La protezione transnazionale dei dati personali. Dai “safe harbour principles” al “privacy shield”

Intorno alla decisione nel caso Schrems: la sovranità digitale e il governo internazionale delle reti di telecomunicazione

DOI: 10.13134/978-88-97524-75-5/1

La sorveglianza elettronica di massa e il conflitto regolatorio USA/UE

The article focuses on the background of the ECJ Schrems decision and deals with the regulatory conflict between USA and Europe in the field of data protection. It provides a detailed analysis of the legal architecture of the mass surveillance programs adopted by the US security agencies and discusses the issue of privacy protection for foreign citizens. By comparing the US and the EU approach, it details the transatlantic conflict that arose in the aftermath of the introduction of the Directive 95/46 and looks at the ECJ Digital Rights, Google Spain and Schrems decisions as integral part of such regulatory conflict. It argues that given the particular features of the technological context, which makes extraterritorial violations much easier, decision makers should take more seriously the universal character of the right to privacy as a fundamental human right.

DOI: 10.13134/978-88-97524-75-5/2

Alcune considerazioni sugli aspetti tecnologici della sorveglianza di massa, a margine della sentenza Safe Harbor della Corte di giustizia dell’Unione Europea

This paper addresses the mass surveillance activities revealed by Edward Snowden, emphasizing the role of the Datagate as background issue in the recent European Court of Justice decision against the EU-USA “Safe Harbour” agreement. Importance and limitations of cryptography as a self-defence weapon against the invasiveness of surveillance technologies are also briefly discussed. The recent discovery of two different cases of vulnerability in network security equipment is described along with its relations to the Datagate, whilst readers are cautioned against placing blind confidence in cryptographic technology to protect sensitive data.

DOI: 10.13134/978-88-97524-75-5/3

La Carta dei diritti fondamentali dell’Unione europea nel reasoning dei giudici di Lussemburgo

The reasoning of the Court of Justice in the Schrems judgment places this decision in the wake of the judicial saga commenced with the Digital Rights Ireland and Google Spain cases. Also in this decision, in fact, the Court of Luxembourg has taken it seriously the right to privacy, in light of the threats and risks arising from the broader and broader circulation of personal data, especially through the Internet. When invalidating the decision of the Commission concerning the adequacy of the safe harbour principles, the Court of Justice has once again enforced in a very extensive manner the Charter of Fundamental Rights of the European Union, and particularly Articles 7 and 8. This has led the Court, indeed, to convert the adequacy standard for personal data to be transferred to non-EU countries in the requirement of equivalent protection. This decision, however, this decision is likely to bring unprecedented consequences and global effects which cannot be limited to the European Union territory.

DOI: 10.13134/978-88-97524-75-5/4

La giurisprudenza della Corte di Giustizia in materia di dati personali da Google Spain a Schrems

The article summarizes the ECJ’s decisions on personal data protection, from Google Spain to Schrems. It points out the main issues touched by these decisions focusing in particular, on the relevance of the rights to privacy and to protection of personal data as fundamental rights and on the applicable law. What emerges from the analysis of the argumentative path followed by the Court on these issues is the intention to extend the scope of the European data protection law beyond European borders. The article draws a special attention to the political role assumed by the ECJ in this context in promoting the European model.

DOI: 10.13134/978-88-97524-75-5/5

Verso il Privacy Shield: il tramonto dei Safe Harbour Privacy Principles

As provided by article 25 of Directive 95/46/EC, the Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection. In order to facilitate the data flows to United States, while ensuring a high level of protection of personal data, the Commission recognized the adequacy of the Safe Harbour Privacy Principles through the adoption of Decision 2000/520/EC. The paper analyses the Safe Harbour framework, a set of principles, based on EU directive, issued by the U.S. Department of Commerce to provide adequate protection for the purposes of personal data transfers from the EU. Specifically, the Authors focus on genesis, content and criticalities of the Safe Harbour Principles, as well as the grounds for which the Court of Justice, in its judgment dated 6th October 2015, declared the Decision 2000/520/EC invalid.

DOI: 10.13134/978-88-97524-75-5/6

I trasferimenti di dati personali verso Paesi terzi dopo la sentenza Schrems e nel nuovo regolamento generale sulla protezione dei dati

This paper examines the EU Court of justice’s judgment the case Maximillian Schrems v. Data Protection Commissioner. In this land-mark ruling, the Court declares that the European Commission’s decision enforcing the « Safe Harbour » agreement between the US Department of Commerce and the European Union, read in the light of Articles 7, 8 and 47 of the EU Charter of Fundamental Rights, is invalid. Although the Commission found in that decision that the American legal system affords an adequate level of protection of personal data, the Court holds that the law and practices in force in the USA at the time of the facts of the case did not ensure a protection sufficient to comply with the requirements of the EU legislation on the protection of such data. The Court further determines that national supervisory authorities of Member States may examine claims concerning violation of an individual’s rights in regard to the processing of his personal data which has been transferred to a third country. The analysis of the judgment is conducted in two parts. The first briefly presents the basic elements of the case and outlines the fundamental requirements of directive 95/46/CE (the « General Data Protection Directive ») and its mechanism of transfers of personal data to third countries. The second part identifies the reasons of the Court’s decision and discusses some of the problematic consequences raised by the case. These include the effective functioning of the EU data protection law and Charter of Fundamental Rights; the « complete independence » of functions of Member States’ national supervisory authority; the Commission’s power to adopt adequacy decisions regarding third States; the legal effects of the declaration of invalidity of the « Safe Harbour » decision and its disruptive practical consequences on transatlantic data transfers. The issues raised by the Court’s ruling are also examined under the new General Data Protection Regulation’s draft text, since on 15th December 2015 the European institutions reached agreement on this important measure, which is due to abrogate and substitute the directive. The comment concludes with a brief general assessment of the questions that the judgment of the Court has left open, and some observations regarding the tension between the USA and the European Union because of the tentative assertion by the European legislator of its data protection legal framework as a model legislation at a global level.

DOI: 10.13134/978-88-97524-75-5/7

Model Contract Clauses e Corporate Binding Rules: valide alternative al Safe Harbor Agreement?

The ECJ’s ruling Schrems v. Data Protection Commissioner has invalidated the EU-US Safe Harbor Agreement. The decision is the third step of the European Court of Justice — after the Digital Ireland and Costeja Gonzales cases — towards the acknowledgment of personal data protection as a fundamental right, pursuant to article 9 of the Treaty of Nice, and marks the rift between EU and US on the fair balance among surveillance systems and privacy laws. After the collapse of the Safe Harbour Agreement, binding corporate rules, for multinational organizations or groups of companies, and contract model clauses, in any other case, seem to be the only compliant solutions for overseas transfers of personal data. However, are these measures sufficient to face the improving data flows between the two sides of the Atlantic?

DOI: 10.13134/978-88-97524-75-5/8

I flussi di dati transfrontalieri e le scelte delle imprese tra Safe Harbour e Privacy Shield

The Safe Harbour agreement was the result of an economic and political compromise between the European Union and the United States in the field of data protection, where the European regulatory model has demonstrated its influence in an interdependent world. The ECJ judgement has put an end to this compromise. Against this background, the author points out the different solutions that private companies may adopt in the short-, medium- and long-term. In this light, the article considers the chance of reaching a new international bilateral agreement in short time and the limits posed by the ECJ decision to this potential agreement. Focusing on the medium-term scenario, the author takes into account the impact of the Schrems case on the different legal alternatives for data transfer (data subject’s consent, standard contractual clauses, and binding corporate rules) and discusses the consequences of this judgement on business strategies. In the long-term scenario, a more optimistic outlook is possible, given the increasing demand for data protection coming from U.S. companies and society at large, as demonstrated by the support provided the U.S. business community to new regulatory initiatives and by the In re Microsoft Corp. case.

DOI: 10.13134/978-88-97524-75-5/9

Libertà d’impresa, concorrenza e neutralità della rete nel mercato transnazionale dei dati personali

Moving from the ECJ’s decision in the Schrems case, the article explores the connections between competition, privacy and net neutrality in relation to EU-USA trans-border data flows. Collection, manipulation and accumulation of personal and anonymous information by social media, search engines and other big players in web 2.0., seems to engender a new type of economic surplus that may affect market balance, building and strengthening dominant positions. In the “big-data” era, stands out the need to promote a data protection policy more devoted to a “quantitative” approach, trying to ensure the convergence between anti-monopolistic and privacy rules, in the frame of a stronger and more effective enforcement of fundamental rights of solidarity.

DOI: 10.13134/978-88-97524-75-5/10

Appendice

DOI: 10.13134/978-88-97524-75-5/11