Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II

The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circums...

Full description

Bibliographic Details
Main Author: Cahn, Henrietta
Format: Others
Language:Swedish
Published: Uppsala universitet, Juridiska institutionen 2021
Subjects:
Online Access:http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621
id ndltd-UPSALLA1-oai-DiVA.org-uu-431621
record_format oai_dc
spelling ndltd-UPSALLA1-oai-DiVA.org-uu-4316212021-02-19T05:31:17ZÖverföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och IIsweTransfer of personal data from the EU to the US : Especially in light of Schrems I and IICahn, HenriettaUppsala universitet, Juridiska institutionen2021GDPRdataskyddsförordningenöverföring av personuppgifter till tredjelandSchremsLaw (excluding Law and Society)Juridik (exklusive juridik och samhälle)The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circumstances.  According to article 45 of the General Data Protection Regulation (GDPR), a third country must ensure an adequate level of protection for personal data if it is to be transferred there. A first condition which must be met in order to reach that level is that the EU Commission, when making decisions about whether a third country offers an adequate level of protection, conforms to its competence according to EU law. The level of protection also has a procedural dimension. Furthermore, in order for an adequate level of protection to be reached, there must be limitations on the third country’s possibilities to conduct foreign intelligence surveillance. One problem with the CJEU’s interpretation of the level of protection in Schrems I and II is that it did not clarify under which circumstances exactly a proportionality analysis must be conducted. Another problem that the judgments have given rise to is that an adequate level of protection is very hard to reach for third countries, since it must be essentially equivalent to the level that applies within the EU. The extra-territorial application of the GDPR and the EU level of protection for personal data could also have a limiting effect on international trade.  According to article 46 of the GDPR, standard contractual clauses (SCC’s) can be used to transfer personal data to a third country when the EU Commission has not made a decision under article 45. The CJEU’s judgment in Schrems II has clarified that the determining factor when deciding whether SCC’s are lawful is whether they contain effective mechanisms that make it possible to ensure that the EU level of protection is maintained, and whether transfers of personal data using SCC’s will be stopped or forbidden if the clauses are set aside or impossible to abide by.  According to article 47 of the GDPR, binding corporate rules (BCR’s) can also be used to transfer personal data to a third country. The decision of a supervisory authority to approve BCR’s, however, does not take into account transfers to specific third countries. Anyone who transfers personal data to a third country using BCR’s must therefore decide in each individual case whether the use of the rules will provide a level of protection in the receiving country that fulfills the demands of the GDPR. The CJEU’s conclusions regarding the US level of protection for personal data indicates that a transfer there using BCR’s could be illegal.  Student thesisinfo:eu-repo/semantics/bachelorThesistexthttp://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621application/pdfinfo:eu-repo/semantics/openAccess
collection NDLTD
language Swedish
format Others
sources NDLTD
topic GDPR
dataskyddsförordningen
överföring av personuppgifter till tredjeland
Schrems
Law (excluding Law and Society)
Juridik (exklusive juridik och samhälle)
spellingShingle GDPR
dataskyddsförordningen
överföring av personuppgifter till tredjeland
Schrems
Law (excluding Law and Society)
Juridik (exklusive juridik och samhälle)
Cahn, Henrietta
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
description The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circumstances.  According to article 45 of the General Data Protection Regulation (GDPR), a third country must ensure an adequate level of protection for personal data if it is to be transferred there. A first condition which must be met in order to reach that level is that the EU Commission, when making decisions about whether a third country offers an adequate level of protection, conforms to its competence according to EU law. The level of protection also has a procedural dimension. Furthermore, in order for an adequate level of protection to be reached, there must be limitations on the third country’s possibilities to conduct foreign intelligence surveillance. One problem with the CJEU’s interpretation of the level of protection in Schrems I and II is that it did not clarify under which circumstances exactly a proportionality analysis must be conducted. Another problem that the judgments have given rise to is that an adequate level of protection is very hard to reach for third countries, since it must be essentially equivalent to the level that applies within the EU. The extra-territorial application of the GDPR and the EU level of protection for personal data could also have a limiting effect on international trade.  According to article 46 of the GDPR, standard contractual clauses (SCC’s) can be used to transfer personal data to a third country when the EU Commission has not made a decision under article 45. The CJEU’s judgment in Schrems II has clarified that the determining factor when deciding whether SCC’s are lawful is whether they contain effective mechanisms that make it possible to ensure that the EU level of protection is maintained, and whether transfers of personal data using SCC’s will be stopped or forbidden if the clauses are set aside or impossible to abide by.  According to article 47 of the GDPR, binding corporate rules (BCR’s) can also be used to transfer personal data to a third country. The decision of a supervisory authority to approve BCR’s, however, does not take into account transfers to specific third countries. Anyone who transfers personal data to a third country using BCR’s must therefore decide in each individual case whether the use of the rules will provide a level of protection in the receiving country that fulfills the demands of the GDPR. The CJEU’s conclusions regarding the US level of protection for personal data indicates that a transfer there using BCR’s could be illegal. 
author Cahn, Henrietta
author_facet Cahn, Henrietta
author_sort Cahn, Henrietta
title Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
title_short Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
title_full Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
title_fullStr Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
title_full_unstemmed Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
title_sort överföring av personuppgifter från eu till usa : särskilt i ljuset av schrems i och ii
publisher Uppsala universitet, Juridiska institutionen
publishDate 2021
url http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621
work_keys_str_mv AT cahnhenrietta overforingavpersonuppgifterfraneutillusasarskiltiljusetavschremsiochii
AT cahnhenrietta transferofpersonaldatafromtheeutotheusespeciallyinlightofschremsiandii
_version_ 1719378048060489728