EU Law on Cross-Border Flows of Personal Data in a Global Perspective

This year’s conference of the Center for Law and Public Utilities (CeLPU) explored the Law’s Evolution and Response to Data-Driven Innovation. As a topic it connects the rise of data-intensive businesses and the global flow of data with law’s responses to these phenomena. It rekindles notions of countries’ jurisdiction and sovereignty, human rights and the corresponding need for the interoperability of legal systems. One legal sub-system that springs to our mind concerns the protection of individuals’ privacy and personal data.
Personal data is peculiar in the way it brings the dignity of a human being together with valuable economic properties. This ambiguity is the reason why personal data protection and data flows are closing in on each other in an increasingly connected and data-driven society. The EU has a key role to play in the global governance of privacy and in particularly regarding the protection of personal data. This role accrues to the EU by virtue of its external relations with third countries stretching over two policy areas for which it has exclusive competences: international transfers of personal data and external commercial policy.
This paper aims to convey EU data protection law and reflect its approach to cross-border flows of personal data in a global perspective. The argument passes through four consecutive stages: first, we will lay the necessary background in the constitutional and regulatory trajectory of personal data protection in the EU. We will proceed to revisit EU governance of cross-border flows of personal data to third countries that will help us to understand the logic of adequacy that is central to EU fundamental rights approach. Next we are going to turn our attention to the impeding stand-off between free trade agreements and domestic data protection law before we explain how the EU plans to regain consistency between its external trade and data protection policies. Last but not least, we will resolve some of the tension between cross-border digital trade and EU-style personal data protection with recourse to a study from the Privacy Bridges project family.
Grounded in the understanding of how deeply entrenched the protection of privacy and personal data have become in EU law and jurisprudence, this paper sets out to establish realistic coordinates for cross-border flows of personal data. We conclude that the EU will throw its weight behind its brand-new General Data Protection Regulation when negotiating digital trade and cross-border data flows. Building privacy bridges could offer a more realistic and constructive path forward that is to a certain extent respectful of local differences while focusing efforts on practical solutions that deliver for individuals and companies alike.