Dr. David Erdos
Trinity Hall
University of Cambridge
Data Protection: The European Approach
Personal Information Processing
Principles & Legitimation
Sensitive Data Rules
Transparency & Control Rules
Discipline & Supervision
Europe’s Other Commitments
Interests
• Economic growth
• Digitization
• Competitiveness
• Globalization
• Crime prevention
• National security
• etc.
Rights
• Freedom of expression
• Freedom of information
• Freedom of association
• Freedom of movement
• Academic freedom
• Business Freedoms
• etc.
EU Directive & Transborder Data Flows
Derogations (Art. 26 & Art. 9)
1. EU contractual clauses giving “appropriate safeguards”
2. State authorized “appropriate safeguards”
3. Data subject waiver
4. Some weighty publicly orientated right or interest.
General Principle (Art. 25):
• “transfer may only take place if … the third country ensures an adequate level of protection.”
• European Commission empowered to “whitelist” countries
Reconciliation? The Negatives
• Transfer meaning seemingly very broad.
• Adequacy seemingly about the legal order of country
• Derogations strict – State vires requires all other States to be informed; State law can restrict all other derogations.
Reconciliation? The Positives
• Adequacy standard to be assessed “in all the circumstances” (Art. 25 (2))
• Adequacy vires could be applied by any controller – interpreted in UK as “self-assessment” model.
• Court of Justice of EU (CJEU) in Lindqvist (2003) showed willingness to narrow meaning of transfer.
New CJEU Case Law (2010 onwards)
• More severe approach from CJEU from 2010 onwards:
• Data Protection now EU Fundamental Right
• Growing awareness of undermining of EU data protection
• C-262/14 Schrems case on “whitelisting” key e.g.:
  • “adequacy” here = legal order (not self-help)
  • “adequacy” here = “essentially equivalent”
  • whitelisting can’t block regulatory protective action.
General DP Regulation: A Perfect Storm?
• More absolutist starting point: “level of protection … shall not be undermined” (Art. 40)
• Adequacy vires restricted to “whitelisting”
• “Appropriate safeguards” based on authorization & other derogations remain tight
• New and far-reaching transparency requirements
• Fines of up to €20M (or 4% global turnover)
Reconciliation under General DP Regulation?
• Legal Actors to develop contextual jurisprudence e.g.
  • No transfer if fully under control of EU-based controller?
  • Sometimes no transfer if public domain content already transferred? (cf. C-466/12 Svensson re: copyright)
• Member States to make broad use of possible derogations
• Regulators to “authorize” controllers to self-certify for low-risk transfers.
Conclusions
• Failure of pan-EU statutory law to appropriately reconcile values here
• Issues obscured by very lax enforcement to date
• Problems here will become more acute under GDPR
• Need a conversation on legal solutions to these problems

EU General Data Protection Regulation & Transborder Information Flow
