International Transfers of Personal Data: Complex Legal Maneuvers
Access to personal data has become a key component of technological and political power, and involves highly sophisticated legal instruments.
Schematically speaking, this access can primarily be achieved through a voluntary transfer. From this perspective, in Europe the GDPR has implemented a protective framework that produces effects beyond European borders, through adequacy decisions by the European Commission, and the ad hoc measures and verification protocols that it implements to ensure the compliance of data transfers in third countries. In their interactions with the USA, undertakings that are subject to the GDPR are in a position of relative legal uncertainty following the CJEU Schrems II judgment of 16 July 2020.
Access to data may also be imposed or demanded by a third country authority. The most obvious example is that of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which has contributed to the blurring of the lines between compliant practices and practices that can lead to penalties for all stakeholders who are doubly accountable, i.e., who are subject to both local law and US law. The CLOUD Act, in the same way as its equivalent in numerous other countries, raises the issue of the injunctions to transfer personal data that are issued to foreign organizations and the means they have to oppose this.
Thus, whether on a voluntary or compulsory basis, international transfers of personal data are at the heart of the practical problems with which our colleagues are confronted.