Author: Stephanie Schiedermair

(26) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

I. Legal background

The fact that the list of legal definitions set out in Art. 4 also contains a definition of “international organisations” underscores the significance that the GDPR attaches to international cooperation between the EU on the one hand, and other states and other international organisationson the other, in data protection matters. This is based on the realisation that effective data protection in the Internet age can only be ensured, if it is also enforced on a cross-border basis.

The legal definition set out in Art. 4 no. 26 is identical to that of Art. 2 lit. e Europol Regulation. Both provisions pick up on aspects of the standard definition of an “international organisation” under public international law. Although there is no generally binding and exhaustive definition of an “international organisation”, all international organisations share certain fundamental characteristics. Under international law, e.g., an “international organisation” is generally taken to mean an association of two or more subjects of international law based on an international treaty in the field of international law to pursue a common purpose with at least one effective institution.

II. Analysis

The first fundamental characteristic of an international organisation is the fact that it is an intergovernmental organisation involving states and other subjects of international law. It is important to make a distinction between these intergovernmental organisations based on states and other subjects of international law, and non-governmental organisations, which consist of non-governmental players. The latter include, by way of example, Amnesty International, Greenpeace or Doctors Without Borders (Médecins Sans Frontières). Non-governmental organisations are associations under private law that, despite having an international impact and international members, were not set up by subjects of international law. This means that they are not subjects of international law either. By using the term “organisation … governed by public international law”, Art. 4 no. 26 refers to the definition of an intergovernmental organisation, excluding non-governmental organisations from the definition used in the GDPR. An intergovernmental organisation must have been established by subjects of international law. These include the conventional subjects of international law, namely states and international organisations, the latter having witnessed tremendous growth both in quantitative terms and in terms of their significance since the Second World War, as well as historical subjects of international law, such as the Holy See.

An international organisation is established by way of a treaty under international law. The rules set out in the Vienna Convention on the Law of Treaties (the ‘VCLT’) signed on 23 May 1969 apply to this founding treaty. The founding treaty typically contains provisions on joining and leaving the international organisation, the purpose of the organisation, its structure and the entry into force of the founding treaty. The purpose for which an international organisation is set up is decided by the subjects of international law that establish it. The organisation must, however, have a purpose that is fundamentally compatible with international law. If this is not the case, then the international organisation cannot be eligible for protection under international law. Typical areas of activity of international organisations include peacekeeping and defence (UN, NATO), business and finance (WTO, IMF, OECD) and other matters that affect all states, such as employment, health and social affairs (ILO, WHO, UNESCO). The areas of activity show that the EU is concerned with other international organisations in data protection matters, e.g. in the field of security, data protection in the private sector or the protection of data concerning health. For the field of security, the question raised by some Member States during the legislative procedure of the GDPR, whether Interpol constitutes an international organization in the sense of Art. 4 no. 26, must be answered in the affirmative.

In order to also be able to act independently of its Member States, the international organisation must be equipped with at least one effective institution. While Member States can exert significant influence over the staffing of this institution of the international organisation, it can in principle act independently of the Member States. While NATO, e.g., only has one institution, namely the NATO Council created by Art. 9 of the North Atlantic Treaty, other international organisations have a structure consisting of various institutions. Art. 4 no. 26 makes a rather non-technical reference to an “international organisation” and “its subordinate bodies”. These include, first, the (main and ancillary) institutions of an international organisation and second, also its sub-institutions. All in all, this will be taken to refer to all organisational units that can be allocated to the international organisation as a legal entity.

[…]