Uncovering EU External Multilevel Governance: The Implementation of EU Data Protection Law in Switzerland

Law enforcement access to personal data presents a paradox at the heart of debates between the European Union (EU) and the United States about privacy protections. On the one hand, the comprehensive privacy regime in the EU contains many requirements that do not apply in the United States-the EU is than the United States in applying requirements that do not exist in the latter. On the other hand, the United States also sets requirements that do not exist in the EU, such as the Fourth Amendment requirement that a warrant be signed by a judge upon a finding of probable cause. Thus, both are stricter in important ways when setting standards for law enforcement access to personal data. The fact that both sides are stricter in significant respects is important to two distinct topics: how to reform the system of Mutual Legal Assistance (MLA), and whether the United States provides adequate protection for personal data under EU law, and thus is an appropriate destination for data flows from the EU.The relative strictness of standards for law enforcement access is central to understanding current obstacles to reforming the MLA system, the mechanism for sharing law enforcement evidence held in one country for use in criminal investigations in a different country. Our research team has been writing a series of articles about MLA reform.1 The topic has become increasingly important in recent years-globalized communications mean that e-mails, social network data, and other evidence for criminal investigations are often held in a different country. In the course of studying obstacles to effective reform, we have come to believe that the fact that both the EU and the United States provide stricter privacy protections is salient but little understood-each side is reluctant to compromise on a new approach to the extent that there would be a weakening of some specific safeguards that currently exist in their respective jurisdictions. We hope that a fuller understanding of the relative strictness of both sides will enable a more fruitful discussion of possible paths to MLA reform.The relative strictness of both the EU and the United States is also important to a second topic, the current litigation and debates about whether the United States provides adequate protection of privacy, and thus is a lawful destination for flows of personal data from the EU.2 Under the EU Data Protection Directive, which went into effect in 1998,3 transfers of personal data from EU Member States to other countries, such as the United States, are generally permitted only if the recipient jurisdiction has adequate protections.4 From its negotiation in 2000 until 2015, a major legal basis for such transfers was the EU/U.S. Safe Harbor, under which participating companies could lawfully send personal data to the United States.5 In 2015, the European Court of Justice struck down the Safe Harbor for lacking in Schrems v. Data Protection Commissioner.6 A related transfer mechanism, the standard contract clause, is now facing a similar legal challenge in Ireland, and the Irish Data Protection Commissioner has preliminarily found the challenge to be well founded.7 In addition, the EU has recently approved two instruments that will go into full effect in 2018 and strengthen existing privacy protections: the General Data Protection Regulation (GDPR),8 which applies predominantly to private-sector processing of personal information, and a new Police and Criminal Justice Directive that governs law enforcement access to personal data.9 Both the GDPR and law enforcement directive have similar adequacy requirements for transfers of personal data.10 An accurate assessment of the of U.S. law enforcement access to information is thus vital to multiple aspects of current EU data protection law.Part I of this Article provides background for both MLA reform and the current debates. Part II highlights ways that the EU's comprehensive data protection regime creates privacy protections, including for law enforcement access, that are stricter than those applied to the United States. …

Multi‐level Climate Governance: The global system and selected sub‐systems

“In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence

The chapter analyses the role of the principle of territoriality in the application of European Union (EU) data protection law. The aim is to assess to what extent the territorial element is relevant in determining the scope of application of data protection obligations and consequently whether the new EU regulation is consistent with general principles of international law governing the exercise of prescriptive jurisdiction. By drawing a comparison between the territorial scope of Directive 95/46 and the new GDPR, the chapter claims that territorial connections constitute the main trigger for the EU jurisdictional claim. Finally, taking into account the novelties introduced by the GDPR, it evaluates the international legitimacy of EU data protection rules, especially in the light of the principle of proportionality as a tool to balance competing jurisdictional interests.

The European Union (EU) approach to data protection consists of assessing the adequacy of the data protection offered by the laws of a particular jurisdiction against a set of principles that includes purpose limitation, transparency, quality, proportionality, security, access, and rectification. The EU's Data Protection Directive sets conditions on the transfer of data to third countries by prohibiting Member States from transferring to such countries as have been deemed inadequate in terms of the data protection regimes. In theory, each jurisdiction is evaluated similarly and must be found fully compliant with the EU's data protection principles to be considered adequate. In practice, the inconsistency with which these evaluations are made presents a hurdle to international data-sharing and makes difficult the integration of different data-sharing approaches; in the 20 years since the Directive was first adopted, the laws of only five countries from outside of the EU, Economic Area, or the European Free Trade Agreement have been deemed adequate to engage in data transfers without the need for further administrative safeguards.

The article illustrates how the Court of Justice of the European Union (CJEU)’s Schrems II judgment solidified the European court’s approach to European Union (EU) data protection and the issues of data collection and transfer outside EU borders. The judgment rebalances how to arrange the issues containing the collection of private information and the risk to the public without surveillance. Thus, invalidating previously used EU-Third Country data sharing frameworks. Included in this are the Passenger Name Records (PNR), which are used in day-to-day mechanisms of the air industry when sharing bulk data sets with other countries to provide crucial information for anti-terrorism with border protection agencies. Not only does it protect national security, but makes flying safer. Though the EU argues it cannot sacrifice the integrity of individual data autonomy. Due to the Schrems II judgment, most other countries will be unable to pass new EU standards, and data transfer has to be judged on a case-by-case basis, which when looking at the international air industry is unfeasible. By exploring the Schrems II judgment, this article will analyze the third-country data transfer mechanisms and the impact the judgment had on third countries. Air law, PNR, CJEU, Schrems II, Privacy Shield, national security, European Data Protection, data transfer mechanisms, GDPR, Standard Contractual Clauses (SCC)

Data protection and research in the European Union: a major step forward, with a step back

Artificial intelligence (AI) is already a major part of our daily lives. From unlocking our smartphones with our faces to receiving film recommendations on streaming platforms, AI is part of our routines. In recent years, a widespread adoption of AI technologies both by public and private agencies has been observed. Notwithstanding the many conveniences it has created, the use of AI also involves many risks for people individually and for society as a whole. For instance, it may jeopardise fundamental rights such as privacy and data protection or even intensify existing discrimination against minorities. For this reason, various nations are now facing the challenge of regulating AI without limiting its development. In terms of data protection, the European General Data Protection Regulation (GDPR) has been consistently applied and enforced in the European Union (EU) and has inspired many other data protection laws that came after it, such as the one in Brazil. In Brazil, the General Data Protection Law (LGPD) has finally come into force and is slowly being enforced. In 2021, a series of legislative initiatives concerning the development and use of AI systems drew the attention of governments, academics and the tech industry around the world. In the EU, the European Commission released a proposal for regulation in April that presents harmonised rules on AI. Meanwhile, in Brazil, in September, the Chamber of Deputies approved a rather superficial bill aiming to regulate AI in the country. Thus, one can wonder: what is the impact of data protection laws on AI regulations? And how could Brazil benefit once again from following the EU’s lead on regulating AI? In order to answer these questions, this article begins by explaining the concept of AI. It then presents the relation between AI and privacy and data protection as well as the main principles that guide privacy and data protection under both EU and Brazilian data protection laws. Subsequently, it introduces the EU legal framework for AI and focuses on the risk-based approach. Later, it presents the proposed Brazilian bill, focusing on its main principles from a comparative perspective with the EU. Finally, it will conclude how Brazil can benefit from taking inspiration from the EU experience on AI regulation.

The European Public Prosecutor’s Office (the ‘EPPO’) necessarily processes personal data in order to fulfil its mission; As such, it falls squarely within the European Union (EU) data protection regulatory landscape. However, because the EU data protection regulatory landscape itself is currently found at a crossroads, an analysis of the EPPO data protection model may be twofold: First, placing it within the proper cross-organization dialogue currently taking place on the future regulatory model of personal data processing for law enforcement purposes carried out at EU level. Second, at an EPPO-specific level, whereby the actual data protection regime afforded to it may be assessed. This article purports to elaborate upon the above two data protection dimensions of EPPO personal data processing activities: It presents considerations and policy options during the lawmaking period that resulted in the establishment of the EPPO, it analyses the data protection regime ultimately awarded to it and attempts to, critically, place the EPPO data protection model within its proper operational and legislative environment.

This article explores the potential uses by employers of contact‐tracing apps and other monitoring technologies to mitigate the spread of COVID‐19, and the potential concerns that these raise in the context of the European Union's General Data Protection Regulation. Given the imbalance of power in the employment relationship, the authors call for national laws to strengthen employees' ability to refuse the use of such apps and technologies after the end of the COVID‐19 pandemic. When such tools are no longer needed to keep employees safe, additional regulations and guidance will be necessary to prevent future problems, such as function creep and other misuse by employers.

ABSTRACTThe important role that climate leaders and leadership play at different levels of the European Union (EU) multilevel governance system is exemplified. Initially, climate leader states set the pace with ambitious policy measures that were adopted largely on an ad hoc basis. Since the mid-1980s, the EU has developed a multilevel climate governance system that has facilitated leadership and lesson-drawing at all governance levels including the local level. The EU has become a global climate policy leader by example although it had been set up as a ‘leaderless Europe’. The resulting ‘leadership without leader’ paradox cannot be sufficiently explained merely by reference to top-level EU climate policies. Local-level climate innovations and lesson-drawing have increasingly been encouraged by the EU’s multilevel climate governance system which has become more polycentric. The recognition of economic co-benefits of climate policy measures has helped to further the EU’s climate leadership role.

INTRODUCTION This chapter introduces the European approach to privacy and data protection. Two things are important to point out from the start. First, there are differences between the right to privacy and the right to data protection, which will be described in more detail below. Perhaps the most prominent difference lies in the material scope. The right to privacy usually does not extend to the collection of nonprivate and non-privacy-sensitive data, whereas the term ‘personal data’, central to most data protection documents, is not limited to private or sensitive information, but extents to any data with which someone could potentially be identified. ‘Even ancillary information, such as “the man wearing a black suit” may identify someone out of the passers-by standing at a traffic light. ’Second, this study will primarily discuss the European perspective and in doing so will refer to documents of both the European Union (EU) and the Council of Europe (CoE). For privacy, the case law by the European Court of Human Rights (ECtHR) on Article 8 of the European Convention on Human Rights (ECHR) will be central and with regard to data protection, the EU's Data Protection Directive and the General Data Protection Regulation, which will replace the Directive over time, will function as the primary (though not exclusive) points of reference. Article 8 ECHR grants a right to respect for private and family life, home and correspondence: 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. The right to data protection is currently protected by the Data Protection Directive, which contains rules for data controllers such as: store data only when necessary, store data safely, process personal data with a legitimate aim, be transparent about the processing activities, etc. It also contains some rights for data subjects, such as the right to have access to personal data, to correct inaccurate data and to object to certain types of data processing.

Transparency remains a contested concept in European Union (EU) law and policy. All the main instruments of EU consumer and data protection law require that consumers be given access to and understand certain information about their relationships with traders. Improved transparency is also proposed as a response to a variety of problems associated with digital markets, including those experienced by consumers and data subjects. At the same time, transparency is increasingly challenged as ineffective and potentially even counterproductive from doctrinal and critical scholarship alike. First, transparency is seen as inherently unable to transform the economic reality on the ground and to address the power imbalances between consumers and traders. Secondly, it is argued that acts of representation involved in transparency suffer from complexity and are prone to exploitation by the actors who engage in it. This, in turn, casts doubt on the ability of transparency to steer the behaviour of businesses and transform markets to the benefit of consumers and society. This article builds upon prior critiques of transparency and connects them with a doctrinal analysis of EU consumer and data protection law and in particular the Unfair Contract Terms Directive, the Unfair Commercial Practices Directive, and the General Data Protection Regulation. Seven different notions of transparency are identified: (i) Transparency as access to the medium over time; (ii) Transparency as presentation of information that facilitates understanding; (iii) Transparency as formulations that facilitate understanding; (iv) Transparency as non-ambiguity and logical intelligibility; (v) Transparency as the absence of deception and confusion; (vi) Transparency as completeness and specificity; and (vii) Transparency as non-arbitrariness. The article submits that the acts of representation involved in transparency are already recognized in the three legal regimes and attempts are made to leverage the mediated nature of transparency to consumers’ advantage. Crucially, existing efforts to regulate mediation and improve its quality can, nowadays, be reinforced with the help of algorithmic systems geared toward supporting consumers. Moreover, some of the deployments of transparency identified—most notably transparency as non-arbitrariness—push its outer conceptual boundaries in ways that bring transparency very close to fairness. The article ultimately questions a vision of transparency as a necessarily softer-touch protective frame, which cannot alter business conduct. The conceptual richness of transparency offers opportunities for its deployment in more disruptive ways.

Europe’s two basic regulatory texts, the 1981 Council of Europe’s Convention 108 and the 1995 European Union (EU) Data Protection Directive, say little on enforcement in general and on the use of criminal law in particular. As the 1995 Directive left the choice of the enforcement regime, including the establishment of appropriate sanctions and remedies, to the discretion of the EU Member States, the use of criminal sanctions varies from one Member State to another: there are Member States with only criminal sanctions, but most Member States have a mixed system of criminal and administrative enforcement. In practice, the criminal law provisions in countries where they exist are seldom used due to both institutional resistance from prosecutors and courts, and some characteristics of criminal law. There is indeed a general preference for administrative procedures controlled by the data protection authorities. However, the use of administrative sanctions in the EU is only of a recent date. Most national data protection Acts give no guidance on the choice of administrative or criminal sanctions and on the discretion of the data protection authorities to impose administrative sanctions. Such discretion for data protection authorities might raise questions, especially in the light of a trend towards high administrative fines in the EU Member States. The reform of the 1995 Directive shows the investment of the EU in a harmonised system of administrative sanctions. The minimal attention of the EU to criminal sanctions, on the other hand, can arguably be explained by the scarce case law on the matter and by the sensitivity of the use of criminal law in Community (former first pillar) matters. Neither do the reform instruments contain any provisions on the use of criteria to be taken into account when choosing between administrative or criminal enforcement. The lack of harmonisation goes against the aim of a regulation to establish a uniform data protection framework, is oblivious to the explicit powers for the EU created with the 2009 Treaty of Lisbon to impose criminal law obligations via directives, creates legal uncertainty for companies and the data subject, and might invite forum shopping, i.e., the fact that companies can move their main establishment to a Member State with the most flexible sanction powers. This chapter addresses seven characteristics of criminal law, which explain why Member States prefer to use administrative law. However, regulators should keep the different ratios of administrative law and criminal law in mind when selecting the appropriate enforcement regime. Principles of criminalisation should guide the regulators in their criminalisation exercise: it must be seen as a last resort, for serious cases only. Administrative law may turn out to be more accommodating to the dynamic character of data protection, but is in need of a fundamental rights agenda.

PurposeThis study aims to discover the legal borderline between licit online marketing and illicit privacy-intrusive and manipulative marketing, considering in particular consumers’ expectations of privacy.Design/methodology/approachA doctrinal legal research methodology is applied throughout with reference to the relevant legislative frameworks. In particular, this study analyzes the European Union (EU) data protection law [General Data Protection Regulation (GDPR)] framework (as it is one of the most advanced privacy laws in the world, with strong extra-territorial impact in other countries and consequent risks of high fines), as compared to privacy scholarship on the field and extract a compliance framework for marketers.FindingsThe GDPR is a solid compliance framework that can help to distinguish licit marketing from illicit one. It brings clarity through four legal tests: fairness test, lawfulness test, significant effect test and the high-risk test. The performance of these tests can be beneficial to consumers and marketers in particular considering that meeting consumers’ expectation of privacy can enhance their trust. A solution for marketers to respect and leverage consumers’ privacy expectations is twofold: enhancing critical transparency and avoiding the exploitation of individual vulnerabilities.Research limitations/implicationsThis study is limited to the European legal framework scenario and to theoretical analysis. Further research is necessary to investigate other legal frameworks and to prove this model in practice, measuring not only the consumers’ expectation of privacy in different contexts but also the practical managerial implications of the four GDPR tests for marketers.Originality/valueThis study originally contextualizes the most recent privacy scholarship on online manipulation within the EU legal framework, proposing an easy and accessible four-step test and twofold solution for marketers. Such a test might be beneficial both for marketers and for consumers’ expectations of privacy.