
Applying Double Standards? : A Study into EU Law Treating Third Countries and EU Member States Differently with regard to Surveillance in the Context of the Protection of Personal Data


Academic year: 2021


Thesis Research Master Information Law
University of Amsterdam // Institute for Information Law
Name: Susanne van Leeuwen
Supervisor: dr. Kristina Irion
Date: 23 January 2019
Words: 24.103

Table of Contents

INTRODUCTION 3
THE PROBLEM 3
RESEARCH FRAMEWORK 3
RESEARCH QUESTION 3
SUB-QUESTIONS 3
METHODOLOGY, LEGAL FRAMEWORK AND SCOPE 4
CHAPTER 1 – THE NATIONAL SECURITY EXEMPTION IN EU LAW 5
1.1 THE COMPETENCES OF THE EU 5
1.2 JUSTICE AND HOME AFFAIRS LAW 6
1.3 NATIONAL SECURITY AFTER THE TREATY OF LISBON 7
1.3.1 THE NATIONAL SECURITY EXEMPTION 7
1.3.2 THE CONCEPT OF "NATIONAL SECURITY" 10
1.3.3 THE SCOPE OF THE NATIONAL SECURITY EXEMPTION 11
1.4 SURVEILLANCE BY MEMBER STATES 13
1.5 CONCLUSION 14
CHAPTER 2 – THE DOUBLE STANDARD OF THE EU AS REGARDS SURVEILLANCE: MEMBER STATES VERSUS THIRD COUNTRIES 15
2.1 PRIVACY AND DATA PROTECTION AS FUNDAMENTAL RIGHTS 15
2.2 THE GENERAL DATA PROTECTION REGULATION 16
2.2.1 THE DIGITAL SINGLE MARKET FOR PERSONAL DATA 17
2.2.2 PERSONAL DATA TRANSFERS TO THIRD COUNTRIES 18
2.2.2.1 PERSONAL DATA TRANSFER MECHANISMS 19
2.3 THE ROLE OF SURVEILLANCE FOR TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES 22
2.3.1 CJEU: SCHREMS V DATA PROTECTION COMMISSIONER 22
2.3.2 SURVEILLANCE AND APPROPRIATE SAFEGUARDS 24
2.3.2.1 IRISH HIGH COURT: DATA PROTECTION COMMISSIONER V FACEBOOK AND SCHREMS (SCHREMS II) 26
2.4 SIDE NOTE: SURVEILLANCE BY MEMBER STATES FOR LAW ENFORCEMENT PURPOSES 27
2.4.1 DATA RETENTION AND THE E-PRIVACY DIRECTIVE 27
2.5 DOUBLE STANDARD 28
2.6 CONCLUSION 30
CHAPTER 3 – CASE STUDY: THE BREXIT 31
3.1 EU DATA PROTECTION LAW DISINTEGRATION 31
3.2 THE UK'S VIEW ON EU-UK PERSONAL DATA TRANSFERS AFTER BREXIT 32
3.3 ADEQUACY PROBLEM: SURVEILLANCE PRACTICES BY THE UK 34
3.3.1 REVELATIONS ABOUT SURVEILLANCE BY THE GCHQ 35
3.3.2 UK DATA RETENTION LAW 36
3.3.3 CONSEQUENCES FOR QUALIFYING AS COUNTRY WITH ADEQUATE LEVEL OF PROTECTION 37
3.4 SIDE NOTE: A FEW OTHER DATA PROTECTION PROBLEMS 38
3.5 CONCLUSION 40
CHAPTER 4 – REMEDY BY COUNCIL OF EUROPE’S HUMAN RIGHTS PROTECTION 42
4.1 ARTICLE 8 OF THE EUROPEAN CONVENTION ON HUMAN RIGHTS (ECHR) 42
4.2 ECTHR CASE LAW ON SURVEILLANCE 43
4.3 CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA (CONVENTION 108) 46
4.3.1 ANNEX ON TRANSBORDER FLOWS OF PERSONAL DATA 47
4.4 PROTECTION MECHANISMS AND OVERSIGHT ON THE LEVEL OF MEMBER STATES 48
4.5 CONCLUSION 49
CONCLUSION 50


Introduction

The Problem

In June 2013, the Snowden revelations shocked the world by revealing electronic surveillance practices from intelligence agencies, not only in the US but also in Europe and other regions of the world. National intelligence agencies of countries may carry out surveillance for the purpose of protecting a country’s national security. The Snowden revelations started a heated debate about the extent of surveillance practices and the consequences for the privacy of citizens. In the EU, surveillance practices can conflict with EU citizens’ fundamental rights to privacy and data protection.

When the EU sends personal data of EU citizens to countries outside the EU, the EU takes a non-EU country’s surveillance system into account. These "third" countries are therefore held to a high standard with regard to the surveillance practices they carry out. There seems to be a tension between this strict policy of the EU and the extent to which EU law can assess surveillance practices of its own Member States. Matters regarding the national security of the Member States are excluded from the scope of EU law. This thesis will focus on this discrepancy and assess whether EU law treats surveillance differently depending on whether it is conducted by an EU Member State or a third country. The purpose of this research is thus to assess whether EU law applies a double standard to EU Member States and third countries.

Research Framework

Research Question

In this thesis, the following research question will be assessed:

Does EU law apply a double standard by using higher standards for third countries’ surveillance practices than for EU Member States’ surveillance practices in the context of personal data transfers?

Sub-Questions

The research question can be divided into the following sub-questions, which are linked to the four Chapters:

1. Why are matters regarding the national security of EU Member States excluded from the scope of EU law? (Chapter 1)

2. Does the EU treat third countries’ surveillance practices differently than EU Member States’ surveillance practices in the context of personal data transfers? (Chapter 2)

3. Can the Brexit illustrate the double standard of EU law? (Chapter 3)

4. Do the ECHR and the case law of the ECtHR make up for the lack of EU law on surveillance practices by EU Member States? (Chapter 4)


Methodology, Legal Framework and Scope

In general, the choice of method is determined (or even constrained) by the research question. This research question takes an internal, doctrinal perspective by focusing on provisions in fundamental rights law and data protection law. The law itself functions as a starting point for the discussion, answering questions of law as such. Thereby the thesis addresses an issue according to a given legal system – the legal system of the EU. Both primary and secondary EU law will be assessed. Apart from legislation, two other sources of classical legal scholarship will be used: scholarly writing and case law.1

This thesis takes a descriptive view. The thesis will assess EU law in order to answer the research question. It describes the background and rationale of EU law and why this leads to the EU applying a double standard. This thesis stops short of normative elements, but nevertheless paves the way for other scholars to critically assess whether or not it is legitimate for the EU to have this double standard.

As to the scope, the thesis will focus on personal data transfers in the commercial sector and surveillance in the context of national security, conducted by intelligence agencies. Although surveillance practices can be carried out by both intelligence agencies and law enforcement authorities, surveillance and data retention in the service of law enforcement fall outside the scope of this thesis.

It is important for the discussion on the topic of this thesis to define the term "national security". A discussion on the term is needed. In general, debates can be confusing when participants misunderstand one another and offer arguments that do not meet.2 When participants of this debate (the legislators, businesses, consumers) understand the concept of "national security" differently, they could misunderstand each other. To avoid this, it is important to analyse the term. Subsection 1.3.2 will make a start with such a conceptual analysis.

Lastly, this thesis will conduct a case study of the Brexit. This case study was selected to show the double standard of EU law towards EU Member States and third countries. The Brexit as a case study is instructive because it shows how exactly the same surveillance practices can only be appraised by the EU after the UK becomes a third country.

1 Watkins & Burton 2013, p. 86.
2 Bix 2006, p. 28-29.


Chapter 1 – The National Security Exemption in EU Law

This first Chapter will look into the issue of competence of the EU and Member States regarding national security. An overview of the development of the EU and its competences is important in order to understand why activities in the area of national security, to date, are not regulated by the EU. This reservation of competence to the Member States means that activities such as electronic mass surveillance cannot be regulated, let alone supervised, by the EU. The Chapter will also pay attention to the surveillance practices carried out by Member States.

1.1 The Competences of the EU

The EU has no competence to regulate Member States’ surveillance in the field of national security. As to the competences of the EU, which is a market union, the rule has always been that the EU only has attributed competence. According to Article 5(2) of the Treaty on European Union (TEU), "the Union shall act only within the limits of the competences conferred upon it by the Member States in the Treaties to attain the objectives set out therein. Competences not conferred upon the Union in the Treaties remain with the Member States".3 This rule is also known as the principle of conferral.4 It means that each action of the EU must have a legal basis in the Treaties: in one or more provisions in the TEU or in the Treaty on the Functioning of the European Union (TFEU).5 This section will first explain the competences of the EU in general, before discussing that there is no competence in the Treaties for national security and that this therefore remains in the exclusive domain of the Member States.

The Lisbon Treaty clarified the division of competences between the EU and its Member States by specifying the three principal categories of competence of the EU, laid down in Title I of the TFEU: exclusive competence, shared competence with the Member States, or competence only to take supporting, coordinating, or supplementary action. Exclusive competence means that only the Union may legislate and adopt legally binding acts. The Member States can only do so if empowered by the Union or for the implementation of Union acts.6

The EU is accorded shared competence for those areas that fall outside the categories of exclusive competence and competence only to take supporting, coordinating, or supplementary action. It is therefore a residual category.7 Shared competence in the TFEU has codified the principle of pre-emption: Member States shall exercise their competence to the extent that the Union has not exercised its competence.8

3 Craig & De Búrca 2015, p. 73.
4 Ibid., p. 74.
5 Lenaerts & Van Nuffel 2017, p. 72.
6 Article 2(1) TFEU.
7 Craig & De Búrca 2015, p. 83.
8 See Article 2(2) TFEU.

1.2 Justice and Home Affairs Law

The non-exhaustive list of principal shared competence areas includes the Area of Freedom, Security and Justice,9 which was formerly part of the "third pillar": Justice and Home Affairs (JHA) law. A legal framework for JHA law was first developed on 1 November 1993, when the TEU, also called the Maastricht Treaty, entered into force. This treaty introduced a three-pillar structure, referring to the three separate approaches to integration: the Community Treaties, rules concerning the Common Foreign and Security Policy (CFSP) and JHA.10

JHA first concerned rules regarding asylum, immigration, and third country nationals. International crime cooperation and various forms of judicial, customs, and police cooperation (for example the creation of a European Police Office (Europol) for the exchange of information) were also included in this pillar. On 1 May 1999, the Treaty of Amsterdam came into force and with this Treaty, a part of the third pillar (rules on the adoption of immigration, asylum, and civil law measures) was transferred to the EC Treaty, the predecessor of the TFEU, in the first pillar. As a consequence, the third pillar only consisted of police and criminal law cooperation. The pillar was therefore renamed Police and Judicial Co-operation in Criminal Matters (PJCC).

The introduction of the Lisbon Treaty on 1 December 2009 made several important changes, including the transfer of the remaining third pillar areas (rules on the adoption of policing and criminal law issues) to the first pillar.11 The EC Treaty was renamed the TFEU, which included the main JHA cooperation rules in one Title, i.e. Title V (Area of Freedom, Security and Justice) of Part Three of the TFEU. Section 2.1 of this Treaty sets out the three different categories of competence and explains that the EU and the Member States have a shared competence in the Area of Freedom, Security and Justice.12 This was a significant moment in the development of EU JHA law.

It follows from the principle of pre-emption that provisions of EU law prevail over national law if the Union has exercised its competence. As a consequence, the Treaty of Lisbon has considerably extended the competences of the EU with regard to several areas, such as border checks, asylum and immigration, and judicial co-operation in civil and criminal matters. In these areas, the EU acts through legislative acts adopted by the European Parliament and the Council in accordance with the ordinary legislative procedure.

The reason for introducing separate pillars for the CFSP and JHA was the desire of Member States to cooperate on EU level and remain autonomous at the same time. They wanted to have a mechanism on which they could rely for international cooperation, instead of setting up separate meetings for each CFSP/JHA related issue. But the Member States were not willing to give up their autonomy regarding CFSP and JHA. Instead of giving the power to the EU on a supranational basis, which defined the Community Treaties pillar, they reserved all power to their national authorities, on an intergovernmental basis.13 The reason for the Member States to take an intergovernmental approach regarding CFSP and JHA was the view of some Member States that policing and criminal law issues are at the core of their sovereignty and such sensitive areas of policy should not be dealt with on a supranational basis.14 There was no power reserved for the EU institutions (the Commission, the European Parliament and the CJEU) as is the case in the Community Treaties pillar as a supranational area, or only in a reduced way compared to the first pillar.

9 Article 4(2) TFEU.
10 Craig & De Búrca 2015, p. 11.
11 Peers 2011, p. 5-6.
12 Article 4(2)(j) TFEU.
13 Craig & De Búrca 2015, p. 11.

Nevertheless, it has always been a point of discussion whether JHA law should have an intergovernmental basis or a supranational basis, an issue that, in fact, still exists today.15 As outlined in the previous paragraph, JHA law was an intergovernmental area before the Treaty of Lisbon entered into force. Although Member States kept their sovereignty, the intergovernmental approach also entailed several concerns, regarding human rights protection, legitimacy, and accountability. It was also questioned how effective the intergovernmental approach was in practice.16 Some of these issues were addressed in the Treaty of Lisbon. The Treaty made, for example, the EU’s Charter of Fundamental Rights binding and made the EU accede to the European Convention on Human Rights.17

1.3 National Security after the Treaty of Lisbon

Although the EU and the Member States have a shared competence in the Area of Freedom, Security and Justice, Article 2(6) TFEU provides that "the scope of and arrangements for exercising the Union's competences shall be determined by the provisions of the Treaties relating to each area".

1.3.1 The National Security Exemption

The shared competence of the EU is restricted by a major exemption laid down in Article 4(2) of the TEU:

"[The Union] shall respect [the Member States’] essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State [emphasis added]."18

The consequence of this provision is that matters regarding the national security of the Member States are not only excluded from shared competence but are excluded from the scope of EU law in principle. Since surveillance by national intelligence agencies is subsumed under the national security of Member States, the EU does not have power over surveillance in the service of national security. In its Opinion on surveillance of electronic communications for intelligence and national security purposes, the former Article 29 Working Party, predecessor of the current European Data Protection Board (EDPB), explicitly acknowledged that the national security exemption precludes surveillance programmes of Member States in principle from being subject to EU law.19

14 Peers 2011, p. 4 and Craig & De Búrca 2015, p. 11.
15 Peers 2011, p. 4.
16 Ibid.
17 Ibid.

This provision has far-reaching consequences for Member States’ surveillance practices. The EU does not have competence to legislate on these matters and thus could not issue any law that would, for example, attach rules to intelligence authorities in the Member States. Another consequence is that because of this provision, the Charter, which protects the fundamental rights of EU citizens, does not apply to surveillance practices carried out by Member States’ intelligence agencies for the purpose of national security.

Also in the general provisions of the JHA Title, national security is reserved to the Member States. In parallel to the general rule of Article 4(2) in the TEU, Article 72 of the TFEU provides a specific rule, stating that Title V "shall not affect the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security [emphasis added]". Member States can thus invoke internal security as an exception that justifies them not implementing EU law. This broad requirement can also be found in the second sentence of Article 4(2) TEU. Only the wording is different: Article 72 TFEU applies to "internal security" while Article 4(2) speaks of "national security".

The TFEU contains a specific application of the general rule of Article 72 TFEU. Article 88(3) TFEU reads that "any operational action by Europol must be carried out in liaison and in agreement with the authorities of the Member State or States whose territory is concerned. The application of coercive measures shall be the exclusive responsibility of the competent national authorities". The restriction on the European Police Office (Europol) taking "coercive measures" should be understood as a specific application of the general rule.20

Article 4(2) TEU and Article 72 TFEU correspond with each other. Peers, a prominent scholar on JHA law, argues that "the obligation to respect State functions as regards national security as set out in Article 4(2) TEU is less far-reaching than the requirement not to affect internal security responsibilities as set out in Article 72 TFEU".21 He therefore concludes that the second sentence of Article 4(2) does not add anything to Article 72 TFEU as regards responsibilities for law and order and internal security, and to the third sentence of Article 4(2) TEU as regards the sole responsibility for national security.22 This last sentence of Article 4(2) TEU is the only provision that reserves competence to regulate national security strictly to Member States.

Where the EU has competence, it can make rules for the Member States, but still these rules do not cover national security. National security falls outside the scope of these rules. The national security exemption has been incorporated in several EU regulations and directives, including the General Data Protection Regulation (GDPR), which provides that the GDPR does not apply to "issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security [emphasis added]",23 and "the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security [emphasis added]".24

19 Article 29 Working Party 2014 (I), p. 6.
20 Peers 2011, p. 28.
21 Peers 2011, p. 29.
22 Ibid.

What lies outside the scope of EU law is, moreover, not subject to review by the CJEU. The acts of the EU and the Member States are, in principle, subject to judicial review by the CJEU.25 A specific exception for surveillance in the context of law enforcement was created by Article 35(5) of the previous TEU, which provided that the CJEU could not "review the validity or proportionality of operations carried out by the police or other law-enforcement services of a Member State or the exercise of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security". This expressly restricted the CJEU from ruling on certain actions by Member States. The CJEU could only rule on the validity or interpretation of EU acts.26 This exclusion still exists and is now laid down in Article 276 TFEU. This Article corresponds with Article 72 TFEU.27 The Articles are compatible.28

The fact that EU law, including the Charter, does not apply to surveillance by intelligence agencies for national security purposes is clearly reflected in the GDPR. Declaration 20, annexed to the TFEU, states that whenever data protection rules adopted on the basis of Article 16 could have direct implications for national security, due account will have to be taken of the "specific characteristics of the matter". It recalls that the legislation presently applicable, meaning the GDPR, includes specific derogations in this regard. Article 23(1) of the GDPR adds that, if the GDPR is applicable, Union or Member State law may restrict the scope of the obligations and rights provided for in Articles 12 to 22 (such as the data subject's right of access and rights to rectification, erasure, restriction, data portability and object) and Article 34 (communication of a personal data breach to the data subject), as well as Article 5 (data protection principles) "when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security", and a number of other purposes.29

It has been argued that the CJEU would not easily go along with the view that national security affairs in the context of data protection, such as surveillance, fall outside the scope of the Charter, referring to Article 53 of the Charter, which provides that "nothing in this Charter shall be interpreted as restricting or adversely affecting human rights and fundamental freedoms as recognised […]". Also the "constitutional autonomy" of the EU would not allow that the high standards of the Charter’s fundamental rights are disregarded just because of the national security exemption.30 For example, effective judicial redress is a basic principle of EU law,31 meaning that every individual can go to a national court for a case involving national security.32 The Charter would thus apply to national security activities simply because democratic societies need to meet this rule of law standard.

23 Recital 16 of the GDPR.
24 Article 2(2)(e) GDPR.
25 Lenaerts & Van Nuffel, p. 214.
26 Peers 2011, p. 21 and Peers 2013, p. 3.
27 Articles 72 and 73 TFEU and Article 4(2) TEU.
28 Peers 2011, p. 28.

In the Fransson case, the CJEU ruled that outside the scope of EU law, Member States may use national fundamental rights standards.33 This case concerned tax penalties, which are not subject to EU law. But the Court found that tax penalties are related to the obligation to declare VAT, which, according to the CJEU, falls under EU law. The CJEU ruled that national authorities and courts are permitted to use fundamental rights standards "in a situation where action of the Member States is not entirely determined by European Union law".34 Although national security activities seem not to be determined by EU law at all, a vague link between these activities and EU law would be enough. The CJEU has expressly ruled that "the mere fact that a decision concerns State security cannot result in European Union law being inapplicable".35 So the fact that national security falls outside the scope of EU law does not imply that the CJEU’s case law is entirely irrelevant. Also the European Parliament "strongly rejects the notion that all issues related to mass surveillance programs are purely a matter of national security and therefore the sole competence of Member States".36

1.3.2 The Concept of "National Security"

The scope of the concept of internal or national security in this context has not been defined in EU primary law. Consequently, the scope of the exemption is not clear. The previous subsection described that the GDPR, secondary law, uses the terms "national security" and "public security". The term "public security" is used within different areas of EU legislation, but mostly in the sphere of privacy and data protection. Although it has not been defined anywhere in EU law, "public security" is assumed to be broader than "national security"; it refers to the security within the entire EU: the territory of the EU and EU citizens.37

Various other notions are used in legislation and case law that are similar to national or public security but need to be distinguished.38 In 2008, in its judgement in the Promusicae case, the CJEU ruled with regard to exceptions to the e-Privacy Directive that "[these exceptions] concern, first, national security, defense and public security, which constitute activities of the State or of State authorities unrelated to the fields of activity of individuals [...]".39 The former Data Protection Directive (DPD) used the terms "State security" and "defense".40

30 Kuner 2017, p. 897.
31 See also Schrems judgement: CJEU 6 October 2015, ECLI:EU:C:2015:650 (Maximillian Schrems/Data Protection Commissioner).
32 Ibid.
33 CJEU 26 February 2013, ECLI:EU:C:2013:105 (Åklagaren/Hans Åkerberg Fransson). Derived from Bigo et al. 2013, p. 24.
34 CJEU 26 February 2013, ECLI:EU:C:2013:105 (Åklagaren/Hans Åkerberg Fransson), para. 29.
35 CJEU 15 December 2009, ECLI:EU:C:2009:781 (Commission/Italy), para. 45.
36 European Parliament 2013, under 16.
37 Dimitrova & Brkan 2018, p. 760-761.
38 Ibid.

The Article 29 Working Party acknowledged that there is no common understanding of what is meant by national security. They stated that no clear definition has been adopted by the European legislator, nor is the case law of the European courts conclusive. The notions used by the EU and the Member States related to security are in the view of the Working Party inextricably linked.41 This remains a task for the CJEU. Further, the Article 29 Working Party stated that "there is no automatic presumption that the national security argument used by a national authority exists and is valid. This has to be demonstrated".42

As a consequence of the fact that the concept of national security is not delineated, EU legislation may use the abovementioned terms to refer to areas in which the EU actually has competence to legislate, primarily in the area of law enforcement. But the national security exemption could also apply to law enforcement and thus to surveillance practices carried out in the context of law enforcement. Surveillance takes place both in the context of law enforcement and intelligence gathering. Surveillance for national security purposes falls outside the scope of EU law, while surveillance for law enforcement purposes falls inside the scope of EU law. Since the work of intelligence services is highly intertwined with the work of law enforcement authorities,43 in practice the distinction may not always be clear-cut.

1.3.3 The Scope of the National Security Exemption

Article 72 TFEU does not comprise a general rule which limits the competence of the EU with regard to certain JHA subject-matters. The Article only focuses on the responsibilities of Member States regarding law, order and internal security. It confirms that Member States are free to decide whether they implement EU policing measures, in particular coercive measures (such as arrest, detention, and the use of force).44 The Treaty does not expressly limit the competence of the EU.45

Peers therefore argues that Article 72 TFEU regulates how competences of the EU and Member States are divided with regard to the execution of operational measures that are necessary to implement EU rules.46 Article 86 TFEU, for example, confers certain powers upon the European Public Prosecutor to carry out his functions. According to Peers, limiting the EU’s competence to support and coordinate State action (except to the extent that the Treaty confers express powers to act on such agencies)47 "is not a matter of limiting the Union’s legislative competence but, rather, its operational competence".48

39 CJEU 29 January 2008, ECLI:EU:C:2008:54 (Productores de Música de España (Promusicae)/Telefónica de España SAU), para. 51. Derived from Article 29 Working Party 2014, Working Document, p. 24.
40 Article 3(2) DPD. Derived from Article 29 Working Party 2014, Working Document, p. 23.
41 Article 29 Working Party 2014, Working Document, p. 25.
42 Article 29 Working Party 2014 (I), p. 6.
43 Ibid., p. 14-15.
44 Peers 2008, p. 271.
45 Such as in Article 79(5) TFEU, which provides that "this Article shall not affect the right of Member States to determine volumes of admission of third-country nationals coming from third countries to their territory in order to seek work, whether employed or self-employed".

Article 73 TFEU, which was not included in previous versions of the Treaties, provides that:

"It shall be open to Member States to organise between themselves and under their responsibility such forms of cooperation and coordination as they deem appropriate between the competent departments of their administrations responsible for safeguarding national security."

Although this Article makes it possible for Member States to cooperate with regard to national secu-rity, this does not mean that the EU is excluded from adopting cooperation measures regarding na-tional security. The Article does not expressly rule out this competence. Article 71 provides for the setting up of a Standing Committee on Internal Security (COSI), whose role is to coordinate opera-tional cooperation on naopera-tional security between the authorities of Member States and the institutions of the EU (e.g. Europol and Eurojust). This cooperation is also in line with the objectives of the JHA title to "ensure a high level of security [emphasis added] through measures to prevent and combat crime, racism and xenophobia, and through measures for coordination and cooperation between police and judicial authorities and other competent authorities [emphasis added] [...]".49 Article 75 TFEU

provides an explicit competence for the EU to create rules to prevent and combat terrorism and related activities.50 In this respect, the Article 29 Working Party has pointed out that it is difficult to see what

the distinction is between fight against terrorism and the protection of national security.51

The CJEU has also emphasised a limitation to the national security exemption. It has noted that when Member States exercise their responsibilities with regard to the maintenance of law and order and the safeguarding of internal security, as formulated in Article 72 TFEU, they are not allowed to "hinder the full effect of the provisions of the Treaties in other areas".52 This is in accordance with the principle of sincere cooperation (Article 4(3) TEU, ex Article 10 EC).53

A further limitation is that the EU remains competent to regulate the security of the EU itself. The security of the EU differs from the Member States' national security, which the EU is not competent to regulate.54 Article 24(1) TEU provides that: "The Union's competence in matters of common foreign and security policy shall cover all areas of foreign policy and all questions relating to the Union's security [emphasis added] [...]".55

47 Peers 2011, p. 27-28.

48 Peers 2008, p. 224. Derived from European Parliament 2013, p. 19.

49 Article 67(3) TFEU.

50 Peers 2011, p. 28. Article 67(3) TFEU.

51 Article 29 Working Party 2014 (I), p. 2.

52 CJEC 9 December 1997, Case C-265/95 (Commission of the European Communities/French Republic) p. I-7003. In that case, France had failed to comply with the rules on free movement of goods. Derived from European Parliament 2013, p. 19.

53 European Parliament 2013, p. 19.

54 Article 29 Working Party 2014, Working Document, p. 23.

55 Article 24(1) TEU. See also Article 2(4) TFEU.


1.4 Surveillance by Member States

Although the US has been exposed to much criticism with regard to its surveillance laws56 and the surveillance programmes disclosed by Edward Snowden, these practices are by no means limited to the US. Rather, large-scale surveillance programmes take place worldwide, including in EU Member States. The Snowden documents, which shed light on the scope of the activities of the intelligence services, revealed that several Member States may be conducting electronic mass surveillance practices, such as Sweden, France, Germany and potentially the Netherlands. These Member States make use of "upstreaming": a form of intercepting data whereby the infrastructure carrying the actual content is tapped.57 It has not yet been proved that they also collect data from the servers of private companies, as was the case with the NSA's PRISM programme in the US.58

In surveillance practices, "targeted surveillance" needs to be distinguished from so-called "strategic surveillance". Targeted surveillance is surveillance against a specific person (the target), which can be carried out both by law enforcement authorities and by intelligence services. Strategic surveillance involves collecting bulk data pre-emptively for later analysis, carried out by intelligence services for national security purposes (also called electronic mass surveillance, which falls outside the scope of EU law). It is not always clear-cut whether communication is intercepted for national security purposes or not; intelligence services could also get access to personal data that was initially collected for other purposes, such as commercial purposes.59

The difference between these two forms of surveillance is a fine line. For example, strategic surveillance should be distinguished from untargeted surveillance: there will often still be a targeted group, even though the target can be broad. It has often been criticised that these targets are not delineated enough, and that the purpose, such as counter-terrorism, a form of protecting national security, is not clear.60 In addition, governments are in general not willing to provide much openness about or confirm their national surveillance programmes, which makes it difficult to study these programmes.61

As Bigo et al. rightly put it in their Study on Mass Surveillance of Personal Data by Member States and its Compatibility with EU Law, "it is precisely the purposes and the scale of surveillance that differentiates democratic regimes from police states".62 Surveillance is not a new phenomenon, but technological developments have made it possible to store and process large amounts of data all over the world. Intelligence services carry out their surveillance activities over the Internet, which, unlike the telephony network, is a supranational medium. Communication can therefore be intercepted in more than one country, each of which may provide a different level of protection.63

In addition, although "national security" implies that a Member State's security is a national affair, data are often broadly shared and exchanged between the intelligence services of different countries, including between Member States and the US. The Snowden documents have revealed that, in general, EU intelligence agencies and EU law enforcement authorities of different Member States (for example Europol, whose data exchanges have been argued to be opaque64) share data on a large scale and also with third countries. Member States share data in particular with the US intelligence services65 and with the intelligence services of countries participating in the "Five Eyes" network. This is an international intelligence data sharing network in which five countries participate: the US, the UK, Canada, Australia and New Zealand. This would mean that if personal data are in the hands of one intelligence service, they may be shared with the intelligence services of other countries without protection from EU law.66

56 Like Section 702 of FISA, on the basis of which intelligence services can intercept communications of citizens from outside the US. See https://intelligence.house.gov/fisa-702/.

57 Bigo et al. 2013, p. 1.

58 Ibid., p. 13.

59 Kuner 2017, p. 897.

60 Bigo et al. 2013, p. 15.

61 Article 29 Working Party 2014, Working Document, p. 6-7 and 9.

62 Bigo et al. 2013, p. 6.

1.5 Conclusion

This Chapter described why Member States' national security, under which mass surveillance by intelligence agencies is subsumed, falls outside the scope of EU law. It set out the system of EU competences, the organisation of the EU and the former pillar structure, in order to show the relationship between national security and EU law and the origins of the national security exemption. Although the exemption is somewhat nuanced, there is no competence in the Treaties for national security, because this remains in the exclusive domain of the Member States. The Treaties thus specifically restrict the EU from legislating on national security matters. The EU has no power over surveillance in the service of national security; it could not issue any law that would, for example, attach rules to intelligence authorities in the Member States. The Charter is not applicable either. Where the EU has competences, such as in the area of law enforcement, the EU can legislate except on national security. This is different with regard to third countries, as the next Chapter will explain.

64 Bigo et al. 2013, p. 28.

65 Bigo et al. 2013, p. 16 and Kuner 2017, p. 899.

66 Kuner 2017, p. 915.

Chapter 2 - The Double Standard of the EU as regards Surveillance: Member States versus Third Countries

The EU cannot assess surveillance for its own Member States. The previous Chapter described the division of competences between the EU and Member States regarding national security. National security, including surveillance for national security purposes, is the sole responsibility of Member States. But the EU can assess surveillance vis-à-vis third countries by virtue of the EU data protection framework. Personal data is increasingly transferred outside the EU, because of our new digital environment. Transfers of personal data to third countries take place under stringent requirements, taking into account the surveillance practices of third countries. These practices may affect a third country's eligibility to receive personal data from EU citizens.

This Chapter will first describe the essentials of the EU legal framework on data protection, followed by the system of the GDPR, including the stringent rules on transfers of personal data to third countries. The Chapter will then switch from third countries to Member States, to show that while law enforcement activities fall within the scope of EU law, surveillance activities do not. This reveals the double standard of the EU: third countries are held to high standards with regard to surveillance practices, while Member States are not.

2.1 Privacy and Data Protection as Fundamental Rights

Although there is no general competence for the EU to adopt a fundamental rights document, such a document was nevertheless adopted in the form of the EU Charter of Fundamental Rights (hereinafter: "the Charter").67 The Charter was proclaimed by the European Parliament, the European Commission and the Council at Nice on 7 December 2000. Since the proclamation had no legal effect, the Charter did not have binding effect immediately. When the Lisbon Treaty entered into force in 2009, the Charter received official, legally binding value.68 The Charter applies to Member States when they implement EU law.69

The Charter provides not only a fundamental right to privacy, but also a more specific, independent fundamental right to the protection of personal data. The Charter is a significant, innovative and transformative step from a constitutional point of view. In particular, a fundamental right to data protection is exceptional and remarkable, as this provision contains regulatory substance with regard to the essential principles of EU data protection law, including the mechanism of independent supervision. This is a novelty for constitutional law. Article 7 of the Charter protects the "right to respect for his or her private and family life, home and communications" (also: "the right to privacy"). Article 8 protects the "right to the protection of personal data" (also: "the right to data protection"):

67 Charter of Fundamental Rights (OJ [2000] C364/1). After the Charter was drafted, it was included in and modified by the (failed) Constitutional Treaty. This last draft received binding value by the Lisbon Treaty.

68 Article 6(1) TFEU. See Barnard & Peers 2017, p. 240, and De Vries, Bernitz & Weatherill 2015, p. 267.

69 Article 51(1) of the Charter.

"Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority."70

The fundamental rights to privacy and data protection are of great importance to international data transfers that take place under the GDPR, which will be discussed in this Chapter. The Chapter will show that the mechanisms for data transfers can be challenged because of a third country's surveillance practices, which can be interpreted in the light of Articles 7 and 8 of the Charter.

Article 16 TFEU as the Legal Basis for the GDPR and the Police and Criminal Justice Directive

Another source in EU primary law is Article 16 TFEU, which provides the right to data protection. In addition, the Article provides a legal basis for the EU to create "rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data".71 This Article provides the legal basis for EU secondary law. The most important sources of EU secondary law are the General Data Protection Regulation (GDPR) for the commercial sector, which replaced the 1995 Data Protection Directive (DPD) in May 2018,72 and the Police and Criminal Justice (PCJ) Directive in the law enforcement sector.

2.2 The General Data Protection Regulation

The GDPR, successor of the Data Protection Directive and adopted on 25 May 2018, aims for a high level of protection of fundamental rights, in particular of personal data. The GDPR builds upon the same data protection principles as set out in Article 8 of the Charter, and introduces some other data protection principles as well, such as the principles of transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.73

The GDPR applies to the processing of personal data,74 processing meaning any operation which is performed on personal data (including transfers to third countries) and personal data meaning any information relating to an identified or identifiable - directly or indirectly - natural person.75 The GDPR reaches all economic sectors and civil government agencies. Independent bodies are empowered to supervise and enforce the fundamental right to data protection: Data Protection Authorities (DPAs). Failure to comply with the rules of the GDPR, including the rules on data transfers, can result in fines of up to 20 million euros or 4% of a company's worldwide turnover.76

70 Article 8 of the Charter.

71 Article 16(2) TFEU. See also De Vries, Bernitz & Weatherill 2015, p. 256.

72 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/0031.

73 Article 5 GDPR.

74 Article 2(1) GDPR.

75 Article 4 under 1 GDPR.

As to the scope of application, the GDPR applies to any company processing the personal data of data subjects residing in the EU, regardless of the location of the company or where the processing takes place. Personal data can either be collected directly from the data subject by a controller in a third country, or collected by a controller in the EU and then transferred to a third country.77 In comparison with the DPD, the scope of application has shifted from the processing of personal data carried out in the context of the activities of an establishment of the controller,78 to the location where the data subjects reside. The scope has thus been expanded.

2.2.1 The Digital Single Market for Personal Data

A central element in the economic area of the EU is the Single Market, which is a form of economic integration (also called "market integration"). Economic integration may occur at different levels. These levels, in order of the degree of involvement of the participating markets, are: a free trade area (States agree to remove all customs duties and quotas on trade between them; this applies only internally), a customs union (a free trade area plus a common customs duty level applied by the States on imports from outside the area), a common market (a customs union plus the free movement of the factors of production, i.e. labour, capital and enterprise) and an economic union (a common market plus a common monetary and fiscal policy).79 The EU is an economic union. Its characteristics show similarities to a customs union and a common market. The TFEU provides the "four freedoms": free movement of goods, workers, establishment and the provision of services, and capital.80 This means a free trade area and a free movement of the factors of production. The EU also makes use of common external tariffs81 and a common monetary and fiscal policy.82

A strategy of the EU towards a complete Single Market is the Digital Single Market (DSM). The DSM is an area of economic integration where, for example, EU citizens do not have to pay roaming costs when using their mobile phone outside their country, where consumers can access online services from every country in Europe and where companies in all EU countries are subject to the same data protection and consumer rules.83 Such a DSM is important for Europe's position in the global market. A united Europe is able to compete with big markets such as the US and China, whereas single European nations would not be. A DSM also means a bigger market for services and products, which is beneficial for both companies and consumers. The EU and the European Economic Area (EEA, consisting of Iceland, Liechtenstein and Norway) together form the DSM.84 The DSM strategy is based on three pillars: (1) better access for consumers and businesses to digital goods and services across Europe; (2) creating the right conditions and a level playing field for digital networks and innovative services to flourish; (3) maximising the growth potential of the digital economy.85 Part of the DSM is the free flow of personal data, which is also implemented in the GDPR (and Article 16 TFEU). The dual objective of the GDPR is to ensure an equivalent level of protection of natural persons and to enable the free flow of personal data throughout the Union.86

76 Article 83(4) GDPR.

77 Yakovleva & Irion 2016, p. 6.

78 Article 4(1)(a) DPD.

79 Craig & De Búrca 2015, p. 607-608.

80 Ibid.

81 The European Union Customs Union (EUCU).

82 Economic and Monetary Union of the European Union (EMU).

83 European Commission 2015, p. 2.

2.2.2 Personal Data Transfers to Third Countries

The EU and some other legal orders have rules in place for cross-border data transfers. It is neither possible nor economically or commercially desirable to keep personal data within the borders of the DSM. Companies are often active in different countries and online services are also offered across borders. The internet is a supranational medium, which exists regardless of countries' geographical borders. Nevertheless, when personal data is transferred outside the borders of the EU, this could have an impact on the level of protection of the personal data. After all, not all legal systems provide the same high level of protection as the EU does.87

Legal orders differ in how strictly they treat cross-border transfers of personal data. US law, for instance, does not impose any restrictions on the free flow of personal data. EU data protection law, on the other hand, has developed a highly regulated system that is based on reciprocity and maintains restrictions on cross-border transfers. It imposes high standards on third countries as regards personal data transfers. For the free flow of personal data, countries need to have been recognised as having an adequate level of protection, or other authorised grounds for transferring data need to be in place: appropriate safeguards or derogations, as will be described in the next subsection.

All countries that are not part of the DSM are treated according to Chapter V of the GDPR, which contains rules for cross-border transfers of personal data to these third countries, in addition to the general regime of the GDPR for the initial data processing. The transfer of personal data to third countries is subject to a restricted regime, in comparison with the free flow of personal data within the internal digital market. In principle, EU law prohibits all data transfers from the EU to third countries, where the rigid GDPR regime does not apply, unless adequate safeguards are in place. The rationale for a restricted regime for personal data transfers to third countries is, according to the CJEU, that "the high level of protection guaranteed by [the DPD] read in the light of the Charter could easily be circumvented by transfers of personal data from the EU to third countries for the purpose of being processed in those countries".88 There are several conditions to this rule that can thus expand the GDPR regime to third countries.

The general principles for the specific rules on transfers to third countries are laid down in Article 44 of the GDPR. According to this Article: "any transfer of personal data […] to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor […]. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined".89

85 European Commission 2015, Press release.

86 See Article 1 and recital 170 of the GDPR.

87 Kuner 2017, p. 882.

2.2.2.1 Personal Data Transfer Mechanisms

Under the GDPR, three main transfer mechanisms exist: an adequacy decision, appropriate safeguards and derogations.90 The first mechanism, which is also the easiest for companies to rely on, applies if a third country is recognised by the European Commission as having an adequate level of protection.91 The Commission can also recognise a specific sector in a third country as having an adequate level of protection, such as healthcare or financial services, which leads to "partial adequacy". Providing an adequate level of protection means that the country provides a system that is essentially equivalent to the EU system, the GDPR.92 Such an adequacy decision allows for the free flow of data towards the third country. There is no need for the data exporter to implement additional safeguards or obtain any authorisation to legitimately receive the personal data originating from the EU.93

A country does not need to replicate EU data protection rules in order to receive an adequacy decision. Rather, the third country needs to be able to achieve similar standards. The European Commission summarised the standards set out in Article 45(2):

"[…] in its assessment the Commission must take into account, inter alia, the rule of law, respect for human rights and fundamental freedoms and relevant legislation, including in the area of data protection, public security, defence, national security and criminal law and access by public authorities to personal data. These must be underpinned by effective and enforceable rights, including administrative and judicial redress for individuals, and an effectively functioning independent supervisory authority to ensure and enforce compliance with data protection rules. Adherence to legally binding conventions, in particular Council of Europe Convention 108, and participation in multilateral or regional systems dealing with data protection, will also be taken into account."94

The system as a whole needs to provide a high level of protection.95 The European Commission has so far recognised only twelve countries as providing adequate protection: Andorra, Argentina, Canada (limited to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework for the field of commerce, which has replaced the EU-US Safe Harbor decision).96 Adequacy decisions must be reviewed every four years97 and can also be revoked by the European Commission.98

89 Article 44 GDPR.

90 Data exchanges in the law enforcement sector can take place on the basis of adequacy decisions governed by the PCJ, or on the basis of prior authorisation or a mutual legal assistance treaty.

91 Article 45 GDPR.

92 CJEU 6 October 2015, ECLI:EU:C:2015:650 (Maximillian Schrems/Data Protection Commissioner), para. 73.

93 Notwithstanding the above, a controller always needs to sign a contract with its processor(s), even if the processor is based within the EU.

94 European Commission 2017, p. 4.

95 European Commission 2017, p. 6-7.

96 The European Commission has announced that it will "actively engage with key trading partners in East and South-East Asia, starting

In the absence of an adequacy finding at country level, transfers can also be allowed if the controller adduces appropriate safeguards. Although appropriate safeguards only relate to specific data transfers, they are not confined to one country, as is the case with adequacy decisions. Several transfer mechanisms are available: Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), codes of conduct or certification mechanisms99 (such as privacy seals or marks) and ad hoc contractual clauses.100

SCCs are model contracts for the transfer of personal data to third countries that are developed and adopted by the European Commission, or developed by a DPA and approved by the Commission.101 SCCs can be signed by a company established outside the EU pledging to follow data protection obligations based on EU law, in order to be able to receive data from the EU. It is not allowed to change anything in the document, except for complementary clauses that do not contradict the SCCs.102 These sets of contractual clauses can exist between an EU controller and a non-EU controller or between an EU controller and a non-EU processor. When a company, for example, transfers personal data of clients or employees to a cloud service provider established outside the EU, the companies need to sign the model clauses for EU controller to non-EU processor personal data transfers. According to a survey by the International Association of Privacy Professionals (IAPP), the most frequently used personal data transfer mechanism is that of SCCs (see Figure 1).

BCRs, formally recognised in the GDPR (unlike in the DPD), are legally binding, internal personal data protection policies which are adhered to by an EU controller or processor for transfers of personal data to a non-EU controller or processor within a group of undertakings, or a group of enterprises engaged in a joint economic activity,103 for example a multinational with establishments in third countries.104 All parties agree on the same level of protection. The policies must contain privacy principles, such as transparency, data quality and security, tools of effectiveness, such as audit, training or complaint handling systems, and an element proving that the rules are binding.105 In fact, parties need to rewrite GDPR rules so that non-EU companies will respect all these rules. The BCRs need to be sanctionable and the EU-based party is accountable for the data transfers.

96 (cont.) countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an "adequacy finding"". See European Commission 2017, p. 8. To date, the European Commission has published a draft adequacy decision on Japan and launched its adoption procedure. The adequacy decision for South Korea is in the making: adequacy talks are ongoing. See the announcement of the European Commission on its website: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en#dataprotectionincountriesoutsidetheeu. India is still working on its data protection law. Currently, India does not have a data protection law - only an Information Technology Act - and does not yet qualify to start the adequacy procedure. Other main trading partners of the EU, such as China, Russia and Brazil, are not under consideration.

97 Article 45(3) GDPR.

98 Article 45(5) GDPR.

99 Article 46(2) GDPR.

100 Article 46(3) GDPR. Data importers (controllers or processors) can use codes of conduct and certification mechanisms when they have provided binding commitments to comply with the safeguards provided in the approved code or certification. Ad hoc contractual clauses require authorisation from the competent DPA. The other mechanisms, the three main appropriate safeguards, SCCs, BCRs and derogations, need to be pre-approved by the DPA, European Commission or the European Data Protection Board and do not need a further, specific authorisation from the DPA. These mechanisms may be used on condition that enforceable data subject rights and effective legal remedies for data subjects are available, mostly via contractual obligations. See Article 46(1)&(2) GDPR.

101 The model clauses are available on and can be downloaded from the website of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

102 This can form a problem if the SCCs do not fit the business purpose of a company.

103 Article 4(20) GDPR.

104 Yakovleva & Irion 2016, p. 9.

105 Article 47 GDPR. See also the website of the European Commission:

These contractual safeguards have a "presumption of legality". This means that the SCC Decisions created by the European Commission, and approved BCRs, are presumed to be legal until the highest court (the CJEU) declares them invalid. This presumption keeps the SCCs and BCRs alive and the companies protected, unless and until the CJEU rules against them. Ad hoc contractual clauses do not have this presumption of legality. The last legal resort for personal data transfers to third countries is laid down in Article 49(1) of the GDPR: derogations that authorise data transfers in specific cases, such as consent or the "compelling legitimate interest" of the controller.106

Figure 1: Use of EU data transfer mechanisms by companies.107

105 (cont.) which also involves the EDPB (see Article 47(1) GDPR). Under the GDPR it is, however, no longer necessary to notify DPAs in advance and obtain their authorisation for single transfers to third countries based on SCCs or BCRs.

106 This is, however, subject to stringent conditions that restrict the usability of this new provision. Companies can build their entire business on derogations without needing any other transfer mechanism. It has been argued that the expansion of derogations in the GDPR relative to the DPD shows that the legislator has recognised that "the current transfer rules constitute substantial impediments to trade and the limited value of the 'adequacy system' in practice for companies". See Moerel 2016, p. 4.

2.3 The Role of Surveillance for Transfers of Personal Data to Third Countries

The previous subsection described the DSM for Member States and the different requirements for exports of personal data to third countries. Not only does the GDPR afford a high level of protection to the personal data of EU citizens within the EU, third countries must also meet high standards to be allowed to receive personal data under the adequacy mechanism. A review of a third country's legal system, in order for it to be recognised as having an adequate level of protection, involves the examination of certain elements of that legal system.108 Part of the review criteria is "public security, defence, national security and criminal law and the access of public authorities to personal data".109 This assessment by the European Commission can be challenged before the CJEU.

This section will describe the role and major consequences of surveillance practices by third countries for these data transfers if they do not meet the requirements of the CJEU. The CJEU’s standard does not only affect adequacy decisions, but also other appropriate safeguards under the GDPR. This became increasingly controversial when the CJEU declared the adequacy decision on the EU-US Safe Harbor invalid, which will be discussed first.

The sections below will show that the stringent assessment of third countries' surveillance practices contrasts sharply with the fact that surveillance by Member States for national security purposes is not assessed by the EU. It reveals the double standard of the EU: third countries are held to high standards with regard to surveillance practices, while Member States are not. The high level of protection guaranteed by the GDPR and the Charter does not apply to the processing of personal data for surveillance purposes. This means that the EU discriminates as a consequence of its competences.

2.3.1 CJEU: Schrems v Data Protection Commissioner

It has been reported that the US uses mass interception and data analysis programmes (such as X-KEYSCORE110) on a large scale, in terms of budget, personnel and the amount of personal data processed.111 The Snowden documents revealed that authorities in the US were able to access personal data of EU citizens, on the one hand via the wiretapping of cable-bound internet traffic by the National Security Agency (NSA) without needing a court order (UPSTREAM) and on the other hand via the collection of personal data kept by large private companies in the US such as Google and Facebook, as a result of data retention laws (PRISM).112

In 2015, in the Schrems v. Data Protection Commissioner case, the CJEU declared the adequacy decision on the Safe Harbor invalid, a decision based on certain data protection principles that allowed for most of the EU-US data transfers. Schrems claimed that the legislation and activities (PRISM) of the Government of the US do not provide sufficient protection against surveillance by the US. This would affect personal data of EU citizens transferred to the US under the Safe Harbor.

108 See Article 45(2) GDPR.

109 Article 45(2)(a) GDPR.

110 Bigo et al. 2013, p. 1 and 3.

111 Ibid., p. 14.


The CJEU first clarified what constitutes a transfer to a third country. A data transfer has not been defined in the GDPR, neither for transfers within the EU nor for transfers to third countries. In principle, the fact that personal data move from one geographical location to another means that a transfer takes place. Before the internet age, it was not so much a problem to determine whether personal data had moved to another geographical location,113 while today, personal data are often reproduced instead of moved from one location to another.114 The CJEU ruled that "there is no transfer [of data] to a third country within the meaning of [the law] where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country".115 This means that as long as a company uses local servers and keeps its entire infrastructure within the EU, it does not have to meet the requirements for data transfers. It has been argued, however, that today the CJEU would also consider this situation to be a data transfer.116

In Schrems, the CJEU defined a data transfer as being a form of data processing within the meaning of the Data Protection Directive:

"[…] the operation consisting in having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data within the meaning of Article 2(b) of Directive 95/46 […] carried out in a Member State. That provision defines 'processing of personal data' as 'any operation or set of operations which is performed upon personal data, whether or not by automatic means' and mentions, by way of example, 'disclosure by transmission, dissemination or otherwise making available'."117

This means that transfers are regulated under the GDPR and that data transfers are also under the control of DPAs.118

The Court did not assess the legal system of the US, but gave guidance to the European Commission as to how it should assess third countries. In fact, this judgement added a few elements to what is now Article 45(2) of the GDPR. In its judgement, the CJEU expressed that the Commission had made a mistake by not assessing these elements. The CJEU explained that:

"[US] authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security."119

113 Kuner 2007, p. 80.

114 González Fuster 2016, p. 162.

115 CJEU 6 November 2003, ECLI:EU:C:2003:596 (Bodil Lindqvist), para. 71.

116 Kuner 2017, p. 893.

117 CJEU 6 October 2015, ECLI:EU:C:2015:650 (Maximillian Schrems/Data Protection Commissioner), para. 45.

118 Ibid., para. 57. Derived from González Fuster 2016, p. 166.
