CETA, TTIP, TiSA, and Data Protection

Author(s):  
Walter Berka

Trade agreements cannot avoid dealing with digital services and data sharing. In the cases of TTIP, CETA, and TiSA, different concepts of data protection collide and it is the fear of the European side that the EU’s acquis on data privacy could get compromised through the liberalization of data flows. This chapter analyses the possible impact of these agreements on data protection. It refers to the European Parliament’s call to include a horizontal self-standing clause in TTIP to exclude the current and future EU data protection legislation from being traded in TTIP, a claim which is based on Article XIV of the GATS. In dealing with these issues, it will be considered further that the EU and the US are discussing data transfers and data protection in other fora as well, namely on the tracks of the new Safe Harbor Agreement and the Data Protection Umbrella Agreement.

Significance The ECJ ruling could add to potential disruptions to transatlantic commercial data flows arising from the EU's developing data protection regime that a study for the US Chamber of Commerce valued at 0.8-1.3% of EU GDP. The ruling weakens the United States in negotiations over the new EU regime, as well as over the Transatlantic Trade and Investment Partnership (TTIP). Impacts The ruling may bolster development of EU-based cloud facilities as EU users seek to avoid the risks of US-based data storage. This could reduce US firms' estimated 76% share of the EU cloud market. It would also lead to further fragmentation of the internet as a global resource.


Author(s):  
Fabiana Accardo

The purpose of this article is that to explain the impact of the landmark decision Schrems c. Data Protection Commissioner [Ireland] - delivered on 7 October 2015 (Case C-362/2014 EU) by the Court of Justice - on the European scenario. Starting from a brief analysis of the major outcomes originated from the pronunciation of the Court of Justice, then it tries to study the level of criticality that the Safe Harbor Agreement and the subsequently adequacy Commission decision 2000/520/EC – that has been invalidated with Schrems judgment – have provoked before this pronunciation on the matter of safeguarding personal privacy of european citizens when their personal data are transferred outside the European Union, in particular the reference is at the US context. Moreover it focuses on the most important aspects of the new EU-US agreement called Privacy Shield: it can be really considered the safer solution for data sharing in the light of the closer implementation of the Regulation (EU) 2016/679, which will take the place of the Directive 95 /46/CE on the EU data protection law?


Author(s):  
A. A. Koval ◽  
A. D. Levashenko

The export of services is not related to the physical movement of goods across the border but is directly dependent on the cross-border movement of data. Cross-border data flows play a vital role in the cross-border provision of digital services. The international community pays particular attention to issues regarding the application of data localization policies. Indeed, this requirement significantly affects global trade in services. The data localization policy provides, according to the WTO, limiting the ability of companies to transfer data about internal users to foreign countries. Developing countries (Russia, China, etc.) involve the application of the localization requirement, i.e., first records in the country, personal data of citizens, while the EU and the US consider the total need of data localization as a barrier to international trade. The article assesses the impact of data regulation requirements on the export and import of digital services.


2019 ◽  
Vol 21 (1) ◽  
pp. 32-43 ◽  
Author(s):  
Annegret Bendiek ◽  
Magnus Römer

Purpose This paper aims to explain how the EU projects its own data protection regime to third states and the US in particular. Digital services have become a central element in the transatlantic economy. A substantial part of that trade is associated with the transfer of data, most of it personal, requiring many of the new products and services emerging to adhere to data protection standards. Yet different conceptions of data protection exist across the Atlantic, with the EU putting a particular focus on protecting the fundamental right to privacy. Design/methodology/approach Using the distinction between positive and negative forms of market integration as a starting point (Scharpf, 1997), this paper examines the question of how the EU is projecting its own data protection regime to third states. The so-called California effect (Vogel, 1997) and the utilization of trade agreements in the EU’s foreign policy and external relations are well researched. With decreasing effectiveness and limited territorial reach of its enlargement policy, the EU found trade agreements to be particularly effective to set standards on a global level (Lavenex and Schimmelfennig, 2009). The existence of the single market makes the Union not only an important locus of regulation but also a strong economic actor with the global ambition of digital assertiveness. In the past, establishing standards for the EU’s vast consumer market has proven effective in compelling non-European market participants to join. Findings As the globe’s largest consumer market, Europe aims to project its own data protection laws through the market place principle (lex loci solutionis), requiring any data processor to follow its laws whenever European customers’ data are processed. This paper argues that European data protection law creates a “California Effect”, whereby the EU exerts pressure on extra-territorial markets by unilateral standard setting. Originality/value With its GDPR, the EU may have defused the problem of European citizens’ data being stored and evaluated according to the US law. However, it has also set a precedent of extra-territorial applicability of its legislation – despite having previously criticized the USA for such practices. By now, international companies increasingly store data of European customers in Europe to prevent conflicts with EU law. With this decision, the EU will apply its own law on others’ sovereign territory. Conflicts created through the extra-territorial effects of national law may contradict the principle of due diligence obligations but are nevertheless not illegitimate. They may, however, have further unintended effects: Other major economies are likely to be less reluctant in the future about passing legal provisions with extra-territorial effect.


This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.


2018 ◽  
Vol 67 (1) ◽  
pp. 233-253
Author(s):  
Billy Melo Araujo

AbstractThe EU and the US have long called for the linking of trade and labour standards in trade agreements at both the multilateral and bilateral level. This article examines their practice of including labour provisions in trade agreements, with a particular focus on recent attempts to include such provisions on so-called ‘mega-regionals’, which were presented by their proponents as providing the benchmark for labour protection in future trade agreements. It discusses the rationale behind the inclusion of such provisions and their practical limitations, and examines the extent to which mega-regionals address these limitations. It is argued that whilst the EU and the US have been keen advocates for trade-labour linkages, there has also been an unwillingness to convert this rhetoric into practice, raising questions about the extent of their commitment to these values.


2021 ◽  
pp. 327-347
Author(s):  
Fred Cate ◽  
Rachel Dockery

This chapter discusses cybersecurity laws. Many measures employed to enhance cybersecurity pose a risk to privacy. In addition, data protection laws focus only on personally identifiable information, while cybersecurity is also concerned with securing economic data such as trade secrets and company databases, government information, and the systems that transmit and process information. As a practical matter, despite the prominence of security obligations in data protection legislation, these were often downplayed or ignored entirely until recent years. Only as cybersecurity threats became more pressing did regulators begin actively enforcing the security obligations found in most data protection laws. More recently, legislative bodies and regulators have begun adopting cybersecurity-specific obligations. However, even these have often mirrored or been combined with privacy protections, sometimes to the detriment of effective cybersecurity. The chapter describes major categories of cybersecurity law, including unfair or deceptive practices legislation, breach notification laws, and data destruction laws. It also considers the new focus on critical infrastructure and information sharing, the China Cybersecurity Law, and the new challenges to data privacy and security law.


Author(s):  
Juan Fernando López Aguilar

Desde los primeros capítulos de la construcción europea con el Tratado de Roma (1957) que cumple 60 años, la jurisprudencia dictada por el Tribunal de Justicia ha sido determinante para la dimensión constitucional del ordenamiento comunitario. En una secuencia de decisiones históricas, el TJ ha afirmado su primacía, eficacia vinculante y su unidad garantizando su interpretación y aplicación uniforme, pero también, sobre todo, los derechos fundamentales dimanantes de las tradiciones constitucionales comunes como fuente del Derecho europeo (principios generales). Esta doctrina se consolida en Derecho positivo, al fin, con la entrada en vigor del Tratado de Lisboa (TL) en 2009, incorporando el TUE, el TFUE, y, relevantemente, la Carta de Derechos Fundamentales de la UE (CDFUE) con el «mismo valor jurídico que los Tratados» y, consiguientemente, parámetro de validez de todo el Derecho derivado, así como de enjuiciamiento de la compatibilidad de la legislación de los EE.MM con el Derecho europeo.La doctrina del TJUE sobre derechos fundamentales ha sido su proyección sobre la protección de datos en el marco de los derechos a la vida privada, a la privacidad frente a la transferencia electrónica de datos y al acceso a la tutela judicial de estos derechos (art. 7, 8 y 47 CDFUE). En ella conjuga los principios de reserva de ley (respetando su contenido esencial) y de proporcionalidad y necesidad de las medidas que les afecten. Pero, además, esta doctrina ha adquirido un impacto decisivo en la articulación jurídica de la relación transatlántica entre la UE y EEUU, confrontando los estándares de protección de datos a ambos lados del Atlántico e imponiendo garantías de un «nivel de protección adecuado» para los ciudadanos europeos. Este artículo examina el impacto de dos recientes sentencias relevantes del TJ —Asunto Digital Rights Ireland (2014) y Asunto Schrems (2015)— sobre el Derecho derivado (Directiva de Conservación de Datos de 2006, Directiva de Protección de Datos de 1995, y Decisión de «adecuación» de la Comisión Europea de 2000) y sobre instrumentos de Derecho internacional (Acuerdo Safe Harbour) entre la UE y EEUU. Impone, como consecuencia, no sólo una negociación que repare las deficiencias detectadas en ambas resoluciones sino una actualización del Derecho europeo (nuevo Data Protection Package en 2016) y una novedosa Ley federal de EEUU que por primera vez ofrece a los ciudadanos europeos acceso al sistema de recursos judiciales ante los tribunales estadounidenses en la defensa del derecho a la protección de datos (Judicial Redress Act, 2016).Right from the first very chapters of the European construction under the Treaty of Rome (1957), which turns 60 this year 2017, the jurisprudence by the Court of Justice has truly been decisive to shape the constitutional dimension of the European Community legal order. In a series of historical decisions, the CJEU has affirmed its primacy, its binding efficacy and unity, while guaranteeing its uniform interpretation and implementation. But it has also, above all, enshrined the fundamental rights resulting from the common constitutional traditions as a source of European Law (i.e general principles). This legal doctrine has been ultimately consolidated in positive Law, finally, with the entry into force of the Treaty of Lisbon (TL) in 2009, incorporating the TEU, the TFEU and, most notably, the Charter of Fundamental Rights of the EU (CFREU) with the «same legal value as the Treaties». Charter Fundamental Rights have turned to be, consequently, a parameter for examining the validity of secondary EU legislation, as well as for scrutinizing and reviewing the standard of compatibility of the national legislation of EU Member States with European law. The legal doctrine of the ECJ on fundamental rights has been particularly relevant in its impact on the data protection in the framework of the rights to privacy, privacy with regard to the electronic data transfer, and access to judicial protection of these rights (art. 7, 8 and 47 CFREU). It combines the principles of reservation of law (in due respect of its essential content) as well as proportionality and necessity for legislative measures that might affect them. But, moreover, this doctrine has had a decisive impact on the legal articulation of the so-called transatlantic partnership between the EU and the US, confronting data protection standards on both sides of the Atlantic and imposing guarantees of an «adequate level of protection» for all European citizens. This paper explores the impact of two recent relevant decisions by the ECJ — its rulings on Digital Rights Ireland case (2014) and on the Schrems case (2015) — upon the secondary EU legislation (Data Retention Directive of 2006, Data Protection Directive of 1995, and the «adequacy» Decision of the European Commission of 2000), as well as upon International Law instruments (Safe Harbour Agreement) between the EU and the US. It imposes, as a consequence, not only a negotiation that remedies the shortcomings detected in both decisions, but also a compelling updating of European law itself (new Data Protection Package in 2016) and a new US federal law, which, for the first time ever, provides European citizens with access to judicial remedies in U.S. Courts in defending their right to data protection (Judicial Redress Act, 2016).


AJIL Unbound ◽  
2020 ◽  
Vol 114 ◽  
pp. 5-9 ◽  
Author(s):  
Cedric Ryngaert ◽  
Mistale Taylor

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.


Author(s):  
Francisco García Martínez

The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.


Sign in / Sign up

Export Citation Format

Share Document