Article 50. GDPR. International cooperation for the protection of personal data

 

 

Author: Stephanie Schiedermair

 

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

I. Introduction

The newly introduced Art. 50 GDPR on international cooperation subjects the Comm and the national SAs to the obligation to cooperate in relation to third countries outside of the EU and other international organisations. Although the wording of the provision includes an obligation on the part of the Comm and the SAs (“shall take … steps”),[1] the fact that reference is made to “appropriate” steps shows that the obligation allows considerable room for manoeuvre on the part of the Comm and the authorities.[2] Pursuant to Art. 17 para. 1 sentence 6 TEU, the Comm is responsible for the EU’s external representation in principle.[3] This is why, regarding the Comm’s authority to consult third countries and international organisations on data protection matters, Art. 50 GDPR only specifies the Comm’s fundamental responsibility. The Article also, however, authorises and obliges the national SAs to engage in international cooperation.[4]

This obligation to engage in international cooperation in data protection matters is based on the fundamental conviction that, in the era of the Internet, data protection must be international in order to be effective.[5] This idea is shared by the GDPR, which addresses the fundamental conviction mainly from the perspective of legal protection in cases with an international context. By way of example, the GDPR has identified an increased risk to the ability of natural persons to exercise their data protection rights when personal data move across borders outside of the Union.[6] The GDPR also identifies as factors that pose a risk to the enforcement of data protection law rights: the lack of, or insufficient, action taken by SAs outside of the EU; insufficient preventative or remedial powers; inconsistent legal regimes and resource constraints.[7] This is why the legislature is keen to promote cooperation between the data protection SAs within and outside of the EU so that information can be exchanged and joint investigations can be conducted.[8]

Although the obligation to engage in international cooperation refers explicitly to countries outside of the EU and international organisations other than the EU, successful collaboration with players outside of the EU first of all requires cooperation between the Comm and the SAs in the Member States and among the SAs. Cooperation also aims to facilitate international mutual assistance in enforcing legal data protection provisions.[9] As a result, Art. 50 lit. a specifies the primary objective of the steps to be taken as developing international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data. The Comm and the authorities can both use existing mechanisms and introduce new ones within this context.

 

II. Background

There are already numerous forums for the purposes of collaboration and dialogue on data protection matters at the international level. The first international document on data protection was developed by the OECD when its Ministerial Council adopted privacy guidelines on 23 September 1980.[10] While the guidelines are non-binding per se, many of the fundamental ideas and much of the wording used in the guidelines have been incorporated into national data protection legislation worldwide.[11] The guidelines adopted by the United Nations were also influenced to a considerable degree by the OECD guidelines. The OECD guidelines are, however, based on the technological standards prevailing in 1980, meaning that they ought to be revised as a matter of urgency. The OECD provides its members with a forum in which the industrialised nations represented within the organisation can, in particular, discuss economic issues.[12] As a result, data protection tends to be discussed from an economic perspective within the OECD.

By contrast, the United Nations, which also addresses the issue of data protection on a global scale, takes a human rights-based approach to data protection issues. The United Nations takes the right to privacy set out in Art. 17 of the International Covenant on Civil and Political Rights as a starting point, as, based on the dynamic interpretation of the UN Human Rights Committee, this also includes data protection.[13] The UN Human Rights Committee has also made several statements on data protection. Its statements are not, however, legally binding, but rather are limited to reports and recommendations. The UN also adopted data protection guidelines in a resolution passed by the General Assembly on 14 December 1990.[14] In addition, the UN repeatedly establishes data protection communication forums in order to promote international dialogue in data protection matters.[15]

 

 

 

[…]

 

 

 

 

[1] This is why Knyrim, Datenschutz-Grundverordnung (2016), p. 277, refers to a task conferred upon the Commission and the supervisory authorities.

[2] Von dem Bussche in Plath, BDSG/DSGVO, Art. 50, para. 1, therefore, sees the norm as nothing other than a diplomatic letter of intent.

[3] In particular, CFSP remains the reserve of the Council, cf. Art. 17, para. 1, sentence 6 TEU.

[4] Pursuant to Von dem Bussche in Plath (ed), BDSG/DSGVO, Vol. 3, DSGVO, Art. 50, para. 1, this is the real meaning of the norm.

[5] Cf. e.g. Masing, NJW 2012, p. 2305 (pp. 2309 et seq.); Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 1 et seq.

[6] Recital 116 GDPR.

[7] Ibid.

[8] Ibid.

[9] Ibid.

[10] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (15 September 2020).

[11] Cf. Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 150 et seq.

[12] See Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 152 et seq.

[13] For details, see Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 67 et seq.

[14] UN-Res. 45/95, Guidelines for the Regulation of Computerized Personal Data Files, https://www.refworld.org/cgi-bin/texis/vtx/rwmain?docid=3ddcafaac (15 September 2020). For details on the guidelines, see Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 118 et seq.

[15] Cf. Schiedermair, Der Schutz des Privaten als internationales Grundrecht (2012), pp. 130 et seq.
