From the very outset of the EU data protection legislation, and hence from the 1995 Directive, international data transfer has been subject to strict requirements aimed at ensuring that protection travels with data. Although these rules have been widely criticized for their inability to deal with the complexity of modern international transactions, the GDPR has essentially inherited the same architecture of the Directive together with its structural limitations. This research aims to highlight the main weaknesses of the EU data export restrictions and identify what steps should be taken to enable a free, yet safe, data flow. This research first places EU data transfer rules in the broader debate about the challenges that the un-territorial cyberspace poses to States’ capabilities to exert their control over data. It then delves into the territorial scope of the GDPR to understand how far it goes in protecting data beyond the EU borders. The objectives underpinning data export restrictions (i.e., avoiding the circumvention of EU standards and protecting data from foreign public authorities) and their limitations in achieving such objectives are then identified. Lastly, three possible “solutions” for enabling data flow are tested. Firstly, it is shown that the adoption by an increasing number of non-EEA countries of GDPR-like laws and the implementation by many companies of GDPR-compliant policies is more likely to boost international data flow than internationally agreed standards. Secondly, the role that Article 3 GDPR may play in making data transfer rules “superfluous” is analysed, as well as the need to complement the direct applicability of the GDPR with cross-border cooperation between EU and non-EU regulators. Thirdly, the study finds that the principle of accountability, as an instrument of data governance, may boost international data flow by pushing most of the burden for ensuring GDPR compliance on organizations and away from resource-constrained regulators.

Exchanging and Protecting Personal Data across Borders: GDPR Restrictions on International Data Transfer / Oldani, Isabella. - (2020 Jul 20), pp. 1-410. [10.15168/11572_270518]

Exchanging and Protecting Personal Data across Borders: GDPR Restrictions on International Data Transfer

Oldani, Isabella
2020-07-20

Abstract

From the very outset of the EU data protection legislation, and hence from the 1995 Directive, international data transfer has been subject to strict requirements aimed at ensuring that protection travels with data. Although these rules have been widely criticized for their inability to deal with the complexity of modern international transactions, the GDPR has essentially inherited the same architecture of the Directive together with its structural limitations. This research aims to highlight the main weaknesses of the EU data export restrictions and identify what steps should be taken to enable a free, yet safe, data flow. This research first places EU data transfer rules in the broader debate about the challenges that the un-territorial cyberspace poses to States’ capabilities to exert their control over data. It then delves into the territorial scope of the GDPR to understand how far it goes in protecting data beyond the EU borders. The objectives underpinning data export restrictions (i.e., avoiding the circumvention of EU standards and protecting data from foreign public authorities) and their limitations in achieving such objectives are then identified. Lastly, three possible “solutions” for enabling data flow are tested. Firstly, it is shown that the adoption by an increasing number of non-EEA countries of GDPR-like laws and the implementation by many companies of GDPR-compliant policies is more likely to boost international data flow than internationally agreed standards. Secondly, the role that Article 3 GDPR may play in making data transfer rules “superfluous” is analysed, as well as the need to complement the direct applicability of the GDPR with cross-border cooperation between EU and non-EU regulators. Thirdly, the study finds that the principle of accountability, as an instrument of data governance, may boost international data flow by pushing most of the burden for ensuring GDPR compliance on organizations and away from resource-constrained regulators.
XXXII
2018-2019
Scuola di Studi Internazionali (29/10/12-)
International Studies
Alì, Antonino
no
Inglese
Settore IUS/14 - Diritto dell'Unione Europea
File in questo prodotto:
File Dimensione Formato  
PhD dissertation_Isabella Oldani.pdf

Open Access dal 21/07/2022

Tipologia: Tesi di dottorato (Doctoral Thesis)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 3.56 MB
Formato Adobe PDF
3.56 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/270518
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact