Litcius/Paper detail

The third country problem under the GDPR: enhancing protection of data transfers with technology

Bjørn Aslak Juliussen, Elisavet Kozyri, Dag Johansen, Jon Petter Rui

2023International Data Privacy Law26 citationsDOIOpen Access PDF

Abstract

Transfers of personal data from the protected area to third countries have been a continuous saga in the European Commission and the Court of Justice of the European Union (CJEU). The article analyses recent developments related to transfers of personal data to third countries, including shortcomings in the current transfer mechanisms. The role of technology as a safeguard in third-country transfers under the GDPR is then analysed under the different transfer mechanisms. The main contribution of this article is to link an analysis of the legal requirements for transfers of personal data to third countries with a computer science-based analysis of Privacy-Enhancing Technologies (PETs) in order to better ensure the overall proportionality, efficiency, and foreseeability in cross-border transfers of personal data to third countries. The overall objective of the General Data Protection Regulation (GDPR)1 is two-fold: To contribute to the protection of privacy and personal data and to promote the free flow of personal data within the protected area2 through uniform regulations and homogenized interpretations of those regulations.3 If a controller or processor in the protected area (the exporter) transfers personal data to a country, region, or international organization outside the EEA, the exporter gets the advantage of the free flow of personal data to an area without homogenized data protection rules and interpretations. Under such circumstances, it is imperative to establish requirements that contribute to the initial objective of the GDPR, the protection of privacy and personal data. In EU data protection law, this requirement is known as the ‘essentially equivalent’ requirement.4 If personal data are to be transferred outside the protected area, the receiving country must have a level of personal data protection ‘essentially equivalent’ to the protected area. The Court of Justice of the European Union (CJEU) concluded in both the Schrems I5 and the Schrems II judgement6 that for and the data protection ‘essentially equivalent’ to EU data protection In the Schrems II the Court that the for the of the personal data protection and The of personal data in the Union that transferred personal data to the to the transfers or the transfers legal The Schrems II the of international transfers of personal data to third countries in an the related to transfers of personal data to or such as or in a third The Schrems II as an of the the Commission and the In order to international transfer the Commission is to in the as a of to a and that to of the to the protection of personal In the of the including and with a personal data and analysis have an international and in data the to ensure in The of as as continuous data transfers of personal data and the in personal data transfers and continuous that a in international transfers to a in a receiving third country is the Schrems II an for of personal data that the transfer to the the to the transfer legal in of the Under such an legal the the exporter to the data protection to the rules and regulations in the receiving third a be as both for the exporter and with the to personal data In a from the Data Protection Commission concluded that the for the protection of personal data for transfers known as a the for with of the GDPR data from the protected area to the The the Commission and of a for transfers been as the legal the Schrems II for The Data in an order from the to from The is to in a The European the Commission to with the and the in a The main contribution is to link the from a legal analysis of the and of the ‘essentially equivalent’ requirement with a computer science-based analysis of (PETs) in third-country The legal with transfers to third countries are and analysed from a of to technology legal in third-country The for the legal requirements and is to the of different transfer is that cross-border transfers with technology the and of the data transferred better data protection and and contribute to the proportionality, efficiency, and foreseeability of cross-border The main are the is the and of the requirement for ‘essentially equivalent’ protection in transfers to third is the ‘essentially equivalent’ requirement in and and to the requirement for ‘essentially equivalent’ data protection in transfers to third The transfer is in the The European Data Protection in the of controller or processor is to the GDPR for the in (the The exporter or personal to this to controller or processor is the data (the The is in a third country or is an international of or the is to the GDPR under Transfers of personal data from the protected area and to third countries are under GDPR as a with The the of transfers is to the through transfers of personal data to third countries as data protection of the GDPR from the of cross-border transfers to third countries in are that transfers of the protected area be an from the European Commission that the third country an level of personal data the transfer be a level the exporter and the to such safeguard is the Commission under and that the transfer be a to be as a transfer the transfer of personal data is and The overall of the different transfer in of the GDPR is to ensure that personal data protection in the third country is ‘essentially equivalent’ to the protected The of the requirement for ‘essentially equivalent’ data protection in the receiving third country is to ensure the of the level of personal data protection and to ensure that the GDPR is data are transferred to third The requirement is to the GDPR in of the of of the European and is a requirement of the transfer In the of a third country ‘essentially equivalent’ the the transfer is an or under the Commission to GDPR data protection a and to a third to the Schrems II of personal data in the the Commission to a third-country In the Schrems II the Court that it is the to personal data to a country without The Schrems II be as the of from a the to a to personal data protection in the third the in the receiving third country, the exporter the of the transfer the ‘essentially equivalent’ requirement is the transfer to of the the personal data must be transferred the and of the third country of the data from with the the rules and of the receiving third country, the exporter the and and of the the of the of the the and of the receiving country, and or to the an be in a If the transfer the the to safeguard the The of the to the of ‘essentially equivalent’ protection the of The to personal data protection is ‘essentially equivalent’ the of data protection in the third country to the and and the and the In such the in the receiving third country ‘essentially the transfer be If the transfer personal data to third countries the third the data in a ‘essentially equivalent’ to the GDPR, the of to or of under In the role of in third country are analysed to contribute to ‘essentially equivalent’ protection in transfers is an of a third country the Commission the of a third data protection the of law, for and data protection and and of in the third for transfers of personal data to third countries without or an level of personal data protection in the third country as in the protected The level of protection in the third country from the protected area as as that the as a through the of privacy and and an level of data The European Commission is under GDPR to a third country protection in The of such a be the and The in both the Schrems and II a of the Schrems II the European Commission a an order with to EU that and personal data for to be to is In with the of from the with of under to personal data must be to a a or is to to is to the objective to the order of personal data transferred to the be is to be to in in order to a The a requirement of the requirement of the of in the order is that it to be The the under EU of the for If the Data in an from the it is a for to be the The as of an and as the and in law, that the privacy regulations ‘essentially equivalent’ protection for EU data legal been for the legal that are to be under the of the are that it to The of a Commission and the in the Schrems that is a that in the that the transfer be as In are under the in the it is an that a as in the Schrems a of to the protection of personal data transferred to third countries, such a transfer is an The current of to cross-border transfers of personal data to third countries be as and the in concluded that the and data In of of the main transfer transfers to the are the Schrems II legal legal in the of transfers to a The current be as of personal data the of transfers to third countries through of the and in the receiving third country as the transfer be as both and for the is that to to data protection in the receiving third the current of be as for the to the of the and to transfers of personal data of the protected area. and in the of the of the the GDPR and the in the to be in a third country, through the Commission and the third country or as a the exporter and the it is that a third country with a different legal legal and data protection in a to the level within the protected area. the a third-country to transferred personal data. In the is to (PETs) safeguard the and protection of personal data transferred to third countries and for a in third-country are in the The European Union for as a of that are for privacy and data exporter of personal data be to the to both and to ensure that a transfer to a third country is with GDPR in with the that have as such are in the technology that the exporter of personal data in order to with the ‘essentially equivalent’ have the to GDPR of data a the of a of to be both for the personal data of a of different of that different of data and data and the and of the in cross-border transfers to third countries. that personal data this data are and the data for the controller or for the the of that is to the processor and the of data protection to the data the legal of the transfer the different are The have the to the outside the of the transfer rules in and of the of the the or data protection in the receiving third or the to an that the legal of the The with the analysed in of the overall proportionality, efficiency, and foreseeability the of the different that contribute to personal data in cross-border transfers to third countries, it is to the of the in to personal and data. legal are to are in the of in the of the transfer outside the of the transfer rules in of the The GDPR and the of data protection to personal to an or personal data are the link the and the data The GDPR and the of data protection to and personal data is in such a that are or from the the is outside the of the GDPR and is as data is as personal or and under or outside of the of the GDPR, the is an of To a is an be of the to be such as the controller or to a or To are to be to a be of objective such as the of and the of for the technology the of the and the is a and a in the legal the of the GDPR in an or Under the of of is If is a that the and a the data be as personal The the a of The of is from the objective in GDPR in order to the data are as personal data under the of the or data outside the recent of from the of the General Court the of personal data in Regulation the of personal data under the The in an related to an be or data in the of the the The General Court the of personal data in Regulation to the under the GDPR, in with the The General Court a to the of that be to a the is be as personal data. the General Court that the of must be and that of data the for is the data or the The of the General Court is in with the of In the data transferred to a third the Regulation and the The of the General Court to be with in to third-country to the third country the is for the The data transferred is for the the data are in a the exporter in the protected area. The GDPR the of it is as personal data or the that the in such a is different the exporter or is the data. from the of the in the third country the the of in the GDPR the transfer of data the of outside the of the transfer rules in of the GDPR the data are to a in the receiving third country without to the In a are to the transfer outside the of the transfer rules in of the GDPR the is to the of personal data in the protected area under the of the the are to the personal data the exporter in the protected area to the and of a is the transfer outside the of the transfer rules in The this is that the of transfers from the is for such a of the of the is in such a the data for the the of personal data. is that must be the personal data the of The objective of the transfer rules is to data in the protected area from data protection rules in a third-country In a the data transferred is personal this The different the transfer to outside the transfer rules in is under of the the different personal data the in a data and a for a or an are a for a or a and the link the and the is protected the to the and to and In to cross-border transfers to third countries, the of be the of an that a an EU data is with a that and The data to in a third country for analysis the is to the The to link the from the analysis with the of the the of the is to the analysis of the data in the third be to the of the with a for a or a The of is transferred with the data to the third The analysis of the data is and transferred to the protected area. The the of the analysis and the of the the is then in the protected area. The that be to the of personal data and the of and contribute to the of data in third-country To the of The level of protection be with an that an in the protected area the data from with the and of and of in the and the of the The is and in a the controller or that the controller and processor to transfer the data to a third country for in a the of the to the data from in the third The that the is and of the and the is to a and a data is a that the outside the of the GDPR data that have is as personal data and is an of an safeguard under data protection and under and as a under The that transfer to ensure with the EU level of protection of personal data from the as an for protection and a that the the outside the of the The that a for cross-border transfers to third countries. The from the is for that the the personal data be to a data or to the data in a the to the data is the or of the is and and the exporter analysed the data in and that the in the third country that the personal data be to an or with such The from the for the exporter to the in the receiving third country is an to personal data in a transfer to a third The as an safeguard in transfer to third countries from the and the of in GDPR are the in that the controller or be are that the exporter of personal data the of from third-country as a safeguard in transfers to third countries. To the legal of as a to safeguard the transfer of data contribute to protection the of the transfers such as the of the personal data and the and in the receiving third In such a the analysis of and in the receiving third country is as an overall as a contribute to the the legal of the transfers The overall in is that the third-country such as are from third countries to the protected area in the In a personal data in the protected area under the GDPR, the requirements for transfer to third countries are a to transfer data of the protected of personal data are the of for in The is to that to that personal data are in a region, for in the protected area. technology have to the related to personal data to third countries. for is such a The different to personal data protection and including and the overall such is to the data within the of the that a the transfer rules in the data are transferred to a third The a legal a controller or processor in the Union of a a controller or processor in the protected area the personal data are a in the protected area and the is in a third country or is an EU of an in a third To the GDPR transfers of the protected area. of such transfers is in from the In the personal data are and in the protected area the is an in a third country, the is as a transfer under the In the of for the Protection of with to of Data cross-border transfers to third countries are as a the data are transferred to a that is to the of a that is a to The of transfers in is in the to the In the data transfers are as a data are or to a to the of or international transfer under personal data are to a of a to the without the personal data to the a personal data a the is in a that is to the is an of European data protection as the of and is to the to data protection under of the European of have for the of the to privacy and data protection in the the GDPR the an the GDPR The is a from the that is a from the under the of the The of transfers in a in the of a transfer in EU data protection to be In of the Court the concluded that the EU legal order a legal order and that the the EU to the to the of EU and the EU and be as a in the and the European Commission a the EU to the The of the is to the the in the of EU recent the of the EU to the and the of within the of EU data protection In a from the Court in from the Court a to a is a third-country The Court concluded that the personal data the protected area under the GDPR, the be as a transfer the the personal data is under the of a third The the transfers from the and the a European of the The of personal data in the protected area a processor under the of a third country be as a transfer is the of a The the in the the Court concluded that a personal data the in the protected area a of a a transfer of personal data to a third the the of personal data the The the that it is that the is as a transfer to a third country or the Court the of to the personal data that the as a In the the data in a in the is a third-country or a of a third-country legal for an of the related to a to the personal data in the third-country In such a to the both the of the personal the of the and for and data To the legal of in to transfers to third countries, a is a with the to the outside of the of the transfer rules in of the GDPR the is a in the the legal of the in to the transfer rules and the of to personal data from third countries the and of the of a safeguard in the GDPR is data be to the of the personal the data to is of the computer with or or is to the of the data. is are that to the level of data the level of data and the level of in order to ‘essentially equivalent’ data protection personal data are transferred outside the protected area. To be an of as the of to be known as the and a known as the and it a of known as the The in the be to the is the with that and that those that the the the for those that the the of The protection that is is to that the that the the from the that in the of the and this the level of and the legal of the cross-border transfer to a third a data in the protected area personal data to a processor in the Union data in the data to a data in a third The personal data are in with a both for transfer to the and for within that that the the that the personal data from the personal data is to the exporter within the protected area or the in the third the protection the of the for both the exporter and of personal data. the exporter and the the and be to this for or this be for that and or the data the and the the personal data in the third country the that the personal data. that the the data and the exporter or the exporter and the in the third country the transferred the data. that the personal data are with the exporter and the and it the that data. that the data is for the the of data and different to the of personal data the data to the for the processor of personal data to both the of data and The main different and are in a the that the a known to personal in is the and including is to The of the to be to the that and for be to an and be in the of personal data under GDPR the of the under this is to GDPR, then to be for protection in cross-border be a third-country to for within the third country and with the of the third be to to that for the and an is to both the of data and in the In the a is with an EU the to the of the data protection requirements the of are a that is known both the and this is to that an EU data an personal data to a be a is to the protection requirements those that the and the that the is the data in the third country of as an under the a of data and be as an to ‘essentially equivalent’ protection is such The of the the as the is personal data under the GDPR is for a is as a for under GDPR and an data as personal data under the that personal data are the of and the is in the protected area to the in a receiving third country and the is that is to be to the data to personal the transfer is outside the transfer rules in The in the protected area is as personal data the transfer of the data is as the transfer of personal data under the in the a from the of and the of the transfer rules in of the GDPR the to the of The the legal of in to cross-border transfers of personal data different for and the to the transfer of data to a third country outside the of the transfer rules in of the to that the controller or processor the personal data to the in the third country to to ensure GDPR the exporter is as a transfer and are related to the and of the receiving third under the is to and under the of a third country that the of then the personal data are the third country different are of that for to that the of such is the and and from The to the and of to including to is the from the European in the and the current of to for and the that the of as a in third-country transfer a of protection for the personal data the of the third country, to the of the to the of the third country, the protection and the to the transfer of personal data. from the to of The of the legal of data of the protected area is that the transfer outside the of the transfer rules in and that the and in the third country, be a in with the a both protection for a personal data and for the data been as a that this Under personal data be with a that the protection in the data processor the from or in the of is as a data and then the with the a that the of that to the data. under personal the to a third have the to the and the and then the is to the of that to data. this of an be an in to cross-border transfers to third countries. a that is a in a third country and that is with a known a data in the protected area. that the that a the the as that to the The EU data then a personal to the in the third country, without this the of the the and the of the is is a the of the that be to the and the that be The the of the that to to the this to the to for the of for a of is an of to the data protection of and in cross-border transfers to third countries be a as have be as to for of GDPR in transfer to third countries. the of the transfer outside the of the transfer rules in from the of the in the third a the legal of as a safeguard in transfers to third countries. If personal data are the data or a data exporter in the protected area, and the is or the data in the third country, for the the of to the of as the of personal data and of data and the the of in the third as the of data. In such an the in the third country is outside of the of the transfer rules in The the the is to the of personal data and it is to the personal data from the the data in the third data to be without to be to is to the in this a is a of is data are in an an a the processor data from the this the and the to the the the data in the it the a protection and be to data. a a is as of transfers from the protected area to a third a in the protected area in the EU or and a in the that in a that as data and the that this from the is a with the The EU then a with a known that the to the in the and have it and within an The of the then be to the in the protected area, it is and in this a protection for the transfer of personal from the protected area to a third for the of a be to the to for the to and in the GDPR in of of the be to the that it that the data exporter and data have the transferred data in a then be to a of the to be this and the to the data The data exporter is then to the to the of and the data are in the the of a in a cross-border transfer to a third country the data transfer outside the of the transfer rules in of the To this to a to the of that to that the processor as it is to and that the be or to third-country The the legal of the under this is to the have data through is If a been and is a European and the are to personal then the of a a data transfer outside the of the transfer rules in of the GDPR, or the ‘essentially equivalent’ requirement of of the data from the protected area to a third country is for this data to be in the of a are different from different countries, to in the of a without of personal to the To this been In the the the data. a the from data to the and then the to the the the is the data are different that protection data to third it been that the of of the the it is this is to personal data. In that the of the transfer and the receiving third country, is to with the ‘essentially equivalent’ and be to personal the data are such as for data under GDPR to protection of is the the of the such that the data is to the and the is privacy a with such privacy is a that be in of data. of a is to be the of this the data a data it is that the of data is to the is a of data and have In the is in a a the of the a of is to such that the the data of that the of and The of protection

Topics & Concepts

JudgementParliamentData Protection Act 1998General Data Protection RegulationInternational tradePolitical scienceInternet privacyLaw and economicsComputer securityBusinessComputer scienceLawEconomicsPoliticsPrivacy-Preserving Technologies in DataDigitalization, Law, and RegulationPrivacy, Security, and Data Protection