legislation or the practice of a third country” (as Advocate General Mengozzi wrote in para. 163 of his opinion in Opinion 1/15). The CJEU thus sends mixed signals by seeming to require examination of foreign law, while at the same time stating that it cannot express a view on it.
Despite the need to evaluate foreign law to determine if it is essentially equivalent to EU law, the EU institutions and DPAs have not set out publicly a methodology for doing so. The Commission conducts legal studies on third country law when deciding whether to issue an adequacy decision, but these are never published and so cannot be evaluated. Studies on data protection in third countries conducted by external researchers for the European Data Protection Board (EDPB) illustrate the difficulty of carrying out research in foreign data protection law; for example, in one study 29 experts were contacted by the research team but only eight agreed to be interviewed. The lack of a transparent, robust comparative methodology agreed between the institutions could create risks for the validity of adequacy decisions and DPA decisions if they were challenged in the EU courts.
Conclusions
The EU legal edifice for data transfers is under strain, but the institutions that administer and interpret it often seem to overlook this. Data transfer regulation apparently has a low priority on the EU agenda, with two notable exceptions. The first is the transfer of personal data to the US, an issue that still consumes an inordinate amount of political attention after more than two decades, and the second are the EU’s ongoing attempts (through initiatives like this) to allow data sharing with law enforcement authorities in third countries.
At the same time, there seems to be little interest among the EU institutions in finding ways to facilitate data transfers that serve important public interests of global significance, such as transfers carried out by international humanitarian organisations to provide assistance to vulnerable individuals and data sharing for medical research and to combat global pandemics. The institutions and the DPAs have also proved hesitant to examine data transfers to some countries that do not share the EU’s democratic values.
Institutional factors exacerbate these problems. The EDPB increasingly assumes a quasi-legislative role by sometimes opining on important data transfer issues with insufficient legal analysis and without explaining the purpose of its action (for example, by its questionable definition of the term “data transfer” in Guidelines 05/2021; see my analysis). The DPAs also seem largely unable to take a pan-European approach to data transfer mechanisms such as codes of conduct that are foreseen in both the GDPR (Article 46(2)(e)) and data legislation like the AI Regulation (see Recital 141 and Chapter X) and could be particularly useful to protect personal data transferred via technologies like AI.
The rise of right-wing and authoritarian political forces seeking to weaken data protection law, which could also eviscerate protections for data transfers, makes it more important than ever to address these failings. For example, the Alternative für Deutschland (AfD), a German far-right party that has risen in the polls, has called for repeal of the GDPR (see p. 182 of its program published in 2021). The presidential campaign of Republican candidate Donald Trump has stated that if elected, he plans to eliminate the independence of the US Federal Trade Commission (FTC) and bring it under presidential authority, which could fatally undermine the EU-US Privacy Framework. And data access and misuse by authoritarian governments in third countries, which must be smiling when they observe the interminable debate between the EU and the US on data transfers, pose a further threat.
It would be unrealistic to expect these problems to be resolved quickly, but one can agree with Pliny the Younger that we should not make the idleness of others the pretext for our own (Letters, book IV, number 16). Scholarly commentators (myself included) have thus far failed to make arguments convincing enough to lead the EU to address these problems. We have a responsibility to raise the level of EU public discourse on data transfers from that of a petulant transatlantic dispute to a discussion about their global significance, which could hopefully lead to a greater realisation of the importance of data transfers for the EU in legal, social, and economic terms.