Lecture 7
There has to be done something to help the data subject controlling its data when the data is being
transferred from one country to another. The EU started with the idea that control rights need to
follow wherever the data goes, which was followed by the CoE. The world needs to be a controlled
entity. Take back the additional protocol of Convention 108 with you to the exam. The 2001
additional protocol mainly on transborder issues. Article 25/26 of the Directive are copied without
too many changes in the regulation regarding these issues.
Case body Linguis about hosting, blogging, about the contemporary use of the internet and how the
law relates to this. The 1995 Directive was looked at by the ECJ and the judgment was okay for data
protection purposes as everyone was afraid of judges not understanding data protection. Everyone
was afraid of a far worse judgment. It is about this woman that has a little blog saying that her
college broke his leg. If you publish something on the internet which is worldwide accessible, is that
an international transfer of data? One could say yes, I put my data on the worldwide web and
everyone can have it, but the court said no, saying that in 1995 internet use was less developed so
the Directive does not really address this. We should see this not as a transfer to third countries
because if not we would confuse and mess up the whole logic of the Directive itself. This logic is to
distinguish between processing within Europe and transferring outside Europe. Art. 25 and 26 on
international transfers.
There is to hypotheses/scenarios about transferring:
I. Transfer to EU MS or states within the EEA. The CoE Convention art. 12 and art. 1 Directive
say that it should be free flow. Data protection after the directive should be more or less the
same, so transfers are no taboo anymore. You can pull your data, Europe is one space for
data so it can free flow everywhere. Page 132. Free transfer from Slovenia to France, but you
can’t allow Slovenia then to transfer it to the US as it is not an EU country, so a third country.
So it is a very simple, typical internal market idea. If the data goes to Slovenia you can ask
your local DPA to intervene, they will contact the Slovenian DPA and data protection justice
will be done. Europe can control national DPA’s, by stating that they should be independent
and effective. We should have some trust in the functioning of DPA’s elsewhere as there was
a lot of suspicion about the Irish DPA. We need to accept some cultural differences but make
also sure that we have some apparatus to make sure that foreign (Irish) DPA’s will function
well. The DPA’s get firm administrative powers after the regulation so there should be at
least some trust in each other’s DPA’s and court systems.
II. Transfer of data to third countries, so outside the EU or the EEA. In this case it is about the
adequacy. A factor of having this could be that you have an independent DPA (not an
effective one per se). In practice, if there is no independent body on the other side of the
line, you won’t get adequacy. Brussels determines the standards, countries ask could you
check us out and check whether the data protection system is adequate. You’re actually
saying your legal system is not adequate, so Brussels determines the standards and adequacy
is a slow process. In practice having control from Europe comes down to the question
whether you have a DPA and do you have a body of law that has a general scope? For
example, Australia could only obtain adequacy for its private sector processing if that has an
accurate body of enforceable norms around. You can also ask adequacy for bits of your
system, instead of a whole. The Safe Harbour principles are replaced by the Privacy Shield
principles but they are more or less the same. If a company accepts these principles, it can
freely transfer data between the EU and the US. EU citizens can then exercise their right of
access and at the side of the US, overside is guaranteed by the Federal Trade Commission
There has to be done something to help the data subject controlling its data when the data is being
transferred from one country to another. The EU started with the idea that control rights need to
follow wherever the data goes, which was followed by the CoE. The world needs to be a controlled
entity. Take back the additional protocol of Convention 108 with you to the exam. The 2001
additional protocol mainly on transborder issues. Article 25/26 of the Directive are copied without
too many changes in the regulation regarding these issues.
Case body Linguis about hosting, blogging, about the contemporary use of the internet and how the
law relates to this. The 1995 Directive was looked at by the ECJ and the judgment was okay for data
protection purposes as everyone was afraid of judges not understanding data protection. Everyone
was afraid of a far worse judgment. It is about this woman that has a little blog saying that her
college broke his leg. If you publish something on the internet which is worldwide accessible, is that
an international transfer of data? One could say yes, I put my data on the worldwide web and
everyone can have it, but the court said no, saying that in 1995 internet use was less developed so
the Directive does not really address this. We should see this not as a transfer to third countries
because if not we would confuse and mess up the whole logic of the Directive itself. This logic is to
distinguish between processing within Europe and transferring outside Europe. Art. 25 and 26 on
international transfers.
There is to hypotheses/scenarios about transferring:
I. Transfer to EU MS or states within the EEA. The CoE Convention art. 12 and art. 1 Directive
say that it should be free flow. Data protection after the directive should be more or less the
same, so transfers are no taboo anymore. You can pull your data, Europe is one space for
data so it can free flow everywhere. Page 132. Free transfer from Slovenia to France, but you
can’t allow Slovenia then to transfer it to the US as it is not an EU country, so a third country.
So it is a very simple, typical internal market idea. If the data goes to Slovenia you can ask
your local DPA to intervene, they will contact the Slovenian DPA and data protection justice
will be done. Europe can control national DPA’s, by stating that they should be independent
and effective. We should have some trust in the functioning of DPA’s elsewhere as there was
a lot of suspicion about the Irish DPA. We need to accept some cultural differences but make
also sure that we have some apparatus to make sure that foreign (Irish) DPA’s will function
well. The DPA’s get firm administrative powers after the regulation so there should be at
least some trust in each other’s DPA’s and court systems.
II. Transfer of data to third countries, so outside the EU or the EEA. In this case it is about the
adequacy. A factor of having this could be that you have an independent DPA (not an
effective one per se). In practice, if there is no independent body on the other side of the
line, you won’t get adequacy. Brussels determines the standards, countries ask could you
check us out and check whether the data protection system is adequate. You’re actually
saying your legal system is not adequate, so Brussels determines the standards and adequacy
is a slow process. In practice having control from Europe comes down to the question
whether you have a DPA and do you have a body of law that has a general scope? For
example, Australia could only obtain adequacy for its private sector processing if that has an
accurate body of enforceable norms around. You can also ask adequacy for bits of your
system, instead of a whole. The Safe Harbour principles are replaced by the Privacy Shield
principles but they are more or less the same. If a company accepts these principles, it can
freely transfer data between the EU and the US. EU citizens can then exercise their right of
access and at the side of the US, overside is guaranteed by the Federal Trade Commission
