Het groot privacyduel tussen Europa en Amerika: Privacy Shield versus GDPR
In 2015 vernietigde het Hof van Justitie van de Europese Unie de ‘Safe Harbour’ beslissing, waardoor de uitwisseling van persoonsgegevens tussen de EU en de Verenigde Staten in gevaar kwam. Kan hetzelfde dit jaar opnieuw gebeuren?
Belangrijk voor de economie, maar ook voor jou en mij
Persoonsgegevens zijn een heel brede categorie van informatie, gaande van je naam en je resultaat op een toets uit het derde middelbaar tot de geolocatie van je gsm en gegevens over je financiële situatie.
Uitwisseling van dergelijke informatie is belangrijk voor alle takken van de economie. Voor Big Tech-bedrijven zoals Google, Facebook en Amazon is het verzamelen en verzenden van persoonlijke gegevens naar de VS zelfs een deel van hun core business. Ook andere spelers in de economie zoals banken en farmaceutische bedrijven maken echter gebruik van uitwisselingen van persoonlijke gegevens en sturen deze gegevens naar de VS.
Maar ook voor individuele burgers is het verzenden van persoonsgegevens naar de VS iets om over na te denken. Wie wil er immers dat de FBI alles weet over zijn privéleven: of je hebt moeten zittenblijven in het middelbaar, of je antidepressiva slikt en of je een maîtresse hebt?
Het Privacy Shield
Het verzenden van persoonlijke gegevens vanuit de EU naar zogenaamd ‘derde landen’ zoals de VS wordt geregeld door de GDPR. Volgens de GDPR moeten deze derde landen adequate privacybescherming bieden vooraleer persoonlijke gegevens naar hen gestuurd mogen worden. De Europese Commissie oordeelde dat de VS, onder de Safe Harbour, inderdaad adequate bescherming biedt, maar werd teruggefloten door het Hof van Justitie. Het Hof vernietigde de Safe Harbour en stelde dat de VS géén adequate bescherming bieden. Meteen na deze rechterlijke uitspraak sloten de EU en de VS echter al een nieuw akkoord: het Privacy Shield. Hierdoor konden persoonsgegevens over de Atlantische Oceaan blijven stromen.
Een nieuw akkoord, dezelfde problemen?
Momenteel ligt het Privacy Shield net zoals zijn voorganger onder vuur door privacy-activisten. Het Hof van Justitie zal zich dus ook over het Privacy Shield moeten buigen. Dit onderzoek onderzocht of het Privacy Shield de toets van het Hof van Justitie zal overleven. Er is zowel gekeken naar de verenigbaarheid van het Privacy Shield met de grondrechten van de EU, als de verenigbaarheid met de GDPR. Het resultaat van het onderzoek is dat het Hof het Privacy Shield hoogstwaarschijnlijk zal vernietigen indien het daarom gevraagd wordt.
Ten eerste toont het onderzoek het bestaan aan van een hele reeks problemen met het commerciële luik van het Privacy Shield (waarbij bedrijven persoonsgegevens naar de VS mogen sturen en daar verder gebruiken). Verschillende basisbeginselen uit de GDPR zijn niet op een gelijkwaardige manier aanwezig in de VS. Daarenboven is geen enkel recht dat de GDPR aan individuen verleent met betrekking tot hun persoonsgegevens voldoende gewaarborgd in de VS, sommige ontbreken zelfs volledig. Het feit dat ‘het recht om vergeten te worden’ volkomen onbestaande is binnen de mediawereld in de VS is hier een sprekend voorbeeld van. Een onafhankelijke toezichthouder, zoals de gegevensbeschermingsautoriteit in België, is evenmin gegarandeerd.
Ten tweede zijn er nóg ernstigere problemen met het niet-commerciële luik. Dit luik van het Privacy Shield zou bescherming moeten bieden aan persoonsgegevens wanneer Amerikaanse veiligheidsdiensten zoals de NSA, de FBI en de CIA deze gegevens verwerken. Het was omwille van tekortkomingen in deze context dat het Hof van Justitie de Safe Harbour vernietigde. Al deze tekortkomingen zijn in essentie nog steeds aanwezig in het Privacy Shield. Nog steeds zijn vormen van massa-surveillance mogelijk in de VS, waarbij enorm grote hoeveelheden persoonsgegevens verzameld worden. Deze praktijken schenden overduidelijk het recht op een privéleven en het recht op de bescherming van persoonsgegevens. Nog steeds wordt het recht op non-discriminatie met de voeten getreden, aangezien er geen enkele bescherming tegen bijvoorbeeld etnische profilering bestaat. Nog steeds ontbreekt een echt onafhankelijke toezichthouder. De nieuw gecreëerde toezichthouder is immers enkel in naam onafhankelijk, aangezien het hier gaat om een lid van de Amerikaanse regering. Ook de problemen in verband met het recht op toegang tot de rechter zijn nog steeds dezelfde als onder de Safe Harbour. Er zijn op dit vlak weliswaar aanpassingen aan de Amerikaanse wetgeving gebeurd, maar deze zijn onvoldoende. Zo was een grote kritiek van het Hof van Justitie op de Safe Harbour dat de procedure voor de Amerikaanse bevoegde rechtbanken geheim was en EU-burgers niet konden deelnemen aan het proces. Dit is in essentie nog steeds het geval.
Om het kort te stellen: het onderzoek legt, vanuit het oogpunt van de grondrechten en de GDPR, alle gebreken van het Privacy Shield bloot. Hierop gebaseerd wordt dan ook voorspeld dat het Hof van Justitie het Privacy Shield met de grond zal gelijkmaken. Dit zou negatieve gevolgen hebben voor de economie, maar positief zijn voor iedereen die wakker ligt over privacy.
Wordt vervolgd; uitspraak later dit jaar.
Bibliografie
Treaty on the Functioning of the European Union 2012/C 326/01, OJ C326 of 26 October 2012.
Treaty on European Union 2012/C 326/01, OJ C326 of 26 October 2012.
Charter of Fundamental Rights of the European Union 2012/C 326/02, OJ C 326/391 of 26 October 2012.
Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L281/31 of 23 November 1995.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, OJ L215/7 of 25 August 2000.
Commission Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, OJ L2/13 of 4 January 2002.
Commission Decision 2003/490/EC of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina, OJ L168/19 of 5 July 2003.
Commission Decision 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey, OJ L308/27 of 25 November 2003.
Commission Decision 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man, OJ L151/48 of 30 April 2004.
Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection, OJ L235/11 of 6 July 2004.
Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy, as amended by Council Regulation (EC) No 1437/2007 of 26 November 2007, and Commission Regulation (EC) No 259/2008 of 18 March 2008 laying down detailed rules for the application of Regulation No 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD), OJ L209/01 of 11 August 2005.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L105/54 of 13 April 2006.
Commission Decision 2008/393/EC of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey, OJ L138/21 of 28 May 2008.
Commission Decision 2010/146/EU of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data, OJ L58/17 of 9 March 2010.
Commission Decision 2010/625/EU of 19 October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra, OJ L277/27 of 21 October 2010.
Commission Decision 2011/61/EU of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data, OJ L27/39 of 1 February 2011.
Commission Implementing Decision 2012/484/EU of 21 August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data, OJ L227/11 of 28 August 2012.
Commission Implementing Decision 2013/65/EU of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand, OJ L28/12 of 30 January 2013
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1 of 4 May 2016.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L119/89 of 4 May 2016.
Commission Implementing Decision 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, OJ L207/1 of 1 August 2016.
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L295/39 of 21 November 2018.
Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, OJ L76/1 of 19 March 2019.
Proposed acts of the institutions and preparatory documents concerning acts of the institutions
Proposal (Commission) for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final of 25 January 2012.
Proposal (Commission) for a Council Decision on the conclusion of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data, COM(2013) 0528 final of 18 July 2013.
European Parliament legislative resolution P7_TA(2014)0212 of 12 March 2014 on the proposal for the GDPR and the position of the European Parliament adopted at first reading on 12 March 2014 with a view to the adoption of the GDPR, OJ C378/399 of 9 November 2017.
Voting result 2012/0011 (COD) of 8 April 2016 concerning the adoption of the Council's position at first reading and the statement of the Council's reasons concerning the GDPR, ST 7920 2016 INIT, 2012/011 (OLP), 7920/16 of 14 April 2016.
Regulatory Opinions, Guidelines and Communications
Article 29 Working Party, Opinion 03/2013 of 2 April 2013 on purpose limitation, 00569/13/EN WP 203.
Communication from the Commission to the European Parliament pursuant to Article 294(6) of the Treaty on the Functioning of the European Union concerning the position of the Council on the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and repealing Directive 95/46/EC, COM(2016) 214 final, 2012/0011(COD) of 11 April 2016.
Article 29 Working Party, Opinion 01/2016 of 13 April 2016 on the EU – U.S. Privacy Shield draft adequacy decision, 16/EN WP 238.
Article 29 Working Party, Guidelines of 3 October 2017 on Automated Individual Decision-Making and profiling for the purposes of Regulation 2016/679, 17/EN WP 251.
Title 5, 15 and 50 of the Code of Laws of the United States of America.
Executive Order 12333 of 8 December 1981 on the United States Intelligence Activities (As amended by Executive Orders 13284 (2003), 13355 (2004) and 13470 (2008)), Federal Register Vol. 40, No 235.
Presidential Policy Directive 28 of 17 January 2014 regarding Signals Intelligence Activities.
Attorney General Order No. 3824–2017 of 23 January 2017 on the Judicial Redress Act of 2015: Attorney General Designations, Federal Register Vol. 82, No. 13.
Judgments and Opinions by the CJEU
Judgment of 20 May 2003, Österreichischer Rundfunk and Others, C-465/00, ECLI:EU:C:2003:294.
Judgment of 6 November 2003, Lindqvist, C-101/01, ECLI:EU:C:2003:596.
Judgment 31 May 2005, SYFAIT, C-53/03, ECLI:EU:C:2005:333.
Judgment of 30 May 2006, Parliament v Council and Commission, C-317/04 and C-318/04, ECLI:EU:C:2006:346.
Judgment of the Court of First Instance of 8 November 2007, Bavarian Lager v Commission, T-194/04, ECLI:EU:T:2007:334.
Judgment of 29 January 2008, Promusicae, C-275/06, ECLI:EU:C:2008:54.
Judgment of 3 September 2008, Kadi and Al Barakaat, C-402/05P, ECLI:EU:C:2008:461.
Judgment of 16 December 2008, Huber, C-524/06, ECLI:EU:C:2008:724.
Judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, ECLI:EU:C:2008:727.
Judgment of 7 May 2009, Rijkeboer, C-553/07, ECLI:EU:C:2009:293.
Judgment of 3 December 2009, Hassan and Ayadi, C-399/06P, ECLI:EU:C:2009:748.
Judgment of 9 March 2010, Commission v Germany, C-518/07, ECLI:EU:C:2010:125.
Judgment of 29 June 2010, Commission v Bavarian Lager, C-28/08P, ECLI:EU:C:2010:378.
Judgment of 9 November 2010, Volker und Markus, C-92/09, ECLI:EU:C:2010:662.
Judgment of 16 November 2011, Bank Melli Iran, C-548/09P, ECLI:EU:C:2011:735.
Judgment of 24 November 2011, ASNEF, C-468/10 and C-469/10, ECLI:EU:C:2011:777.
Judgment of 28 June 2012, Commission v Éditions Odile Jacob, C-404/10P, ECLI:EU:C:2012:393.
Judgment of 16 October 2012, Commission v Austria, C-614/10, ECLI:EU:C:2012:631.
Judgment of 31 January 2013, Belov, C‑394/11, ECLI:EU:C:2013:48
Judgment of 30 May 2013, Worten, C-342/12, ECLI:EU:C:2013:355.
Judgment of 18 July 2013, Kadi II, C-584/10P, ECLI:EU:C:2013:518.
Judgment of 7 November 2013, IPI, C‑473/12, ECLI:EU:C:2013:715.
Judgment of 12 December 2013, X, C-486/12, ECLI:EU:C:2013:836.
Judgment of 8 April 2014, Commission v Hungary, C-288/12, ECLI:EU:C:2014:237.
Judgment of 8 April 2014, Digital Rights Ireland and Seitlinger, C-293/12, ECLI:EU:C:2014:238.
Judgment of 13 May 2014, Google Spain and Google, C-131/12, ECLI:EU:C:2014:317.
Judgment of 17 July 2014, YS and Others, C-141/12, ECLI:EU:C:2014:2081.
Judgment of 11 December 2014, Ryneš, C‑212/13, ECLI:EU:C:2014:2428.
Judgment of 1 October 2015, Bara and Others, C-201/14, ECLI:EU:C:2015:638
Judgment of 6 October 2015, Schrems, C-362/14, ECLI:EU:C:2015:650.
Judgment of the General Court of 3 December 2015, CN v Parliament, T‑343/13, ECLI:EU:T:2015:926.
Judgment of 21 December 2016, Tele2 Sverige, C-203/15, ECLI:EU:C:2016:970.
Judgment of 9 March 2017, Manni, C-398/15, ECLI:EU:C:2017:197.
Judgment of the General Court of 28 March 2017, Deutsche Telekom v Commission, T‑210/15, ECLI:EU:T:2017:224.
Judgment of 4 May 2017, Rīgas satiksme, C-13/16, ECLI:EU:C:2017:336.
Judgment of 18 July 2017, Commission v Breyer, C-213/15P, ECLI:EU:C:2017:563.
Opinion of 26 July 2017, Accord PNR UE-Canada, Opinion 1/15, ECLI:EU:C:2017:592.
Judgment of 27 September 2017, Peter Puškár, C‑73/16, ECLI:EU:C:2017:725.
Judgment of 20 December 2017, Peter Nowak, C-434/16, ECLI:EU:C:2017:994.
Judgment of the General Court of 5 February 2018, Edeka-Handelsgesellschaft Hessenring v Commission, T‑611/15, ECLI:EU:T:2018:63.
Judgment of the General Court of 27 February 2018, CEE Bankwatch Network v Commission, T‑307/16, ECLI:EU:T:2018:97.
Judgment of 5 June 2018, ULD Schleswig-Holstein v Wirtschaftsakademie, C‑210/16, ECLI:EU:C:2018:388.
Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, ECLI:EU:C:2018:788.
Judgment of 16 January 2019, Deutsche Post, C-496/17, ECLI:EU:C:2019:26.
Judgment of 14 February 2019, Buivids, C-345/17, ECLI:EU:C:2019:122.
Judgment of 13 March 2019, AlzChem v Commission, C‑666/17P, ECLI:EU:C:2019:196.
Action brought on 25 October 2016, La Quadrature du Net and Others v Commission, T-738/16.
Reference for a preliminary ruling from the High Court (Ireland) of 9 May 2018, Facebook Ireland and Schrems, C-311/18.
Opinions of the Advocate General
Opinion of Advocate General Kokott of 18 July 2007, Promusicae, C‑275/06, ECLI:EU:C:2007:454.
Opinion of Advocate General Cruz Villalón of 12 December 2013, Digital Rights Ireland and Seitlinger, C-293/12, ECLI:EU:C:2013:845.
Opinion of Advocate General Bot of 23 September 2015, Schrems, C-362/14, ECLI:EU:C:2015:627.
Opinion of Advocate General Mengozzi of 8 September 2016, Accord PNR UE-Canada, Opinion 1/15, ECLI:EU:C:2016:656.
Opinion of Advocate General Tanchev of 11 April 2019, Commission v Poland, C-619/18, ECLI:EU:C:2019:325.
High Court of Justice (UK) 9 November 1923, R v Sussex Justices, ex parte McCarthy, 1 KB 256.
ECtHR 4 December 2008, S. and Marper v. the United Kingdom, nos. 30562/04 and 30566/04.
High Court (IRL) 3 October 2017, The Data Protection Commissioner and Facebook Ireland Limited and Maximillian Schrems, No. 4809 P.
AUSLOOS J., The Right to Erasure: Safeguard for Informational Self-Determination in a Digital Society?, Dissertation for the degree of Doctor of Laws (PhD) KU Leuven, 2018, 468.
GIAKOUMOPOULOS C., BUTTARELLI G. and O’FLAHERTY M., Handbook on European data protection law, European Union Agency for Fundamental Rights and Council of Europe, Luxembourg, 2018, 397.
GONZÁLEZ FUSTER, G., The Emergence of Personal Data Protection as a Fundamental Right of the EU, Cham, Springer, 2014, 274.
HOOFNAGLE, C. J., Federal Trade Commission: Privacy Law and Policy, New York, Cambridge University Press, 2016, 402.
KRZYSZTOFEK M., Post-reform Personal Data Protection In the European Union : General Data Protection Regulation (eu) 2016/679, Alphen aan den Rijn, Kluwer Law International B.V., 2017, 255.
LYNSKEY, O., The Foundations of EU Data Protection Law, Oxford, Oxford University Press, 2015, 307.
BRKAN M., “The Court of Justice of the EU, Privacy and Data Protection: Judge-made law as a leitmotif in fundamental rights protection” in BRKAN, M. and PSYCHOGIOPOULOU, E., Courts, privacy and data protection in the digital environment, Cheltenham, Edward Elgar Publishing, 2017, 241.
CHEVALLIER-GOVERS C., “Personal Data Protection: Confrontation between the European Union and the United States of America” in Y. ECHINARD and others (eds), L'Union européenne et les Etats-Unis : processus, politiques et projets, Bruxelles, Larcier, 2012, 287.
DE BUSSER E., “Flagrant Denial of Data Protection: Redefining the Adequacy Requirement” in SVANTESSON D. J. B. and KLOZA D. (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy, Cambridge, Intersentia, 2017, 430.
DIENST S., “Lawful processing of personal data in companies under the GDPR” in D. RÜCKER and T. KUGLER (eds), New European General Data Protection Regulation, München, Beck, 2018, 291.
KUGLER T., “Practical Examples, I.” in D. RÜCKER and T. KUGLER (eds), New European General Data Protection Regulation, München, Beck, 2018, 291.
RÜCKER D., “Scope of application of the GDPR, I.” in D. RÜCKER and T. KUGLER (eds), New European General Data Protection Regulation, München, Beck, 2018, 291.
SALUZZO S., “Looking for safe harbours outside the European Union: The issue of onward transfers in EU data protection law and its external dimension” in VERMEULEN G. and LIEVENS E. (eds), Data Protection and Privacy under Pressure, Antwerp, Maklu, 2017, 341.
SCHREY J., “General conditions for data processing in companies under the GDPR, IV.” in D. RÜCKER and T. KUGLER (eds), New European General Data Protection Regulation, München, Beck, 2018, 291.
VERMEULEN G., “The Paper Shield: On the degree of protection of the EU-US privacy shield against unnecessary or disproportionate data collection by the US intelligence and law enforcement service” in SVANTESSON D. J. B. and KLOZA D. (eds), Trans-Atlantic Data Privacy Relations as a Challenge for Democracy, Cambridge, Intersentia, 2017, 430.
ANDOULSI, I., “L'arrêt de la Cour du 9 novembre 2010 dans les affaires jointes Volker und Markus Schecke GBR et Hartmut Eifert contre Land d'Hessen (C-92/09 et C-93/09): une reconnaissance jurisprudentielle du droit fondamental à la protection des données personnelles?”, Cah. dr. eur. 2011, 471-522.
AZOULAI, L., VAN DER SLUIS M., “Institutionalizing personal data protection in times of global institutional distrust: Schrems”, Common Market Law Review 2016, 1343-1371.
BOBEK, M., “Joined Cases C-92 & 93/09, Volker und Markus Schecke GbR and Hartmut Eifert, Judgment of the Court of Justice (Grand Chamber) of 9 November 2010”, CMLRev 2011, 2005-2022.
BRÉCHOT, F.-X., “Clap de fin pour la conservation généralisée des données de connexion en Europe?”, RUE 2017, 178-187.
CAROTTI, B., “Il caso Schrems, o del conflitto tra riservatezza e sorveglianza di massa”, Giornale di diritto amministrativo 2016, 333-344.
CRESPI, S., “The applicability of Schrems principles to the Member States: national security and data protection within the EU context”, ELR 2018, 669-686.
DOCKSEY, C., “Opinion 1/15 Privacy and security, finding the balance”, MJECL 2017, 768-773.
EPSTEIN, R. A., “The ECJ's Fatal Imbalance: Its cavalier treatment of national security issues poses serious risk to public safety and sound commercial practices”, European Constitutional Law Review 2016, 330-340.
EYNARD, J., “D'une ingérence généralisée à une autre : deux poids, deux mesures ?”, R.T.D.H. 2018, 761-783.
FALOT N. and HIJMANS, H., “Tele2: de afweging tussen privacy en veiligheid nader omlijnd”, NtER 2017, 44-52.
FORGET, C., “L'avis de la C.J.U.E. sur l'accord PNR Union européenne-Canada : une occasion ratée de réaffirmer le principe de finalité?”, JDE 2018, 87-89.
GRANGER M.-P. and IRION K., “The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection”, ELR 2014, 835-850.
HIJMANS H., “PNR Agreement EU-Canada Scrutinised: CJEU Gives Very Precise Guidance to Negotiators”, EDPL 2017, 406-412.
KUNER, C., “International agreements, data protection, and EU fundamental rights on the international stage: Opinion 1/15, EU-Canada PNR”, CMLRev 2018, 857-882.
LE BONNIEC, N., “L'avis 1/15 de la CJUE relatif à l'accord PNR entre le Canada et l'Union européenne : une délicate conciliation entre sécurité nationale et sécurité numérique”, RTD Eur 2018, 617-628.
LYNSKEY, O., “Control over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez”, Mod. Law Rev. 2015, 522-548.
LYNSKEY, O., “The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland”, CMLRev 2014, 1789-1812.
MOEREL, L., “De betekenis van de Safe Harbor uitspraak van het Europese Hof voor datadoorgiftes naar de VS”, Nederlands juristenblad 2016, 1174-1183.
OJANEN, T., “Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter”, European Constitutional Law Review 2016, 318-329.
PEYROU, S., “Arrêt «Tele2 Sverige» : l’interdiction du stockage de masse de données à caractère personnel réaffirmée par la Cour de justice de l’Union européenne”, JDE 2017, 107-109.
PEYROU, S., “La Cour de justice de l'Union européenne, à l'avant-garde de la défense des droits numériques”, JTDE 2015, 395-398.
ROBERTS, A., “Privacy, Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications”, Mod. Law Rev. 2015, 535-548.
SCHEININ, M., “Towards evidence-based discussion on surveillance: A Rejoinder to Richard A. Epstein”, European Constitutional Law Review 2016, 341-348.
SZYDLO, M., “The independence of data protection authorities in EU law: between the safeguarding of fundamental rights and ensuring the integrity of the internal market”, ELR 2017, 369-387.
STEENBRUGGEN, W. and VAN HARTEN, S., “Safe Harbour is dood. Lang leve Safe Harbour 2.0?", Mediaforum 2015, 281-285.
TRACOL, X., ““Invalidator” strikes back: The harbour has never been safe”, CLSR 2016, 345-362.
ZALNIERIUTE, M., “Developing a European Standard for International Data Transfers after Snowden: Opinion 1/15 on the EU-Canada PNR Agreement”, Mod. Law Rev. 2018, 1046-1063.
Autorité de protection des données – Gegevensbeschermingsautoriteit (ADP-GBA), ‘AVG/GDPR - Rechten van de burger’, (Brussels, 23 November 2018) <https://www.youtube.com/watch? v=ceKry1RlQbs&feature=youtu.be> accessed 25 March 2019.
