Blog‎ > ‎General‎ > ‎

Rethinking personal data and national sovereignty

posted Aug 4, 2020, 4:01 PM by Jake Vosloo   [ updated Aug 4, 2020, 4:54 PM ]

Countries are realising the exceptional power and national security risks associated with private data of their citizens. For example, data exported from the EU to the US (China, or Russia) allow the US (Chinese, or Russian) governments unfettered access to personal relationships, political views, financial, geo-location, and password data about their citizens and with this a direct line to influence those citizens. The recent Schrems II decision by the EU court is the first step in restricting how data can be transferred between countries. A summarised extract follows:

In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.

The Court points out, in particular, that decision 2010/87 imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. 

As mentioned by, it is not immediately obvious what level of national security surveillance is acceptable without offending GDPR standards and that data subject rights under Australia’s Privacy Act 1988 (Cth) do not fully align with the data subject rights under the GDPR.