Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II
The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circums...
Main Author: | |
---|---|
Format: | Others |
Language: | Swedish |
Published: |
Uppsala universitet, Juridiska institutionen
2021
|
Subjects: | |
Online Access: | http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621 |
id |
ndltd-UPSALLA1-oai-DiVA.org-uu-431621 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-UPSALLA1-oai-DiVA.org-uu-4316212021-02-19T05:31:17ZÖverföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och IIsweTransfer of personal data from the EU to the US : Especially in light of Schrems I and IICahn, HenriettaUppsala universitet, Juridiska institutionen2021GDPRdataskyddsförordningenöverföring av personuppgifter till tredjelandSchremsLaw (excluding Law and Society)Juridik (exklusive juridik och samhälle)The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circumstances. According to article 45 of the General Data Protection Regulation (GDPR), a third country must ensure an adequate level of protection for personal data if it is to be transferred there. A first condition which must be met in order to reach that level is that the EU Commission, when making decisions about whether a third country offers an adequate level of protection, conforms to its competence according to EU law. The level of protection also has a procedural dimension. Furthermore, in order for an adequate level of protection to be reached, there must be limitations on the third country’s possibilities to conduct foreign intelligence surveillance. One problem with the CJEU’s interpretation of the level of protection in Schrems I and II is that it did not clarify under which circumstances exactly a proportionality analysis must be conducted. Another problem that the judgments have given rise to is that an adequate level of protection is very hard to reach for third countries, since it must be essentially equivalent to the level that applies within the EU. The extra-territorial application of the GDPR and the EU level of protection for personal data could also have a limiting effect on international trade. According to article 46 of the GDPR, standard contractual clauses (SCC’s) can be used to transfer personal data to a third country when the EU Commission has not made a decision under article 45. The CJEU’s judgment in Schrems II has clarified that the determining factor when deciding whether SCC’s are lawful is whether they contain effective mechanisms that make it possible to ensure that the EU level of protection is maintained, and whether transfers of personal data using SCC’s will be stopped or forbidden if the clauses are set aside or impossible to abide by. According to article 47 of the GDPR, binding corporate rules (BCR’s) can also be used to transfer personal data to a third country. The decision of a supervisory authority to approve BCR’s, however, does not take into account transfers to specific third countries. Anyone who transfers personal data to a third country using BCR’s must therefore decide in each individual case whether the use of the rules will provide a level of protection in the receiving country that fulfills the demands of the GDPR. The CJEU’s conclusions regarding the US level of protection for personal data indicates that a transfer there using BCR’s could be illegal. Student thesisinfo:eu-repo/semantics/bachelorThesistexthttp://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621application/pdfinfo:eu-repo/semantics/openAccess |
collection |
NDLTD |
language |
Swedish |
format |
Others
|
sources |
NDLTD |
topic |
GDPR dataskyddsförordningen överföring av personuppgifter till tredjeland Schrems Law (excluding Law and Society) Juridik (exklusive juridik och samhälle) |
spellingShingle |
GDPR dataskyddsförordningen överföring av personuppgifter till tredjeland Schrems Law (excluding Law and Society) Juridik (exklusive juridik och samhälle) Cahn, Henrietta Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
description |
The judgments of the Court of Justice of the European Union (CJEU) in Schrems I and II have raised many questions regarding the circumstances in which personal data can be transferred legally from the EU to the US. Hence, the overarching purpose of this thesis is to examine and analyze these circumstances. According to article 45 of the General Data Protection Regulation (GDPR), a third country must ensure an adequate level of protection for personal data if it is to be transferred there. A first condition which must be met in order to reach that level is that the EU Commission, when making decisions about whether a third country offers an adequate level of protection, conforms to its competence according to EU law. The level of protection also has a procedural dimension. Furthermore, in order for an adequate level of protection to be reached, there must be limitations on the third country’s possibilities to conduct foreign intelligence surveillance. One problem with the CJEU’s interpretation of the level of protection in Schrems I and II is that it did not clarify under which circumstances exactly a proportionality analysis must be conducted. Another problem that the judgments have given rise to is that an adequate level of protection is very hard to reach for third countries, since it must be essentially equivalent to the level that applies within the EU. The extra-territorial application of the GDPR and the EU level of protection for personal data could also have a limiting effect on international trade. According to article 46 of the GDPR, standard contractual clauses (SCC’s) can be used to transfer personal data to a third country when the EU Commission has not made a decision under article 45. The CJEU’s judgment in Schrems II has clarified that the determining factor when deciding whether SCC’s are lawful is whether they contain effective mechanisms that make it possible to ensure that the EU level of protection is maintained, and whether transfers of personal data using SCC’s will be stopped or forbidden if the clauses are set aside or impossible to abide by. According to article 47 of the GDPR, binding corporate rules (BCR’s) can also be used to transfer personal data to a third country. The decision of a supervisory authority to approve BCR’s, however, does not take into account transfers to specific third countries. Anyone who transfers personal data to a third country using BCR’s must therefore decide in each individual case whether the use of the rules will provide a level of protection in the receiving country that fulfills the demands of the GDPR. The CJEU’s conclusions regarding the US level of protection for personal data indicates that a transfer there using BCR’s could be illegal. |
author |
Cahn, Henrietta |
author_facet |
Cahn, Henrietta |
author_sort |
Cahn, Henrietta |
title |
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
title_short |
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
title_full |
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
title_fullStr |
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
title_full_unstemmed |
Överföring av personuppgifter från EU till USA : Särskilt i ljuset av Schrems I och II |
title_sort |
överföring av personuppgifter från eu till usa : särskilt i ljuset av schrems i och ii |
publisher |
Uppsala universitet, Juridiska institutionen |
publishDate |
2021 |
url |
http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-431621 |
work_keys_str_mv |
AT cahnhenrietta overforingavpersonuppgifterfraneutillusasarskiltiljusetavschremsiochii AT cahnhenrietta transferofpersonaldatafromtheeutotheusespeciallyinlightofschremsiandii |
_version_ |
1719378048060489728 |