US war on terror EU SWIFT(ly) signs blank cheque on EU data

The EU and the United States signed the Terrorist Finance Tracking Program (also known as SWIFT Agreement) agreement giving the US authorities access to bulk data containing the millions of records in the EU to enable the US authorities to trace financial transactions related to suspected terrorist activity (or to put it bluntly, against US interest). The SWIFT Agreement added some data protection safeguards, but the United States has been found to circumvent the agreement with the aid of the Europol. The EU Commission and the Europol have classified all documents concerning the SWIFT Agreement as secret. EU citizens confront a dark future where unelected EU bureaucrats continue to betray the trust of the people handing out bulk data to “counter terrorism” but at the same time undermining cherished values and violating human right standards and principles.     

Medical data breaches: Notification delayed is notification denied

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.     

Norway and Emissions Trading: From Global Front-Runner to EU Follower

A striking convergence has taken place in the design of the Norwegian and EU greenhouse gas emissions trading systems from 1998 to 2004. This article argues that the Norwegian adaptation to the EU did not take place as a consequence of perceived legal obligations under the European Economic Area agreement. Nor did it take place due to Norwegian actors being persuaded about the merits of the EU design. The main explanation has to do with interests. The EU market and politics are of course generally very important for Norway. However, before the US pulled out of the Kyoto Protocol in 2001, the Norwegian outlook in climate politics was global. The US pull-out accelerated the development and hence the attractiveness of the EU trading system and resulted in EU emissions trading as the most probable and possibly only international market for Norway to link up to. Hence, this analysis provides further support to the importance of being sensitive to the global context and institutional interaction when analyzing the relationship between the EU and its neighboring countries.     

Protecting digital identity in the cloud: Regulating cross border data disclosure

Widespread use of cloud computing and other off-shore hosting and processing arrangements make regulation of cross border data one of the most significant issues for regulators around the world. Cloud computing has made data storage and access cost effective but it has changed the nature of cross border data. Now data does not have to be stored or processed in another country or transferred across a national border in the traditional sense, to be what we consider to be cross border data. Nevertheless, the notion of physical borders and transfers still pervades thinking on this subject. The European Commission (“EC”) is proposing a new global standard for data transfer to ensure a level of protection for data transferred out of the EU similar to that within the EU. This paper examines the two major international schemes regulating cross-border data, the EU approach and the US approach, and the new EC and US proposals for a global standard. These approaches which are all based on data transfer are contrasted with the new Australian approach which regulates disclosure. The relative merits of the EU, US and Australian approaches are examined in the context of digital identity, rather than just data privacy which is the usual focus, because of the growing significance of digital identity, especially to an individual's ability to be recognized and to transact. The set of information required for transactions which invariably consists of full name, date of birth, gender and a piece of what is referred to as identifying information, has specific functions which transform it from mere information. As is explained in this article, as a set, it literally enables the system to transact. For this reason, it is the most important, and most vulnerable, part of digital identity. Yet while it is deserving of most protection, its significance has been largely under-appreciated. This article considers the issues posed by cross border data regulation in the context of cloud computing, with a focus on transaction identity and the other personal information which make up an individual's digital identity. The author argues that the growing commercial and legal importance of digital identity and its inherent vulnerabilities mandate the need for its more effective protection which is provided by regulation of disclosure, not just transfer.     

数据跨境流动规制中的“长臂管辖”——对欧盟GDPR的原旨主义考察

欧盟《一般数据保护条例》是个人数据保护的重要立法之一,而其中的“长臂管辖”条款是最有特色并颇受争议的规则。从内在视角来看,欧盟语境下个人数据的特殊含义和重要地位,是“长臂管辖”的正当性基础。而其在制度上形成内外联动的局面,是因为欧盟想扭转其在全球互联网和信息产业的劣势地位,并增强其在全球数据保护立法的话语权,同时更好地保护个人数据和国家安全。对此,中国未来的数据保护立法应结合自身数据产业的特点,明确立法旨意,形成内外联动,在国际互联网和数据治理中采取积极有为的态度,掌握该领域的话语权。     

Extradition on the Two Sides of the Atlantic: The U.S. Model as Blueprint for the European Arrest Warrant?

This article compares the EU’s enhanced extradition model, in the form of the European Arrest Warrant, with the more mature American interstate extradition mechanism. The US Constitution’s Extradition Clause mandates interstate extradition and, after a slow start-up, has led to a smooth and obligatory procedure. In the EU, the European Arrest Warrant, based on the principle of mutual recognition, has made a number of significant changes to traditional extradition and has simplified extradition between EU member states. Yet, it does not operate without problems and the first decade has revealed what the difficulties with extradition on the basis of mutual recognition are. The comparison with the US seeks to draw lessons from the US experience. The main finding is that in a number of areas the US example can direct the EU toward further improving its extradition scheme, while at the same time it is not realistic to expect that the EU will achieve a similar degree of harmony as in the US, required for an obligatory extradition scheme. The article argues that it is important to recognise these limits in order to make the European Arrest Warrant a success.     

The Power of EU Collective Action: The Impact of EU Data Privacy Regulation on US Business Practice

Contemporary critiques of globalisation processes often focus on the potential levelling of regulatory standards and the export by the United States of neoliberal norms of deregulation and market facilitation. This paper, in contrast, examines the extra-jurisdictional impact of EU regulatory policy on the behaviour of foreign private parties, even in powerful states such as the United States. Shaffer finds that the threat of curtailing access to the EU's large market provides the EU with leverage. By acting collectively, EU Member States can magnify the impact of European policy on US business practice and enhance EU Member State clout in the negotiation of de jure and de facto foreign standards. The site of analysis is the current dispute between the United States and the European Union over the provision of 'adequate' data privacy protection in accordance with the EU Directive on data privacy. The paper explores the many ways in which the Directive affects US practice through changing the stakes of US players – including regulators, businesses, privacy advocates, lawyers and privacy service providers – and thereby shifting the playing field in the United States on which competing interest groups clash. In examining the interaction of EU law, US practice and international trade rules, the author finds that WTO law, rather than constraining the Directive's extra-jurisdictional impact, provides the EU with a shield against US retaliatory threats, thereby facilitating a trading up of data privacy standards. The paper concludes by examining the conditions under which cross-border exchange can lead to a leveraging up of social protections: the desire for firms to expand their markets, Member States' collective bargaining power buttressed by market clout, the nature of luxury goods, the externalities of foreign under-regulation legitimising EU intervention, and the constraints of supranational trade rules.     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

CLOUD act agreements from an EU perspective

For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts – including supranational ones – NGOs and the public. When implementing recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly-defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries.Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings. Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law.The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.     

Modernization of European data protection law at a turning point

CLSR welcomes occasional comment pieces on issues of current importance in the law and technology field. In this note Dr Ulrich Wuermeling of Latham & Watkins LLP, Frankfurt offers a personal viewpoint on the EU data protection reform package.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Global Privacy Concerns and Regulation-- Is the United States a World Apart?

The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

Global Environment Threats and a Divided Northern Community

The EU, Japan, and the US now share many environmental norms, laws, and institutions and cooperate on international environmental matters through numerous bilateral and multilateral channels. They disagree, however, on how to deal with some of the most serious issues facing the global environment and the quality of human life including wide-scale biodiversity loss, climate change, the use of genetically modified (GM) organisms; the trans-boundary movement of hazardous wastes, and chemical safety. As these are all issues that require the involvement of developing countries if global environmental protection efforts are to be effective, the discord that exists among the Northern states is of tremendous significance. The US has pulled out of the Kyoto Protocol arguing that the treaty is poorly designed and would be detrimental to the US economy. Japan and the EU have had to try to find a way to bring the treaty into force without the participation of the world’s largest emitter of greenhouse gases and to convince participating countries to meet their targets even though this may put them at a competitive disadvantage. In the case of biodiversity loss, although the US initiated international negotiations on biodiversity preservation, it has refused to join the EU and Japan in ratifying the Convention on Biological Diversity. There are also differences between the US, on the one side, and Japan and the EU on the other, regarding the use of GM organisms. This article analyses the reasons for the differences that have emerged among northern states in their international environmental policy positions and what the implications of this northern policy divide are for the effectiveness and legitimacy of international environmental protection efforts.     

On the Use of Law in Transatlantic Relations: Legal Dialogues between the EU and US

Law plays a significant role in contemporary transatlantic relations outside of the bilateral context which, from the perspective of EU external relations law, might seem neither conventional nor apparent. Non‐bilateral transatlantic relations increasingly deploy law as a communication tool between the two legal orders. For example, in 2011, the US intervened informally and anonymously in the formulation of EU legislation, while the US House of Representatives passed legislation to prohibit the impact of EU law upon the US legal order. Another example is constituted by EU amicus curiae submissions before the US Supreme Court in death penalty cases. The so‐called Brussels effect is also the subject of recent scholarship, assessing the perceived spillover effect of EU regulatory standards onto US rules. The paper provides many vivid examples of the variable institutional and legal components of transatlantic relations not usually accounted for in scholarship on transatlantic relations.     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

Horizontal mergers and efficiencies; theory and anti trust practice

Horizontal mergers can be challenged by anti trust authorities under both the US and EU Horizontal Merger Guidelines. More horizontal mergers are unconditionally approved in the US than in the EU. EU merger policy toughened after 1998 but became more in line with US practices after 2004. Differences in merger policies between the US and the EU can be explained by a greater scope of the efficiency argument in the US. The paper argues that firms only want to merge in oligopoly, if they expect to realize substantial merger specific efficiency gains, which counterbalances the price increasing effect of merger.      

Genetic Data and the Data Protection Regulation: Anonymity,multiple subjects,sensitivity and a prohibitionary logic regarding genetic data?

Owing to the unique qualities of genetic data, there have been numerous criticisms of the current data protection framework's ability to protect genetic data. It has been suggested that the Directive did not recognise the sensitivity of genetic data and that it ignored a number of legitimate interests in this data (in particular interests which multiple data subjects may have and those which may remain in anonymous data). In 2012, the first results of a reform process of EU data protection law were released. These results included a draft Regulation (to replace the Directive) which introduced a new framework for the protection of genetic data. This Article considers whether the innovative approach to genetic data in the Regulation will provide a more adequate framework for the protection of genetic data. It concludes that the Regulation has rectified the lack of recognition of sensitivity, but still stutters in recognising a number of legitimate interests.     

An analysis of the effectiveness of the EU data breach notification obligation

In this paper we study the law and economics of the EU data breach notification obligation (EU DBNO), which is part of the general data protection regulation. We start our discussion with the origins and aims of the EU DBNO. Following this, we study the social benefits of the DBNO and the conditions for these social benefits to emerge. Next, we analyse whether there would be spontaneous notification without the existence of a DBNO. We discuss how the national DPAs, that are responsible for the execution of the EU DBNO, can sufficiently induce data controllers to comply with the regulation. We also discuss the scope of the regulation from a social welfare perspective, in particular the conditions, which trigger a notification from data controllers.