Livet efter Schrems II : EU:s integritetsskydd i ljuset av statlig övervakning

Sammanfattning: International transfers of personal data impose great risk to the fundamental rights of individuals. Equally true however is the fact that international transfers of personal data (as well as other categories of data) are of great value to the global economy and to the business of many European companies. Personal data has to be able to flow freely within the European single market as well as to the rest of the world, but if the fundamental rights which are recognized by the EU are to be taken seriously this simply can’t be the case, there has to be restrictions of some sort. In other words, international transfers have to recognize fundamental rights, or otherwise they can’t occur. The million-dollar question, therefore, is how these two interests can merge. International transfers of personal data are regulated in the general data protection regulation, which is explored in depth in the thesis. The rules of such transfers are quite complex and have of late been vigorously debated. In the center of it all is Maximilian Schrems, who has succeeded in his attempts to tear down the regulation’s popular mechanisms for international transfers, namely Safe Harbour and Privacy Shield. It has successfully been argued that these mechanisms don’t guarantee an adequate level of protection of the fundamental rights of individuals within the EU when their personal data is transferred to the United States. The secret surveillance of the American intelligence agencies imposes to great of a threat to the fundamental rights, which aren’t safeguarded by these mechanisms. The European Court of Justice has in its case law been sympathetic to the criticism of Mr. Schrems and has judged both Safe Harbour and Privacy Shield invalid. In the light of the case law of the court, specifically the Schrems II ruling, international data transfers to the United States are very problematic from a privacy perspective, and I argue that all transfers to all third countries are troublesome as a consequence of Schrems II. If an international transfer is to be carried out to a country which performs secret surveillance (i.e. most countries of the world) the data controller and processor have to guarantee the protection of the rights of the data subject vis-à-vis the state’s surveillance throughout the transfer, otherwise it can’t materialize. This I argue is not possible, which in practice prohibits the possibility for transfers to most countries almost completely. In summary the thesis explores the dynamic relationship between international transfers of personal data and national security. The overriding conclusion is that it is a dysfunctional relationship indeed and that transfers can’t occur to third countries which doesn’t respect fundamental rights. This is the case in general, regardless of what mechanisms are used, what data is to be transferred and what supplementary measures the parties apply.