PRESERVING THE E.U. DATA PROTECTION STANDARD

187
 
Preserving the E.U. data protection standard in a globalized world
criminal law”.
26
 Consequently, the presence of invasive investigative public bodies 
and the lack of adequate guarantees to the data subject assume relevance for the deci-
sion whether to limit the trans-border data flows between subsidiaries and holdings 
or between companies. Once again this limit does not affect public authorities, but 
restricts the set of information held by private companies available for their scrutiny.
Without considering the NSA case that is still on-going, an explanatory case on 
the relationship between trans-border data flows, foreign jurisdiction and the pos-
sible effects on citizens and social control is provided by the SWIFT case; the same 
criticism applies and has been expressed by commentators with regard to the U.S. 
Patriot Act. These two cases differ because in the NSA case non-E.U. authorities 
requested to access information held by a company based in the E.U., whereas in the 
SWIFT case the requests were directed to U.S. companies in order to have access to 
the information they received from their E.U. subsidiaries.
In the SWIFT case (
Article 29 Data Protection Working Party, 2006b
) the Article 
29 Data Protection Working Party clarified that a foreign law does not represent the 
legal base for the disclosure of personal information to non-E.U. authorities, since 
only the international instruments provide an appropriate legal framework enabling 
international cooperation (
Article 29 Data Protection Working Party, 2006b
; see also 
Article 29 Data Protection Working Party, 2006a
). Furthermore, the exception pro-
vided by Art. 26 (1) (b) Directive 95/46/EC
27
does not apply when the transfer is 
not necessary or legally required on important public interest grounds of an E.U. 
Member State (
Article 29 Data Protection Working Party, 2006b
).
28
In contrast (as emerged in the PATRIOT Act case and also with reference to the 
wider, complex and dynamic system of powers enjoyed by the U.S. government in the 
realm of criminal investigations and national security (
van Hoboken et al., 2012
)
29
), the 
U.S. authorities may access data held by the E.U. subsidiaries of U.S. companies.
30
However, it is necessary to point out that there is a potential breach of protection of per-
sonal data of European citizens and that this happens not only with regards to U.S. laws, 
but also in relations with other foreign regulations, as demonstrated by the recent draft 
of the Indian Privacy (Protection) Bill
31
and Chinese laws on data protection (
Greenleaf 
and Tian, 2013; The Decision of the Standing Committee of the National People’s  
26 
See Article 41 (2) (a), PGDPR-LIBE_30-91 and also Art. 41 (2) (a), PGDPR.
27 
Art. 26 (1) (b) justifies the transfer that is necessary or legally required on important public inter-
est grounds, or for the establishment, exercise or defence of legal claims (Article 26 (1) (d) of the 
Directive.
28 
“Any other interpretation would make it easy for a foreign authority to circumvent the requirement 
for adequate protection in the recipient country laid down in the Directive”.
29 
See above § 2.
30 
It is necessary to underline that the guarantees provided by the U.S. Constitution in the event of U.S. 
government requests for information do not apply to European citizens, as well as, legal protection 
under specific U.S. laws applies primarily to U.S. citizens and residents.
31 
See Privacy (Protection) Bill, 2013, updated third draft. Available: 
http://cis-india.org/internet-gover-
nance/blog/privacy-protection-bill-2013-updated-third-draft
[Jan. 31, 2014].

Download 5,67 Mb.

Do'stlaringiz bilan baham: