An approach to EU/USA transatlantic personal data flow for a new agreement: American technology and European Law in conflict

Volume Title: SGEM 2017
The European Union (EU) and the USA have two very different models of personal data protection (European terminology) or information privacy law (American terminology) (see PAUL SCHWARTZ and DANIEL SOLOVE). EU law has a defined and clear concept of personal data and a general law to protect this fundamental right. The USA, meanwhile, does not have a uniform definition of information privacy or personally identifiable information (PII), and it has only some sectoral laws to protect privacy in some markets. Personally identifiable information is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. At the same time, there is no single concept of it in information privacy law (DEIRDRE MULLIGAN). Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can be re-identified (PAUL SCHWARTZ, HELEN NISSENBAUM or D. MULLIGAN). In some way, then, we can say that European law is applicable to almost all the information on the Internet. And in some way, too, we can say that American technology uses data as part of its technical nature, markets and services. This represents a difficult vantage point from which to start looking for an agreement. In addition, some legal categories of European law (the General Data Protection Regulation, GDPR) are not negotiable under contracts: because of their inalienability they cannot be traded away by the free will of individuals, which complicates the mutual relationships between the two continents. After the breaking of the SAFE HARBOR (after the SCHREMS EUROPEAN COURT DECISION, Sept. 23, 2015, in CASE C-362/14) and under the new agreement, the PRIVACY SHIELD FRAMEWORK 2016, new problems arose.
An example of this can be seen in the poor implementation of the Privacy Shield Principles by American companies, or in the case of Facebook, which provided misleading information to the European Commission during the approval process for the acquisition of WhatsApp (2014). As a result, the European Commission fined Facebook (18 May 2017). Furthermore, on 13 November 2014, Facebook announced a global revision of its data policy, cookie policy and terms. Following this announcement, a Contact Group was created at European level with the Data Protection Authorities (DPAs) of the Netherlands, France, Spain, Hamburg and Belgium. The members of the Contact Group have initiated national investigations relating to, amongst others, the quality of the information provided to users, the validity of consent and the processing of personal data for advertising purposes. Three of the members published results on 16 May 2017 (France, Belgium and the Netherlands). These problems call for harmonized solutions that reflect cooperation between the laws and policies of the two sides of the Atlantic. This is necessary in order to continue the traditional commercial relationship between Europe and North America and to work together against the terrorism threat. This paper will examine possible points, criteria and perspectives to find an approach based on European law (GDPR) and US regulations and policies.